1. Output of caddy version:
v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
2. How I run Caddy:
Running as a service via WinSW
a. System environment:
Windows 11
b. Command:
caddy.exe
d. My complete Caddy config:
domain1.com {
	# request_header rewrites the headers sent upstream and seen by the
	# remote_ip forwarded matcher; plain `header` would only touch the response.
	request_header X-Real-IP {http.request.header.CF-Connecting-IP}
	request_header X-Forwarded-For {http.request.header.CF-Connecting-IP}
	request_header X-Forwarded-Host {http.request.hostport}

	reverse_proxy ip:port ip:port ip:port ip:port {
		# streaming
		flush_interval -1
		# load balancing
		lb_policy least_conn
		lb_try_interval 250ms
		# passive health checking
		max_fails 2
		unhealthy_request_count 4
		transport http {
			dial_timeout 3s
			keepalive_idle_conns_per_host 4
		}
	}

	encode zstd gzip

	tls mail@mail.com {
		dns cloudflare KEY
		resolvers x.x.x.x # pi-hole
	}

	log {
		format transform [{ts}] - User={user_id} - X-Forwarded-For={request>headers>X-Forwarded-For} - remote_ip={request>remote_ip} Country={request>headers>Cf-Ipcountry} {request>method} {request>headers>X-Forwarded-Proto} {request>host} {request>uri} {request>headers>Referer>[0]} {request>headers>User-Agent>[0]} - {request>proto} {status} {size} - {request>headers} {
			time_format "02/Jan/2006 15:04:05 -0700"
		}
		output file C:\stuff\caddy\logs\domain.log {
			roll true # Rotate logs, enabled by default
			roll_size_mb 5 # Set max size 5 MB
			roll_gzip true # Whether to compress rolled files
			roll_keep 2 # Keep at most 2 log files
			roll_keep_days 7 # Keep log files for 7 days
		}
	}

	@notLocal {
		not remote_ip 192.168.1.0/24
		# Reads the IP from the X-Forwarded-For header set above from CF-Connecting-IP
		not remote_ip forwarded x.x.x.x/public wan ip
	}
	basicauth @notLocal {
		USER PASS
	}
}
http://domain2.com {
	reverse_proxy http://192.168.1.4:9117

	encode zstd gzip

	@notLocal {
		not remote_ip 192.168.1.0/24
	}
	basicauth @notLocal {
		USER PASS
	}
}
3. The problem I'm having and what I already tried.
The initial problem was that when I used the Port Forwarding section rules on my router with EdgeOS (ER12P), I would get hit by a lot of bad actors, even after setting up a firewall rule to block them, but more about this later. Everything else worked really great and was hassle-free and easy to set up; more about this below the picture.
I would get hit by a lot of requests from various bots and bad IPs. So I set up a firewall with daily refreshed blacklisted IPs, but soon learned that when you use the above settings in the picture, the rules in there will ignore or overrule everything else under Firewall Policies and the masq/NAT/DNAT settings under boot/startup.
So I started, by trial and error, setting up my router via the NAT and DNAT section with port forwarding and removing the initial rules under the default "Port Forwarding" page, which now has most of it up and running.
First I had to add source NAT masquerade for the LAN under Source NAT.
Then I had to set up DNAT for WAN HTTP/HTTPS on ports 80 and 443.
I also added hairpin LAN DNAT rules for 80 and 443, as I'm inexperienced and a noob. Don't do that unless you are trying to host the entire internet; you will block yourself out from everything. That's why you can see in the screenshot that they are greyed out/disabled. Luckily I could SSH in and delete the rules and get access to the web again.
Last, I had to go to the Firewall Policies section and set up rules for the NAT/DNAT setup I just did, so I added 80 and 443 as shown in the 2 pictures, below the blacklist firewall rule I created before everything else.
So far all seems to be working from the outside WAN in to the LAN.
The rule issues start now that I have set up Caddy with Cloudflare for incoming connections at domain1dotcom: before, the remote_ip would show the Cloudflare IP; now it shows my router IP, 192.168.1.1, in the logs, which gives all access to my stuff because I gave permission to 192.168.1.0/24 as shown in the Caddyfile.
The second issue is that I can no longer go to my domain2dotcom without getting redirected to my router IP and being told the certificate has expired, whereas before it also worked without problem: just hitting the domain would work as intended.
If I add both ports 80 and 443 back to the Port Forwarding section, all these issues go away, but then I'm back to the original problem of bots not getting blocked, so it's probably just a matter of something in the NAT/DNAT routes that needs to be fixed up?
Domain2dotcom is running locally from the same server as Caddy and runs on port 80; Caddy auto-HTTPSes it. I tried disabling this just to test, but it failed no matter what.
I'm really annoyed by this and would love some expert help; going by my history from past topics in here, you guys always seem to have a guide or instructions ready with great expertise.
4. Reference - info & Links
My router: EdgeRouter 12P with the latest firmware available, v2.0.9-hotfix.4
The setup page: WAN port running on eth9, and ports 0-7 are in bridge mode.
Routes
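As an added example (not part of the post or of Caddy), a Python check over access-log lines in the post's `format transform` layout: it reports requests that the `@notLocal` matcher exempted from basicauth only because `remote_ip` was the router (hairpin NAT) while the forwarded client address lies outside 192.168.1.0/24. The LAN range, the NAT-hop addresses, the header rendering and the sample lines are assumptions constructed for the example.

```python
import ipaddress
import re

# Assumptions (this example's, not the post's): the /24 that @notLocal exempts
# from basicauth, and the NAT hops whose address can replace the real client's
# in remote_ip (router doing hairpin NAT, loopback for a local proxy).
LAN = ipaddress.ip_network("192.168.1.0/24")
NAT_HOPS = {ipaddress.ip_address("192.168.1.1"), ipaddress.ip_address("127.0.0.1")}

# Fields of the post's `format transform` template that the audit needs.
FIELDS = re.compile(
    r"X-Forwarded-For=(?P<xff>\S*) - remote_ip=(?P<rip>\S+) Country=\S* "
    r"(?P<method>\S+) \S+ (?P<host>\S+) (?P<uri>\S+) "
)

def parse(line):
    m = FIELDS.search(line)
    if not m:
        return None
    # Header placeholders may render as a bracketed/quoted list (assumed);
    # strip that and keep the first, client-most, X-Forwarded-For entry.
    xff = m.group("xff").strip('[]"').split(",")[0].strip()
    return {"xff": xff or None, "remote_ip": m.group("rip"),
            "method": m.group("method"), "host": m.group("host"), "uri": m.group("uri")}

def audit(line):
    """'bypass' if `not remote_ip 192.168.1.0/24` exempted the request only because
    remote_ip was a NAT hop while the forwarded client is off-LAN; 'ok' otherwise."""
    rec = parse(line)
    if rec is None:
        return None
    remote = ipaddress.ip_address(rec["remote_ip"])
    exempted = remote in LAN          # what the matcher actually decided
    client = remote                   # best guess at the real client
    if remote in NAT_HOPS and rec["xff"]:
        try:
            client = ipaddress.ip_address(rec["xff"])
        except ValueError:
            client = None             # a hop with junk XFF is not a LAN client
    return "bypass" if exempted and (client is None or client not in LAN) else "ok"

# Constructed sample lines in the post's transform format (not real logs).
SAMPLE = [
    "[20/Jul/2022 10:15:02 +0200] - User= - X-Forwarded-For=203.0.113.10 - remote_ip=192.168.1.1 Country=DE GET https domain1.com /admin/ - Mozilla/5.0 - HTTP/2.0 200 5120 - {}",
    "[20/Jul/2022 10:15:09 +0200] - User= - X-Forwarded-For= - remote_ip=192.168.1.50 Country= GET http domain1.com / - curl/7.83.1 - HTTP/1.1 200 120 - {}",
    "[20/Jul/2022 10:16:41 +0200] - User= - X-Forwarded-For=198.51.100.7 - remote_ip=192.0.2.5 Country=US GET https domain1.com /admin/ - Mozilla/5.0 - HTTP/2.0 401 0 - {}",
]
```

Run `audit` over each line of domain.log; a 'bypass' on a 200 response is a request that reached the protected upstream without basicauth.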