"not" request matcher doesn't seem to function?

1. Caddy version (caddy version):

Docker Hub tag caddy:2

2. How I run Caddy:

Through docker on a VPS

a. System environment:

Docker

c. Service/unit/compose file:

version: '3'
services:
  app:
    image: 'caddy:2'
    #network_mode: "host"
    restart: unless-stopped
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - ./data:/data
      - ./config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./srv:/srv
    networks:
      - backend

networks:
  backend:
    name: backend
    external: true

d. My complete Caddyfile or JSON config:

{
	email email@example.com
}

admin.trunking.telexperts-host.net {
	
	@public not remote_ip 24.78.154.37/32
	
	tls email@example.com {
		on_demand
	}
	
	respond @public 403 {
		
		close
	}
	
	reverse_proxy admin-panel-admin-panel-1:80
	
	
}


3. The problem I’m having:

The not request matcher doesn’t seem to work. When I put the above public filter in, it blocks my IP, not others.

4. Error messages and/or full log output:

caddy-app-1  | {"level":"error","ts":1653356648.3603776,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"admin.trunking.telexperts-host.net","error":"no information found to solve challenge for identifier: admin.trunking.telexperts-host.net"}
caddy-app-1  | {"level":"error","ts":1653356648.3604548,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"admin.trunking.telexperts-host.net","error":"no information found to solve challenge for identifier: admin.trunking.telexperts-host.net"}
caddy-app-1  | {"level":"error","ts":1653356648.3946877,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"admin.trunking.telexperts-host.net","error":"no information found to solve challenge for identifier: admin.trunking.telexperts-host.net"}
caddy-app-1  | {"level":"error","ts":1653356648.3947623,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"admin.trunking.telexperts-host.net","error":"no information found to solve challenge for identifier: admin.trunking.telexperts-host.net"}
caddy-app-1  | {"level":"error","ts":1653356648.3948286,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.105.18.30","remote_port":"49930","proto":"HTTP/1.1","method":"GET","host":"admin.trunking.telexperts-host.net","uri":"/.well-known/acme-challenge/MFUL2LWDEkPnf_Un8lbekgQoNahisWCb-VIHetYEAEk","headers":{"User-Agent":["cert-manager/v1.7.1 (clean)"],"Referer":["http://admin.trunking.telexperts-host.net/.well-known/acme-challenge/MFUL2LWDEkPnf_Un8lbekgQoNahisWCb-VIHetYEAEk"],"Accept-Encoding":["gzip"],"Connection":["close"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"admin.trunking.telexperts-host.net"}},"user_id":"","duration":0.00022756,"size":0,"status":403,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Content-Type":[]}}
caddy-app-1  | {"level":"error","ts":1653356648.6687777,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"24.78.138.37","remote_port":"65460","proto":"HTTP/2.0","method":"GET","host":"admin.trunking.telexperts-host.net","uri":"/index.html?__WB_REVISION__=84af66af4dcf16627cd732d8779fb6f5","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.162 Safari/537.36"],"Referer":["https://admin.trunking.telexperts-host.net/service-worker.js"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["en-US,en;q=0.9"],"Pragma":["no-cache"],"Cache-Control":["no-cache"],"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["empty"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"admin.trunking.telexperts-host.net"}},"user_id":"","duration":0.000051627,"size":0,"status":403,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Content-Type":[]}}
caddy-app-1  | {"level":"error","ts":1653356649.8410146,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"24.78.138.37","remote_port":"65462","proto":"HTTP/2.0","method":"GET","host":"admin.trunking.telexperts-host.net","uri":"/service-worker.js","headers":{"Sec-Fetch-Dest":["serviceworker"],"Referer":["https://admin.trunking.telexperts-host.net/service-worker.js"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.162 Safari/537.36"],"Accept-Language":["en-US,en;q=0.9"],"Cache-Control":["max-age=0"],"Accept":["*/*"],"Service-Worker":["script"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["same-origin"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"admin.trunking.telexperts-host.net"}},"user_id":"","duration":0.000037953,"size":0,"status":403,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Content-Type":[]}}

5. What I already tried:

I copied that from an example I found on this forum somewhere; it seems to be doing blocking, just the opposite of what I want!

If I remove the not from the @public line, it allows my connection, but doesn’t block others.

6. Links to relevant resources:

Which version, exactly? It matters, so that we’re on the same page. Please run caddy version inside the container to find out.

Your logs show a different port number than your config does. Notice the 3rd number, 138 vs 154. Are you sure you used the right IP in your config?
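An added example, not part of the original thread and not Caddy's own code: it evaluates the `@public not remote_ip 24.78.154.37/32` matcher from the Caddyfile above against the clients that received a 403 and flags any client that is one octet away from an allowlist entry. The log lines are a constructed reduction of the ones posted above (the ACME token is replaced by a placeholder), and the function names are hypothetical.

```python
import ipaddress
import json

# Matcher from the Caddyfile on this page: @public not remote_ip 24.78.154.37/32
ALLOWED = [ipaddress.ip_network("24.78.154.37/32")]

# Constructed sample: the posted log entries cut down to the fields read here,
# keeping the docker compose "caddy-app-1  | " prefix.
SAMPLE_LOG = """\
caddy-app-1  | {"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge"}
caddy-app-1  | {"logger":"http.log.access","request":{"remote_ip":"172.105.18.30","uri":"/.well-known/acme-challenge/TOKEN"},"status":403}
caddy-app-1  | {"logger":"http.log.access","request":{"remote_ip":"24.78.138.37","uri":"/index.html"},"status":403}
caddy-app-1  | {"logger":"http.log.access","request":{"remote_ip":"24.78.138.37","uri":"/service-worker.js"},"status":403}
"""

def public_matches(remote_ip, allowed=ALLOWED):
    """True when '@public not remote_ip ...' selects the client (it is NOT allowlisted)."""
    addr = ipaddress.ip_address(remote_ip)
    return not any(addr in net for net in allowed)

def near_miss(remote_ip, allowed=ALLOWED):
    """Return the IPv4 allowlist entry that differs from remote_ip in exactly one octet."""
    octets = remote_ip.split(".")
    for net in allowed:
        want = str(net.network_address).split(".")
        if len(octets) == len(want) == 4 and sum(a != b for a, b in zip(octets, want)) == 1:
            return str(net)
    return None

def explain_denials(log_text):
    """Map each client IP that got a 403 to the reason the matcher selected it."""
    findings = {}
    for line in log_text.splitlines():
        _, brace, rest = line.partition("{")  # works with or without the compose prefix
        try:
            entry = json.loads(brace + rest)
        except json.JSONDecodeError:
            continue
        if entry.get("logger") != "http.log.access" or entry.get("status") != 403:
            continue
        ip = entry["request"]["remote_ip"]
        if public_matches(ip):
            hint = near_miss(ip)
            findings[ip] = f"not allowlisted; one octet off {hint}" if hint else "not allowlisted"
        else:
            findings[ip] = "allowlisted but still denied; look at another rule"
    return findings
```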
