Obtaining and renewing SSL/TLS certificates when Caddy sits behind an IP whitelist

1. The problem I’m having:

I want to use Caddy to expose some endpoints used for metrics over HTTPS. I would like to expose these endpoints behind a firewall that only allows requests from whitelisted IP addresses. When doing so, I will face an issue with TLS certificates, as the certification authority wouldn’t be able to access the web server to perform the authentication and renewal of the certificate. This is so far pretty logical. Is there some sort of solution to this? I have no other way of setting this up, and I must have these HTTPS web pages behind this IP whitelist. I’d like to avoid managing the renewal of the certificates manually, as it is a lot of work for all the machines I’d like to install this setup on.

2. Error messages and/or full log output:

There are no error messages. I simply know that I will encounter this problem, and I am coming to this forum for suggestions on how to tackle it. If I set things up in this way, Caddy wouldn’t be able to get the certification authority to verify the ownership of the server as it’s not whitelisted on the firewall.

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

a. System environment:

Caddy is installed on several Windows, macOS and Linux machines. Each installation serves the exact same purpose (GET requests for metrics).

On Windows I have just downloaded the executable from your website and added it as a service.
On macOS, I am using the package provided in Homebrew and use it as a brew service.
On Linux, I installed the package following the installation instructions for Debian machines and run it as a systemd service.

b. Command:

Windows:

sc.exe start caddy

macOS:

brew services start caddy

Linux (Debian):

sudo systemctl start caddy

c. Service/unit/compose file:

Not applicable.

d. My complete Caddy config:

I am not allowed to give you the real domain name. I am sorry about that.

# Redacted hostname; the real domain cannot be shared.
xxx.example.com {
    redir /prom /prom/
    handle_path /prom/* {
        reverse_proxy 10.0.0.23:9182
    }

    redir /4D /4D/
    handle_path /4D/* {
        reverse_proxy 10.0.0.23:8080
    }
}

5. Links to relevant resources:

Hi @dmarinov, I suggest using the DNS-01 challenge (Challenge Types - Let's Encrypt).
Also consider using one of the DNS providers who easily integrate with Let's Encrypt DNS validation (Issuance Tech - Let's Encrypt Community Support).

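The following is an added example of what the DNS-01 suggestion looks like in a Caddyfile; it is not the poster's config or a file from the Caddy project. It keeps the two proxied paths from the question and assumes three things that are not in the thread: the DNS zone is hosted at Cloudflare, the Caddy binary was built with the Cloudflare DNS module (for example `xcaddy build --with github.com/caddy-dns/cloudflare`), and the service's environment carries the API token in `CLOUDFLARE_API_TOKEN`. The allowed range `203.0.113.0/24` is a placeholder for the real whitelist.

```caddyfile
# Added example, not the original poster's config.
# Assumptions: Caddy built with github.com/caddy-dns/cloudflare,
# CLOUDFLARE_API_TOKEN set in the service environment, and
# 203.0.113.0/24 standing in for the real whitelisted range.
xxx.example.com {
    # DNS-01: Caddy proves control of the name by publishing a TXT record
    # through the provider API, so the CA never needs to reach port 80/443
    # on this host. Only outbound HTTPS (ACME directory + DNS API) is required.
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Second layer behind the network firewall: refuse requests that did not
    # come from the whitelisted range even if the firewall rule is wrong.
    @allowed remote_ip 203.0.113.0/24

    handle @allowed {
        redir /prom /prom/
        handle_path /prom/* {
            reverse_proxy 10.0.0.23:9182
        }

        redir /4D /4D/
        handle_path /4D/* {
            reverse_proxy 10.0.0.23:8080
        }
    }

    # Catch-all for everything that did not match @allowed.
    handle {
        respond 403
    }
}
```

The firewall still has to permit outbound connections from Caddy to the ACME server and to the DNS provider's API, otherwise issuance and renewal fail just as they would with HTTP-01. Keep the API token scoped to editing DNS records in that one zone, since whoever holds it can obtain certificates for any name under it.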

This wiki post should come in handy for you


Also be aware that Let’s Encrypt offers Domain Validation (DV) certificates. You cannot get a certificate issued from them for an IP address.