I’ve created a Vaultwarden instance that can be accessed only from my local network, with HTTPS enabled using a Cloudflare DNS challenge. The A record on Cloudflare points to the internal IP address of my server.
It works perfectly. I am currently exposing the Caddy instance on port 8443, so my users have to type the URL vaultwarden.example.com:8443.
Is there anything I can do so that my users can enter just the URL without the port? I’m already using 443 for another instance of Caddy that exposes services to the internet.
You’d have to use one Caddy instance instead of two. You can’t have both listening on the same port if they’re on the same server (unless they have different IPs and can bind to two different interfaces).
Let me ask my question another way… So in the below setup assuming this is the only Caddy instance running, I have memos being served on two different sub-domains. Memos-int points to my internal server address, whereas the Memos-ext points to my external IP address. Port 443 is forwarded to port 60443 on my router. I can access the external site using https://memos-ext.example.com, but for the internal site I need to specify the port: https://memos-int.example.com:60443
Is there any way to avoid using the port in this scenario?
In addition to this, what is the best practice / recommended way of disabling access from external IPs? Would it be using the `remote_ip` matcher?
Thanks for all the input!!
The problem is you’re publishing port 60443 to the host in your Docker Compose config:
You’d need to publish 443 with `- 443:443` instead, which is the default HTTPS port.
Since your router’s port forwarding is not involved when the request is being made inside the LAN, you’d need something on your server in front of Docker doing the port forwarding or something… but why not just publish port 443 instead? Simplifies the setup significantly.
Yep. You can pair it with the `abort` directive to close connections as soon as possible.
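Putting the thread's advice together, here is a Caddyfile for the single-instance setup described above. This is an added example, not a config posted by anyone in the thread: one Caddy instance published on `443:443` serves both the external and the internal memos hostnames, and the internal one refuses every client that is not on a private LAN range. The hostnames, the upstream `memos:5230` address, the `CLOUDFLARE_API_TOKEN` environment variable and the e-mail address are placeholders; a Caddy build with the Cloudflare DNS plugin is assumed, since the thread already uses the DNS challenge.

```caddyfile
# Added example: one Caddy instance on the host's port 443.
# In Docker Compose this assumes `ports: ["443:443"]`, not 60443:443.
{
	email admin@example.com
}

# Public site: reachable through the router's 443 forward.
memos-ext.example.com {
	reverse_proxy memos:5230
}

# LAN-only site: DNS-only A record pointing at the server's internal IP.
memos-int.example.com {
	# Match anything that is NOT from an RFC 1918 / loopback range.
	# Narrow this to your actual subnet (e.g. 192.168.1.0/24) if you prefer.
	@external not remote_ip private_ranges

	# Close the connection immediately for non-LAN clients; `abort` is
	# evaluated before `reverse_proxy` in Caddy's directive order.
	abort @external

	# Certificate via the Cloudflare DNS challenge (no inbound port 80 needed).
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	reverse_proxy memos:5230
}
```

Two caveats worth checking. `remote_ip` looks at the TCP peer address, so the block only works when LAN clients reach Caddy directly (as they do when the A record resolves to the internal IP); if they were instead hairpinned through the router or fronted by a proxy, every request would appear to come from that device's address and the matcher would either block everyone or no one. Also verify the deny path from outside the LAN, not just the allow path from inside: a request from a non-private source to `memos-int.example.com` should be dropped with no HTTP response at all.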