Restricting access to LAN

tknx · May 5, 2025, 11:53pm

1. The problem I’m having:

I’ve given up on ever getting a pure internal certificate for vaultwarden. So I thought I would instead just limit to local IP and using some guides I saw from other people tried to implement, but am getting invalid certificate errors.

2. Error messages and/or full log output:

text  error  warn  system  array  login  

{"level":"info","ts":1746453913.482419,"msg":"got renewal info","names":["books.nagpal.house"],"window_start":1747338266,"window_end":1747493716,"selected_time":1747493675,"recheck_after":1746475513.482411,"explanation_url":""}
{"level":"info","ts":1746453913.4840145,"logger":"tls.cache.maintenance","msg":"updated and stored ACME renewal information","identifiers":["books.nagpal.house"],"cert_hash":"e353aea7dd4c99ec1d27bfbf82cae66f145766318c2db4ce2b4b88483b142d2d","ari_unique_id":"kydGmAOpUWiOmNbEQkjbI79YlNI.BjSXCVF4H5KK42UVZ1YkoUL9","cert_expiry":1750006821,"selected_time":1747431604,"next_update":1746475513.482411,"explanation_url":""}
{"level":"info","ts":1746453913.5155385,"msg":"got renewal info","names":["jellyfin.nagpal.house"],"window_start":1747338171,"window_end":1747493620,"selected_time":1747448370,"recheck_after":1746475513.5155294,"explanation_url":""}
{"level":"info","ts":1746453913.517173,"logger":"tls.cache.maintenance","msg":"updated and stored ACME renewal information","identifiers":["jellyfin.nagpal.house"],"cert_hash":"74b8fecf69c5b68d53080705654fab0648a6e96c56b1de2ba861375e19e44e11","ari_unique_id":"nytfzzwhT50Et-0rLMTGcIvS1w0.BWgyBbtOUl6x-y02wJsNo3fA","cert_expiry":1750006726,"selected_time":1747417928,"next_update":1746475513.5155294,"explanation_url":""}
{"level":"warn","ts":1746458587.613585,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.154.220:53196","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458587.703134,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"172.70.42.191:46262","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458593.8127956,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.154.220:53202","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458593.903482,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"172.70.42.191:46262","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458598.3047442,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.154.221:15016","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458598.3941855,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"172.70.42.191:46262","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458600.056,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.154.220:58038","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458600.145208,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"172.70.42.191:46262","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458602.6349583,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.154.220:58040","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746458602.7230701,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"172.70.42.191:46262","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"info","ts":1746464713.3218706,"logger":"tls","msg":"certificate is in configured renewal window based on expiration date","subjects":["vaultwarden.nagpal.house"],"expiration":1746478514,"ari_cert_id":"","next_ari_update":null,"renew_check_interval":600,"window_start":-6795364578.8713455,"window_end":-6795364578.8713455,"remaining":13800.678129998}
{"level":"info","ts":1746464713.3227983,"logger":"tls.cache.maintenance","msg":"certificate expires soon; queuing for renewal","identifiers":["vaultwarden.nagpal.house"],"remaining":13800.677202278}
{"level":"info","ts":1746464713.3228242,"logger":"tls.cache.maintenance","msg":"attempting certificate renewal","identifiers":["vaultwarden.nagpal.house"],"remaining":13800.677176232}
{"level":"info","ts":1746464713.3237011,"logger":"tls.renew","msg":"acquiring lock","identifier":"vaultwarden.nagpal.house"}
{"level":"info","ts":1746464713.3241088,"logger":"tls.renew","msg":"lock acquired","identifier":"vaultwarden.nagpal.house"}
{"level":"info","ts":1746464713.3248756,"logger":"tls.renew","msg":"renewing certificate","identifier":"vaultwarden.nagpal.house","remaining":13800.675128538}
{"level":"info","ts":1746464713.3281672,"logger":"tls.renew","msg":"certificate renewed successfully","identifier":"vaultwarden.nagpal.house","issuer":"local"}
{"level":"info","ts":1746464713.3282185,"logger":"tls.renew","msg":"releasing lock","identifier":"vaultwarden.nagpal.house"}
{"level":"info","ts":1746464713.3283424,"logger":"tls","msg":"reloading managed certificate","identifiers":["vaultwarden.nagpal.house"]}
{"level":"info","ts":1746464713.3289764,"logger":"tls.cache","msg":"replaced certificate in cache","subjects":["vaultwarden.nagpal.house"],"new_expiration":1746507914}
{"level":"warn","ts":1746467261.2660797,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:56042","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467296.176012,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:53782","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467311.0091991,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:60694","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467318.244284,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.200:29138","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467320.0295873,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:31726","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467321.854594,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:52408","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467322.2354293,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:52414","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467322.6273463,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:52418","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467323.490343,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:52422","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467323.8709059,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.200:61770","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467324.9829607,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:52434","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467339.7509167,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:47712","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467343.2027838,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:42962","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467347.1439764,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:42976","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467350.6291203,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:42988","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467351.019575,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.201:42994","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467358.4816911,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.200:16792","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746467360.9936457,"logger":"http","msg":"looking up info for HTTP challenge","host":"nagpal.house","remote_addr":"172.70.134.200:16796","user_agent":"","error":"no information found to solve challenge for identifier: nagpal.house"}
{"level":"warn","ts":1746472415.2984002,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:17554","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472415.452449,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472426.6837697,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:25514","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472426.8469594,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472430.0430107,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:56682","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472430.203627,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472435.0756986,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.2:57358","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472435.2416518,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472442.5369406,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:29252","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472442.7003381,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472445.1512628,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472458.0048816,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:33752","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472458.1645432,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472468.6521547,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.2:16830","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472468.8121817,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472475.3584785,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.6.3:24866","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"warn","ts":1746472475.5147507,"logger":"tls.issuance.acme","msg":"looking up info for HTTP challenge","host":"jellyfin.nagpal.house","remote_addr":"162.158.49.9:62760","user_agent":"","error":"no information found to solve challenge for identifier: jellyfin.nagpal.house"}
{"level":"info","ts":1746476113.4529533,"msg":"got renewal info","names":["books.nagpal.house"],"window_start":1747338266,"window_end":1747493716,"selected_time":1747348817,"recheck_after":1746497713.4529479,"explanation_url":""}
{"level":"info","ts":1746476113.454615,"logger":"tls.cache.maintenance","msg":"updated and stored ACME renewal information","identifiers":["books.nagpal.house"],"cert_hash":"e353aea7dd4c99ec1d27bfbf82cae66f145766318c2db4ce2b4b88483b142d2d","ari_unique_id":"kydGmAOpUWiOmNbEQkjbI79YlNI.BjSXCVF4H5KK42UVZ1YkoUL9","cert_expiry":1750006821,"selected_time":1747431604,"next_update":1746497713.4529479,"explanation_url":""}
{"level":"info","ts":1746476113.4893723,"msg":"got renewal info","names":["jellyfin.nagpal.house"],"window_start":1747338171,"window_end":1747493620,"selected_time":1747460780,"recheck_after":1746497713.4893672,"explanation_url":""}
{"level":"info","ts":1746476113.4905438,"logger":"tls.cache.maintenance","msg":"updated and stored ACME renewal information","identifiers":["jellyfin.nagpal.house"],"cert_hash":"74b8fecf69c5b68d53080705654fab0648a6e96c56b1de2ba861375e19e44e11","ari_unique_id":"nytfzzwhT50Et-0rLMTGcIvS1w0.BWgyBbtOUl6x-y02wJsNo3fA","cert_expiry":1750006726,"selected_time":1747417928,"next_update":1746497713.4893672,"explanation_url":""}
{"level":"info","ts":1746488713.4540818,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"eedee84b-6575-43c6-92e6-246d6be6abe2","try_again":1746575113.45408,"try_again_in":86399.99999986}
{"level":"info","ts":1746488713.4542356,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1746488987.2631602,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1746488987.2631826,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1746488987.263209,"logger":"http","msg":"servers shutting down with eternal grace period"}
{"level":"info","ts":1746488987.2718012,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1746488987.2718372,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1746488987.8047078,"msg":"maxprocs: Leaving GOMAXPROCS=16: CPU quota undefined"}
{"level":"info","ts":1746488987.804901,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":121404078489,"previous":9223372036854775807}
{"level":"info","ts":1746488987.805166,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1746488987.806303,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1746488987.8063097,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
{"level":"info","ts":1746488987.808726,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1746488987.8089213,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000619300"}
{"level":"info","ts":1746488987.8103135,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1746488987.8103468,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1746488987.8106916,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1746488987.8107727,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"warn","ts":1746488987.810796,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1746488987.8107986,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1746488987.8107998,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1746488987.810802,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["jellyfin.nagpal.house","books.nagpal.house","vaultwarden.nagpal.house"]}
{"level":"info","ts":1746488987.9223247,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1746488987.922453,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1746488987.9224591,"msg":"serving initial configuration"}
{"level":"info","ts":1746488987.9231267,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
{"level":"info","ts":1746488987.932404,"logger":"tls","msg":"finished cleaning storage units"}

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

a. System environment:

Unraid Docker

d. My complete Caddy config:

(protect) {
	@external {
		not remote_ip 10.0.0.0/8
	}
	respond @external 403
}

jellyfin.nagpal.house {
	reverse_proxy 10.0.0.141
	tls {
		dns cloudflare REDACTEDAPIKEY
	}
}

books.nagpal.house {
	reverse_proxy 10.0.0.152
	tls {
		dns cloudflare REDACTEDAPIKEY
	}
}

vaultwarden.nagpal.house {
	tls internal
	import protect
	reverse_proxy 10.0.0.103
}

5. Links to relevant resources:

timelordx · May 6, 2025, 1:36am

You’re using tls internal for vaultwarden.nagpal.house, so Cloudflare can’t validate the certificate, which results in a 526 error.

More info here:

tknx · May 6, 2025, 4:12pm

OK,

So I exchanged the tls internal with the same tls block as the other services.

Now when I try and access I get a 403 access denied error. I checked my devices IP address and it is 10.0.3.220 which should be within the protect rules

timelordx · May 6, 2025, 5:09pm

Since you’re coming in through a Cloudflare tunnel, your IP definitely won’t be 10.0.3.220, and as long as you’re using the tunnel, it never will be. I’d suggest checking your logs to confirm.

Also, take a look at the global option trusted_proxies cloudflare. Just a heads-up: you’ll need the Cloudflare module for that.

Mohammed90 · May 6, 2025, 11:35pm

Once you configure trusted_proxies, switch your matcher to client_ip.