Restricting some subdomains to local only

1. The problem I’m having:

Howdy all! I’m midway through configuring my homeserver to be accessible from the public internet, but I’m having some trouble restricting certain subdomains to my local network. These are services that I would like to have a pretty domain for convenience at home, but don’t have a need to be used while out and about.

I’ve tried francislavoie’s solution at Making one site local-only - #5 by francislavoie in both its full and truncated forms, as well as changing the range to 192.168.0.0/16 and private_ranges. I’ve also tried inverting the pattern as per How to stop remote access - #27 by Whitestrake.

Additionally, I’ve heard some whispers about routers blocking dns rebinding and have adjusted my settings to no avail.

Internal and external requests give a slightly different response, but both return a 200 with an empty body.

2. Error messages and/or full log output:

caddy log:

Nov 03 10:55:18 uuuserver systemd[1]: Started Caddy HTTP/2 web server.
Nov 03 10:55:18 uuuserver caddy[2243579]: caddy.HomeDir=/home/caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: caddy.AppDataDir=/home/caddy/.local/share/caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: caddy.AppConfigDir=/home/caddy/.config/caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: caddy.ConfigAutosavePath=/home/caddy/.config/caddy/autosave.json
Nov 03 10:55:18 uuuserver caddy[2243579]: caddy.Version=v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.GOOS=linux
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.GOARCH=amd64
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.Compiler=gc
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.NumCPU=4
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.GOMAXPROCS=4
Nov 03 10:55:18 uuuserver caddy[2243579]: runtime.Version=go1.21.3
Nov 03 10:55:18 uuuserver caddy[2243579]: os.Getwd=/
Nov 03 10:55:18 uuuserver caddy[2243579]: LANG=en_GB.UTF-8
Nov 03 10:55:18 uuuserver caddy[2243579]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Nov 03 10:55:18 uuuserver caddy[2243579]: HOME=/home/caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: LOGNAME=caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: USER=caddy
Nov 03 10:55:18 uuuserver caddy[2243579]: INVOCATION_ID=7192f89b982b482b8727c596c065f76b
Nov 03 10:55:18 uuuserver caddy[2243579]: JOURNAL_STREAM=8:99106195
Nov 03 10:55:18 uuuserver caddy[2243579]: SYSTEMD_EXEC_PID=2243579
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7358618,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"warn","ts":1698971118.7369602,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7379367,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7380917,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7381094,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7381375,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:3000"}]}],"match":[{"remote_ip":{"ranges":["192.168.0.0/16"]}}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"localhost:8123"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7386458,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00040fe80"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7387123,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7387483,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/home/caddy/.local/share/caddy"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7389572,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7389715,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7390108,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7390168,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7390206,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["storage.uuu.soy","map.uuu.soy"]}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7394052,"logger":"tls","msg":"loading managed certificate","domain":"storage.uuu.soy","expiration":1706704485,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/home/caddy/.local/share/caddy"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7398906,"logger":"tls.cache","msg":"added certificate to cache","subjects":["storage.uuu.soy"],"expiration":1706704485,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e","cache_size":1,"cache_capacity":10000}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7399127,"logger":"events","msg":"event","name":"cached_managed_cert","id":"30ca69dc-2aa0-4e5b-8c47-4e626b53d9f8","origin":"tls","data":{"sans":["storage.uuu.soy"]}}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7403748,"logger":"tls","msg":"loading managed certificate","domain":"map.uuu.soy","expiration":1706572646,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/home/caddy/.local/share/caddy"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7405345,"logger":"tls.cache","msg":"added certificate to cache","subjects":["map.uuu.soy"],"expiration":1706572646,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"fe60b2fbdf89b8881da5138817321f1332ae2fe7f3586f6591f9a8124e3880ec","cache_size":2,"cache_capacity":10000}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"debug","ts":1698971118.7405484,"logger":"events","msg":"event","name":"cached_managed_cert","id":"08fe8a46-710f-4460-8c07-4d12fd62f7b6","origin":"tls","data":{"sans":["map.uuu.soy"]}}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.740577,"logger":"tls","msg":"finished cleaning storage units"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7407408,"msg":"autosaved config (load with --resume flag)","file":"/home/caddy/.config/caddy/autosave.json"}
Nov 03 10:55:18 uuuserver caddy[2243579]: {"level":"info","ts":1698971118.7407484,"msg":"serving initial configuration"}
Nov 03 10:55:29 uuuserver caddy[2243579]: {"level":"debug","ts":1698971129.9205933,"logger":"events","msg":"event","name":"tls_get_certificate","id":"85a8b85f-39a9-4277-8679-447d6abecc99","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,49196,49195,49200,49199,49188,49187,49192,49191,49162,49161,49172,49171,157,156,61,60,53,47],"ServerName":"storage.uuu.soy","SupportedCurves":[29,23,24],"SupportedPoints":null,"SignatureSchemes":[2052,2053,2054,1025,1281,513,1027,1283,515,514,1537,1539],"SupportedProtos":["http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Nov 03 10:55:29 uuuserver caddy[2243579]: {"level":"debug","ts":1698971129.920741,"logger":"tls.handshake","msg":"choosing certificate","identifier":"storage.uuu.soy","num_choices":1}
Nov 03 10:55:29 uuuserver caddy[2243579]: {"level":"debug","ts":1698971129.9207575,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"storage.uuu.soy","subjects":["storage.uuu.soy"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:55:29 uuuserver caddy[2243579]: {"level":"debug","ts":1698971129.9207654,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"144.6.18.144","remote_port":"57920","subjects":["storage.uuu.soy"],"managed":true,"expiration":1706704485,"hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:55:53 uuuserver caddy[2243579]: {"level":"debug","ts":1698971153.0442126,"logger":"events","msg":"event","name":"tls_get_certificate","id":"3f01536c-fd25-442b-8cec-76aa34996af8","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,4868,49196,49200,52393,52392,49325,49195,49199,49324,49187,49191,49162,49172,49161,49171,157,49309,156,49308,61,60,53,47,159,52394,49311,158,49310,107,103,57,51,255],"ServerName":"storage.uuu.soy","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
Nov 03 10:55:53 uuuserver caddy[2243579]: {"level":"debug","ts":1698971153.0450034,"logger":"tls.handshake","msg":"choosing certificate","identifier":"storage.uuu.soy","num_choices":1}
Nov 03 10:55:53 uuuserver caddy[2243579]: {"level":"debug","ts":1698971153.0450466,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"storage.uuu.soy","subjects":["storage.uuu.soy"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:55:53 uuuserver caddy[2243579]: {"level":"debug","ts":1698971153.0450652,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"144.6.18.144","remote_port":"60876","subjects":["storage.uuu.soy"],"managed":true,"expiration":1706704485,"hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:56:14 uuuserver caddy[2243579]: {"level":"debug","ts":1698971174.8924992,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a311cce1-87f4-4dba-92e0-fa2fed501625","origin":"tls","data":{"client_hello":{"CipherSuites":[49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1537,1538,1539,1281,1282,1283,1025,1026,1027,769,770,771,513,514,515],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
Nov 03 10:56:14 uuuserver caddy[2243579]: {"level":"debug","ts":1698971174.892591,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"192.168.0.102"}
Nov 03 10:56:14 uuuserver caddy[2243579]: {"level":"debug","ts":1698971174.892609,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"172.56.104.251","remote_port":"41945","server_name":"","remote":"172.56.104.251:41945","identifier":"192.168.0.102","cipher_suites":[49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0002,"load_or_obtain_if_necessary":true,"on_demand":false}
Nov 03 10:56:14 uuuserver caddy[2243579]: {"level":"debug","ts":1698971174.8927038,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.56.104.251:41945: no certificate available for '192.168.0.102'"}
Nov 03 10:56:24 uuuserver caddy[2243579]: {"level":"debug","ts":1698971184.8055198,"logger":"events","msg":"event","name":"tls_get_certificate","id":"a32e1315-bfaa-49f8-85aa-1731646a3ae1","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"storage.uuu.soy","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Nov 03 10:56:24 uuuserver caddy[2243579]: {"level":"debug","ts":1698971184.805639,"logger":"tls.handshake","msg":"choosing certificate","identifier":"storage.uuu.soy","num_choices":1}
Nov 03 10:56:24 uuuserver caddy[2243579]: {"level":"debug","ts":1698971184.8056664,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"storage.uuu.soy","subjects":["storage.uuu.soy"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:56:24 uuuserver caddy[2243579]: {"level":"debug","ts":1698971184.8056824,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"66.220.149.5","remote_port":"65184","subjects":["storage.uuu.soy"],"managed":true,"expiration":1706704485,"hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1067061,"logger":"events","msg":"event","name":"tls_get_certificate","id":"600a6790-a434-42f8-8313-aab5c0b63a3c","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"144.6.18.144","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1067684,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"144.6.18.144"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1067772,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.6.18.144"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1067824,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.18.144"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1067882,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.144"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.106793,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1068017,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"66.220.149.17","remote_port":"64500","server_name":"144.6.18.144","remote":"66.220.149.17:64500","identifier":"144.6.18.144","cipher_suites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"cert_cache_fill":0.0002,"load_or_obtain_if_necessary":true,"on_demand":false}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.1068425,"logger":"http.stdlib","msg":"http: TLS handshake error from 66.220.149.17:64500: no certificate available for '144.6.18.144'"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.2158394,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f88942b5-aa2d-400e-be80-c6f4e2821164","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"storage.uuu.soy","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.2159243,"logger":"tls.handshake","msg":"choosing certificate","identifier":"storage.uuu.soy","num_choices":1}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.215945,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"storage.uuu.soy","subjects":["storage.uuu.soy"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}
Nov 03 10:56:27 uuuserver caddy[2243579]: {"level":"debug","ts":1698971187.2159562,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"66.220.149.118","remote_port":"54416","subjects":["storage.uuu.soy"],"managed":true,"expiration":1706704485,"hash":"f97381a5cd5355e6dc87db43b26543e834f193f866ab5dbcf73ccc735a049e3e"}

internal curl

> curl -vL storage.uuu.soy
*   Trying 144.6.18.144:80...
* Connected to storage.uuu.soy (144.6.18.144) port 80 (#0)
> GET / HTTP/1.1
> Host: storage.uuu.soy
> User-Agent: curl/8.0.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://storage.uuu.soy/
< Server: Caddy
< Date: Fri, 03 Nov 2023 00:25:29 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://storage.uuu.soy/'
*   Trying 144.6.18.144:443...
* Connected to storage.uuu.soy (144.6.18.144) port 443 (#1)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.1
> GET / HTTP/1.1
> Host: storage.uuu.soy
> User-Agent: curl/8.0.1
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 200 OK
< Alt-Svc: h3=":443"; ma=2592000
< Server: Caddy
< Date: Fri, 03 Nov 2023 00:25:29 GMT
< Content-Length: 0
<
* Connection #1 to host storage.uuu.soy left intact

external curl

> curl -vL storage.uuu.soy

*   Trying 144.6.18.144:80...
* Connected to storage.uuu.soy (144.6.18.144) port 80 (#0)
> GET / HTTP/1.1
> Host: storage.uuu.soy
> User-Agent: curl/7.82.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://storage.uuu.soy/
< Server: Caddy
< Date: Fri, 03 Nov 2023 00:25:52 GMT
< Content-Length: 0
< 
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://storage.uuu.soy/'
*   Trying 144.6.18.144:443...
* Connected to storage.uuu.soy (144.6.18.144) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=storage.uuu.soy
*  start date: Nov  2 12:34:45 2023 GMT
*  expire date: Jan 31 12:34:44 2024 GMT
*  subjectAltName: host "storage.uuu.soy" matched cert's "storage.uuu.soy"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: storage.uuu.soy]
* h2h3 [user-agent: curl/7.82.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55de18c72450)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: storage.uuu.soy
> user-agent: curl/7.82.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Fri, 03 Nov 2023 00:25:53 GMT
< 
* Connection #1 to host storage.uuu.soy left intact


3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

Installed using the standard Ubuntu method - Install — Caddy Documentation

a. System environment:

Ubuntu Server 22.04.3

b. Command:

systemd, see below

c. Service/unit/compose file:

[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target

[Service]
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
User=caddy
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

map.uuu.soy {
  reverse_proxy localhost:8123
}

storage.uuu.soy {
  @local remote_ip 192.168.0.0/16
  reverse_proxy @local localhost:3000
}

Empty 200 status responses are normal, that’s Caddy’s default behaviour when you don’t tell it to do anything else.

You probably want something like this instead, though:

storage.uuu.soy {
	@remote not remote_ip private_ranges
	abort @remote

	reverse_proxy localhost:3000
}

This will abort any connections not coming from private IP ranges (forcefully closing the connection).

You could also instead use error or respond if you want “friendlier” behaviour (i.e. respond with a basic HTTP error code). But an abort is the “fastest” way to reject traffic, since responding with HTTP does mean you send out some traffic back to the client.

Cheers francis, this is definitely a lot cleaner. I’m still having the issue where all connections aren’t passing the handler, regardless of whether they’re in or out of the network. Skimming the curl responses, it seems like the queries are going out to the public internet before going back in to my homeserver, which makes sense, and also explains why every query is being considered external.

Does Caddy have the capacity to grab these queries before they leave the local network, or would I have to use some flavour of custom (local) DNS?

If you only want that domain to be accessible locally (and still get a publicly trusted certificate), then yes you’ll probably need to run a DNS server in your LAN to make that domain resolve to your LAN IP instead of your WAN IP. Or you could override the IP address in /etc/hosts on the relevant machines.
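To make both points in the thread concrete (the `remote_ip private_ranges` matcher in the suggested config, and why a LAN client that resolves the public IP still looks external), here is an added Python example that is not part of the thread and not Caddy's own code. It reimplements the matcher's logic with the standard `ipaddress` module and runs it over a few constructed log lines modelled on the `tls.handshake` entries above. Assumptions: the list of networks is what the Caddy documentation gives for `private_ranges` at the time of writing, and `144.6.18.144` is treated as the server's WAN address, as the curl output shows.

```python
"""Evaluate Caddy's `remote_ip private_ranges` matcher against request log
entries and flag hairpinned LAN requests (client inside the LAN, but the
connection arrives from the router's WAN address)."""
import ipaddress
import json

# Networks that Caddy's `private_ranges` shorthand expands to (assumption:
# taken from the Caddy docs; adjust if your version differs).
PRIVATE_RANGES = [
    ipaddress.ip_network(r, strict=False)
    for r in ("192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8",
              "127.0.0.1/8", "fd00::/8", "::1/128")
]


def is_private(ip: str) -> bool:
    """Same decision as the `remote_ip private_ranges` matcher."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def classify(remote_ip: str, server_public_ip: str) -> str:
    """local: matcher passes; hairpin: a LAN client that reached the server
    via its own WAN address (matcher fails); external: anything else."""
    if is_private(remote_ip):
        return "local"
    if remote_ip == server_public_ip:
        return "hairpin"
    return "external"


def decision(remote_ip: str) -> str:
    """What the `@remote not remote_ip private_ranges` + `abort @remote`
    config does with a connection from this address."""
    return "reverse_proxy" if is_private(remote_ip) else "abort"


# Constructed sample log lines (not the thread's real log), shaped like
# Caddy's JSON "matched certificate in cache" entries.
SAMPLE_LOG = """\
{"level":"debug","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"144.6.18.144","remote_port":"57920","subjects":["storage.uuu.soy"]}
{"level":"debug","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.50","remote_port":"50110","subjects":["storage.uuu.soy"]}
{"level":"debug","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"66.220.149.5","remote_port":"65184","subjects":["storage.uuu.soy"]}
{"level":"info","logger":"http","msg":"enabling automatic TLS certificate management","domains":["storage.uuu.soy"]}
"""


def audit(log_text: str, server_public_ip: str) -> list[tuple[str, str]]:
    """Return (remote_ip, classification) for every JSON log line that
    carries a remote_ip field; non-JSON and IP-less lines are skipped."""
    results = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        ip = entry.get("remote_ip")
        if ip:
            results.append((ip, classify(ip, server_public_ip)))
    return results


if __name__ == "__main__":
    for ip, kind in audit(SAMPLE_LOG, "144.6.18.144"):
        print(f"{ip:>16}  {kind:<9} -> {decision(ip)}")
```

A "hairpin" result is the symptom described in the thread: the connection really came from the LAN, but by the time it has left through the router and come back in, Caddy only sees the WAN address, so the matcher correctly reports it as not private and the `abort` fires. Pointing the name at the LAN address (local DNS or an `/etc/hosts` entry) is what turns those rows into "local"; there is nothing Caddy can do about the source address it is handed.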
