Reverse Proxy all paths privately, but only some publicly

1. The problem I’m having:

There is a subdomain that I am setting up, similar to something like dashboard.lavado.ca. It is a service that has multiple endpoints, some of which can be used publicly. I’d like to use the reverse proxy function to send incoming requests to the service, just to keep things nice and tidy. I can successfully set up a reverse proxy for the entire service and limit that to private_ranges. I can also independently set up a @not private_ranges with a path matcher to ensure public addresses only access what I want them to. How can I do both in the same block?

2. Error messages and/or full log output:

No real error messages, except that my attempts at combining both blocks are not valid configuration.

N/A

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

(Using 2.9.1 because of "Plugin broken with Caddy 2.1.0 | libdns 1.0 API · Issue #4 · caddy-dns/powerdns · GitHub")

4. How I installed and ran Caddy:

a. System environment:

Debian 12 Bookworm

b. Command:

Since it’s a service:

sudo systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
EnvironmentFile=/etc/default/caddy-conf

[Install]
WantedBy=multi-user.target

The environment file contains (actual domain here is redacted as is key):

PDNS_API_KEY=foobar
PDNS_API_URL=https://foobar.com/dns

d. My complete Caddy config:

This is the config I have that works for allowing the two public-facing endpoints to be accessed from outside addresses.

*.lavado.ca {
        tls {
                dns powerdns {env.POWERDNS_SERVER_URL} {env.POWERDNS_API_TOKEN}
        }
        encode zstd gzip

        @dashboard host dashboard.lavado.ca
        handle @dashboard {
                # Non-private callers may only reach the two public endpoints.
                # A named matcher has to be referenced by the directive that uses it,
                # and path matchers must begin with "/" to ever match a request path.
                @public {
                        not remote_ip private_ranges
                        path /public/* /request/*
                }
                reverse_proxy @public 127.0.0.1:9000
        }
}

Normally I would do something like this for being able to hit all parts locally:

*.lavado.ca {
        tls {
                dns powerdns {env.POWERDNS_SERVER_URL} {env.POWERDNS_API_TOKEN}
        }
        encode zstd gzip

        @dashboard {
                host dashboard.lavado.ca
                remote_ip private_ranges
        }
        handle @dashboard {
                reverse_proxy 127.0.0.1:9000
        }
}

5. Links to relevant resources:

Only the request matchers documentation at this point.

maybe something like this?

*.lavado.ca {
	tls {
		dns powerdns {env.POWERDNS_SERVER_URL} {env.POWERDNS_API_TOKEN}
	}
	encode zstd gzip

	@private_dashboard {
		host dashboard.lavado.ca
		remote_ip private_ranges
	}

	@public_dashboard {
		host dashboard.lavado.ca
		# path matchers must begin with "/"; "public/*" would never match
		path /public/* /request/*
		not {
			remote_ip private_ranges
		}
	}

	handle @private_dashboard {
		reverse_proxy 127.0.0.1:9000
	}
	handle @public_dashboard {
		reverse_proxy 127.0.0.1:9000
	}
	handle {
		respond * 404
	}
}

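The same policy can also be expressed literally "in the same block", as the question asks: keep the single host matcher and nest the two cases inside one `handle`. Caddy evaluates sibling `handle` blocks in order and stops at the first one that matches, so the private check runs first, the public path allow-list second, and an explicit 404 catches everything else instead of letting it fall through. This is an added example, not code from either post; the domain, upstream and paths are the ones above.

```caddyfile
*.lavado.ca {
	tls {
		dns powerdns {env.POWERDNS_SERVER_URL} {env.POWERDNS_API_TOKEN}
	}
	encode zstd gzip

	@dashboard host dashboard.lavado.ca
	handle @dashboard {
		# Case 1: any request from a private address reaches the whole service.
		@internal remote_ip private_ranges
		handle @internal {
			reverse_proxy 127.0.0.1:9000
		}

		# Case 2: everyone else only reaches the two public endpoints.
		# Path matchers must begin with "/"; "public/*" would never match.
		@public path /public/* /request/*
		handle @public {
			reverse_proxy 127.0.0.1:9000
		}

		# Case 3: public address on a non-public path. Refuse explicitly
		# rather than letting the request fall through to another handler.
		handle {
			respond 404
		}
	}
}
```

One check worth doing before trusting this: `remote_ip` compares the address of the TCP peer, not anything in the request. If Caddy sits behind another proxy or load balancer, every request arrives from that proxy's address (often a private one) and would pass the `private_ranges` test. In that deployment, declare the upstream proxy in the `servers` global option (`trusted_proxies static <its address>`) and match on `client_ip` instead of `remote_ip` (both available since Caddy 2.7), so the real client address from the forwarded headers is what gets compared. Answering the refused paths with 404 rather than 403 also avoids confirming to an outside caller which private endpoints exist.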
