Reverse proxy to localhost on VPS without opening ports

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

sudo caddy start

a. System environment:

Debian 11

b. Command:


c. Service/unit/compose file:


d. My complete Caddy config:


3. The problem I’m having:

I am trying to reverse proxy from a subdomain to an application running on a certain port.

In the past I had my applications running on Docker and everything was fine. But Docker regularly rewrites iptables and I want to have control over my firewall rules, since I am using a VPS, where every exposed port is directly exposed to the internet.

Unfortunately the reverse proxy to localhost is not working with ufw blocking anything incoming except 80 and 443. I always get a ‘connection refused’ error, unless I expose the port I am forwarding to.

How do I best configure Caddy to avoid exposing ports?

4. Error messages and/or full log output:


5. What I already tried:

6. Links to relevant resources:

So Caddy is running as systemd service on your host (Debian 11) and UFW is only allowing :80 and :443.

The connection from your client (e.g. web browser) to Caddy is fine, I’d assume?

Is your reverse_proxy target (upstream) you are trying to proxy to running in Docker or rather directly on that host like Caddy itself?


It used to run in Docker, which was fine. But since Docker rewrites iptables, I cannot be sure that this isn’t because the port is exposed.

Now I am trying to run the target on the same host as Caddy as another systemd service. This throws the connection refused error.

Can you please share the output of

curl --verbose --location localhost:8080

or whatever target port you are using?
