Reverse Proxy, using UFW to block traffic

muzicman0 · January 3, 2024, 11:39pm

1. The problem I’m having:

I have a reverse proxy set up and working. Our internal DNS for the URL in question points to the Caddy server. IE: (my URL) points to 10.1.13.5. This is all working. (sorry, it won’t let me put an actual formatted URL, so the ‘my URL’ is an actual URL)

I would like to use UFW on the server side (IE: the web app side, not the PC with Caddy installed) to block certain traffic. No matter what I do, it doesn’t seem to work. I am not super experienced with UFW, but I can typically get by with simple stuff.

For instance, I want to block 10.1.0.0/24 from reaching the application so I tried:

ufw deny from 10.1.0.0/24

But it still allows traffic through. The logs from Caddy show that it is processing the IP address correctly, but perhaps it isn’t sending on the original IP?

Any ideas what I can do to make this work?

2. Error messages and/or full log output:

None

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

added the repositories and used apt to install.

a. System environment:

Ubuntu 22.04 fully updated.

b. Command:

running as a service

francislavoie · January 3, 2024, 11:50pm

When using Caddy as an HTTP proxy, all TCP traffic will appear to be coming from your Caddy server’s IP address.

You need to block traffic before it reaches Caddy, not after.

muzicman0 · January 4, 2024, 12:37am

Thanks for the response. That means I won’t be able to do what I want then. Bummer. Thanks again!

Monviech · January 4, 2024, 5:47am

Isnt this a viable option with Caddy?

example.com {
        @access{
                not client_ip 10.1.0.0/24
        }
        handle @access {
                    reverse_proxy 172.16.0.173 {
                }
        }
}

Only IP addresses that are not 10.1.0.0/24 would be processes by the named matcher.

muzicman0 · January 4, 2024, 6:20am

perhaps. Can you do the reverse? I really want to only allow 2 subnets to have access. So could I do something like:

example.com {
        @access{
                client_ip 10.1.0.0/24
        }
        handle @access {
                    reverse_proxy 172.16.0.173 {
                }
        }
}

Which would then only allow 10.1.0.0/24? Of course I would have to add the second subnet, I get that. Assuming that is possible, would that break the auto certificate renewal?

Monviech · January 4, 2024, 6:53am

You can add as many subnets as you want after client_ip, delimited by space.

It doesnt break the certificate renewal, which is awesome.

francislavoie · January 4, 2024, 7:20am

I recommend doing this instead:

example.com {
	@denied not client_ip 10.1.0.0/24
	abort @denied

	reverse_proxy 172.16.0.173
}

Basically this will close any connections not from that IP range, and anything else continues through to the proxy.

muzicman0 · January 4, 2024, 4:26pm

Awesome, that works. Now I have a cert, but can only reach the actual server via my VPN, or a specific subnet. Exactly what I wanted!

system · February 3, 2024, 4:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.