1. The problem I’m having:
I’m often outside of my home network, so I use Caddy and freedns.afraid.org to get a free subdomain to access it. I want to try serving a port that I don’t wish to forward. Let’s say I have tdarr, and I want to check on the status of it transcoding video files. Now I’d solve this problem by using basic_auth, reverse_proxy, and forwarding port 8265. However, that’s insecure, because someone could still just type in the IP and port, and bypass basic_auth. However, I know there’s a way to serve an unforwarded port, because code-server (self-hosted web VS Code) has a port proxy where if you access /proxy/port (i.e. /proxy/1234), you can access the port, even if you’re outside the home network. All I want to do is have Caddy serve an unforwarded port, so that I can minimize security risk.
2. Error messages and/or full log output:
N/A
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
(xcaddy build v2.7.6 --with github.com/caddyserver/replace-response)
4. How I installed and ran Caddy:
I edited a Caddy AUR package and made it build with replace-response instead of naiveproxy.
a. System environment:
Distro: Arch Linux
Kernel: 6.8.7-hardened1-2-hardened
Caddy running bare-metal, no docker
Thinkpad T440
b. Command:
sudo systemctl enable --now caddy
c. Service/unit/compose file:
[Unit]
Description=Caddy webserver
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=14400
StartLimitBurst=100
[Service]
User=caddy
Group=caddy
# environment: store secrets here such as API tokens
EnvironmentFile=-/var/lib/caddy/envfile
# data directory: uses $XDG_DATA_HOME/caddy
# TLS certificates and other assets are stored here
Environment=XDG_DATA_HOME=/var/lib
# config directory: uses $XDG_CONFIG_HOME/caddy
Environment=XDG_CONFIG_HOME=/etc
# do not print --environ here, as it may contain API tokens!!
ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
# Do not allow the process to be restarted in a tight loop.
Restart=on-abnormal
# Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
# Sufficient resource limits
LimitNOFILE=1048576
LimitNPROC=512
# Grants binding to port 443...
AmbientCapabilities=CAP_NET_BIND_SERVICE
# ...and limits potentially inherited capabilities to this
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
# Hardening options
LockPersonality=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectControlGroups=true
ProtectHome=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectSystem=strict
ReadWritePaths=/var/lib/caddy
ReadOnlyPaths=/etc/caddy
ReadOnlyPaths=-/var/lib/caddy/envfile
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
N/A
// What I'd like to do is reverse_proxy localhost:port,
// but that doesn't work outside the network.
// I think that when you do localhost:port
// it accesses that same link on the user's network
// instead of the host's network.
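Added example, not from the original post: a Caddyfile for the setup described, where Caddy on the home machine fronts tdarr and the tdarr port itself is never forwarded. The hostname tdarr.example.com, the user name and the bcrypt hash are placeholders; it assumes tdarr listens on 127.0.0.1:8265 and that only 443 (and 80, for the ACME HTTP challenge) is forwarded on the router. The reverse_proxy upstream is an address that the Caddy process dials from its own host, so a loopback upstream is reachable to Caddy while staying unreachable from the Internet. basicauth is the v2.7.6 spelling of the directive (v2.8 renamed it basic_auth).

```caddyfile
# Added example (not from the original post). tdarr.example.com, the user
# name and the hash are placeholders; tdarr is assumed to bind 127.0.0.1:8265.
tdarr.example.com {
	# Credentials are checked before anything is proxied. Generate the hash
	# on the host with: caddy hash-password --plaintext '<password>'
	basicauth {
		me $2a$14$PLACEHOLDER_BCRYPT_HASH
	}

	# Caddy dials this address itself, on the machine it runs on; nothing
	# on the client side is involved and port 8265 needs no forwarding.
	reverse_proxy 127.0.0.1:8265
}
```

Two checks worth doing on the host: `ss -tlnp | grep 8265` should show the listener on 127.0.0.1 (not 0.0.0.0), and the router should forward only 443 (plus 80 for the challenge). With that in place the only route to tdarr from outside is through Caddy, behind the basicauth check, which is the property the post is after.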