[SOLVED] Limit Caddy2 to 1 IP/Device

1. Caddy version (caddy version): aur/caddy2 2.3.0-2 (Arch Linux)

2. How I run Caddy:

I am running caddy on a personal server hosting within my home. The box has 2 NICs. (192.168.1.5 and 192.168.1.6). When I start caddy, it appears to be linked to both NICs and I need it to be limited to 192.168.1.5 only so that I can attach the IP/NIC to a docker container. Caddy is installed on the host system and NOT in a docker.

a. System environment: Arch Linux

Linux banshee 5.10.7-arch1-1 #1 SMP PREEMPT Wed, 13 Jan 2021 12:02:01 +0000 x86_64 GNU/Linux
systemctl --version
systemd 247 (247.2-1-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +ZSTD +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

b. Command:

I am running caddy from a systemd service (see below)

[Unit]
Description=Caddy
After=network.target network-online.target
Requires=network-online.target

[Service]
User=http
Group=http
Type=exec

ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStop=/usr/bin/caddy stop

TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512

PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config: (I know it says not to redact, but the site is irrelevant as I am dealing with a configuration issue)

As seen below, the Caddyfile config is not using 192.168.1.6, so I think it’s another configuration issue.

www.SITE.net, SITE.net {
	root * /srv/http/SITE.net
	php_fastcgi unix//var/run/php-fpm/php-fpm.sock
	file_server
	encode gzip
	log {
		output file /var/log/SITE.access.log
	}
}

git.SITE.net {
	reverse_proxy 192.168.1.5:3000
}

cloud.SITE.net {
	reverse_proxy 192.168.1.5:10025
}

3. The problem I’m having:

As stated above, I need caddy to limit its hosting to a single IP instead of system-wide.

4. Error messages and/or full log output:

When I run fuser to see which process is using a port:

[roberts@banshee caddy]$ sudo fuser 443/tcp
443/tcp:             13923

I check the process and it’s caddy:

[roberts@banshee caddy]$ sudo ls -l /proc/13923/exe
lrwxrwxrwx 1 http http 0 Jan 18 10:27 /proc/13923/exe -> /usr/bin/caddy

Any help would be appreciated, and thanks!

You can use bind for this:

Thank you. As I found, you must add the bind directive to ALL sites listed in order for it to work properly. (This includes the reverse proxies as well, even though they are already bound to the address I needed.)


It might be clearer to understand if you use caddy adapt --pretty to see the underlying JSON config for your Caddyfile.

Ultimately, the Caddyfile is an adapter to JSON config. The abstractions the Caddyfile makes don’t map 1:1 on the JSON, so certain things like bind which are lower-level things need some extra care to map properly to the underlying JSON.
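The two replies above make one point from two sides: every site block needs its own bind directive, and the adapted JSON is where you can confirm the result. The following Python script is an added example and is not code from the Caddy project or from anyone in this thread. It embeds a constructed copy of the poster's Caddyfile with `bind 192.168.1.5` added to all three site blocks, a helper that flags site blocks still missing bind (so a listener does not silently fall back to all interfaces), and a second helper that reads the `apps.http.servers.*.listen` arrays from `caddy adapt` style JSON and reports any server not pinned to the expected IP. The JSON sample is constructed to match that shape, trimmed to the listen addresses; SITE.net is the placeholder from the original post.

```python
"""Checks for the "bind on every site block" requirement discussed in the thread.

1. find_sites_missing_bind(): scans a Caddyfile and reports top-level site
   blocks that carry no `bind` directive (those listen on every interface).
2. wildcard_listeners(): scans `caddy adapt` JSON output and reports servers
   whose listen addresses are not pinned to the expected IP.
All sample inputs below are constructed for this example.
"""
import json
import re

# Constructed: the poster's Caddyfile with `bind 192.168.1.5` added to every
# site block, including the two reverse-proxy sites.
FIXED_CADDYFILE = """\
www.SITE.net, SITE.net {
\tbind 192.168.1.5
\troot * /srv/http/SITE.net
\tphp_fastcgi unix//var/run/php-fpm/php-fpm.sock
\tfile_server
\tencode gzip
\tlog {
\t\toutput file /var/log/SITE.access.log
\t}
}

git.SITE.net {
\tbind 192.168.1.5
\treverse_proxy 192.168.1.5:3000
}

cloud.SITE.net {
\tbind 192.168.1.5
\treverse_proxy 192.168.1.5:10025
}
"""

# Constructed: the same file with bind left out of the reverse-proxy blocks,
# which is the mistake the poster ran into.
PARTIAL_CADDYFILE = FIXED_CADDYFILE.replace(
    "\tbind 192.168.1.5\n\treverse_proxy", "\treverse_proxy"
)


def find_sites_missing_bind(caddyfile: str) -> list[str]:
    """Return the address labels of top-level site blocks with no `bind` line.

    Handles brace-delimited site blocks of the shape used in the post; a
    label-less global options block `{ ... }` is skipped, and nested blocks
    such as `log { ... }` are tracked so their closing brace is not confused
    with the end of the site block.
    """
    missing = []
    depth = 0
    current = None      # labels of the site block we are inside, if any
    has_bind = False
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if depth == 0 and line.endswith("{"):
            current = line[:-1].strip() or None   # "" means global options block
            has_bind = False
            depth = 1
            continue
        if depth >= 1:
            if line == "}":
                depth -= 1
                if depth == 0 and current is not None and not has_bind:
                    missing.append(current)
                continue
            if line.endswith("{"):
                depth += 1
                continue
            if depth == 1 and re.match(r"bind\s+\S", line):
                has_bind = True
    return missing


# Constructed to match the listen-address shape of `caddy adapt --pretty`
# output (routes omitted): srv0 came from blocks with bind, srv1 from a block
# without it and therefore listens on every interface.
ADAPTED_JSON = json.dumps({
    "apps": {"http": {"servers": {
        "srv0": {"listen": ["192.168.1.5:443"], "routes": []},
        "srv1": {"listen": [":443"], "routes": []},
    }}}
})


def wildcard_listeners(adapted_json: str, expected_ip: str) -> dict[str, list[str]]:
    """Map server name -> listen addresses whose host part is not expected_ip.

    An address with an empty host (":443") or "0.0.0.0" binds every interface,
    which is what the poster wanted to avoid. Only plain host:port entries
    are handled here (no network prefixes or bracketed IPv6 literals).
    """
    servers = json.loads(adapted_json)["apps"]["http"]["servers"]
    bad = {}
    for name, srv in servers.items():
        offending = [a for a in srv.get("listen", [])
                     if a.rsplit(":", 1)[0] != expected_ip]
        if offending:
            bad[name] = offending
    return bad


if __name__ == "__main__":
    print("site blocks missing bind:", find_sites_missing_bind(PARTIAL_CADDYFILE))
    print("servers not pinned to 192.168.1.5:",
          wildcard_listeners(ADAPTED_JSON, "192.168.1.5"))
```

Running the script against the partial Caddyfile reports the two reverse-proxy blocks, and the JSON check reports srv1 with its `:443` listener; on a real host you would pipe `caddy adapt --config /etc/caddy/Caddyfile` into `wildcard_listeners` and only then restart the service, since a missing bind on a single site block is enough to put a listener back on the second NIC.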
