1. The problem I’m having:
I currently have Caddy set up with my domains and use the Cloudflare DNS proxy (my domains are through Cloudflare, so it seemed to make sense at the time). I’ve had issues with things like Authelia for SSO not always working as expected (it seems to lose something in the redirect back and then fails), the Home Assistant web page not always loading all of its resources (this gets fixed after a few page reloads), immich not always loading correctly plus file upload limits, etc. It seems like things may be getting filtered out or removed by Cloudflare.
I’d like to still use Cloudflare DNS proxy for “mysite2.com”.
But for most of my self-hosted things behind mysite.org, I’d like to move off the authenticated origin pull and the Cloudflare DNS proxy, and use a Let's Encrypt certificate setup instead.
Is this possible in a single Caddy instance and what is the best way to secure things on the mysite.org side now that it would no longer have some of the “Cloudflare protections” in place? Things like fail2ban or geoblocking (I believe my geoblocking addon is working as expected) would be nice to have.
2. Error messages and/or full log output:
3. Caddy version:
v2.10.2
4. How I installed and ran Caddy:
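# Build stage: compile Caddy with the plugins used by the Caddyfile.
# Builder and runtime images are pinned to the same Caddy release (2.10.2).
#
# Module map (as used on this page):
#   caddy-dns/cloudflare        -> acme_dns / tls dns cloudflare (DNS challenge)
#   caddy-maxmind-geolocation   -> maxmind_geolocation matcher (country allow-list)
#   caddy-cloudflare-ip         -> trusted_proxies cloudflare
#   caddy-ext/ratelimit         -> rate limiting; compiled in but not yet used
#                                  in the Caddyfile (a candidate for the
#                                  non-proxied mysite.org side)
#   caddy-combine-ip-ranges     -> not referenced by the current Caddyfile
#   transform-encoder           -> log "format transform"
#
# Each continuation line ends in " \" (space before the backslash): without
# the space, a continuation line with no leading indentation would be glued
# onto the previous token ("cloudflare--with") and the build would fail.
FROM caddy:2.10.2-builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/porech/caddy-maxmind-geolocation \
    --with github.com/RussellLuo/caddy-ext/ratelimit \
    --with github.com/WeidiDeng/caddy-cloudflare-ip \
    --with github.com/fvbommel/caddy-combine-ip-ranges \
    --with github.com/caddyserver/transform-encoder

# Runtime stage: stock image with only the custom binary swapped in.
FROM caddy:2.10.2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy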
a. System environment:
Docker Compose Caddy on Linux Mint 22.2
b. Command:
c. Service/unit/compose file:
services:
  caddy:
    container_name: caddy
    hostname: caddy
    # Image comes from the xcaddy Dockerfile shown above; the build
    # context directory must contain it.
    build: /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/dockerfile-caddy
    restart: unless-stopped
    # Secrets (Cloudflare API token, network name, ...) are expected to live
    # here rather than in the compose file; keep .env out of version control.
    env_file: .env
    ports:
      # 80/tcp and 443/tcp for HTTP and HTTPS, 443/udp for HTTP/3.
      # Quoted so YAML never reads "80:80" as a sexagesimal number.
      - '80:80'
      - '443:443'
      - '443:443/udp'
    volumes:
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/Caddyfile:/etc/caddy/Caddyfile
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/caddyconfig:/config
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/caddydata:/data
      # Cloudflare Authenticated Origin Pull CA, mounted read-only.
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/origin-pull-ca.pem:/etc/ssl/certs/origin-pull-ca.pem:ro
      # GeoLite2 database for the maxmind_geolocation matcher, read-only.
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/GeoLite2-Country.mmdb:/usr/share/GeoIP/GeoLite2-Country.mmdb:ro
      # NOTE(review): the Caddyfile on this page writes its access logs to
      # /var/log/mysite.org/access.log and /var/log/mysite2.com/access.log,
      # neither of which is under /var/log/mydomain.org. Unless the names only
      # differ by redaction, those logs never reach the host AccessLogs
      # directory and are lost when the container is recreated.
      - /mnt/dcf652b9-5e69-42fb-924b-37a038d3f30c/Caddy/AccessLogs:/var/log/mydomain.org

networks:
  # Pre-existing Docker network shared with the proxied app containers
  # (immich-server, authelia-app, ...); name is taken from .env.
  default:
    name: $DOCKER_MY_NETWORK
    external: true
d. My complete Caddy config:
{
	# Debug-level logging for every logger. Useful while reworking the
	# Cloudflare setup, but noisy; drop it once things are stable.
	debug

	# Default ACME DNS-challenge provider for all sites (Cloudflare API
	# token, redacted here). The DNS challenge keeps working whether or not
	# a zone sits behind the Cloudflare proxy. Consider reading the token
	# from the environment, e.g. {env.CF_API_TOKEN} (variable name is
	# illustrative), so the secret stays in .env instead of this file.
	acme_dns cloudflare xxxxxxxx

	servers {
		# X-Forwarded-For and friends are honoured only when the TCP peer is
		# in Cloudflare's published IP ranges (list refreshed every 12h,
		# 20s fetch timeout). A zone served directly, without the proxy,
		# is unaffected: the client's own address is what Caddy and the
		# geolocation matcher see.
		trusted_proxies cloudflare {
			interval 12h
			timeout 20s
		}
	}
}
# Shared response hardening, imported into every proxied host.
(headers) {
	encode gzip

	# All fields are set (replaced) on the response in one header handler;
	# identical result to one "header" line per field.
	header {
		# Ask browsers to upgrade http:// subresources to https://.
		Content-Security-Policy "upgrade-insecure-requests"
		Referrer-Policy "same-origin"
		# One year HSTS, covering every subdomain served under the wildcard.
		Strict-Transport-Security "max-age=31536000; includeSubDomains"
		# Legacy header; current browsers ignore it but it is harmless.
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		# Keep the self-hosted apps out of search engines.
		X-Robots-Tag "noindex, nofollow, nosnippet, noarchive"
	}
}
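# Self-hosted services under the mysite.org wildcard.
# The ratelimit module is compiled into the image (see Dockerfile) but not
# used anywhere in this block; it is the natural place to add request
# limiting once this zone no longer sits behind the Cloudflare proxy.
*.mysite.org {
	# Common Log Format via transform-encoder.
	# NOTE(review): the compose file mounts the host AccessLogs directory at
	# /var/log/mydomain.org, not /var/log/mysite.org, so unless the names
	# only differ by redaction this file stays inside the container.
	log {
		format transform "{common_log}"
		output file /var/log/mysite.org/access.log
	}

	tls {
		# Wildcard certificate through the ACME DNS challenge against the
		# Cloudflare API; independent of whether the zone's proxy is on.
		# Prefer {env.CF_API_TOKEN} (name illustrative) over an inline token.
		dns cloudflare xxxxxxxx

		# Cloudflare Authenticated Origin Pull: the handshake completes only
		# for clients presenting a certificate issued by origin-pull-ca.pem.
		# If this zone is moved off the Cloudflare proxy, this block must be
		# removed at the same time -- direct visitors cannot present that
		# certificate and require_and_verify rejects every such connection.
		client_auth {
			mode require_and_verify
			trust_pool file {
				pem_file /etc/ssl/certs/origin-pull-ca.pem
			}
		}
	}

	# Country allow-list: only requests geolocated to the US match.
	# A request that fails this matcher is not proxied by the handlers
	# below, but nothing rejects it explicitly either, so it appears to end
	# in an empty 200 response rather than a 403 or an aborted connection.
	@mygeofilter {
		maxmind_geolocation {
			db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
			allow_countries US
		}
	}

	@immich host immich.mysite.org
	handle @immich {
		import headers
		reverse_proxy @mygeofilter immich-server:2283
	}

	@homeassistant host homeassistant.mysite.org
	handle @homeassistant {
		# Fixed: this previously imported a non-existent "headers5" snippet,
		# so Home Assistant received none of the shared security headers.
		import headers
		reverse_proxy @mygeofilter 192.168.50.164:8123
	}

	@joplin host joplin.mysite.org
	handle @joplin {
		import headers
		reverse_proxy @mygeofilter joplin-app:22300
	}

	@auth host auth.mysite.org
	handle @auth {
		import headers
		reverse_proxy @mygeofilter authelia-app:9091 {
			# Strip the upstream's CORS allow-origin header from responses.
			header_down -Access-Control-Allow-Origin
		}
	}

	@hoarder host hoard.mysite.org
	handle @hoarder {
		import headers
		reverse_proxy @mygeofilter hoarder-app:3000
	}

	@ghost1 host ghost.mysite.org
	handle @ghost1 {
		import headers
		reverse_proxy @mygeofilter site1ghost-app:2368
	}

	# Any other *.mysite.org hostname: close the connection without a
	# response, so unknown subdomains reveal nothing.
	handle {
		abort
	}
}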
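# Public site, kept behind the Cloudflare proxy.
# The site address now lists the apex as well: a wildcard address
# "*.mysite2.com" matches only one-label subdomains, never bare
# "mysite2.com", so the @ghost2 host matcher below could not match inside
# the original wildcard-only block (unless the real hostname differs from
# the redacted one). With the DNS challenge Caddy obtains the apex
# certificate alongside the wildcard one.
mysite2.com, *.mysite2.com {
	# NOTE(review): as with mysite.org, the compose file does not mount
	# /var/log/mysite2.com, so this log stays inside the container.
	log {
		format transform "{common_log}"
		output file /var/log/mysite2.com/access.log
	}

	tls {
		dns cloudflare xxxxxxxx
		# This zone stays proxied, so Authenticated Origin Pull remains
		# appropriate: only Cloudflare's edge can complete the handshake.
		client_auth {
			mode require_and_verify
			trust_pool file {
				pem_file /etc/ssl/certs/origin-pull-ca.pem
			}
		}
	}

	# Country allow-list; non-matching requests are not proxied below.
	@mygeofilter {
		maxmind_geolocation {
			db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
			allow_countries US
		}
	}

	@ghost2 host mysite2.com
	handle @ghost2 {
		import headers
		reverse_proxy @mygeofilter site2ghost-app:2368
	}

	# Consistent with the mysite.org block: any other hostname is dropped
	# without a response instead of falling through to an empty reply.
	handle {
		abort
	}
}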