1. The problem I’m having:
I would like to use Caddy for external and internal access.
From outside my network, all DNS names point to a single IP (Caddy) that receives requests and reverse proxies them to internal services.
From inside my network, each service is a container with its own IP address and respective DNS name.
When accessing from outside my network, I will use the URL adguard.home.arpa and Caddy will automatically use HTTPS and reverse proxy to port 3000.
But when accessing from inside my network, if I use the URL adguard.home.arpa the browser will go directly to the container IP, without using HTTPS and the certificate provided by Caddy, besides the fact that I must then add port 3000 to the URL.
Can I use another DNS name to use Caddy internally? For example, using the URL caddy.home.arpa/adguard to reach the internal AdGuard through Caddy instead of adguard.home.arpa:3000 (directly).
If yes, what should the respective Caddyfile block look like?
2. Error messages and/or full log output:
No errors, just blank pages or 403 errors on some tryouts.
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
a. System environment:
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.2.16-5-pve
b. Command:
apt clean && apt update && apt -y upgrade && apt -y install caddy
wget -q -O caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
cp caddy /usr/bin/caddy
c. Service/unit/compose file:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
{
	debug
	acme_ca https://acme-v02.api.letsencrypt.org/directory
	#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(cloudflare) {
	tls username@domain {
		dns cloudflare <secret>
	}
}

(vips_only) {
	@fuck_off_world {
		not remote_ip 10.111.111.0/24 201.100.100.100/32 201.101.101.101/32 186.102.102.102/32
	}
	respond @fuck_off_world 403
}

pve.home.arpa {
	import cloudflare
	import vips_only
	reverse_proxy https://pve.home.arpa:8006 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

adguard.home.arpa {
	import cloudflare
	import vips_only
	reverse_proxy http://adguard.home.arpa:3000
}

graylog.home.arpa {
	import cloudflare
	import vips_only
	reverse_proxy http://graylog.home.arpa:9000
}

caddy.home.arpa {
	import cloudflare
	import vips_only
	#handle /adguard/* {
	#	# The path still retains "/adguard"
	#	reverse_proxy http://adguard.home.arpa:3000
	#}
	#handle_path /adguard/* {
	#	# The path has the "/adguard" prefix stripped
	#	reverse_proxy http://adguard.home.arpa:3000
	#}
}
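An added example (not from the original post) of the caddy.home.arpa site block, built on the handle_path variant already tried above: the hostnames and port come from the config in the post, while the redirect and the 404 fallback are assumptions. Whether it works end to end depends on the backend tolerating a path prefix: if its web UI emits absolute links such as /assets/..., the browser requests them at caddy.home.arpa/assets/..., outside the handle_path match, which produces exactly the blank pages described above; a dedicated hostname per service avoids that class of problem.

```caddyfile
caddy.home.arpa {
	import cloudflare
	import vips_only

	# Without the trailing slash, relative links in the UI would resolve
	# against caddy.home.arpa/ instead of caddy.home.arpa/adguard/
	redir /adguard /adguard/ 301

	# "/adguard" is stripped before the request reaches the backend,
	# so AdGuard sees "/" (assumption: the backend tolerates this prefix)
	handle_path /adguard/* {
		reverse_proxy http://adguard.home.arpa:3000
	}

	# Anything else on this host is refused explicitly rather than
	# answered with a silent blank page
	handle {
		respond "Not found" 404
	}
}
```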