1. Caddy version (`caddy version`):

```
v2.2.0 h1:sMUFqTbVIRlmA8NkFnNt9l7s0e+0gw+7GPIrhty905A=
```
2. How I run Caddy:
caddy.service:

```ini
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```
a. System environment:
Ubuntu 20.04 LTS vanilla baseline install in HyperV VM, only runs Caddy.
b. Command:
```sh
# Add the Caddy apt repository (the stray "\" before the pipe was a line-wrap artifact)
echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list
sudo apt update
sudo apt install caddy
```
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
```
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.

:80

# Set this path to your site's directory.
root * /usr/share/caddy

# Enable the static file server.
file_server

# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080

# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
```
3. The problem I’m having:
I have a new Caddy server, described above, on my intranet. I also have an existing (working) Windows DirectAccess VPN solution for my users. Part of that solution requires a "Network Location Service" to be configured, which is basically a secure website that is ONLY accessible from the intranet and NOT resolvable from the internet.

Is it possible to create a website on the Caddy server that responds to NLS requests and is automatically secured by Let's Encrypt certificates, as Caddy so reliably does, yet is unresolvable from the internet? I can change the internal DNS A record to point to the Caddy server once I have it configured properly.
4. Error messages and/or full log output:
5. What I already tried:
I currently have a few different reverse-proxy-type sites up and running on a separate Caddy server, but I know that for Caddy to acquire and maintain a Let's Encrypt cert, a DNS entry needs to be externally resolvable, which is specifically what I don't want the DirectAccess clients to be able to do.