Using Caddy for Windows NLS service?

1. Caddy version (caddy version):

v2.2.0 h1:sMUFqTbVIRlmA8NkFnNt9l7s0e+0gw+7GPIrhty905A=

2. How I run Caddy:

ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile

a. System environment:

Ubuntu 20.04 LTS vanilla baseline install in HyperV VM, only runs Caddy.

b. Command:

echo "deb [trusted=yes] /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list
sudo apt update
sudo apt install caddy

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

# The Caddyfile is an easy way to configure your Caddy web server.
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.

# Set this path to your site's directory.
root * /usr/share/caddy

# Enable the static file server.

# Another common task is to set up a reverse proxy:
# reverse_proxy localhost:8080

# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000

# Refer to the Caddy docs for more information:

3. The problem I’m having:

I have a new Caddy server described above on my intranet. I also have an existing (working) Windows DirectAccess VPN solution for my users. Part of that solution requires a "Network Location Service" to be configured, which is basically a secure website that is ONLY accessible from the intranet and NOT resolvable from the internet.

Is it possible to create a website on the Caddy server that responds to NLS requests, is automatically secured by Let's Encrypt certificates as Caddy so reliably does, yet is unresolvable from the internet? I can change the internal DNS A record to point to the Caddy server once I have it configured properly.

4. Error messages and/or full log output:

5. What I already tried:

I currently have a few different reverse proxy type sites up and running on a separate Caddy server, but I know that for Caddy to acquire and maintain a Let's Encrypt cert, a DNS entry needs to be externally resolvable, which is specifically what I don't want the DirectAccess clients to be able to do.

6. Links to relevant resources:
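An added example, not part of the original post and not Caddy's default Caddyfile, showing the configuration the question is asking about: a site block that obtains its Let's Encrypt certificate through the ACME DNS-01 challenge instead of the HTTP or TLS-ALPN challenges, so the hostname only needs an A record in the internal DNS. Assumptions: `nls.example.com` is a placeholder whose parent zone is hosted at a DNS provider that has a caddy-dns module (Cloudflare is used purely as an illustration), the Caddy binary was built with that module (for example with xcaddy), and the provider API token is passed in through the `CLOUDFLARE_API_TOKEN` environment variable.

```caddyfile
# Added example, not the poster's Caddyfile. The hostname, the DNS
# provider and the token variable name are placeholders.
nls.example.com {
    # DNS-01: Caddy proves control of the name by publishing a TXT record
    # at _acme-challenge.nls.example.com through the provider's API.
    # No public A/AAAA record for nls.example.com is required, so the
    # name itself stays unresolvable from outside the intranet.
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # A DirectAccess client only needs a successful HTTPS response from
    # the NLS URL to decide that it is on the corporate network.
    respond "Network Location Server" 200
}
```

With a split-horizon setup the internal zone carries the A record pointing at the Caddy host, while the public zone carries only the short-lived `_acme-challenge` TXT record that Caddy creates during issuance and renewal. You can confirm the split by resolving the hostname against a public resolver (it should return nothing) and against the internal resolver (it should return the Caddy host). If the zone cannot be exposed publicly at all, `tls internal` makes Caddy issue the certificate from its own local CA instead, but the DirectAccess clients then have to trust that CA.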