Caddy V2 IP whitelist - linux

I am trying to implement IP whitelist on my Caddy v2 configuration. Something equivalent to NGINX configuration like:
allow 1.1.1.1;
allow 8.8.8.8;
deny all;
My current Caddy configuration is pretty straightforward:
my.website.com {
    reverse_proxy http://127.0.0.1:3000 {
    }
}
Thanks

You can try something like this in caddy v2:
my.domain.com {
    @teammember {
        remote_ip forwarded 183.77.5.126 113.73.5.126
    }
    handle @teammember {
        reverse_proxy /* localhost:8081
    }
    respond "<h1>You are attempting to access protected resources!</h1>" 403
}

I'm not saying qed's answer is wrong; however, I couldn't get it to work in my case (possibly due to using import templates inside a handle?)...
My solution was... Old config:
private.example.com {
    import my_template argument_1 /path/to/example/argument2
}
This changed to:
private.example.com {
    @blocked not remote_ip 1.2.3.4
    respond @blocked "<h1>Access Denied</h1>" 403
    import my_template argument_1 /path/to/example/argument2
}
Simply adding those two lines allows my site to be accessed on that IP. A test curl from a different IP returned the 403 error.
This is done on Caddy 2.4.6
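As an added example (not code from either answer above, and not Caddy's own code), the following Python models the decision a remote-IP allowlist makes and covers the caveat that matters for the forwarded option in qed's answer: with forwarded, Caddy 2.4 takes the client address from the X-Forwarded-For header, which any client can set, so it is only safe when a proxy you control sits in front and writes that header. The model uses the TCP peer address unless the peer is in a trusted-proxy set, and only then reads X-Forwarded-For, right to left, skipping trusted hops (the general rightmost-untrusted rule, not a description of how Caddy's forwarded option parses the header). The allowlist reuses the two IPs from the question; the trusted range, the sample requests and all other addresses are constructed.

```python
"""Model of a remote-IP allowlist decision for a reverse proxy (added example, not Caddy's code)."""
import ipaddress


def parse_networks(entries):
    """'1.1.1.1' becomes 1.1.1.1/32, '10.0.0.0/8' stays a range; strict=False tolerates host bits."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def in_any(addr, networks):
    """True when addr falls inside any of the networks (mismatched IP versions never match)."""
    return any(addr in net for net in networks)


def effective_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Decide which address the allowlist is checked against.

    The TCP peer is authoritative unless it is itself one of our trusted proxies.
    Only then is X-Forwarded-For consulted, read right to left while skipping trusted
    hops, so the result is the last address a proxy we control actually observed.
    Anything further left may have been written by the client. Returns None when
    the header is malformed, which the caller treats as a denial.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not forwarded_for or not in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not in_any(addr, trusted_proxies):
            return addr
    return peer  # every listed hop was one of our own proxies


def decide(peer_ip, forwarded_for, allow_nets, trusted_proxies=()):
    """Return 200 when the effective client IP is allowlisted, otherwise 403."""
    addr = effective_client_ip(peer_ip, forwarded_for, trusted_proxies)
    if addr is None:
        return 403
    return 200 if in_any(addr, allow_nets) else 403


# Constructed sample traffic: (TCP peer address, X-Forwarded-For header or None).
SAMPLE_REQUESTS = [
    ("1.1.1.1", None),                     # allowlisted client connecting directly
    ("203.0.113.9", None),                 # unknown client connecting directly
    ("203.0.113.9", "1.1.1.1"),            # unknown client claiming an allowlisted IP in the header
    ("10.0.0.2", "1.1.1.1"),               # via our proxy (constructed 10.0.0.0/8), header set by the proxy
    ("10.0.0.2", "1.1.1.1, 203.0.113.9"),  # client prepended a fake entry; proxy appended the real peer
]


def run(requests, allow, trusted_proxies=()):
    """Evaluate a list of (peer, header) pairs against string allow/trusted entries."""
    allow_nets = parse_networks(allow)
    trusted = parse_networks(trusted_proxies)
    return [decide(peer, xff, allow_nets, trusted) for peer, xff in requests]


if __name__ == "__main__":
    # Without a trusted proxy the header is ignored entirely; with one, only the
    # rightmost address it did not write itself is used.
    for trusted in ([], ["10.0.0.0/8"]):
        print("trusted proxies:", trusted or "none")
        for req, status in zip(SAMPLE_REQUESTS, run(SAMPLE_REQUESTS, ["1.1.1.1", "8.8.8.8"], trusted)):
            print("  ", req, "->", status)
```

The third sample is the case the forwarded option exposes you to: the header alone claims an allowlisted address, and the only reason it is refused here is that the peer is not a trusted proxy. The fifth sample shows why reading the header left to right is not enough even behind a proxy you control.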

I am not sure it is possible directly in Caddy, but you can add a middleware/plugin to do this.
Here is the link where you can get it: https://github.com/pyed/ipfilter
According to the docs of this middleware, if you want to allow only the 2 IPs you wrote, you should probably do something like this:
my.website.com {
    reverse_proxy http://127.0.0.1:3000
    ipfilter / {
        rule allow
        ip 1.1.1.1 8.8.8.8
        blockpage notauthorized.html
    }
}
I also think that if you want to block every request, not just /, you have to write ipfilter /* instead of ipfilter /.

Related

nginx re-route all data based on port (nginx proxy)

I'm still new to nginx and I want to accomplish this.
I have two servers (server1 and server2), with an sftp server (bitvise) on server1.
And on server2 I have an nginx docker container running.
I want to configure nginx so that when traffic comes to server2 (the one with nginx) on port 22, it gets redirected to server1, where my sftp server is present.
I have a DNS name "transfer.test.com" mapped to my server2 public IP (tested).
This is the configuration I have added to nginx conf file.
server {
    listen 22;
    server_name transfer.test.com;
    return 301 https://google.com;
    location / {
        set $sftp server1-private-ip:22;
        proxy_pass $sftp;
    }
}
server1-private-ip is the private IP of server1 (the one with sftp).
But till now it's not working.
I can connect to sftp using FileZilla using the private IP of server1, BUT
I can't connect to sftp using FileZilla using the private IP of server2, which means the traffic is not getting redirected.
Thank you for the help.
If you want to use nginx as a proxy to non-HTTP protocols like SSH or SFTP, you should define your server in a stream context rather than an http one. A typical main configuration file (usually /etc/nginx/nginx.conf) looks like
user <username>;
worker_processes <number>;
...
events {
    worker_connections <number>;
}
http {
    include /etc/nginx/mime.types;
    ... # other global http directives here
    include /etc/nginx/conf.d/*.conf;
}
As you can see, configuration files for individual servers (or server groups) are included within the http context. You should add a stream block to your main configuration file:
user <username>;
worker_processes <number>;
...
events {
    worker_connections <number>;
}
http {
    ...
}
stream {
    server {
        listen 22;
        proxy_pass <server1_private_ip>:22;
    }
}
Directives like server_name or location are meaningless in server blocks defined under the stream context. Please note that to use the above configuration nginx should be compiled with the ngx_stream_core_module and ngx_stream_proxy_module modules.

Caddy reverse proxy, prioritize files, then reverse_proxy

I'm having trouble using Caddy v2, while in v1 I never had such trouble.
I want to prioritize:
file_server if started with /upload/*
reverse_proxy to 127.0.0.1:9090 if started with /api/*
else reverse_proxy to 127.0.0.1:3000
But I can't seem to get it to work properly using v2. I've tried a lot (with matchers, changing port because 127.0.0.1 always 404s but localhost doesn't, etc.), but it seems 127.0.0.1:3000 is always prioritized instead of file_server, even when the file exists, because it has a wildcard?
{
    debug
    auto_https off
    log {
        output stdout
        level DEBUG
    }
    local_certs
}
127.0.0.1:80, localhost:80 {
    root ./svelte/dist
    file_server /upload/* browse
    reverse_proxy /api/* 127.0.0.1:9090
    reverse_proxy * 127.0.0.1:3000
}
Never mind, got the answer:
https://caddy.community/t/v2-hard-to-make-it-right/13394/2
127.0.0.1, 127.0.0.1:80, localhost, localhost:80 {
    handle /upload/* {
        root ./svelte/dist
        file_server browse
    }
    handle /api/* {
        reverse_proxy 127.0.0.1:9090
    }
    handle {
        reverse_proxy 127.0.0.1:3000
    }
}

How can I use Caddy to proxy for another site?

I have a service on foo.bar.com and I need to move it to foo.example.com. To give stragglers a chance to catch up I was hoping to put Caddy on the server dealing with foo.bar.com and have it proxy for foo.example.com. I can't get even a basic example working like:
Caddyfile:
:2015
reverse_proxy https://example.com
This is a correct example; you did not provide any debugging output or any information about the error you are getting.
Caddy by default expects HTTPS unless the site address is an IP or you explicitly say it is an HTTP endpoint.
So it should work for you with curl https://localhost:2016/
Enable debugging and show us any error.
To increase verbosity put this in your Caddyfile:
:2015 {
    log {
        level DEBUG
        output stdout
    }
    reverse_proxy https://example.com
}

how to config DOH with coreDNS?

# https://coredns.io/community/.
I can see the following configuration on the official website, but this does not provide an HTTPS service; it is a forwarder.
I can't find how to configure DoH.
And for DNS over HTTP/2 (DoH) use:
https://example.org {
    whoami
}
https://.:443 tls://.:853 {
    tls plugin/tls/test_cert.pem plugin/tls/test_key.pem plugin/tls/test_ca.pem
    cache
    forward . 8.8.8.8:53 {
        prefer_udp
    }
}

Change both http and https port on caddy

I'm having trouble setting a custom http and https port on caddy in my Caddyfile and could not find an answer using Google and Stack Overflow.
I can set a custom http port like this:
http://example.com:2015
but I can't set a custom https port:
http://example.com:2015
https://example.com:2016
as caddy only reads the first line as valid.
Starting the file with https://example.com:2016 will try to bind http to port 80, which is already taken.
I simply want to bind http to port 2015 and https to port 2016.
Here is my current Caddyfile:
http://example.com:2015
https://example.com:2016
gzip
log access.log
basicauth / username password
filemanager / /path {
    database dbname.db
    no_auth
}
thank you for your time :)
If you are using multiple hosts:
http://example.com:2015 {
    tls off
    gzip
    log access.log
    basicauth / username password
    filemanager / /path {
        database dbname.db
        no_auth
    }
}
https://example.com:2016 {
    tls self_signed
    gzip
    log access.log
    basicauth / username password
    filemanager / /path {
        database dbname.db
        no_auth
    }
}
If you wish for Caddy's automatic HTTPS you will need to use 443, but if you want to supply your own cert or self-sign (or use the DNS challenge) then you should be OK.
Also well worth checking out https://caddy.community/
