caddy: deny access to private services outside LAN/VPN

2024-06-16 19:32:35 -04:00 · 2024-06-16 19:32:35 -04:00 · 1b3e800443
commit 1b3e800443
parent 58a2a1526b
2 changed files with 15 additions and 0 deletions
--- a/group_vars/all/50-vars.yml
+++ b/group_vars/all/50-vars.yml
@ -19,6 +19,11 @@ dataroot: /var/lib/serv_data
 dyndns_domain: null
 # dyndns_domain: d.nerdpol.ovh

+# limit this to, for example, your VPN subnet or your local subnet
+# alternatively, 0.0.0.0/0 to open up the internal services to all
+# for multiple subnets, separate with spaces
+internal_cidr: "{{ local_subnet }}"
+
 # this is set true in group_vars/bastion/vars.yml
 enable_ddclient: false

--- a/roles/caddy/templates/Caddyfile.j2
+++ b/roles/caddy/templates/Caddyfile.j2
@ -10,6 +10,10 @@
 }
 {% endif %}

+(external) {
+	@external not remote_ip {{ internal_cidr }}
+}
+
 import conf.d/*

 {% if "website" in group_names %}
@ -27,6 +31,9 @@ www.{{ domain }} {

 {% if groups["navidrome"] | length > 0 %}
 {{ navidrome_domain }} {
+	import external
+	respond @external 403
+
 	reverse_proxy {{ groups["navidrome"][0] }}:4533
 }
 {% endif %}
@ -43,6 +50,9 @@ www.{{ domain }} {

 {% if groups["paperless"] | length > 0 %}
 {{ paperless_domain }} {
+	import external
+	respond @external 403
+
 	reverse_proxy {{ groups["paperless"][0] }}:8000
 }
 {% endif %}