
Caddy for Valid (internal) Certificates

Caddy is a reverse proxy with a built-in ACME client that obtains free, publicly trusted certificates from Let’s Encrypt and ZeroSSL.

It is also possible to use self-signed certificates for internal services. In this case, Caddy acts as a locally trusted certificate authority (CA). However, I want to access some of my internal web interfaces via smartphone, and adding the internal root certificate to the trusted certificates on a smartphone is awkward.

For this use case, I found a solution that leverages Caddy’s ability to match on the remote IP address and redirect or block anything from outside the internal network. See the configuration below:

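example.jugu.dev {
        # Match every request whose remote address is NOT in the internal network
        @externalBlock {
                not {
                        remote_ip 10.10.0.0/16
                }
        }
        # Redirect external requests instead of proxying them
        route @externalBlock {
                redir https://jugu.dev
        }
        # Internal requests reach the backend service
        reverse_proxy 10.10.30.5:8000
}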

The service will receive a publicly valid certificate from either Let’s Encrypt or ZeroSSL, depending on the general configuration. However, the proxied service is still reachable only from the specified internal network: requests from any other address are redirected to https://jugu.dev.
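
The configuration above reroutes external requests. The blocking variant mentioned earlier could look like this; it is an added example, not part of the original post, and it reuses the post's hostname, network range and backend address.

```caddyfile
example.jugu.dev {
        # Single-line named matcher: any request whose remote address
        # is outside the internal network.
        @external not remote_ip 10.10.0.0/16

        # Close the connection without sending any response.
        # To return an explicit error instead, replace this line with:
        #   respond @external 403
        abort @external

        # Only internal requests get this far.
        reverse_proxy 10.10.30.5:8000
}
```

The `remote_ip` matcher compares the address of the immediate TCP peer, so if another proxy or load balancer sits in front of Caddy, every request appears to come from that device's address.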

For more information, check out Caddy’s documentation.


