Back in April, I followed the Caddy how-to guide at https://docs.opnsense.org/manual/how-tos/caddy.html. During the Caddy setup, I created an access group allowing only local subnets to access my services. I applied this access group to my `*.example.com` domain, created my subdomains, updated Cloudflare settings, and finished configuring my reverse proxy.
Not long after setting up Caddy, I set up WireGuard VPN for remote access to my local network. For the past few months, I've been connecting to WireGuard whenever I was remote, allowing me to access my local network. Everything worked, so I didn't think my services could somehow be exposed.
Today, while remote, I pulled up a service I host locally — and it connected. But I wasn't connected to my VPN. I tried another service. Yep, I could connect remotely without being tunneled back into my local network.
So, I checked my Caddy settings. The access group allowing only local subnets was applied to my `*.example.com` domain. So why was I still able to connect remotely using my subdomains? Yeah, I'm sure you all already know the answer: I needed to apply the access group to each subdomain — or create a configuration file with the access group defined and include that config in each subdomain.
Well, I'm an idiot and didn't realize for months that **all** of my services were wide open. Just sharing this in the hopes that other idiots can learn from my idiotness.
Have a nice weekend everyone.
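As an added illustration (not part of the original post, and not the configuration the OPNsense plugin generates), here is the same mistake and its fix in a hand-written Caddyfile. Caddy routes each request to the most specific site block whose address matches the Host header, so an exact `app.example.com` block is chosen over `*.example.com` and never inherits anything from it; a restriction placed only on the wildcard block therefore does nothing for the subdomains that have their own block. The subnets, hostnames and upstream addresses below are constructed placeholders.

```caddyfile
# Reusable snippet: abort any connection whose source address is not on the
# LAN or the WireGuard subnet. Both ranges are constructed placeholders.
(local_only) {
	@not_local not remote_ip 192.168.1.0/24 10.10.10.0/24
	abort @not_local
}

# WEAK: the restriction sits on the wildcard block only. A request for
# app.example.com is served by the exact block further down, so this
# "import local_only" never runs for it.
*.example.com {
	import local_only
	respond "no such service" 404
}

# CORRECTED: every subdomain that has its own site block imports the
# snippet itself. This is the "config file included in each subdomain"
# approach described above.
app.example.com {
	import local_only
	reverse_proxy 192.168.1.20:8080
}

media.example.com {
	import local_only
	reverse_proxy 192.168.1.21:8096
}
```

Two things worth checking after a change like this. First, `caddy adapt --config Caddyfile --pretty` shows the generated JSON routes, where it is easy to confirm that each host's route actually carries the `remote_ip` matcher and not just the wildcard's. Second, the `remote_ip` matcher keys on the TCP source address: if a CDN or another proxy sits in front of Caddy (Cloudflare's proxied mode, for instance), that address is the proxy's, not the visitor's, and the `client_ip` matcher combined with the `trusted_proxies` server option is the right tool instead.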