I'm an idiot - Services were exposed to the internet for months now

Started by phzimm, October 11, 2025, 04:25:51 AM

Back in April, I followed the Caddy how-to guide at https://docs.opnsense.org/manual/how-tos/caddy.html. During the Caddy setup, I created an access group allowing only local subnets to access my services. I applied this access group to my `*.example.com` domain, created my subdomains, updated Cloudflare settings, and finished configuring my reverse proxy.

Not long after setting up Caddy, I set up WireGuard VPN for remote access to my local network. For the past few months, I've been connecting to WireGuard whenever I was remote, allowing me to access my local network. Everything worked, so I didn't think my services could somehow be exposed.

Today, while remote, I pulled up a service I host locally — and it connected. But I wasn't connected to my VPN. I tried another service. Yep, I could connect remotely without being tunneled back into my local network.

So, I checked my Caddy settings. The access group allowing only local subnets was applied to my `*.example.com` domain. So why was I still able to connect remotely using my subdomains? Yeah, I'm sure you all already know the answer: I needed to apply the access group to each subdomain — or create a configuration file with the access group defined and include that config in each subdomain.

Well, I'm an idiot and didn't realize for months that **all** of my services were wide open. Just sharing this in the hopes that other idiots can learn from my idiotness.

Have a nice weekend everyone.
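The fix phzimm describes, written out as an added example in plain Caddyfile syntax (constructed for this thread; it is neither the poster's configuration nor what the OPNsense Caddy plugin generates). The allow list lives in one snippet and every subdomain handler imports it, so a handler that lacks the import is visibly missing a line rather than silently open. Hostnames, upstream addresses and the `cloudflare` DNS module are placeholders and assumptions.

```caddyfile
# Constructed example, not from the original post or the OPNsense plugin.
# One snippet holds the restriction; each subdomain handler imports it.

(local_only) {
	# RFC 1918 + loopback. Add the WireGuard tunnel subnet here if it is
	# not already a private range.
	@blocked not remote_ip private_ranges
	abort @blocked
}

*.example.com {
	# Wildcard certificate via the DNS challenge: no HTTP-01 listener is
	# needed and only "*.example.com" appears in CT logs, not each service
	# name. Assumes a Caddy build with the cloudflare DNS module.
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}

	@service1 host service1.example.com
	handle @service1 {
		import local_only
		reverse_proxy 192.168.1.10:8080
	}

	@service2 host service2.example.com
	handle @service2 {
		import local_only
		reverse_proxy 192.168.1.11:3000
	}

	# Any other name under the wildcard is refused instead of proxied.
	handle {
		abort
	}
}
```

Putting `abort @blocked` only at the site level does not give the same protection: Caddy sorts directives, `handle` runs before `abort`, and a handler that proxies the request terminates the chain before the site-level check is reached. Inside a handler, `abort` is ordered before `reverse_proxy`, so the imported snippet is evaluated first. Two checks worth doing after the change: confirm each handler really contains the import (`caddy adapt` prints the generated JSON), and request every subdomain from a network outside the private ranges with the VPN disconnected, expecting a dropped connection. If the public DNS records are proxied through Cloudflare, `remote_ip` sees Cloudflare's edge addresses, which are public, so this configuration fails closed for all external clients unless `trusted_proxies` is configured to recover the original client address.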

I don't use Caddy, but if you want something not to be accessible from the outside, you don't open ports. If you want publicly trusted certificates via Let's Encrypt, you use the DNS challenge.

Maybe you know all of that and this is all about configuring a publicly accessible reverse proxy securely; then maybe write that in the subject line.

Goes to show why "testing" is an important aspect in IT - even more so when the affected services are security-relevant.

If you used a wildcard certificate only, then nobody could guess your service names, BTW. You can check on https://crt.sh if any specific names were exposed at any time. 
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Well, it happens....

Sometimes we learn the hard way. But next time, really, test it. When I implement a service, rules or policies, I personally always try to test what I can.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD