Caddy with internal address help

Started by SiliconOxide, February 06, 2026, 10:55:54 PM

I am having a bit of an issue getting Caddy to work like I want it to for certificates and reverse proxy. I have caddy setup per this guide: https://docs.opnsense.org/manual/how-tos/caddy.html

Caddy is on my router at 192.168.1.1. I have a dynamic DNS address that points towards my public IP. For example, home.mydomain.net points to my public IP. In Caddy I have a domain set up for home.mydomain.net as well as a handler that proxies home.mydomain.net to 192.168.1.124:8123. This works fine for accessing the site internally and externally (access lists in Caddy prevent external access though).

However, for most things I do not need any kind of external access, but I still would like working certificates. So, instead of using dynamic DNS to create a zone record for home.mydomain.com to my external IP, I created an A zone record for home.mydomain.net to 192.168.1.1. Same setting in Caddy as above with the external IP. Trying home.mydomain.net EXTERNALLY gets the expected results: it just tries to go to 192.168.1.1 on whatever network you are on at that time. However, accessing home.mydomain.net INTERNALLY seems to be bypassing Caddy and just attempts to go to 192.168.1.1 directly.

To clarify, first working example:  home.mydomain.net --> wan IP --> caddy (on router @ 192.168.1.1) --> reverse proxy to 192.168.1.124:8123

What I am trying to do: home.mydomain.net --> 192.168.1.1 --> caddy --> reverse proxy to 192.168.1.124:8123

I do have a reason for attempting to do it this odd way: I use a VPN on my phone for local addresses only.

What am I doing wrong?

Keep the DNS record in the public DNS, so that Caddy can draw certificates for the domain, and just create an access list for the allowed networks (Caddy: Reverse Proxy: Access).
Then edit the responsible handler and select the access list you've created before. So Caddy will limit access to the stated networks in the access list.

For restricting access to local network only, I've created an access list with all RFC 1918 subnets for instance.

That won't work for what I need (how it is set up now). I need to use an internal IP for the VPN, as the VPN is only used to access internal IPs. If I use the public IP it won't go through the VPN and I would have to leave the server open to the WAN.

What I want to do, but I am not sure it is even possible, is have home.mydomain.net point to the router/caddy at 192.168.1.1. Then proxy to the server at 192.168.1.124:8123 with a usable certificate.

Basically this should be doable, I think. However, the ACME client won't be able to draw or renew the certificate for the domain anymore, if it points to a private IP address.
So this doesn't make sense to me at all.

Maybe you should rather consider a strong access password for your services than routing them over the VPN.
Or if you don't need to provide public access to them, but via VPN, use your private PKI and install the CA certificate on all involved devices.
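For readers following the private-PKI suggestion above, here is the equivalent raw Caddyfile for the setup discussed in this thread (an added example, not the OPNsense plugin's generated config or anything posted by the participants). It assumes home.mydomain.net resolves internally to 192.168.1.1 where Caddy runs, the upstream is 192.168.1.124:8123, and Caddy's locally generated root CA has been installed on the phone and other clients.

```caddyfile
# Added example: internal-only name with a locally issued certificate.
# Assumed: home.mydomain.net -> 192.168.1.1 (Caddy), upstream 192.168.1.124:8123.

home.mydomain.net {
	# Private PKI: Caddy's built-in CA issues the leaf certificate itself,
	# so no ACME challenge is attempted. This is why an A record pointing
	# at a private IP is fine here, while Let's Encrypt HTTP validation would fail.
	# Export the root from Caddy's data directory (pki/authorities/local/root.crt)
	# and install it on every client that should trust this name.
	tls internal

	# Equivalent of the forum's "RFC 1918 access list": only private
	# source addresses reach the reverse proxy handler.
	@internal remote_ip private_ranges
	handle @internal {
		reverse_proxy 192.168.1.124:8123
	}

	# Anything else (e.g. a request arriving via the WAN) is dropped
	# without a response, mirroring the access list deny.
	handle {
		abort
	}
}
```

Because the certificate is issued locally, it renews without any inbound reachability from the Internet, which is what the private-IP DNS record otherwise breaks.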