
Protect Caddy admin endpoints from being accessed from the internet #179

Closed

bohdan-shulha (Contributor) opened this issue Sep 8, 2024 · 1 comment

One way is to make Caddy listen at the UNIX socket instead of a TCP port.

https://caddyserver.com/docs/caddyfile/options#admin

Cause - Docker. (:

https://docs.docker.com/engine/network/packet-filtering-firewalls/#integration-with-firewalld

ufw is a frontend that ships with Debian and Ubuntu, and it lets you manage firewall rules. Docker and ufw use iptables in ways that make them incompatible with each other.

When you publish a container's ports using Docker, traffic to and from that container gets diverted before it goes through the ufw firewall settings. Docker routes container traffic in the nat table, which means that packets are diverted before they reach the INPUT and OUTPUT chains that ufw uses. Packets are routed before the firewall rules can be applied, effectively ignoring your firewall configuration.

bohdan-shulha added this to the Alpha milestone Sep 8, 2024
github-actions bot added the triage label Sep 8, 2024
bohdan-shulha added caddy and removed triage labels Sep 8, 2024
bohdan-shulha (Contributor, Author) commented Sep 15, 2024

The recipe to fix this issue:

  1. Install netfilter-persistent

     apt-get install netfilter-persistent

  2. Add the rules to block outside actors accessing port 2019

     # iptables -I inserts at the top of the chain, so insert the REJECT first;
     # the ACCEPT inserted afterwards then sits above it instead of being shadowed by it
     iptables -I DOCKER-USER -p tcp --dport 2019 -j REJECT --reject-with tcp-reset
     iptables -I DOCKER-USER -p tcp -s 127.0.0.1 --dport 2019 -j ACCEPT

  3. Save your rules

     netfilter-persistent save

Installation script has been updated to reflect the changes.
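The recipe above as one re-runnable script (an added example written for this page, not code from the issue or from the project's installation script). It assumes the admin port is 2019 and that the container port is published with `docker ... -p`; the function names, the ADMIN_PORT variable and the sample `iptables -S` lines are constructed here. Beyond the three steps of the recipe it checks whether a rule already exists before inserting it, inserts with explicit positions so the host-only ACCEPT cannot end up below the REJECT, and verifies the resulting chain order before saving.

```shell
#!/bin/sh
# Added example, not code from the issue or from the project it belongs to.
# Applies the DOCKER-USER rules from the recipe idempotently, keeps the
# host-only ACCEPT above the REJECT, and verifies the order from "iptables -S".
# Assumptions: admin port 2019, container port published with "docker -p".
# DOCKER-USER hangs off FORWARD, so it is only consulted for forwarded traffic;
# it does not cover a host-network container (bind the admin endpoint to
# localhost or a UNIX socket in the Caddyfile in that case).

ADMIN_PORT="${ADMIN_PORT:-2019}"

# Insert a rule at position POS unless an identical rule already exists
# (iptables -C exits 0 when it does), so re-running the script is safe.
ensure_rule() {
    pos="$1"
    shift
    if iptables -C DOCKER-USER "$@" 2>/dev/null; then
        return 0
    fi
    iptables -I DOCKER-USER "$pos" "$@"
}

# ACCEPT goes to position 1 and REJECT to position 2: whichever of the two is
# missing lands on the correct side of the one that is already present.
apply_rules() {
    port="$1"
    ensure_rule 1 -p tcp -s 127.0.0.1 --dport "$port" -j ACCEPT
    ensure_rule 2 -p tcp --dport "$port" -j REJECT --reject-with tcp-reset
}

# Read "iptables -S DOCKER-USER" output on stdin; succeed only if the ACCEPT
# for PORT is listed before the REJECT for PORT (both must be present).
# The trailing space after the port keeps 2019 from matching 20190.
check_order() {
    port="$1"
    accept_at=0
    reject_at=0
    n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in
            *"--dport $port "*"-j ACCEPT"*)
                if [ "$accept_at" -eq 0 ]; then accept_at=$n; fi ;;
            *"--dport $port "*"-j REJECT"*)
                if [ "$reject_at" -eq 0 ]; then reject_at=$n; fi ;;
        esac
    done
    if [ "$accept_at" -gt 0 ] && [ "$reject_at" -gt 0 ] && [ "$accept_at" -lt "$reject_at" ]; then
        return 0
    fi
    return 1
}

# Step 3 of the recipe: persist the rules when netfilter-persistent is installed.
persist_rules() {
    if command -v netfilter-persistent >/dev/null 2>&1; then
        netfilter-persistent save
    else
        echo "netfilter-persistent not installed; rules will not survive a reboot" >&2
        return 1
    fi
}

# Usage (as root on the Docker host): ADMIN_PORT=2019 sh caddy-admin-fw.sh apply
case "${1:-}" in
    apply)
        apply_rules "$ADMIN_PORT"
        if ! iptables -S DOCKER-USER | check_order "$ADMIN_PORT"; then
            echo "DOCKER-USER rule order is wrong for port $ADMIN_PORT; inspect with: iptables -S DOCKER-USER" >&2
            exit 1
        fi
        persist_rules
        ;;
esac
```

Because DOCKER-USER is part of FORWARD, connections the host itself opens to the published port never pass through it, so the ACCEPT line mainly documents intent; the REJECT with tcp-reset is what actually turns away remote clients. After applying, confirm from another machine that a TCP connection to port 2019 on the host is reset, and from the host that 127.0.0.1:2019 still answers.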
