There are subdomains on my home network that I only want accessible locally. While there are no public DNS records pointing to them, the hostnames are still visible in Certificate Transparency logs, so I want to add a layer of security just to be sure.

Here’s where Caddy snippets are convenient for blocking all WAN traffic to select subdomains. The following snippet in my Caddyfile aborts every request whose source address is outside the subnets listed after remote_ip, in each block where the snippet is imported.

# Snippet
(lan_only) {
        # Allow traffic from my local network, including wg-easy
        @external not remote_ip 10.0.0.0/24 10.42.42.0/24
        abort @external
}

# Protected subdomain
        @subdomain host subdomain.ampho.fr
        handle @subdomain {
                import lan_only # Import the snippet
                reverse_proxy localhost:1234
        }
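To check what the `not remote_ip … / abort` pair actually lets through, here is a small model of that matcher written for this post as an added example (it is not Caddy's code). It assumes Caddy sees the real TCP peer address, which holds when no other proxy sits in front of it, and it treats an IPv4-mapped IPv6 address (`::ffff:10.0.0.3`) as its IPv4 form; that mapping is an assumption of the model, not a documented Caddy behaviour. The sample addresses are constructed; the two subnets are the ones from the snippet above.

```python
import ipaddress

# The subnets after `remote_ip` in the (lan_only) snippet: home LAN and wg-easy clients.
LAN_SUBNETS = ["10.0.0.0/24", "10.42.42.0/24"]


def parse_networks(cidrs):
    """Parse the CIDR list once, the way a matcher would at config load."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def normalize(remote_addr):
    """Turn the peer address into an ipaddress object.

    Assumption of this model: an IPv4-mapped IPv6 address is compared as IPv4,
    so a dual-stack listener does not accidentally abort LAN clients.
    """
    ip = ipaddress.ip_address(remote_addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def is_external(remote_addr, cidrs=LAN_SUBNETS):
    """Model of `@external not remote_ip <cidrs>`.

    Returns True when the address is in none of the listed ranges, i.e. when
    `abort @external` would fire. Membership across IP versions is False, so an
    IPv6 client is external unless an IPv6 prefix is in the list.
    """
    ip = normalize(remote_addr)
    return not any(ip in net for net in parse_networks(cidrs))


def decide(remote_addr, cidrs=LAN_SUBNETS):
    """What the handle block does with a request from this peer address."""
    return "abort" if is_external(remote_addr, cidrs) else "reverse_proxy"


if __name__ == "__main__":
    # Constructed sample peers: LAN host, WireGuard client, WAN client,
    # an IPv6 LAN client, and an IPv4-mapped LAN client on a dual-stack socket.
    for peer in ["10.0.0.3", "10.42.42.7", "203.0.113.9", "2001:db8::1", "::ffff:10.0.0.3"]:
        print(f"{peer:>18} -> {decide(peer)}")
```

The IPv6 case is the one worth noticing: if the LAN also hands out IPv6 addresses, a client that reaches Caddy over IPv6 matches neither /24 and is aborted, so the LAN's IPv6 prefix would have to be added to the `remote_ip` list for those clients to get through.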

Don’t forget to reload the Caddy service after modifying the Caddyfile.

In my case, name resolution is handled by entries in the hosts file of my GL.iNet router running OpenWrt. GL.iNet offers a convenient web interface for editing that file without having to SSH into the router. Example entry:

10.0.0.3 notes.ampho.fr