From 43aed3e6b7edcf8cc2508d341201d82a8c8dcb92 Mon Sep 17 00:00:00 2001
From: Sam Al-Sapti <sam@sapti.me>
Date: Sun, 24 Sep 2023 02:45:30 +0200
Subject: [PATCH] Deny remote access to local domains

---
 roles/docker_services/templates/Caddyfile.j2 | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

diff --git a/roles/docker_services/templates/Caddyfile.j2 b/roles/docker_services/templates/Caddyfile.j2
index 193a577..c6f7620 100644
--- a/roles/docker_services/templates/Caddyfile.j2
+++ b/roles/docker_services/templates/Caddyfile.j2
@@ -23,7 +23,15 @@
         -Server
     }
 
-    reverse_proxy ipfs_kubo:5001
+    @local {
+        remote_ip 192.168.0.0/16
+    }
+
+    handle @local {
+        reverse_proxy ipfs_kubo:5001
+    }
+
+    respond 403
 }
 
 {{ services.ipfs.gateway_domain }},
@@ -76,5 +84,13 @@
         -Server
     }
 
-    reverse_proxy pihole:80
+    @local {
+        remote_ip 192.168.0.0/16
+    }
+
+    handle @local {
+        reverse_proxy pihole:80
+    }
+
+    respond 403
 }