    Remote access with Caddy, Duckdns vs Tailscale for security?

    Balinus
    Offline

    Junior Member

    Posts: 26
    Threads: 4
    Joined: 2025 Feb
    Reputation: 0
    Country:Canada
    #11
    2025-04-08, 04:07 PM
    (2025-04-08, 09:57 AM)InTrusta Wrote: Don't have a solution, just wanted to give an FYI for Tailscale. You can only add 3 users to Tailscale, but you can add a lot more users through direct access to your NAS/server. I think it's around 100 or so. And it's even better, because normally I don't want my friends to see all my machines in my Tailscale network. I only want to give them access to my NAS.

    I had the same problem as you and was about to set up the whole DuckDNS/reverse proxy setup, but then I read I can just add way more friends directly to the machine. And I prefer Tailscale because it's just super secure.

    I initially tried with sharing my jellyfin node but, somehow, my brother wasn't able to connect. It worked as soon as he joined my Tailnet though. Perhaps it was only a mistake on our part. I might retry this approach one day though!

    (2025-04-08, 01:20 PM)Duvel Wrote: If you want to use a DNS module you should build your own caddy image that includes the stuff for your specific DNS provider.

    All custom images for all supported DNS providers are there: https://github.com/orgs/caddy-dns/repositories?type=all

    You can add any other module you'd like to build the image you need.

    For instance my DNS provider is Infomaniak, and I also use the CrowdSec bouncer module on my Caddy to detect and block known attack scenarios and offender IPs, so I build my Caddy image with this Docker command:

    Code:
    # build stage: compile Caddy with the Infomaniak DNS and CrowdSec bouncer plugins
    FROM caddy:builder AS builder

    RUN xcaddy build \
        --with github.com/caddy-dns/infomaniak \
        --with github.com/hslatman/caddy-crowdsec-bouncer/http

    # runtime stage: the official image with the custom binary dropped in
    FROM caddy:latest

    COPY --from=builder /usr/bin/caddy /usr/bin/caddy



    But all this will be tedious if you hardly know Docker, and you will have to learn the fundamentals.

    Once your image is done, you should also configure the DNS parameters properly using a tls {} block in your Caddyfile; for instance, this is mine for Infomaniak:
    Code:
    *.domain.tld, domain.tld {

        crowdsec # this executes the CrowdSec module; if an IP is denied, it won't get access to the reverse proxy

        tls {
            dns infomaniak my_very_long_api_key_provided_by_infomaniak
            propagation_delay 60s
            propagation_timeout -1
        }
    } # end of the site block

    The parameters for your DNS might be different from mine, and you should find out how to configure yours by yourself. There are generally some explanations in the README of each caddy-dns repository.

    Thanks!

    Do you "automate" your Caddy build somehow? Or do you execute your Docker command once there is a new version? Any benefit to using Docker here? Right now, I mostly run "directly" on the system. It is only hosting Jellyfin and Caddy in the end.

    I will add "crowdsec", seems like a nice addition to the Caddy software.
    Duvel
    Offline

    Member

    Posts: 69
    Threads: 9
    Joined: 2023 Jul
    Reputation: 3
    Country:Belgium
    #12
    2025-04-08, 07:34 PM (This post was last modified: 2025-04-08, 07:53 PM by Duvel. Edited 2 times in total.)
    Sorry, I assumed you were in Docker. If you use a normal apt install I don't really know how modules work.
    I rebuild my image manually every month or so.

    Crowdsec requires another component. In Caddy there's only the bouncer running; you also need the LAPI component (local API), which has to run alongside it.
    https://github.com/crowdsecurity/crowdsec

    That's the official image: crowdsecurity/crowdsec:latest

    So basically the bouncers communicate with the LAPI, which communicates with the Crowdsec servers and handles the local database of scenarios, alerts, decisions, etc.

    That's some config to get all this running... Have fun :-)
    Balinus
    Offline

    Junior Member

    Posts: 26
    Threads: 4
    Joined: 2025 Feb
    Reputation: 0
    Country:Canada
    #13
    2025-04-08, 07:46 PM
    Thanks!

    No worries, I'll be able to adapt it for my case. As far as I understand, this is mostly a manual install for updating Caddy with add-ons, either in Docker or through the xcaddy approach. Thanks for the additional information about Crowdsec, I'll take a look!
    Duvel
    Offline

    Member

    Posts: 69
    Threads: 9
    Joined: 2023 Jul
    Reputation: 3
    Country:Belgium
    #14
    2025-04-08, 08:08 PM (This post was last modified: 2025-04-08, 08:19 PM by Duvel. Edited 1 time in total.)
    Crowdsec on the reverse proxy is the ideal last line of strong defense.
    I have the first lines on my pfSense router (GeoIP firewall rules, IP blacklists, Snort) that stop 95% of all bad traffic, but can't stop everything HTTPS-related. This should be done on the reverse proxy handling the certs.

    Results guaranteed if you get it running, especially against malicious bots :-)
    Balinus
    Offline

    Junior Member

    Posts: 26
    Threads: 4
    Joined: 2025 Feb
    Reputation: 0
    Country:Canada
    #15
    2025-04-08, 08:27 PM
    Seems like a nice add-on to have indeed. I think I might have succeeded in installing everything, but I'll have to read more to be able to run it correctly. I am not sure where I should get the "api_key" or how to let Crowdsec connect to the LAPI server (I get a failed-to-connect error: {"level":"error","ts":1744143712.4026,"logger":"crowdsec","msg":"failed to connect to LAPI, retrying in 10s:"). Probably due to the fact that I haven't entered the api_key in the "crowdsec" section of the Caddyfile.

    No worries if you don't have the answers to that, I'll take a deeper look at the end of the week.
    Balinus
    Offline

    Junior Member

    Posts: 26
    Threads: 4
    Joined: 2025 Feb
    Reputation: 0
    Country:Canada
    #16
    2025-04-10, 12:12 AM (This post was last modified: 2025-04-10, 12:13 AM by Balinus.)
    So, I have read a little bit on Crowdsec. Very nice indeed, though not super user-friendly for someone who has limited knowledge about cybersecurity and networking like me. From what I understand:

    - Install Crowdsec engine (done)
    - Build Caddy with duckdns and crowdsec plug-in (done)
    - Install Remediation Components (aka bouncers, blocklist, etc...)

    This last point is a little bit obscure for me; there are so many blocklists, etc. The items I think I should install through the Crowdsec engine are:

    - Caddy collection: https://app.crowdsec.net/hub/author/crow...ions/caddy
    - Jellyfin collection: https://app.crowdsec.net/hub/author/LePr...s/jellyfin

    Once installed, I need to get an API key somehow; this part is not very well documented. I tried using the "Service API key" in the settings of Crowdsec, but I'm not sure if this is the right one. Anyhow, I then configured the Caddyfile with:

    Code:
    # CROWDSEC
    {
        debug # this is optional; makes Caddy log more details
        order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
        crowdsec {
            api_url http://localhost:8080 # the URL where your CrowdSec LAPI can be reached, somewhere on your network/system
            api_key SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS # the secret API key for the bouncer to authenticate against LAPI
        }
    }

    jellyfin-philipperoy.duckdns.org:9000 {
            reverse_proxy 127.0.0.1:8096

            crowdsec

            tls {
                    dns duckdns DUCKDNS-API
            }
    }

    I still do get the error when looking at "systemctl status caddy"

    Code:
    {"level":"error","ts":1744243579.8556097,"logger":"crowdsec","msg":"failed to connect to LAPI, retrying in 10s:

    so, that's where I'm at! Smiling-face

    Duvel
    Offline

    Member

    Posts: 69
    Threads: 9
    Joined: 2023 Jul
    Reputation: 3
    Country:Belgium
    #17
    2025-04-10, 07:14 AM (This post was last modified: 2025-04-21, 07:47 AM by Duvel. Edited 3 times in total.)
    This thread is turning into a "how to protect Jellyfin with Crowdsec" :-)

    First of all in your config, you need 2 different API keys, because you have 2 components locally:
    The LAPI server
    The Caddy Bouncer

    1. Your LAPI server should be registered with the Crowdsec central servers, and you use the API key provided on your crowdsec.org CP

    2. Your Caddy Bouncer should be registered with your LAPI server. It looks like you are stuck on that one.

    In order to register your bouncer to your LAPI, you need to use the Crowdsec CLI using cscli commands (https://docs.crowdsec.net/docs/cscli/)

    If you have a normal install, you just do:
    Code:
    sudo cscli <commands>

    If you have a Docker container, then you should do:
    Code:
    sudo docker exec crowdsec-container cscli <command>
    Where "crowdsec-container" is the name of your LAPI container; adapt accordingly.

    Example: list the machines

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli machines list
    [sudo] password for tom:
    -------------------------------------------------------------------------------------------------------------------------------
    Name      IP Address  Last Update          Status  Version          OS                            Auth Type  Last Heartbeat
    -------------------------------------------------------------------------------------------------------------------------------
    localhost  127.0.0.1  2025-04-10T06:38:05Z  ✔️      v1.6.8-f209766e  Alpine Linux (docker)/3.21.3  password  39s
    -------------------------------------------------------------------------------------------------------------------------------
    Next, list the bouncers:

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli bouncers list
    ---------------------------------------------------------------------------------------------------------
    Name                      IP Address  Valid  Last API pull        Type              Version  Auth Type
    ---------------------------------------------------------------------------------------------------------
    caddy-bouncer@172.21.0.1  172.21.0.1  ✔️    2025-04-10T06:49:58Z  caddy-cs-bouncer  v0.8.1  api-key
    ---------------------------------------------------------------------------------------------------------

    I believe you are stuck there, and your list is probably empty. You have not added your caddy bouncer, which should have generated an API key for your bouncer to connect to the LAPI.

    To register your caddy bouncer, use the <cscli bouncers add caddy-bouncer> command:
    Code:
    $ sudo docker exec crowdsec cscli bouncers add caddy-bouncer
    API key for 'caddy-bouncer':

      Q8iKI+FuQc7SGG2vXQWx7WMpxKeGj2UA0Baw5lUf5Zc

    Please keep this key since you will not be able to retrieve it!

    This is the API key that you should specify in your Caddyfile, there:
    SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS

    Once the Caddyfile is adapted, restart Caddy.

    And then recheck your bouncers list and status with cscli bouncers list
    --> You should now see your caddy-bouncer connected
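    The Caddyfile shape used in this thread only works once the bouncer key and the DNS token have replaced their placeholders, the global options carry `order crowdsec first`, and every brace is closed. The following is an added example, not code from the thread or from the caddy-crowdsec-bouncer project, that lints a Caddyfile for exactly those points; the sample Caddyfile and its hostname are constructed, and the placeholder names it searches for are the ones quoted in the thread.

```python
"""Lint a Caddyfile for the CrowdSec bouncer setup discussed in this thread. Added
example (not the thread's or the bouncer project's code); it is a brace tracker
plus checks for the directives the thread uses, not a full Caddyfile parser."""

# Placeholder tokens quoted in the thread; a real config must not contain them.
PLACEHOLDERS = {"SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS", "DUCKDNS-API"}

# Constructed sample shaped like the Caddyfile posted in the thread, keys still unset.
SAMPLE = """{
    order crowdsec first
    crowdsec {
        api_url http://localhost:8080
        api_key SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS
    }
}
jellyfin.example.duckdns.org:9000 {
    reverse_proxy 127.0.0.1:8096
    crowdsec
    tls {
        dns duckdns DUCKDNS-API
    }
}
"""

def check_caddyfile(text: str) -> list[str]:
    """Return findings for text; an empty list means every check passed."""
    findings: list[str] = []
    depth = 0                                   # current brace nesting
    in_global = in_crowdsec = in_site = uses_handler = False
    saw_order = False
    seen: set[str] = set()                      # directives inside global crowdsec {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        tokens = line.split()
        if not tokens:
            continue
        if tokens[-1] == "{":
            tokens = tokens[:-1]
            if depth == 0:                      # bare '{' opens the global options
                in_global, in_site = not tokens, bool(tokens)
            elif in_global and tokens == ["crowdsec"]:
                in_crowdsec = True
            depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth < 0:
                findings.append(f"line {n}: '}}' without a matching '{{'")
                depth = 0
            in_crowdsec = in_crowdsec and depth > 1
            if depth == 0:
                in_global = in_site = False
            continue
        if in_global and tokens[:3] == ["order", "crowdsec", "first"]:
            saw_order = True
        if in_crowdsec and len(tokens) > 1:
            seen.add(tokens[0])
        if PLACEHOLDERS & set(tokens):
            findings.append(f"line {n}: placeholder still present: {line}")
        if in_site and tokens == ["crowdsec"]:
            uses_handler = True
    if depth:
        findings.append(f"{depth} block(s) never closed")
    if uses_handler and not saw_order:
        findings.append("global options lack 'order crowdsec first'")
    if uses_handler and not {"api_url", "api_key"} <= seen:
        findings.append("global 'crowdsec { api_url ... api_key ... }' block is incomplete")
    return findings
```

    Run it against the sample and it reports the two unreplaced placeholders; once both are substituted with real values the list is empty.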
    Balinus
    Offline

    Junior Member

    Posts: 26
    Threads: 4
    Joined: 2025 Feb
    Reputation: 0
    Country:Canada
    #18
    2025-04-10, 12:34 PM
    Wow, THANKS! It worked! I'm very happy with it.

    We should sticky your post really, it's mostly "Guide" ready imho. Ok-hand

    On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?

    Code:
    sudo cscli bouncers list
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Name                            IP Address  Valid  Last API pull        Type                      Version                                                                  Auth Type
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    cs-firewall-bouncer-1744226856  127.0.0.1  ✔️    2025-04-10T12:29:06Z  crowdsec-firewall-bouncer  v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87  api-key
    caddy-bouncer                  127.0.0.1  ✔️    2025-04-10T12:28:32Z  caddy-cs-bouncer          v0.8.1                                                                  api-key
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,374
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #19
    2025-04-10, 12:45 PM
    If you're a bit of a Crowdsec guru, feel free to write a guide in the Walkthrough subforum. Does Crowdsec have modules for Nginx and Apache? I currently use fail2ban, but I'm always open to trying other apps.

    (2025-04-10, 07:14 AM)Duvel Wrote: This thread is turning into a "how to protect Jellyfin with Crowdsec" :-)

    First of all in your config, you need 2 different API keys, because you have 2 components locally:
    The LAPI server
    The Caddy Bouncer

    1. Your LAPI server should be registered with the Crowdsec central servers, and you use the API key provided on your crowdsec.org CP

    2. Your Caddy Bouncer should be registered with your LAPI server. It looks like you are stuck on that one.

    In order to register your bouncer to your LAPI, you need to use the crowdsec cscli (https://docs.crowdsec.net/docs/cscli/)

    If you have a normal install, you just do:
    Code:
    sudo cscli <commands>

    If you have a docker container, then you should do :
    Code:
    sudo docker exec crowdsec cscli <command>


    Example: list the machines

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli machines list
    [sudo] password for tom:
    -------------------------------------------------------------------------------------------------------------------------------
    Name      IP Address  Last Update          Status  Version          OS                            Auth Type  Last Heartbeat
    -------------------------------------------------------------------------------------------------------------------------------
    localhost  127.0.0.1  2025-04-10T06:38:05Z  ✔️      v1.6.8-f209766e  Alpine Linux (docker)/3.21.3  password  39s
    -------------------------------------------------------------------------------------------------------------------------------
    Next, list the bouncers:

    Code:
    tom@cerbere:/opt/caddy$ sudo docker exec crowdsec cscli bouncers list
    ---------------------------------------------------------------------------------------------------------
    Name                      IP Address  Valid  Last API pull        Type              Version  Auth Type
    ---------------------------------------------------------------------------------------------------------
    caddy-bouncer@172.21.0.1  172.21.0.1  ✔️    2025-04-10T06:49:58Z  caddy-cs-bouncer  v0.8.1  api-key
    ---------------------------------------------------------------------------------------------------------

    I believe you are stuck there, and your list is probably empty. You have not added your caddy bouncer, which should have generated an API key for your bouncer to connect to the LAPI.

    To register your caddy bouncer, use the <cscli bouncers add caddy-bouncer> command:
    Code:
    $ sudo docker exec crowdsec cscli bouncers add caddy-bouncer
    API key for 'caddy-bouncer':

      Q8iKI+FuQc7SGG2vXQWx7WMpxKeGj2UA0Baw5lUf5Zc

    Please keep this key since you will not be able to retrieve it!

    This is the API key that you should specify in your Caddyfile, there:
    SERVICE-KEY-API-FROM-CROWDSEC-CONSOLE-SETTINGS

    Once the Caddyfile is adapted, restart Caddy.

    And then recheck your bouncers list and status with cscli bouncers list
    --> You should now see your caddy-bouncer connected
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    Duvel
    Offline

    Member

    Posts: 69
    Threads: 9
    Joined: 2023 Jul
    Reputation: 3
    Country:Belgium
    #20
    2025-04-10, 02:15 PM (This post was last modified: 2025-04-21, 07:49 AM by Duvel. Edited 2 times in total.)
    (2025-04-10, 12:34 PM)Balinus Wrote: Wow, THANKS! It worked! I'm very happy with it.

    We should sticky your post really, it's mostly "Guide" ready imho. Ok-hand

    On my bouncers list, there is another one listed, can't remember if I installed that or not. Is there a way to "test" this bouncer?

    Code:
    sudo cscli bouncers list
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Name                            IP Address  Valid  Last API pull        Type                      Version                                                                  Auth Type
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    cs-firewall-bouncer-1744226856  127.0.0.1  ✔️    2025-04-10T12:29:06Z  crowdsec-firewall-bouncer  v0.0.31-debian-pragmatic-amd64-4b99c161b2c1837d76c5fa89e1df83803dfbcc87  api-key
    caddy-bouncer                  127.0.0.1  ✔️    2025-04-10T12:28:32Z  caddy-cs-bouncer          v0.8.1                                                                  api-key
    ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    Looks like the default firewall bouncer of Crowdsec: https://github.com/crowdsecurity/cs-firewall-bouncer

    Unsure if you got it installed by default or if you installed it manually...

    So basically that one acts like fail2ban and modifies the iptables rules of your Linux box to block the alerted IPs. That's a nice addition that would prevent a blocked IP from reaching the whole Linux server.
    This is only a little plus depending on your architecture.
    If the only way to reach your web-facing server is through Caddy, then it's mostly useless because the Caddy bouncer will block all those IPs.
    Now if you have other ports open, not using HTTP(S), it might become useful.

    For my architecture it is useless, because I have a Crowdsec bouncer on my main gate, which is the pfSense router, and both the router bouncer and the Caddy bouncer are connected to my Crowdsec LAPI. So whenever something is detected on any of my machines running Crowdsec, the LAPI will propagate it to the pfSense bouncer, which will block the IP on its firewall and will thus prevent access from that IP to my whole network.
    On top of this, your LAPI also propagates your detected IPs to the central servers and everyone can benefit from it.

    That's the beauty of the Crowdsec approach: CROWD security.

    @TheDreadPirate not considering myself a guru, but I have been using Crowdsec for like 2 years on several different machines so I understand how it works.

    Yes, there's an nginx bouncer. Unsure about Apache.

    I might do a guide if it becomes necessary Winking-face
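    On Balinus's question of how to "test" a bouncer: one defensive check is whether every entry in `cscli bouncers list` is marked valid and has pulled decisions from the LAPI recently, since a registered bouncer that stopped pulling protects nothing. The following is an added example, not code from the thread or from CrowdSec, that parses the table layout shown in this thread; the sample rows, bouncer names and the two-minute staleness threshold are constructed assumptions.

```python
"""Health check over the table printed by `cscli bouncers list`: a bouncer that is
registered but no longer pulling decisions from the LAPI protects nothing.
Added example, not code from the thread or from CrowdSec."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout shown in this thread; names and times are made up.
SAMPLE = """\
Name                            IP Address  Valid  Last API pull        Type                      Version  Auth Type
caddy-bouncer                   127.0.0.1   ✔️     2025-04-10T12:28:32Z  caddy-cs-bouncer          v0.8.1   api-key
cs-firewall-bouncer-1744226856  127.0.0.1   ✔️     2025-04-10T11:02:10Z  crowdsec-firewall-bouncer  v0.0.31  api-key
old-nginx-bouncer               10.0.0.5    ✖      2025-04-01T08:00:00Z  crowdsec-nginx-bouncer    v1.0.0   api-key
"""
COLUMNS = ("name", "ip", "valid", "last_pull", "type", "version", "auth")
STAMP = "%Y-%m-%dT%H:%M:%SZ"   # timestamp format cscli prints in the table


def parse_bouncers(table: str) -> list[dict[str, str]]:
    """Split the cscli table into rows; cscli separates columns by 2+ spaces."""
    rows = []
    for line in table.splitlines():
        text = line.strip()
        if not text or text[0] in "-─" or text.startswith("Name"):
            continue                       # rule lines and the header
        cells = re.split(r"\s{2,}", text)
        if len(cells) != len(COLUMNS):     # e.g. an empty 'Last API pull' column
            rows.append({"name": cells[0], "error": "row has missing columns (never pulled?)"})
        else:
            rows.append(dict(zip(COLUMNS, cells)))
    return rows


def unhealthy_bouncers(table: str, now_iso: str, max_age_s: int = 120) -> dict[str, str]:
    """Map bouncer name -> reason for every bouncer that is invalid, stale or unparseable.

    max_age_s is an assumed threshold: bouncers poll the LAPI every few seconds by
    default, so a pull older than a couple of minutes means the bouncer is down or
    cannot authenticate (the symptom seen earlier in this thread).
    """
    now = datetime.strptime(now_iso, STAMP).replace(tzinfo=timezone.utc)
    problems: dict[str, str] = {}
    for row in parse_bouncers(table):
        if "error" in row:
            problems[row["name"]] = row["error"]
        elif not row["valid"].startswith("\u2714"):       # the ✔️ tick
            problems[row["name"]] = "marked invalid by the LAPI"
        else:
            pulled = datetime.strptime(row["last_pull"], STAMP).replace(tzinfo=timezone.utc)
            age = now - pulled
            if age > timedelta(seconds=max_age_s):
                problems[row["name"]] = f"last pull {int(age.total_seconds())}s ago"
    return problems
```

    Pipe the real `sudo cscli bouncers list` output into `unhealthy_bouncers` with the current UTC time to get the same report for your own machine.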