Firewall

Once Caddy terminates TLS, the only public ports you need are SSH, TCP/80 (for ACME HTTP-01 challenges and the HTTPS redirect), and TCP/443.

UFW (Ubuntu / Debian default)

Before running ufw enable on a remote box:

  • Double-check the SSH port number. An off-by-one here will cut your session.
  • Keep a second SSH session open in another terminal as insurance.
  • Confirm no other service you care about is listening on a port you’re about to block (ss -tlnp).
# Detect your actual SSH port first — don't assume 22
sudo grep -i '^Port' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
# Replace 22 below with whatever Port is set to.
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow 22/tcp comment "ssh"   # use YOUR actual ssh port
sudo ufw allow 80/tcp comment "caddy acme+redirect"
sudo ufw allow 443/tcp comment "caddy https"
sudo ufw enable
sudo ufw status numbered
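As an added example (not from the original page), a small POSIX sh script that performs the pre-enable checks above: it reads the effective Port from the sshd config files, lists any non-loopback listening port that the planned rule set would block (given text from ss -tlnp), and prints the UFW plan from this page as a dry run. The file paths, the allow list and the sample ss lines are constructed for illustration; nothing here touches ufw itself.

```shell
#!/bin/sh
# Added example, not from the original page. Pre-flight checks before
# `ufw enable` on a remote host: find the real sshd Port, and list every
# non-loopback listening TCP port the planned rule set would NOT allow.

# detect_ssh_port FILE... : print the effective sshd Port, defaulting to 22.
# sshd keeps the FIRST value it sees for a keyword, and stock Debian/Ubuntu
# configs Include sshd_config.d/*.conf near the top, so pass drop-ins first.
detect_ssh_port() {
    port=$(cat "$@" 2>/dev/null \
        | grep -iE '^[[:space:]]*Port[[:space:]]+[0-9]+' \
        | head -n 1 | awk '{print $2}')
    echo "${port:-22}"
}

# unallowed_listeners "PORT PORT ..." SS_OUTPUT : print local addr:port of
# every listener (from `ss -tlnp` text) that is neither loopback-bound nor
# in the space-separated allow list; these are the ones ufw will cut off.
unallowed_listeners() {
    allowed=" $1 "
    printf '%s\n' "$2" | awk 'NR > 1 { print $4 }' \
        | while read -r local; do
            p=${local##*:}
            case "$local" in 127.*|"[::1]:"*) continue ;; esac  # loopback is unaffected
            case "$allowed" in *" $p "*) ;; *) echo "$local" ;; esac
          done | sort -u
}

# plan_ufw_rules SSH_PORT : print the rule set from the page with the
# detected SSH port substituted, to review before applying it for real.
plan_ufw_rules() {
    cat <<EOF
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow $1/tcp comment "ssh"
sudo ufw allow 80/tcp comment "caddy acme+redirect"
sudo ufw allow 443/tcp comment "caddy https"
EOF
}
```

On a live host you would call detect_ssh_port with /etc/ssh/sshd_config.d/*.conf followed by /etc/ssh/sshd_config, and feed unallowed_listeners the output of ss -tlnp.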

firewalld (RHEL / Fedora)

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

Cloud-provider security groups

Whatever firewall the VPS provider runs in front of your host (AWS Security Groups, Hetzner Cloud Firewall, DigitalOcean Cloud Firewall, etc.) needs the same rule shape: allow inbound 22 (or your SSH port), 80, 443 from 0.0.0.0/0 and ::/0; deny the rest.

UFW / firewalld only cover the host layer; the provider firewall is a separate layer in front of it. If port 80 is blocked at the cloud edge, ACME HTTP-01 challenges cannot complete and certificate issuance fails.

Do not expose Hiveloom’s upstream port

Hiveloom defaults to :3000. You do not want that open to the public; Caddy sits in front of it and proxies from loopback. The systemd page covers binding Hiveloom to 127.0.0.1:3000.

Next: Reverse proxy.