
How to configure Caddy as a TLS reverse proxy for your other apps


danb35 (Hall of Famer; joined Aug 16, 2011; 12,878 messages)
Plus, it would be great for everything to be accessible from Organizr (or something equivalent) to be used as landing page.
I've played with Organizr, and it gives a nice GUI. Caddy is a full-blown web server, and certainly could be used to serve it, but you'd kind of be on your own as far as configuration. For my installation, I just prepared a simple landing page using Skeleton, of which I posted a screen shot up-thread. Here's the HTML for that page:
Code:
<!DOCTYPE html>
<html lang="en">
<head>

  <!-- Basic Page Needs -->
  <meta charset="utf-8">
  <title>MyDomain LAN Services</title>
  <meta name="description" content="Landing page for apps.mydomain.com, explaining and giving links to available services">
  <meta name="author" content="danb35">

  <!-- Mobile Specific Metas -->
  <meta name="viewport" content="width=device-width, initial-scale=1">

  <!-- FONT -->
  <link href="//fonts.googleapis.com/css?family=Raleway:400,300,600" rel="stylesheet" type="text/css">

  <!-- CSS -->
  <link rel="stylesheet" href="css/normalize.css">
  <link rel="stylesheet" href="css/skeleton.css">

  <!-- Favicon -->
  <link rel="icon" type="image/png" href="images/favicon.png">

</head>
<body>

  <!-- Primary Page Layout -->
  <div class="container">
    <div class="row">
      <h2><strong>MyDomain LAN Services</strong></h2>
      <p>This server provides TLS termination and proxies for a variety of services provided in other FreeNAS jails and elsewhere on the LAN, as described and linked below.</p>
    </div>

  <div class="row">
    <div class="two columns"></div>
    <div class="ten columns">
      <h4>Installed web applications</h4>
      <ul>
        <li><a href="https://dup.mydomain.com/" target="_blank">Duplicati</a>:  Duplicati provides encrypted cloud backup to Google Drive for files on the FreeNAS server.</li>
        <li><a href="/nzbget/" target="_blank">NZBGet</a>:  NZBGet is a binary newsreader, downloading and decoding articles specified by .nzb index files</li>
        <li><a href="/radarr/" target="_blank">Radarr</a>:  Radarr is an automated movie indexing and downloading system.</li>
        <li><a href="/sabnzbd/" target="_blank">SABnzbd</a>:  SABnzbd is another binary newsreader.</li>
        <li><a href="/sonarr/" target="_blank">Sonarr</a>:  Sonarr functions as a DVR, indexing and downloading episodes of specified TV shows.</li>
        <li><a href="/tautulli/" target="_blank">Tautulli</a>:  Tautulli (formerly PlexPy) monitors the status of the Plex Media Server.</li>
        <li><a href="/transmission/" target="_blank">Transmission</a>:  Transmission is a Bittorrent client.</li>
        <li><a href="https://urb.mydomain.com/" target="_blank">Urbackup</a>:  Urbackup is a backup server for computers on the LAN.</li>
      </ul>
    </div>
    </div>
  </div>
<!-- End Document -->
</body>
</html>

Fancy? Not at all. But it's clean, readable, and has links for everything. I may play with Organizr a bit in the future, but probably not in the short term.

As far as setting this up for more of your apps, start by trying (and adapting with a suitable path and the proper URL to the service) the basic proxy block I give in the example Caddyfile--I've found that works more often than not. If it doesn't work immediately, I've found a few things to look at before you start Googling for examples:
  • Many applications have a setting for the "base URL"--of those I've tried, Radarr, Sonarr, and Tautulli have that setting. If the app has such a setting, set it to whatever path you're using (in my case, those would respectively be radarr, sonarr, and tautulli).
  • Some applications limit connections to certain specified FQDNs--two I've encountered with this limit are Duplicati and Transmission. For those apps, you can connect using an IP address, but they'll refuse connections to your FQDN unless you configure the app to accept that--in Transmission, the setting in settings.json is "rpc-host-whitelist".
  • Some applications don't appear to support being served as a subdirectory; two I've encountered with this limitation are Duplicati and Urbackup. IOW, I can't set a proxy for apps.mydomain.com/duplicati -> 192.168.1.20:8200. What I've had to do in those cases is assign separate hostnames for those, using separate blocks in the Caddyfile.
If those still don't get it working, a Google for "appname reverse proxy" will often find examples of how to do it, which you'd then need to convert to Caddy syntax. "appname reverse proxy caddy" might find something, but Caddy's still relatively new and nowhere near as popular as Apache or Nginx.

danb35
As I think about it further, there are other options for using Caddy with Organizr. The most obvious strikes me as what I mentioned above: serve it directly with Caddy (there are instructions here, though they're written with a Windows focus). But another option, if you have it running somewhere else, is to simply proxy the root of your FQDN there, like this:
Code:
org.yourdomain.com {
...
proxy / http://organizr_ip:port {
  transparent
}
}

danb35
OK, some very rough instructions on installing Organizr under Caddy in its own jail:
Code:
cat <<__EOF__ >/tmp/pkg.json
{
  "pkgs":[
  "nano","curl","openssl","sqlite3","bash","caddy","git",
  "php72-simplexml","php72-sqlite3",
  "php72-zip","php72-zlib","php72-hash","php72-xml",
  "php72-session","php72-pdo","php72-pdo_sqlite",
  "php72-curl","php72-bz2","php72-openssl",
  "php72-ldap","php72-json",
  "php72-memcache","php72-opcache","php72"
  ]
}
__EOF__

iocage create --name "organizr" -p /tmp/pkg.json -r 11.2-RELEASE ip4_addr="vnet0|192.168.1.66/24" defaultrouter="192.168.1.1" boot="on" host_hostname="organizr" vnet="on"

iocage console organizr
sysrc php_fpm_enable=YES
sysrc caddy_enable=YES
sysrc caddy_cert_email=me@example.com
service php-fpm start
mkdir -p /usr/local/www/html
chmod -R 777 /usr/local/www
nano /usr/local/www/Caddyfile


Contents:
Code:
*:80 {
gzip
root /usr/local/www/html/
fastcgi / localhost:9000 php
}


nano /usr/local/www/html/test.php
Contents:
Code:
<?php phpinfo(); ?>


service caddy start
Browse to http://IP/test.php and make sure you see a phpinfo page.
Code:
cd /usr/local/www/html/
git clone -b v2-develop https://github.com/causefx/Organizr
mv Organizr/* .

Browse to http://IP, you should see the Organizr setup page. From the information up-thread, you should be able to modify to handle SSL and an actual domain name.

ByteNick (Explorer; joined Jan 24, 2015; 98 messages)
Thank you so much. I started to work on it last night. First, I make sure everything works under Caddy before migrating to Organizr.
But, without any doubt now, Caddy is the way, that is to stay a bit on-topic.

I will post my findings, as soon as I have "tangible" results. Hass.io and Nextcloud seem to be more complicated to configure.

ByteNick
The JSON file above has an issue:
Code:
Please supply a valid JSON file with the format:
{
    "pkgs": [
    "foo",
    "bar"
    ]
}


However, I put it in a more familiar format (for me) and the jail installed. Then, after having started the caddy service above, it gives a
"404 Not Found" message.
I am looking further, maybe I will understand what is wrong.

danb35
The JSON file above has an issue:
Simple missing quote, fixed now.
"404 Not Found"
Is that when you're trying to reach test.php, or the Organizr installation?

Edit: Also, everything after the iocage create needs to be done in the jail--I've added an iocage console command to clarify that.

ByteNick
Meanwhile, on topic, Caddy setup progress report:

1. As mydomain.com/app:
OK: emby, tautulli, radarr, sonarr, lidarr, deluge, sabnzbd, nzbget.
NOK: plex-pass, transmission, headphones, calibre
Not tested: ombi, jackett

2. As sub.domain.com:
OK: ombi, urbackup, nextcloud, hass.io (home assistant)
NOK: duplicati
Not yet tested: Plex-pass

On a separate jail, I installed Organizr v2, and the situation is NOT identical:
1. As mydomain.com/app:
OK: emby, tautulli, radarr, sonarr, lidarr, deluge, sabnzbd, nzbget.
NOK: plex-pass, transmission, headphones, calibre
Not tested: ombi, jackett

2. As sub.domain.com:
OK: ombi, urbackup, nextcloud
NOK: duplicati
Not tested: Plex-pass, hass.io

Please note that nextcloud has been installed using your script, with STANDALONE_CERT set to 1

danb35
Did Deluge take any special configuration, or just
Code:
proxy /deluge http://blah:8112 {
  transparent
}

ByteNick
Finally managed to make Transmission work. Steps:
1. Stop transmission jail.
2. Edit settings.json (normally located at /usr/local/share/transmission/web/settings.json)
3. set "rpc-enabled": true and "rpc-host-whitelist": "caddy_proxy.mydomain.com"
4. Edit Caddyfile transmission block and set:
Code:
proxy /transmission 192.168.100.210:9091 {
    transparent
}

5. Buy @danb35 a beer; he definitely deserves it. ;-)

danb35
Finally managed to make Transmission work. Steps:
...and I'm still getting the 409 error with those steps. Strange. But Deluge is working, so maybe not a big deal.

ByteNick
...and I'm still getting the 409 error with those steps. Strange. But Deluge is working, so maybe not a big deal.
Maybe you did not modify the "rpc-url": "/transmission/" line in settings.json. That is also needed, in just about any case.

ByteNick
I am out of ideas. The only thing I can think of would be the "rpc-host-whitelist": "caddy_proxy.mydomain.com" . For me that was the game changer.

danb35
Yeah, and I have the rpc-host-whitelist set too. Not sure why it isn't working, but I'm not married to Transmission, and Deluge seems to be working fine (once I set appropriate permissions for the download directory). I'm OK with that.
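Since the Transmission steps above are spread over several posts (rpc-enabled, rpc-url, rpc-host-whitelist, and the jail IP Caddy connects from), here is a small check of a settings.json against a Caddy proxy block. It is an added example, not code from the thread or from the Transmission project; the sample settings, the proxy FQDN, path and Caddy jail IP are constructed values.

```python
import json
from fnmatch import fnmatch

# Constructed sample of the RPC keys in a Transmission settings.json.
# Hostname, path and addresses are made up for this example.
SAMPLE_SETTINGS = """{
  "rpc-enabled": true,
  "rpc-url": "/transmission/",
  "rpc-host-whitelist-enabled": true,
  "rpc-host-whitelist": "caddy_proxy.mydomain.com,*.lan",
  "rpc-whitelist-enabled": true,
  "rpc-whitelist": "127.0.0.1,192.168.100.*"
}"""


def _csv(value):
    """Split Transmission's comma-separated whitelist strings into a clean list."""
    return [item.strip() for item in str(value).split(",") if item.strip()]


def check_transmission_rpc(settings_json, proxy_fqdn, proxy_path, caddy_ip):
    """Return the settings that would make Transmission reject requests coming
    through a Caddy 'proxy <path> ... { transparent }' block; [] means OK."""
    s = json.loads(settings_json)
    problems = []
    if not s.get("rpc-enabled", False):
        problems.append('"rpc-enabled" must be true')
    # The web UI and RPC endpoint live under rpc-url, so it must equal the
    # path Caddy forwards, with the trailing slash Transmission expects.
    want_url = "/" + proxy_path.strip("/") + "/"
    if s.get("rpc-url", "/transmission/") != want_url:
        problems.append('"rpc-url" should be %r' % want_url)
    # 'transparent' passes the browser's Host header through, so the public
    # FQDN is what the host whitelist sees ('*' wildcards are allowed there).
    if s.get("rpc-host-whitelist-enabled", True):
        hosts = _csv(s.get("rpc-host-whitelist", ""))
        if not any(fnmatch(proxy_fqdn, pattern) for pattern in hosts):
            problems.append('"rpc-host-whitelist" must include %r' % proxy_fqdn)
    # The TCP connection itself comes from the Caddy jail, so its address,
    # not the browser's, has to pass the IP whitelist.
    if s.get("rpc-whitelist-enabled", True):
        addrs = _csv(s.get("rpc-whitelist", "127.0.0.1,::1"))
        if not any(fnmatch(caddy_ip, pattern) for pattern in addrs):
            problems.append('"rpc-whitelist" must include %r' % caddy_ip)
    return problems


if __name__ == "__main__":
    found = check_transmission_rpc(SAMPLE_SETTINGS, "caddy_proxy.mydomain.com",
                                   "/transmission", "192.168.100.5")
    print("\n".join(found) if found else "settings match the proxy block")
```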

Mara (Dabbler; joined Jan 14, 2017; 48 messages)
Hi Danb35,

You know I'm a noob, that's why I need more time to understand :)

If I understand correctly, Caddy could simply solve the procedure so that my Tautulli server is accessible in SSL for example? (with Let's Encrypt)