Reverse Proxy using Caddy (with optional automatic TLS)

[NasKar]

I can't seem to get a reverse proxy for sonarr,radarr and unifi to work. I'd like to be able to reach them only from my LAN.
Here is my Caddyfile attempt at creating the reverse proxy. Are there settings other than enabling Settings/General/enable ssl for sonarr and radarr? I presume I would go to mydomain.cf/sonarr to access the sonarr app for example.

Code:

{
#  acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
  email mydomain@gmail.com
}

mydomain.cf {
   @untrusted not remote_ip 192.168.5.0/24
   root * /usr/local/www/html/
   file_server @untrusted {
    index restricted.html
   }
   file_server
        reverse_proxy /unifi* 192.168.5.78:8443
        reverse_proxy /sonarr* 192.168.5.71:8989
        reverse_proxy /radarr* 192.168.5.73:9898
#   header {
#     enable HSTS
#     Strict-Transport-Security max-age=31536000;
#   }
}
cloud.mydomain.cf {

   encode gzip
   reverse_proxy http://192.168.5.81
   header {
     enable HSTS
     Strict-Transport-Security max-age=31536000;
   }
}

collabora.mydomain.cf {
   encode gzip

   @collabora {
     path /loleaflet/*          # Loleaflet is the client part of LibreOffice Online
     path /hosting/discovery    # WOPI discovery URL
     path /hosting/capabilities # Show capabilities as json
     path /lool/*               # Main websocket, uploads/downloads, presentations
  }
  reverse_proxy @collabora http://192.168.5.89:9980
}

 

[danb35]

Are there settings other than enabling Settings/General/enable ssl for sonarr and radarr?

I don't have this turned on for either Radarr or Sonarr. What I do have, and you'll need as well, is the URL Base--it's on the same page.

 

[NasKar]

I don't have this turned on for either Radarr or Sonarr. What I do have, and you'll need as well, is the URL Base--it's on the same page.

I have the URL BASE as /sonarr

But when I got to mydomain.cf/sonarr I get
Bad Request (Invalid host)
Is it correct that Proxy Settings is set to NO?
Is my Caddyfile correct?

 

[danb35]

Is it correct that Proxy Settings is set to NO?

That's how I have it.

Is my Caddyfile correct?

I couldn't say--again, I don't use this sort of restriction myself. I'd previously recommended taking the question to the Caddy forums, and I still believe that's the best place to find more expertise in the details of its syntax.

 

[NasKar]

Interesting it worked with radarr but not with sonarr. It's also live on the internet which I don't want. Is there a way for my to just have an ssl cert for unifi on my local LAN only?

 

[Basil Hendroff]

Is there a way for my to just have an ssl cert for unifi on my local LAN only?

With HTTP validation, NO; with DNS validation YES. See post https://www.ixsystems.com/community...with-optional-automatic-tls.75978/post-601228

With HTTP validation, the best you can do is hide unifi behind a basicauth directive, which adds another level of authentication. The advantage of this is that you don't see the login page for unifi first.

 

[NasKar]

With HTTP validation, NO; with DNS validation YES. See post https://www.ixsystems.com/community...with-optional-automatic-tls.75978/post-601228

With HTTP validation, the best you can do is hide unifi behind a basicauth directive, which adds another level of authentication. The advantage of this is that you don't see the login page for unifi first.

Had a issue with my pfsense router and it cause my dynamic IP to get reassigned. I noticed that the ddns didn't update cloudflare to the new IP. Looking in the logs it says it doesn't support free domains from Freenom. Can't use DNS validation and now DDNS doesn't update. I'm ready to take the plunge and get a domain. I was looking at Namecheap as it's only $8.88/yr and no charge to keep your personal information private. Any reason not to use them? I know Dan recommends EasyDNS but it's twice as expensive.

 

[danb35]

I know Dan recommends EasyDNS but it's twice as expensive.

I've used and liked EasyDNS, but as far as I'm concerned, a registrar is a registrar. When I've gotten a new domain in the last year or two, I've bought it through name.com IIRC, and then transferred to Cloudflare after 60 days--Cloudflare is a registrar, but I haven't seen a way to register a new domain there.

 

[NasKar]

Working on the DNS validation install. Getting an error installing the cloudflare plugin.

Code:

go: downloading github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e
# github.com/smallstep/certificates/authority/provisioner
/root/go/pkg/mod/github.com/smallstep/certificates@v0.15.0-rc.1.0.20200506212953-e855707dc274/authority/provisioner/jwk.go:155:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
/root/go/pkg/mod/github.com/smallstep/certificates@v0.15.0-rc.1.0.20200506212953-e855707dc274/authority/provisioner/x5c.go:197:24: assignment mismatch: 3 variables but x509util.SplitSANs returns 4 values
2020/09/05 17:00:56 [INFO] Cleaning up temporary folder: /tmp/buildenv_2020-09-05-1700.529598520
2020/09/05 17:00:56 [FATAL] exit status 2
Command: xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/cloudflare failed!
Failed to build Caddy with cloudflare plugin, terminating.

caddy-config

Code:

JAIL_IP="192.168.5.212"
DEFAULT_GW_IP="192.168.5.1"
POOL_PATH="/mnt/v1"
JAIL_NAME="caddy212"
CONFIG_PATH="${POOL_PATH}/apps/${JAIL_NAME}"
HOST_NAME="mydomain.com"
DNS_PLUGIN="cloudflare"

 

[ornias]

Sure. And if you want to be responsible for that, and have the infrastructure to have multiple geographically-diverse DNS servers, go for it--and Caddy will support that too.

This is really an old comment, but I want to highlight this is fundementally wrong.
DNS servers should idealy indeed be geographically seperated and there should be multiple, but nothing is forcing you to do so.

I've had some running with 2 servers in one country, one server, 2 VM's in same datacenter.
DNS is quite resilient, certainly when having a 5min TTL.


Not every world is a perfect world.
With a bit of luck you can have a secondairy server at a friend and one at your own lab, that would already cover the requriements for DNS nicely.

 

[danb35]

I want to highlight this is fundementally wrong.

It's only "fundamentally wrong" if you assume I meant this was an absolute requirement (which you'll note I didn't say). My recollection is that the relevant RFCs make this "mandatory", but it isn't enforced, so it ends up being "strongly recommended" instead.

 

[ornias]

It's only "fundamentally wrong" if you assume I meant this was an absolute requirement (which you'll note I didn't say). My recollection is that the relevant RFCs make this "mandatory", but it isn't enforced, so it ends up being "strongly recommended" instead.

Yeah, As soon as I hit send I hated formulating it that way. :')

That being said: Strongly recommended for mission critical system for sure, yes.
But lets be real, people not having the option to fetch 2 super cheap VPS boxes... those are not the people going to run any kind of mission critical system....

 

[danb35]

Getting an error installing the cloudflare plugin.

Looks like an upstream bug.

CONFIG_PATH="${POOL_PATH}/apps/${JAIL_NAME}"

Why are you setting this in your config file? It's the default from the script.

 

[NasKar]

Looks like an upstream bug.

Great timing <G>

Why are you setting this in your config file? It's the default from the script.

Probably a leftover from prior config file. I'll delete it.

 

[danb35]

Great timing <G>

Try removing "master" from line 136 of the script, so it reads like:

Code:

if ! iocage exec "${JAIL_NAME}" xcaddy build --output /usr/local/bin/caddy --with github.com/caddy-dns/"${DNS_PLUGIN}"

Does it work without that?

 

[NasKar]

Does it work without that?

My version of the scipt was one commit behind and didn't have the master option. After doing a git pull the master option was added in and the script completed without error. Thanks for you f/u

 

[bermau]

Hi,
for almost a year my jail with caddy reverse proxy has worked great.
I just updated my freenas to version 11.3 U.5 and now the sites set in Caddyfile are no longer reachable.
has anyone had the same problem?
I don't know what to do.

my caddy is V1.

Thanks you all.

BM

 

[bermau]

Hi,
for almost a year my jail with caddy reverse proxy has worked great.
I just updated my freenas to version 11.3 U.5 and now the sites set in Caddyfile are no longer reachable.
has anyone had the same problem?
I don't know what to do.

my caddy is V1.

Thanks you all.

BM

Sorry, forget it, this mornig everything works perfectly and I've done nothing.
Give me an advice, is it better update caddy to V2? Can I update my current jail or create a new one?
thanks

BM

 

[Basil Hendroff]

Can I update my current jail or create a new one?

Build a new one. Caddy V2 is a very different product to V1. Be prepared to spend some time reworking your Caddyfile, but it isn't too onerous.

 

[bermau]

Build a new one. Caddy V2 is a very different product to V1. Be prepared to spend some time reworking your Caddyfile, but it isn't too onerous.

OK, thanks for your answer.
BM