Reverse Proxy using Caddy (with optional automatic TLS)

[bermau]

Built new jail caddy V2, with DNS cloudflare plugin.
Reworked my caddyfile, all apps are perfectly reachable.

@danb35 your guide is fantastic.

thanks all

BM

 

[Basil Hendroff]

Updating Caddy

At the time of preparing this post, the current Caddy version is 2.2.1. To identify the official Caddy version, check https://github.com/caddyserver/caddy/releases. Follow the instructions below to keep your Caddy version current.

The instructions assume that you are using a terminal program such as PuTTY to access your caddy jail. Alternatively, though less desirable, you can use the main Shell in the FreeNAS/TrueNAS GUI. The instructions also assume that you don't just follow instructions blindly, but understand what the intent is behind each step.

1. Enter the Caddy jail iocage console caddy
2. Check the Caddy version caddy version. If it isn't, at least, the official version, continue.
3. Exit the jail exit.
4. Hopefully, you still have a copy of your caddy-config from the time you last built the Caddy V2 jail. Save a copy of it. If you can't find it, reconstruct it before proceeding to the next step. You can use the current jail characteristics to help you recreate it. It's a good idea to keep a copy of this file somewhere. It comes in handy each time you need to rebuild the Caddy jail.
5. Destroy the Caddy jail iocage destroy caddy -f. Your Caddyfile resides outside the jail and won't be affected. (If you're paranoid, rename the jail instead of destroying it first, alter the renamed jail to use DHCP to avoid an IP conflict when for the rebuilt jail, and save a copy of your Caddyfile).
6. Follow the instruction at https://github.com/danb35/freenas-iocage-caddy to download the installation script again and, together with the caddy-config from step 4, use it to rebuild the Caddy jail.

Repeat steps 1 and 2 to check your Caddy version. It should reflect the official downloadable Caddy version (see https://caddy.community/t/current-caddy-version/10287 if the version is +1 for the explanation).

The upgraded jail will continue to use your crafted Caddyfile. Confirm that your resources behind the Caddy reverse proxy are still accessible.

 

[danb35]

Be prepared to spend some time reworking your Caddyfile

So I just did this, this morning--I used my New and Improved™ Heimdall script (now with Caddy2 goodness!) to set up a new Heimdall jail, replacing my existing Caddy and Heimdall jails (which I had separate, as I'd set up Caddy before playing with Heimdall). And being a reckless sort, I just blew away the old jails (though I kept a copy of the old Caddyfile from the Caddy jail). Now the Caddy instance in the Heimdall jail is handling the reverse-proxy needs as well. Adding all that to the stock Caddyfile (for about a dozen apps, TLS, DNS validation with Cloudflare) took no more than about 15 minutes.

 

[sshftp]

The caddy-jail script now seems to break at line 125 due to the new version of go, version 1.16. I don't know anything about go, so I wasn't able to get it to work with the new version. Instead, I ssh'd into the jail that the script created and installed an older version of go, version 1.15.11. After that, following the script starting from line 120 seems to work.

 

[danb35]

The caddy-jail script now seems to break at line 125 due to the new version of go

Probably the same issue as this:

update xcaddy build command · danb35/freenas-iocage-nextcloud@f5defb5

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt - update xcaddy build command · danb35/freenas-iocage-nextcloud@f5defb5

github.com

I'll see what I can come up with.

Edit: Yep, that was it. Fixed:

Update xcaddy build command · danb35/freenas-iocage-caddy@536c686

Script to install Caddy V2 in a FreeNAS jail. Contribute to danb35/freenas-iocage-caddy development by creating an account on GitHub.

github.com

 

[sshftp]

I somehow messed up my mount points, so I just deleted the jail and ran your updating script. It worked flawlessly this time, thanks!

 

[xames]

I have some php pages that does not work, how to implement php on this script¿ Thanks.
I try php_fastcgi 127.0.0.1:9000
but no good results

 

[xames]

How to implement multiple domains over one caddy server? i try with the documentation but don't work me.

 

[xames]

please...

 

[Basil Hendroff]

please...

You haven't given forum members much to work with. I think you need to be explicit and explain exactly what you're trying to achieve, but please be aware of this Caddy README extract as well...

Though we'll try to help on that thread, once Caddy's up and running, the Caddy forum is likely to be a better resource for its configuration, particularly with applications whose reverse proxy settings prove to be difficult. Once you have something working, though, please post back in the iXSystems forum.

 

[danb35]

As Basil says (and as the README he quoted says), the Caddy forum is really the place to asking questions about how to make Caddy do what you want it to do. But if you want to use PHP, you'll need to have it installed in the jail--the script doesn't do that.

Edit: But multiple domains are trivial in a Caddyfile:

Code:

domain1.com {
file_server
root * /usr/local/www/domain1/
}

domain2.com {
file_server
root * /usr/local/www/domain2/
php_fastcgi localhost:9000
}
...

 

[xames]

As Basil says (and as the README he quoted says), the Caddy forum is really the place to asking questions about how to make Caddy do what you want it to do. But if you want to use PHP, you'll need to have it installed in the jail--the script doesn't do that.

Edit: But multiple domains are trivial in a Caddyfile:

Code:

domain1.com {
file_server
root * /usr/local/www/domain1/
}

domain2.com {
file_server
root * /usr/local/www/domain2/
php_fastcgi localhost:9000
}
...

Fine works.
Now i have another problem, my 443 and 80 port is redirected to the nextcloud jail created with your script time ago, how to redirect visitors of port 80 and 443 throught nextcloud jail or the other two pages (another caddy jail) with domain1 and domain2 like you say.

 

[xames]

On he caddy pages the browser say me to accept this certificate and press to continue, how to avoid this like a normal page?

NET::ERR_CERT_AUTHORITY_INVALID

 

[danb35]

From the README:

 

[xames]

ups sorry, now i have problems with the php files, say me:

HTTP ERROR 502

 

[xames]

When I try to redirect my nextcloud instance inside this Caddy Server redirect to the other jail, is that good, or its something "stupid":

nextcloud.mydomain.com {
tls {
dns cloudflare pvuBLABLA...auG5I2zk68dwnoNg2utqOHlMaO4Me
}
reverse_proxy 192.168.1.96:80
}

 

[danb35]

Probably a question for the Caddy forum, but you'd need to have PHP installed and running in order to serve any PHP pages.

 

[xames]

Any "for dummies" installation after your script?

This could work?

How to Install and Configure Caddy Web Server with PHP and MariaDB on Ubuntu 20.04

Caddy Web Server is a modern open-source web server written in GO language. In this tutorial, youll install and configure Caddy to run along with PHP...

www.howtoforge.com

 

[Basil Hendroff]

@xames I'm finding it very difficult to follow your posts. With each post, the problems seem to morph into something else. I think it would be helpful if you provide a copy of your caddy-config and the Caddyfile for your Caddy reverse proxy, with any credentials redacted.

Now i have another problem, my 443 and 80 port is redirected to the nextcloud jail created with your script time ago, how to redirect visitors of port 80 and 443 throught nextcloud jail or the other two pages (another caddy jail) with domain1 and domain2 like you say.

What you should be doing is placing your Nextcloud jail behind your Caddy reverse proxy, not the other way around, but that's jumping too far ahead atm. I think you need to convince forum members that you have TLS working with your reverse proxy first.

 

[xames]

All two domains are working fine with tls api from cloudflare... And if i try to make inverse... Put the pages inside the danb35 nextcloud jail based on the script? Could work?