Reverse Proxy using Caddy (with optional automatic TLS)

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
OK, Caddy jail is up and running. I have a basic HTML page served up as a proof of concept. So far, so good.

I'm currently using Dyn.com (formerly DynDNS.com, now owned by Oracle) as my domain name provider. I looked, but didn't see a package that supports this provider - am I missing something, or will I need to move to another provider?

Edit: I may be misthinking / overthinking this. A DNS provider is not the same as a Registrar - do I need a specific, dedicated DNS provider, or can I just use the defaults for the Caddy install script to work with my Dyn.com dynamic hostname?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The DNS provider is relevant to Caddy only if you're using DNS validation to obtain certificates--generally this will be done if you don't want to open ports 80/443 to the Caddy installation. What I remember from your other thread, though, is that this is what you intend to do, so in that case, Caddy doesn't care whose DNS you use.
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Good memory, and good call, thank you!

For documentation / other people looking into this - I am using a Dyn.com host name that resolves to my home IP based off a client on my router that checks in with Dyn.com and updates the records there. I am planning on forwarding ports on my router to my Caddy jail, so that I can then access various apps on my TrueNAS from the public internet (i.e. - NextCloud for files, Piwigo for family photos, etc.). Based off this, I do not need to use a DNS provider, since the ports will have public access.
 

nanopete

Dabbler
Joined
Nov 20, 2014
Messages
47
Searching this thread for SCALE, nothing comes up. Does anyone know of a resource of someone trying to set up a Caddy reverse proxy in TrueNAS SCALE, as a "Custom Application" / Docker?
I am thinking a lot of the people in this thread would be looking to that in the future?
I've tried the TrueCharts applications with Traefik instead of Caddy, but that feels quite locked and I've been told I can't change Traefik configuration if I do it that way.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
No, nothing about SCALE here; this is all CORE. And I'd honestly think Traefik would be the way to go if you needed a Reverse Proxy under SCALE. But if you want to use Caddy, there's a way to use docker-compose under SCALE; I'd look into that.
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
OK, on to the next challenge... I have my Caddy proxy up and running. I can browse to a simple HTML file at the root of it, no issue so far. I have a Nextcloud instance in a separate Jail at 10.0.0.242 - I can access that by browsing to the IP address, so I know that's up and running on its own (No Cert, it's going to be behind the Proxy, which has a working cert).

When I attempt to browse to https://gjschaller.homeftp.net/nextcloud, I get a blank white page. No error, no readings, up or down...

Caddyfile:
{
  email gjschaller@gmail.com
}

gjschaller.homeftp.net {
  root * /usr/local/www/html
  file_server
  reverse_proxy /nextcloud* 10.0.0.242
  reverse_proxy /piwigo 10.0.0.243
}

Nextcloud's Config.php:
<?php
$CONFIG = array (
  'passwordsalt' => '(Redacted)',
  'secret' => '(Redacted)',
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '10.0.0.241',
    2 => '10.0.0.242',
    3 => 'gjschaller.homeftp.net',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '23.0.4.1',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/tmp/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => '(Redacted)',
  'installed' => true,
  'instanceid' => '(Redacted)',
  'logtimezone' => 'America/New_York',
  'default_phone_region' => 'US',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
);

Of note - I can't access Nextcloud's IP using https - I just get "Connection Refused." Do I need to enable https on the Nextcloud server to be able to proxy to it from the Proxy Caddy?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I wasn't clear there--I'd meant to make that change to the Caddyfile in the Nextcloud jail, not in the Caddy jail--and that much works for me.

Using the subdirectory for a reverse proxy, though, is proving troublesome. Is it possible to use a subdomain? Something like cloud.gjschaller...?
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
OK, abandoning my previous attempt, making a new one using a Namecheap domain with dynamic DNS enabled.

At the moment, I have it working properly with www.asikon.net pointing to a basic HTML page. So far, so good.

What I can't seem to find in any examples is what to put into my Caddyfile to use nextcloud.aiskon.net as a reverse proxy for my NC Jail, which is at 10.0.0.242. Is there a sample line for using a subdomain that does nothing but point to / act as a reverse proxy?

EDIT: After posting this, I found an example (of course). The current contents of my Caddyfile are:

Code:
{
  email gjschaller@gmail.com
}

gjschaller.homeftp.net, www.aiskon.net {
  encode gzip
  root * /usr/local/www/html
  file_server
}

nextcloud.aiskon.net {
  encode gzip
  reverse_proxy http://10.0.0.242
}


However, I am getting a blank page - no error, nothing - when browsing to http://nextcloud.aiskon.net
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Edited my post above, you were too fast for my own good ;-). Tried both 10.0.0.242 and http://10.0.0.242 - still getting the blank pages.

Is there a way to tell if the issue is the reverse proxy, or Nextcloud's config?
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
From https://docs.nextcloud.com/server/l...ation_server/reverse_proxy_configuration.html under the "Caddy" section:

Code:
subdomain.example.com {
    rewrite /.well-known/carddav /remote.php/dav
    rewrite /.well-known/caldav /remote.php/dav

    reverse_proxy {$NEXTCLOUD_HOST:localhost}
}


That last line (in red) is confusing - I am guessing in my case it should be:

Code:
reverse_proxy {10.0.0.242:localhost}


Without solid examples on their end, and only generalizations, it's hard to tell.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
It isn't red, but it comes across fine nonetheless. I don't know what they mean by that; AFAIK it isn't valid Caddy syntax. You wouldn't want the braces (unless you wanted to specify other options as discussed in the Caddy docs), and you certainly wouldn't want to include the :localhost.
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
Figured it out - I had a typo in the host name in the nextcloud-config file when I re-created the jail. Everything is working properly now!
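
Added example, not part of the original posts: an offline check for the earlier question of whether the fault lies in the reverse proxy or in Nextcloud's config, and for the mistyped host name reported here. It lists every site address in a Caddyfile that proxies to the Nextcloud jail and flags any that is missing from `trusted_domains`. The sample Caddyfile, config.php and function names are constructed for illustration, and the parsing assumes indented site-block bodies as in the Caddyfiles posted in this thread.

```python
import re

# Constructed samples modelled on this thread's configs; 'asikon' is a deliberate typo.
CADDYFILE = """\
{
  email admin@example.org
}
www.aiskon.net {
  file_server
}
nextcloud.aiskon.net {
  reverse_proxy http://10.0.0.242
}
"""
CONFIG_PHP = """\
<?php
$CONFIG = array (
  'trusted_domains' =>
  array (
    0 => 'localhost',
    1 => '10.0.0.242',
    2 => 'nextcloud.asikon.net',
  ),
);
"""

def proxied_hosts(caddyfile, upstream):
    """Site addresses whose block has a reverse_proxy line naming `upstream`."""
    hosts = []
    # Top-level "addr[, addr] {" ... "}" blocks; the global options block has no address.
    for m in re.finditer(r"^([^\s{][^{\n]*)\{\n(.*?)^\}", caddyfile, re.M | re.S):
        if re.search(r"^\s*reverse_proxy\b.*" + re.escape(upstream) + r"\b", m.group(2), re.M):
            for addr in m.group(1).split(","):
                hosts.append(re.sub(r"^https?://", "", addr.strip()).split(":")[0].lower())
    return hosts

def trusted_domains(config_php):
    """Quoted entries of the 'trusted_domains' array in a Nextcloud config.php."""
    m = re.search(r"'trusted_domains'\s*=>\s*(?:array\s*\(|\[)(.*?)[)\]]", config_php, re.S)
    return [d.lower() for d in re.findall(r"'([^']*)'", m.group(1))] if m else []

def untrusted_hosts(caddyfile, config_php, upstream):
    """Proxied host names absent from trusted_domains (exact, case-insensitive match)."""
    trusted = set(trusted_domains(config_php))
    return [h for h in proxied_hosts(caddyfile, upstream) if h not in trusted]

if __name__ == "__main__":
    print("not in trusted_domains:", untrusted_hosts(CADDYFILE, CONFIG_PHP, "10.0.0.242"))
```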
 

GJSchaller

Contributor
Joined
Feb 10, 2021
Messages
100
OK, next challenge. I have several jails working properly, but none of them use ports other than the basics (80 and 443). I just set up a Plex server, with an internal URL of:


I tried setting up the reverse proxy for this, but got an SSL error when trying to browse from outside. At the moment, the only ports my router forwards are 80 and 443 (to the Proxy jail). Do I need to forward an additional port on my router, and would I forward it to the Proxy server, or the actual Plex jail?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I don't proxy my Plex server for external access; I forward port 32400 to the Plex jail and let Plex sort it out. But I do still have it set up in the proxy, so I can browse to plex.mydomain in my LAN and have it work. Here's all I have in the Caddyfile for it:
Code:
plex.mydomain.org {
        encode gzip
        reverse_proxy 192.168.1.12:32400
}
 