
Reverse Proxy using Caddy (with optional automatic TLS)

victort

Guru
Joined
Dec 31, 2021
Messages
973
Code:
{"level":"error","ts":1663338034.5880609,"logger":"tls.obtain","msg":"will retry","error":"[my.domain.ca] Obtain: [my.domain.ca] solving challenges: waiting for solver certmagic.solverWrapper to be ready: checking DNS propagation of _acme-challenge.my.domain.ca: NS my.my.cloudflare.com. returned SERVFAIL for _acme-challenge.my.domain.ca. (order=https://acme-staging-v02.api.letsencrypt.org/acme/order/68792424/4099082804) (ca=https://acme-staging-v02.api.letsencrypt.org/directory)","attempt":1,"retrying_in":60,"elapsed":7.476983261,"max_duration":2592000}
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
That's strange. What happens if you run dig @my.my.cloudflare.com txt _acme-challenge.my.domain.ca? Other errors wouldn't surprise me, but SERVFAIL doesn't seem like it should be happening.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
That's strange. What happens if you run dig @my.my.cloudflare.com txt _acme-challenge.my.domain.ca? Other errors wouldn't surprise me, but SERVFAIL doesn't seem like it should be happening.
Not getting errors when doing this. Everything appears valid.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Does the caddy instance itself need to be in the Caddyfile?

It isn’t right now. I only have two other instances (truenas, plcdevice) configured.

It works when forwarding ports to caddy…so that part works.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
There is no "for itself" to get a cert for--Caddy obtains (or tries to obtain) certs for FQDNs you specify in the Caddyfile (or in the JSON configuration if you want to be hard core). I'm not sure what else to suggest here--you may need to check in the Caddy forum.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
Excellent work.

1. So to update, since Caddy's files are all in the mount point, I can just rebuild another jail, after having renamed or deleted the old one.

2. Is it possible to just do reverse proxy internally without TLS (http to https redirect)?

3. How do I renew a cert manually to see if caddy is still able to do it after changing DNS rules? To confirm proper cert renewal.

4. Does it matter if the app it’s redirecting to has a self signed cert?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
1. So to update, since Caddy's files are all in the mount point, I can just rebuild another jail, after having renamed or deleted the old one.
You could do that, or you could just install upgrades in the jail itself.
2. Is it possible to just do reverse proxy internally without TLS (http to https redirect)?
I'm not quite sure what you're asking here. If you don't want Caddy to use HTTPS for a hostname, just specify port 80 for that host.
3. How do I renew a cert manually to see if caddy is still able to do it after changing DNS rules? To confirm proper cert renewal.
I'm not aware of a mechanism Caddy has for this.
4. Does it matter if the app it’s redirecting to has a self signed cert?
If that app is using HTTPS, it will cause an error. You can configure Caddy to ignore that if you wish.
 
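As an added illustration of answers 2 and 4 above (this is not config from the thread, from the caddy-jail script, or from Caddy's documentation), here is a Caddyfile with one plain-HTTP site for an internal app and one HTTPS site that proxies to a backend presenting a self-signed certificate. Hostnames, addresses and the CLOUDFLARE_API_TOKEN variable are placeholders, and the dns cloudflare line assumes a Caddy build that includes the Cloudflare DNS module, which the Cloudflare name servers in the log above suggest but do not confirm.

```caddyfile
# Added example, not the thread's or Caddy's own config.
# Hostnames, addresses and the token variable are placeholders.

# Internal-only app with no TLS: the http:// prefix turns off automatic HTTPS
# for this site, which is what "specify port 80 for that host" achieves.
http://plcdevice.lan {
	reverse_proxy 192.168.0.20:80
}

# Public name with automatic TLS via the DNS challenge, proxied to a backend
# that serves HTTPS with a self-signed certificate.
truenas.example.com {
	tls {
		# Assumes a Caddy build that includes the cloudflare DNS module.
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
	reverse_proxy https://192.168.0.10:443 {
		transport http {
			# Skips certificate verification on the Caddy -> backend hop only;
			# the browser-facing certificate is still fully validated.
			tls_insecure_skip_verify
		}
	}
}
```

The tls_insecure_skip_verify line is scoped to that one reverse_proxy, so it does not weaken any other site; it does mean the backend on that hop is no longer authenticated, so keep that hop on a trusted network segment. If you can export the backend's self-signed certificate, pointing the transport at it with tls_trusted_ca_certs keeps verification on instead.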

dfrey18

Cadet
Joined
Jun 11, 2023
Messages
5
I'm definitely a novice here, sorry. I'm trying to install caddy to reverse proxy jellyfin to my domain. I get an error when trying to run the script ./caddy-jail.sh. Any help is appreciated!

JAIL_INTERFACES not set, defaulting to: vnet0:bridge0
caddy successfully created!

Stopped caddy due to VNET failure
Failed to create jail
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
I'm definitely a novice here, sorry. I'm trying to install caddy to reverse proxy jellyfin to my domain. I get an error when trying to run the script ./caddy-jail.sh. Any help is appreciated!

JAIL_INTERFACES not set, defaulting to: vnet0:bridge0
caddy successfully created!

Stopped caddy due to VNET failure
Failed to create jail
What does your config file look like?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
JAIL_IP="192.168.1.2"
DEFAULT_GW_IP="192.168.0.1"
That's not going to work--your gateway needs to be on the same network as your jail.
 

victort

Guru
Joined
Dec 31, 2021
Messages
973
That's not going to work--your gateway needs to be on the same network as your jail.
And if it is then you forgot to add the /23 at the back of your IP. The script defaults to /24 if you don’t add that.
 

dfrey18

Cadet
Joined
Jun 11, 2023
Messages
5
That's not going to work--your gateway needs to be on the same network as your jail.
I'm pretty sure they are both on the same network, my home network. I only have one network as far as I know, my LAN. How can you tell if they're not on the same network?
And if it is then you forgot to add the /23 at the back of your IP. The script defaults to /24 if you don’t add that.
I didn't forget, rather I didn't even know I was supposed to. I added /23 to the back of both the jail IP and the gateway IP and got the same error.

JAIL_IP="192.168.1.2/23"
DEFAULT_GW_IP="192.168.0.1/23"

Did I do that incorrectly maybe?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
How can you tell if they're not on the same network?
You really need to read up on IP subnetting, in which respect Google will be your friend. But in short, unless you've set things up in a very unusual way (and if you'd deliberately done so, you should already know all of this), 192.168.0.x is a separate network from 192.168.1.x--those are both Class C subnets, with 24-bit netmasks. If you're running devices on more than one network, you'd need something to route between those two. It's possible--but frankly bizarre, and technically invalid--to set yourself up with, say, a 23-bit subnet, but I can't think of any reason you'd want to do so; if you need more than ~200 devices on a single network, just use one of the Class B ranges in 172.16.0.0/12.

tl;dr: if your router is at 192.168.0.1, everything on your network should probably have an address of 192.168.0.x.
 
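To make the subnet point concrete for the two config values quoted above, here is an added Python check (not part of the thread or the caddy-jail script) that reads JAIL_IP and DEFAULT_GW_IP from a config file the way the thread describes, applies the script's /24 default when JAIL_IP has no prefix, and reports whether the gateway actually lies inside the jail's network. The config parser, the sample config text and the diagnose function are all constructed for this example; the thread does not say whether the script accepts a /prefix on DEFAULT_GW_IP, so the example simply strips one if present.

```python
import ipaddress
import re

# Per the thread, caddy-jail.sh assumes /24 when JAIL_IP carries no prefix.
DEFAULT_PREFIX = 24

# Constructed sample of the two relevant lines from a caddy-jail config file
# (the values dfrey18 posted, before the /23 was added).
SAMPLE_CONFIG = '''
JAIL_IP="192.168.1.2"
DEFAULT_GW_IP="192.168.0.1"
'''

# Matches shell-style KEY="value" or KEY=value lines, ignoring trailing comments.
_ASSIGN = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)\s*=\s*"?([^"#]*?)"?\s*(?:#.*)?$')


def parse_config(text):
    """Pull KEY=value assignments out of a shell-style config file."""
    values = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def jail_interface(jail_ip):
    """JAIL_IP with the script's /24 default applied when no prefix is given."""
    if "/" not in jail_ip:
        jail_ip = f"{jail_ip}/{DEFAULT_PREFIX}"
    return ipaddress.IPv4Interface(jail_ip)


def gateway_address(gw_ip):
    """DEFAULT_GW_IP as a bare address; a /prefix suffix is dropped (assumption)."""
    return ipaddress.IPv4Interface(gw_ip).ip


def diagnose(jail_ip, gw_ip):
    """Return (ok, message) for a JAIL_IP / DEFAULT_GW_IP pair."""
    iface = jail_interface(jail_ip)
    gw = gateway_address(gw_ip)
    net = iface.network
    if gw not in net:
        return False, f"gateway {gw} is outside the jail network {net}"
    if gw in (net.network_address, net.broadcast_address):
        return False, f"gateway {gw} is the network or broadcast address of {net}"
    if gw == iface.ip:
        return False, f"gateway {gw} collides with the jail address"
    return True, f"gateway {gw} is inside {net}"


def diagnose_config(text):
    """Parse a config file's text and diagnose its JAIL_IP / DEFAULT_GW_IP."""
    cfg = parse_config(text)
    return diagnose(cfg["JAIL_IP"], cfg["DEFAULT_GW_IP"])


if __name__ == "__main__":
    # The three cases discussed in the thread: the original pair, the /23
    # variant, and a jail address moved onto the gateway's own /24.
    for jail, gw in [("192.168.1.2", "192.168.0.1"),
                     ("192.168.1.2/23", "192.168.0.1"),
                     ("192.168.0.2", "192.168.0.1")]:
        ok, msg = diagnose(jail, gw)
        print(f"JAIL_IP={jail} DEFAULT_GW_IP={gw}: {'OK' if ok else 'FAIL'} ({msg})")
```

Running it shows the failure the thread hit: with the default /24, 192.168.1.2 sits in 192.168.1.0/24 and 192.168.0.1 is outside it; with /23 the network becomes 192.168.0.0/23 and the gateway is inside. Python's ipaddress module accepts any prefix length, so the check itself says nothing about whether the router on the other end is actually configured for /23, which is the separate question raised in the thread.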

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
And if it is then you forgot to add the /23 at the back of your IP.
Though it's possible, isn't this an invalid configuration? 192.168.foo is a Class C range, which should have subnets of 8 bits or fewer. I'm not even sure the router would recognize it, though that might depend on the router @dfrey18 is using.
 