Reverse Proxy using Caddy (with optional automatic TLS)

danb35 · Apr 25, 2019

Mara said:
Caddy could simply solve the procedure so that my Tautulli server is accessible in SSL for example?

Yes, at least partially. If you want it to be accessible from outside your network, there would also be port forwarding, and some attendant risk.

Mara · Apr 25, 2019

danb35 said:
Yes, at least partially. If you want it to be accessible from outside your network, there would also be port forwarding, and some attendant risk.

Indeed, I'm looking for the easiest way to generate certs and integrate them into Tautulli. The fact that the port appears in my URL does not matter to me...

Mara · Apr 26, 2019

II wanted to test Caddy, I followed all your instructions "Create the jail and install Caddy", everything went well but 'Caddyfile' can not be found and I repeated two installation

danb35 · Apr 26, 2019

Mara said:
'Caddyfile' can not be found

You need to create it.

Mara · Apr 26, 2019

Ah okay! thx!

And if I understand, when you say "ports 80 and 443 must be forwarded to your Caddy jail, and stay that way" I nat 80 and 443 on my router with Caddy so therefore all my freenas plugins will have to go through Caddy after that?

rubberDuck4711 · Jun 20, 2019

I am trying to use this setup to proxy to nextcloud on a subpath of the reverse proxy but I do not seem to have any luck.
I have a let's encrypt domain cert for bla.net
I have nextcloud in a jail that is runs unter https://nc.bla,net and works fine
I have caddy in its own jail unter https://rosinante.bla.net with the caddyfile

https://rosinante.lagovallor.net {
gzip

log /usr/local/www/caddy.rosinante.bla.net.log {
rotate_age 14
rotate_size 10
}

errors /usr/local/www/caddy.rosinante.bla.net.errlog {
rotate_age 14
rotate_size 10
}

root /usr/local/www/html

tls {
load /usr/local/certs/bla.net/
}

proxy /nc https://nc.bla.net {
transparent
}
}

I get 502 error, if I change to proxy /nc/ https://nc.bla.net I get 404 errors. none of it works ...
BUT if I do not use a subpath aka: proxy / https://nc.bla.net it works .... what am I doing wrong??

tngri · Jun 30, 2019

Hi, just tried basic setup

Code:

*:80 {
  gzip
  root /usr/local/www/html/

  proxy /nzbget http://nzbget:6789/ {
    transparent
  }

  proxy /couchpotato http://couchpotato:5050 {
    transparent
  }

}

If I start the service, I got `rc variable $caddy_cert_email is not set. Please provide a valid SSL certificate issuer email.` error

danb35 · Jun 30, 2019

You need to set that variable regardless of whether you're using Let's Encrypt: sysrc caddy_cert_email="me@domain.com". Edit: this wasn't noted in the resource in the case where TLS wasn't used; fixed now.

theOneAndOnlyMrT · Aug 1, 2019

Thanks for the guide. I've been banging my head on the wall for a bit as I can't get the caddy service running. I've run this command:

Code:

sysrc caddy_env="CLOUDFLARE_EMAIL=myemail@gmail.com CLOUDFLARE_API_KEY=blahblah"

However, I am getting this...

Code:

/usr/local/www/Caddyfile:3 - Error during parsing: Setting up DNS provider 'cloudflare': cloudflare: some credentials information are missing: CLOUDFLARE_EMAIL,CLOUDFLARE_API_KEY

Any ideas?

danb35 · Aug 1, 2019

Maybe a dumb question, but you ran the sysrc command inside the jail, right?

theOneAndOnlyMrT · Aug 1, 2019

danb35 said:
Maybe a dumb question, but you ran the sysrc command inside the jail, right?

Yeah...I ran it again but it still didn't work. I may try and destroy the jail and try the steps again

theOneAndOnlyMrT · Aug 1, 2019

Well, I destroyed the jail and recreated it with the exact steps to the same issue. I can't seem to find any logs for Caddy (all the google searching I can find is in relation to Linux installs and not FreeBSD/FreeNAS). I decided to try something new and change it to your first config "No TLS" so the top of my Caddyfile looks like this:

*:80 {
gzip
root /usr/local/www/html/

With that configuration, Caddy starts up and everything works fine.

Are there any places I can check logs? Could my TLD have something to do with it? I'm using a .US domain.

danb35 · Aug 1, 2019

theOneAndOnlyMrT said:
Are there any places I can check logs?

The server log should be in /var/log/caddy.log. But the problems you note earlier sound more like the init script than Caddy itself, so it might not make it as far as writing a log file.

theOneAndOnlyMrT said:
I'm using a .US domain.

I wouldn't expect that to be an issue.

danb35 · Aug 2, 2019

theOneAndOnlyMrT said:
Well, I destroyed the jail and recreated it with the exact steps to the same issue.

What's the output of sysrc -a in the jail?

Dave-g08 · Aug 16, 2019

Thanks @danb35 for another great guide! Followed the guide TLS with DNS validation using a new domain with Cloudflare DNS which 'worked' but only if I forward ports 80 and 443 to the jail. Is there a way to see where the DNS validation is failing?

danb35 · Aug 16, 2019

Dave-g08 said:
Is there a way to see where the DNS validation is failing?

It should be in Caddy's log file: /var/log/caddy.log

Dave-g08 · Aug 18, 2019

with port 443 and 80 closed I get error 522 when trying to access the domain. caddy.log seems to show DNS challenge is working

Code:

2019/08/17 23:13:58 [INFO] [example.com] acme: Trying to solve DNS-01
2019/08/17 23:13:58 [INFO] [example.com] acme: Checking DNS record propagation using [8.8.8.8:53 8.8.4.4>
2019/08/17 23:13:58 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2019/08/17 23:13:58 [INFO] [example.com] acme: Waiting for DNS record propagation.
2019/08/17 23:14:01 [INFO] [example.com] acme: Waiting for DNS record propagation.
2019/08/17 23:14:03 [INFO] [example.com] acme: Waiting for DNS record propagation.
2019/08/17 23:14:05 [INFO] [example.com] The server validated our request
2019/08/17 23:14:05 [INFO] [example.com] acme: Cleaning DNS-01 challenge
2019/08/17 23:14:06 [INFO] [example.com] acme: Validations succeeded; requesting certificates
2019/08/17 23:14:08 [INFO] [example.com] Server responded with a certificate.

This is my config. http to https redirect works

Code:

example.com {
tls {
        dns cloudflare
}
gzip
root /usr/local/www/html/
proxy /transmission http://192.168.1.4:9091/ {
        transparent
}

}

danb35 · Aug 18, 2019

Dave-g08 said:
with port 443 and 80 closed I get error 522 when trying to access the domain.

When trying to access the domain from where? From elsewhere on your LAN, or from outside? If from outside, that's exactly as expected.

Dave-g08 said:
proxy /transmission http://192.168.1.4:9091/ {

I wasn't able to make Transmission work behind the proxy, FWIW.

Dave-g08 · Aug 18, 2019

danb35 said:
When trying to access the domain from where?

Yes, from on the same LAN. Do you need any port open on the caddy jail?

I've tried with sonarr and got the same result. You said 'own or control a live Internet domain'. I set up a new domain using cloudflare DNS and DNS-O-Matic. Is there anything I could have missed on this part of the setup?

danb35 · Aug 18, 2019

Dave-g08 said:
Do you need any port open on the caddy jail?

The jail opens the ports it needs. You're trying to browse using the FQDN, right? And does it resolve to your jail's IP address when you check from your LAN?

Important Announcement for the TrueNAS Community.

Reverse Proxy using Caddy (with optional automatic TLS)

Hall of Famer

Dabbler

Dabbler

Hall of Famer

Dabbler

Cadet

Dabbler

Hall of Famer

Dabbler

Hall of Famer

Dabbler

Dabbler

Hall of Famer

Hall of Famer

Dabbler

Hall of Famer

Dabbler

Hall of Famer

Dabbler

Hall of Famer

Similar threads