
Reverse Proxy using Caddy (with optional automatic TLS)

Joined
Jan 4, 2014
Messages
1,644
Destroyed the jail and started over. When I get to the curl step, it says "operation timed out". Maybe that is the problem: the plugin doesn't download.
I attempted to recreate your steps in a test jail. The curl command works fine for me.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Appreciate your doing that. After running it 10x it successfully installed, but I'm getting the error
Code:
acme: error presenting token: cloudflare: failed to find zone cf
Is there a way to verify the cloudflare plugin is functioning?
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Did a pkg install gnupg and got
Code:
Downloading Caddy for freebsd/amd64 (personal license)...
Download verification OK
Extracting...
Backing up /usr/local/bin/caddy to /usr/local/bin/caddy_old
(Password may be required.)
Putting caddy in /usr/local/bin (may require password)
v1.0.4
Successfully installed

@Basil Hendroff If I go with forwarding ports 80/443 to the caddy jail to get TLS with HTTP validation, will that work with your resource to get open office working?
 
Joined
Jan 4, 2014
Messages
1,644
2) DNS Validation is only if you don't want to expose the RP to the internet but still want to use https in your internal network?
You could use it even if the RP were accessible to the Internet, but I'm not sure there's a good reason to.
If I go with forwarding ports 80/443 to the caddy jail to get TLS with HTTP validation, will that work with your resource to get open office working?
I should have done it that way. I misinterpreted the Caddy instructions, though it still worked. Please try and let me know how it goes and I will then update the OnlyOffice resource. Thanks!
 
Joined
Jan 4, 2014
Messages
1,644
Could I convert my working nextcloud to work or would I have to start the nextcloud script with the NO_CERT option?
I believe you can, but again I haven't tested it. Please refer to this earlier post. Let me know how it goes. I'm interested.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
I think I'm over the rate limit. So I have to wait a week to try again.
Code:
failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So I have to wait a week to try again.
Probably not. If the limit is for failed authorizations, it expires after an hour.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Update:
I switched my port forwarding to the caddy jail from my router and now I can get the index.html page with a lock symbol. I installed a fresh version of nextcloud with dan's script with the option NO_CERT, with IP address 192.168.5.81 and HOST_NAME="cloud.mydomain.cf". If I ping cloud.mydomain.cf from the jail it returns my WAN IP.

My Caddyfile in the caddy jail:
Code:
mydomain.cf {

gzip
        root   /usr/local/www/html/


        proxy /tautulli http://192.168.5.62:8181/ {
              transparent
              header_upstream X-Forwarded-For {remote}
}
        proxy /sabnzbd http://192.168.5.72:8080/ {
              transparent
}
        proxy /sonarr http://192.168.5.71:8989/ {
              transparent
}
        proxy /radarr http://192.168.5.73:7878/ {
              transparent
}
        proxy /lidarr http://192.168.5.69:8686/ {
              transparent
}
        proxy /emby 192.168.5.67:8096 {            # https://emby.media/
              transparent
}


cloud.mydomain.cf {
   gzip
   proxy / 192.168.5.81/ {
        transparent
   }
}

}


1) Can I run 2 jails with nextcloud on my system? My old one and the new one set up with no SSL?
2) When I type in the IP of the new nextcloud jail I get "this site can't be reached", and the nextcloud_error.log is empty.
New nextcloud Caddyfile:
Code:
cloud.mydomain.cf:80 192.168.5.81:80 {

        root   /usr/local/www/nextcloud
        ....

3) My Caddyfile in the caddy jail: the cloud.mydomain.cf entry is bad, as caddy won't start with it.
4) Side issue: all the proxies work except sonarr; I get "bad request invalid host". URL Base in sonarr is set to "/sonarr".
 
Joined
Jan 4, 2014
Messages
1,644
3) My Caddyfile in the caddy jail: the cloud.mydomain.cf entry is bad, as caddy won't start with it.
The ending brace should be before cloud.mydomain.cf. Watch your indentation, e.g.:
Code:
mydomain.cf {

  gzip
  root   /usr/local/www/html/


  proxy /tautulli http://192.168.5.62:8181/ {
    transparent
    header_upstream X-Forwarded-For {remote}
  }
  proxy /sabnzbd http://192.168.5.72:8080/ {
    transparent
  }
  proxy /sonarr http://192.168.5.71:8989/ {
    transparent
  }
  proxy /radarr http://192.168.5.73:7878/ {
    transparent
  }
  proxy /lidarr http://192.168.5.69:8686/ {
    transparent
  }
  proxy /emby 192.168.5.67:8096 {            # https://emby.media/
    transparent
  }
}

cloud.mydomain.cf {
  gzip
  proxy / 192.168.5.81/ {
    transparent
  }
}
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
The ending brace should be before cloud.mydomain.cf. Watch your indentation, e.g.:
Moving the ending brace fixed caddy not starting.

I edited the new nextcloud jail config.php file and commented out the following lines, and it works from 192.168.5.81:
Code:
 # 'overwritehost' => 'cloud.mydomain.cf',
 # 'overwriteprotocol' => 'https',


Would you mind sharing a redacted version of your Caddyfile from the reverse proxy and your nextcloud config.php? Thanks.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Code:
cloud.mydomain.cf {

  gzip
  proxy / http://192.168.5.81 {
    transparent
  }
}

It works and I can reach nextcloud with cloud.mydomain.cf. I would still like to see your nextcloud config.php file if you don't mind.
 

sheenegarmi

Dabbler
Joined
Jul 26, 2019
Messages
18
See the Resource for the current version of these instructions.

Oops! We ran into some problems.
You do not have permission to view this page or perform this action.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Yeah, I should fix that. Click "Overview" at the top of the screen to get there:
(screenshot attached)
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
There's some discussion in this thread about using Nextcloud behind this reverse proxy, so I expect it's possible. I don't use it that way, though.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
"You must own or control a live Internet domain (or subdomain)--I'll use sub.example.com" Can you use a RP like this if you have a freenom domain and Cloudflare DNS, or do you have to purchase a domain to use it from the internet?
I don't think I've re-addressed this question. At the time you asked a few months ago, I said a freenom domain was fine. Since then, apparently as a result of abuse, Cloudflare has limited API DNS control on their free plan such that it doesn't work with freenom domains any more. You can either upgrade your Cloudflare plan, or register a normal domain--I expect the latter will cost much less; most TLDs I've seen run between US$10-15/year.

Cloudflare is also a domain registrar, though I haven't yet seen that you're able to register new domains there, just transfer them. So I'd register your desired domain at, e.g., easydns.com, and after 60 days have elapsed, transfer it to Cloudflare.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I've now updated this resource to use Caddy v2. Installation is now done using a script, as I've done with Nextcloud. Any questions or issues can still be discussed here.
 

NasKar

Guru
Joined
Jan 8, 2016
Messages
739
Very well written and informative Readme. Thanks for updating the guide to Caddy v2. Any recommendations on the best way to change from v1 to v2? I.e. stop the current caddy jail and install v2 in a new jail like caddy2, test, and then destroy the caddy v1 jail when all is working? Any other recommendations?

Edit: change the port forward on router to new caddy2 jail
 
Joined
Jan 4, 2014
Messages
1,644
I suggest you stop the V1 jail, rename it something like caddy1, then restart it and make sure your reverse proxy is still functioning. It will take you a while to get your head around the new syntax for V2 and you'll need time to migrate your Caddyfile across.

and install v2 in a new jail like caddy2
While you certainly can do this, the script defaults to using the name caddy, so the path of least resistance is to name your V2 jail so.

If you've exposed your reverse proxy to the internet, ports 80 and 443 will be forwarded to your V1 jail. Be prepared to switch the ports between your V1 and V2 jails several times while you're doing the migration. You may not be able to complete the migration in one sitting so you'll need to keep your V1 reverse proxy working until then. Before you start the migration, make a backup copy of your V1 Caddyfile just in case you mess up your working copy.

I recommend migrating a simpler Caddyfile block first. Once you've got that working, migrate and test other blocks that look similar. Repeat for other groups of look-alike code blocks. Deal with unique code blocks last.

As you get familiar with the syntax, you'll begin to notice that the V2 code blocks are considerably shorter and more readable as well. Good luck and enjoy the journey.

test and then destroy caddy v1 jail when all is working?
I'd keep the V1 jail around after the migration, at least for a while (I'm nostalgic like that), but turn it off and uncheck jail autostart.
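As an added illustration of the migration advice above (not part of this thread or the resource), here is the corrected v1 Caddyfile from earlier in the thread rewritten in Caddy v2 syntax, assuming the same hostnames and upstream addresses. There is no v2 keyword for `transparent`: `reverse_proxy` passes the Host header through and sets X-Forwarded-For/Proto by default, so only X-Real-IP needs an explicit header.

```caddyfile
# Caddy v2 rewrite of the v1 Caddyfile posted earlier in this thread (added example).
# Site addresses without a port get automatic HTTPS; with ports 80/443 forwarded
# to this jail the HTTP challenge is used, so no DNS plugin is needed for this case.
mydomain.cf {
    encode gzip
    root * /usr/local/www/html
    file_server

    # v1 "proxy /path upstream { transparent }" becomes reverse_proxy with a
    # path matcher. The /path prefix is passed upstream unchanged, as in v1, so
    # each app still needs its URL base set (e.g. "/sonarr" in Sonarr).
    # Host is preserved and X-Forwarded-For/Proto are set automatically;
    # X-Real-IP is added explicitly because v1's "transparent" preset set it.
    reverse_proxy /tautulli* 192.168.5.62:8181 {
        header_up X-Real-IP {remote_host}
    }
    reverse_proxy /sabnzbd* 192.168.5.72:8080
    reverse_proxy /sonarr*  192.168.5.71:8989
    reverse_proxy /radarr*  192.168.5.73:7878
    reverse_proxy /lidarr*  192.168.5.69:8686
    reverse_proxy /emby*    192.168.5.67:8096   # https://emby.media/
}

cloud.mydomain.cf {
    encode gzip
    # Plain HTTP to the NO_CERT Nextcloud jail; TLS terminates at this proxy.
    reverse_proxy 192.168.5.81:80
}
```

Run `caddy validate --config /path/to/Caddyfile` in the v2 jail before switching the router port forwards, so a syntax error is caught while the v1 jail is still serving.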
 