
Reverse Proxy using Caddy (with optional automatic TLS)

victort

Guru
Joined
Dec 31, 2021
Messages
952
Does this give each reverse proxied service its own cert? Or just caddy?
If not, how do you access services locally with a valid cert?

Does the Caddyfile use tab or 4 spaces on each line?

In the installation, don’t you have to define the token and zone info?
Even within the Caddyfile there is nothing about zone info.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Does this give each reverse proxied service its own cert? Or just caddy?
It creates certs for each FQDN you define, but (unless you make other arrangements) only Caddy uses them.
If not, how do you access services locally with a valid cert?
Two possibilities:
  • Use local/split-horizon DNS to point those FQDNs to the Caddy jail
    • e.g., say Caddy's running on 192.168.100.10, and you're using it to reverse proxy Ombi at 192.168.100.20. Your local DNS should point ombi.yourdomain to 192.168.100.10
    • This naturally depends on your being able to configure your local DNS this way; most consumer routers are sufficiently brain-dead that you can't do it there. OPNsense and pfSense both allow it, or you could run a Pi-Hole instance for this purpose instead
  • Hairpin NAT
    • In this arrangement, there's no unique local DNS; ombi.yourdomain would resolve using public DNS to whatever your public IP is. Your router then turns that around, follows its own port-forwarding rules, and forwards the query to your Caddy jail, which then proxies it as usual.
    • Downside here is that not all routers support it. OPNsense handles it well; I wasn't able to make pfSense do it, and I really don't have enough experience with others to say.
The bottom line in either case is that when you try to browse to ombi.yourdomain on a LAN device, that query hits your Caddy instance, which presents a valid TLS cert, handles the TLS termination, and then proxies the query to whatever other local resource is desired.

Note that I've mentioned both pfSense and OPNsense--if you're using either of those, they support running the reverse proxy directly on the router (you can even run Caddy on OPNsense), and I'd recommend that instead. But if your router doesn't support acting as a reverse proxy, this script and jail give you an alternative.
In the installation, don’t you have to define the token and zone info?
Even within the Caddyfile there is nothing about zone info.
As the textbooks of old would say, this is left as an exercise for the reader--mainly because there are so many ways to handle it. The script will install Caddy with the desired DNS plugin, but configuring it is up to you.
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
As for HAProxy on pfSense, do I point the DNS to the router IP?
I’ll try that first.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
As for HAproxy on pfsense, do I point the dns to the router IP?
Certainly the external DNS. For internal DNS, yes, but you'd want hairpin NAT working for that, I think.

I've been back and forth between pfSense and OPNsense for a while (there's a thread in the OT forum if you're interested), and went back to OPNsense recently--and there's a third-party plugin for Caddy on OPNsense. And even though the only GUI it offers is a checkbox to enable and a text field to enter the Caddyfile (which you have to write yourself), I find it much easier to use that than I did HAProxy on OPNsense, which I found easier to use than HAProxy on pfSense.
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
About the Caddyfile, does it use tab or spaces on the lines?
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
Basically I’m looking to do local TLS with trusted certs (for Bitwarden etc.) locally, without external access.

1. Nginx
2. Caddy
3. HAproxy
4. HTTP TLS (not preferred as it requires outside access)
5. DNS Validation (which Bitwarden doesn’t do on its own)

These are my options. Caddy seems nice, but if pfSense can do HAProxy, I’ll try that first.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
About the Caddyfile, does it use tab or spaces on the lines?
It doesn't strictly matter; Caddyfile syntax isn't nearly as demanding as, say, YAML. I use spaces; I'm not sure it prefers one vs. the other.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Basically I’m looking to do local TLS with trusted certs (for Bitwarden etc.) locally, without external access.
If the point is to do this without external access, HAProxy on pfSense may not be the answer you're looking for--I don't know that it's designed to work in that scenario. But pfSense can get a cert using DNS validation, and HAProxy can use that cert, so it may do the job.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
I'm pretty sure if Caddy's running, it has a cert--it will fall over and die rather than run without one. But if you're browsing by IP rather than by name, you'll get a cert error.
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
I'm pretty sure if Caddy's running, it has a cert--it will fall over and die rather than run without one. But if you're browsing by IP rather than by name, you'll get a cert error.
Lol. No, I am using domains.

Code:
{
        # global options; the staging CA line is commented out, so the production CA is used
        # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        email myemail.domain.com
}

mymain.domain.ca {
        # only this site block configures the DNS challenge (Cloudflare API token)
        tls {
                dns cloudflare longtokenthatisvalid
        }
        root * /usr/local/www/html
        file_server
}

# proxied sites: no tls block here, so Caddy uses its default challenges for these names
my.domain.ca {
        encode gzip
        reverse_proxy 192.168.1.132
}

myother.domain.ca {
        encode gzip
        reverse_proxy 192.168.1.133
}
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,458
Is that with Chrome? If so, does Firefox show any more detail? You can also check the log file in the jail--I think it's at /var/log/caddy/caddy.log.
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
Is that with Chrome? If so, does Firefox show any more detail? You can also check the log file in the jail--I think it's at /var/log/caddy/caddy.log.
Yes, it seems like it's trying to get in via port forward with connection refused.
I'm not sure, but the token is set up properly to allow DNS validation though...
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
Do all of the domains I proxy need to be DNS validated?
As I understand, only the Caddy DNS name needs that.
Also I'm finding that I have to edit the Caddyfile from the Caddy jail instead of the apps/caddy directory.
 

victort

Guru
Joined
Dec 31, 2021
Messages
952
Yes, it seems like it's trying to get in via port forward with connection refused.
I'm not sure, but the token is set up properly to allow DNS validation though...
This is not the zone token, but the API token.
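As an added example that is not from the thread or from the script it discusses: a small Python reader for a Caddyfile of the shape posted above, which ignores indentation (tabs or spaces, as Caddy does) and reports which site blocks carry a `tls { dns ... }` block or a global `acme_dns` option; any site without one is validated over HTTP-01/TLS-ALPN-01, which needs the CA to reach the proxy on ports 80/443. Hostnames and the token are constructed placeholders, and `parse_caddyfile` and `sites_needing_inbound_validation` are hypothetical helper names.

```python
# Added example (not from the thread): hostnames and the token below are constructed placeholders.
SAMPLE_CADDYFILE = """\
{
\temail admin@example.com
}
mymain.example.com {
\ttls {
\t\tdns cloudflare PLACEHOLDER_API_TOKEN
\t}
\tfile_server
}
app.example.com {
    encode  gzip
    reverse_proxy 192.168.1.132
}
"""
def parse_caddyfile(text):
    """Return {'global_dns_challenge': bool, 'sites': {address: has_per_site_dns_challenge}}.
    Indentation (tabs or spaces) is ignored, as Caddy ignores it. Assumes the posted layout:
    an opening '{' ends a line and a closing '}' sits alone on a line."""
    result = {'global_dns_challenge': False, 'sites': {}}
    stack = []                                # open blocks, e.g. ['app.example.com', 'tls']
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and all leading whitespace
        if not line:
            continue
        if line == '}':
            stack.pop()
            continue
        words = line.rstrip('{').split()
        if not stack:                         # top level: bare '{' = global options, else a site
            stack.append(' '.join(words) or '(global)')
            if stack[0] != '(global)':
                result['sites'][stack[0]] = False
            continue
        if stack[0] == '(global)' and words[:1] == ['acme_dns']:
            result['global_dns_challenge'] = True    # global acme_dns covers every site
        elif stack[0] in result['sites'] and stack[-1] == 'tls' and words[:1] == ['dns']:
            result['sites'][stack[0]] = True         # per-site 'tls { dns <provider> ... }'
        if line.endswith('{'):
            stack.append(words[0] if words else '{')
    return result

def sites_needing_inbound_validation(parsed):
    """Sites with neither 'tls { dns ... }' nor a global acme_dns: Caddy will fall back to
    HTTP-01/TLS-ALPN-01, which only succeed if the CA can reach the proxy on ports 80/443."""
    if parsed['global_dns_challenge']:
        return []
    return sorted(a for a, has_dns in parsed['sites'].items() if not has_dns)
```

Run against the sample, only `app.example.com` is reported, which is the case where a missing port forward shows up as a failed challenge rather than a DNS-token problem.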
 