I have a working HAProxy configuration. It took me quite some time to work out the details of adding TLS termination (SSL offloading) for each of my services, using certificates issued by the ACME Client plugin.
However, now that Caddy is also available as a plugin in the mimugmail repo, I would like to switch to Caddy 2, since example configurations are easier to find for it. Will the ACME Client plugin still be needed after switching to Caddy, given that Caddy obtains and renews the Let's Encrypt certificates on its own?
Can someone help me convert the HAProxy config into a Caddy config? I want the switch to be seamless: once I move to Caddy, all my services must remain reachable, and my password manager is one of them. Losing access to that would cause a lot of consternation.
Once the Caddy 2 config is built, do I just paste it into the mimugmail Caddy plugin, enable the Caddy service and disable the HAProxy service?
Here's my HAProxy config:
#
# Automatically generated configuration.
# Do not edit this file manually.
#
global
# Process identity: after binding its sockets HAProxy drops to uid/gid 80 and chroots into /var/haproxy.
uid 80
gid 80
chroot /var/haproxy
daemon
# Runtime API socket at "admin" level: anyone in group "proxy" can disable servers and change live settings,
# so membership of that group is effectively proxy-admin.
stats socket /var/run/haproxy.socket group proxy mode 775 level admin
nbthread 1
# On reload the old process is killed at most 60s after being told to stop, even with clients still attached.
hard-stop-after 60s
no strict-limits
# DH parameters only matter for DHE suites; the bind line in frontend "https" lists ECDHE suites only,
# so this is just a floor should a DHE suite ever be added.
tune.ssl.default-dh-param 2048
spread-checks 2
tune.bufsize 16384
tune.lua.maxmem 0
# "debug" is the most verbose syslog level; once the setup is stable, "info" is the usual choice so the
# OPNsense log is not flooded (and, if request logging is enabled, does not retain full URLs longer than needed).
log /var/run/log local0 debug
lua-prepend-path /tmp/haproxy/lua/?.lua
defaults
log global
# -1 (the default) redispatches to another server on the last retry; every backend below has a single
# server, so in practice this only allows retries against that same server.
option redispatch -1
# 30s of inactivity on either side aborts the request. NOTE(review): no "timeout tunnel" is set, so
# long-idle WebSocket sessions (e.g. the Proxmox/PBS consoles) and slow uploads may be cut at 30s — verify
# before relying on them through the proxy.
timeout client 30s
timeout connect 30s
timeout server 30s
retries 3
# Server address resolution order on startup; every server below is a literal IP, so this is moot here.
default-server init-addr last,libc
# autogenerated entries for ACLs
# autogenerated entries for config in backends/frontends
# autogenerated entries for stats
# Frontend: https (HAProxy Public Service for all LAN services)
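frontend https
# Single TLS-terminating entry point on the LAN address 192.168.1.1:443. Every *.mydomain.com name is
# routed by the Host header; the first matching "use_backend" below wins, and a Host that matches nothing
# gets a 503 from HAProxy because no default_backend is defined.
#
# HSTS (~6 months) is sent on every response that passes through this frontend.
http-response set-header Strict-Transport-Security "max-age=15768000"
# TLS 1.2 minimum, certificates from the crt-list generated by the ACME Client plugin.
# NOTE(review): "prefer-client-ciphers" lets the client's cipher order win over this list, and the TLS 1.2
# list ends with two CBC (non-AEAD) suites; both are policy choices from the OPNsense GUI rather than defects.
bind 192.168.1.1:443 name 192.168.1.1:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605e453acf0e75.09310296.certlist
mode http
option http-keep-alive
# Appends the client address to X-Forwarded-For. A client-supplied X-Forwarded-For is kept in front of it,
# so an upstream that trusts the *first* entry can be fed a spoofed address. If any upstream does that
# (rate limiting, audit logs), add "http-request del-header X-Forwarded-For" before this option.
option forwardfor
# logging options
# Host ACLs: "hdr(host) -i name" is an exact, case-insensitive match, so "name:443" would not match
# (only the omada backend handles a port suffix). Path ACLs for Nextcloud are combined with its host ACL
# below so they cannot fire for other services.
# ACL: nc_caldav
acl acl_6075fbe5edde88.14416266 path_end -i /.well-known/caldav
# ACL: nextcloud
acl acl_6068e929c25802.40129836 hdr(host) -i nextcloud.mydomain.com
# ACL: nc_carddav
acl acl_6075f978b44654.46404459 path_end -i /.well-known/carddav
# ACL: nc_nodeinfo
acl acl_609d839568e351.48169054 path /.well-known/nodeinfo
# ACL: nc_webfinger
acl acl_609d8379f35913.09534187 path /.well-known/webfinger
# ACL: firefly
acl acl_60b8e127010005.49996293 hdr(host) -i firefly.mydomain.com
# ACL: adguard
# FIX: "[adguard|agh]+" was a bracket expression (the characters a d g u r | h, repeated), not an
# alternation, so hosts such as "guard.mydomain.com" or "dug.mydomain.com" also matched and were routed
# to adguard. Grouping with (...) restores the intended two names. This file is regenerated by OPNsense:
# apply the same expression to the ACL in the GUI.
acl acl_633c7fddce7da1.80920986 hdr_reg(host) -i ^(adguard|agh)\.mydomain\.com$
# ACL: amcrest
acl acl_60d3aaa0ca9ba7.98361344 hdr(host) -i cam1.mydomain.com
# ACL: apnet
acl acl_605e44279e3b56.98854478 hdr(host) -i apnet.mydomain.com
# ACL: dl
acl acl_606945b7508907.10161822 hdr(host) -i dl.mydomain.com
# ACL: dl2
acl acl_60694bc7097d72.55498217 hdr(host) -i dl2.mydomain.com
# ACL: home
acl acl_605e77060755c7.74232910 hdr(host) -i home.mydomain.com
# ACL: homer
acl acl_62351a098660c6.48798884 hdr(host) -i homer.mydomain.com
# ACL: emby
acl acl_6068ee14c01084.16274607 hdr(host) -i emby.mydomain.com
# ACL: jellyfin
acl acl_60affb35076bb2.76934816 hdr(host) -i jellyfin.mydomain.com
# ACL: nas
acl acl_6068e7c9290ad9.26389997 hdr(host) -i nas.mydomain.com
# ACL: netdata
acl acl_6068e847835b87.41206608 hdr(host) -i netdata.mydomain.com
# ACL: office
acl acl_6068e93d924d11.74924956 hdr(host) -i office.mydomain.com
# ACL: omada1
acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
# ACL: pbs
acl acl_631fdfac2e34a6.66731673 hdr(host) -i pbs.mydomain.com
# ACL: proxmox
acl acl_60695b2ef32f30.68592514 hdr(host) -i proxmox.mydomain.com
# ACL: scanner
acl acl_6068e967a37f63.90582969 hdr(host) -i scanner.mydomain.com
# ACL: shinobi
# FIX: same bracket-expression mistake as adguard; "(shinobi|cctv)" matches exactly the two intended names.
acl acl_60d2b1089c1d58.17520071 hdr_reg(host) -i ^(shinobi|cctv)\.mydomain\.com$
# ACL: switch
acl acl_605e444bbaa5f0.93057342 hdr(host) -i switch.mydomain.com
# ACL: ups
acl acl_605e7dd7be0f73.35996982 hdr(host) -i ups.mydomain.com
# ACL: vaultwarden
# FIX: "[bit|vault]+warden" also matched e.g. "tabwarden" or "vaultvaultwarden"; "(bit|vault)warden"
# matches only bitwarden.mydomain.com and vaultwarden.mydomain.com.
acl acl_63276269c65d47.19509789 hdr_reg(host) -i ^(bit|vault)warden\.mydomain\.com$
# ACL: x9scl
acl acl_6068e97b2a02f8.85789703 hdr(host) -i x9scl.mydomain.com
# ACL: x10slh
acl acl_6068e98e041167.98049410 hdr(host) -i x10slh.mydomain.com
# Nextcloud service-discovery redirects (CalDAV/CardDAV to /remote.php/dav, nodeinfo/webfinger to
# /index.php/...), all gated on the nextcloud host ACL. These run before any use_backend.
# ACTION: nc_caldav
http-request redirect code 301 location /remote.php/dav if acl_6075fbe5edde88.14416266 acl_6068e929c25802.40129836
# ACTION: nc_carddav
http-request redirect code 301 location /remote.php/dav if acl_6075f978b44654.46404459 acl_6068e929c25802.40129836
# ACTION: nc_nodeinfo
http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d839568e351.48169054 acl_6068e929c25802.40129836
# ACTION: nc_webfinger
http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d8379f35913.09534187 acl_6068e929c25802.40129836
# ACTION: fireflyHeaderProto
# Only firefly is told that the client connection was HTTPS; every other plain-HTTP upstream (nextcloud,
# vaultwarden, ...) sees no X-Forwarded-Proto and must be configured on its own side for the https scheme.
http-request set-header X-Forwarded-Proto https if acl_60b8e127010005.49996293
# Routing: first match wins, in this order.
# ACTION: adguard
use_backend adguard if acl_633c7fddce7da1.80920986
# ACTION: amcrest
use_backend amcrest if acl_60d3aaa0ca9ba7.98361344
# ACTION: apnet
use_backend apnet if acl_605e44279e3b56.98854478
# ACTION: dl
use_backend dl if acl_606945b7508907.10161822
# ACTION: dl2
use_backend dl2 if acl_60694bc7097d72.55498217
# ACTION: home
use_backend home if acl_605e77060755c7.74232910
# ACTION: homer
use_backend homer if acl_62351a098660c6.48798884
# ACTION: emby
use_backend emby if acl_6068ee14c01084.16274607
# ACTION: firefly
use_backend firefly if acl_60b8e127010005.49996293
# ACTION: jellyfin
use_backend jellyfin if acl_60affb35076bb2.76934816
# ACTION: nas
use_backend nas if acl_6068e7c9290ad9.26389997
# ACTION: netdata
use_backend netdata if acl_6068e847835b87.41206608
# ACTION: nextcloud
use_backend nextcloud if acl_6068e929c25802.40129836
# ACTION: office
use_backend office if acl_6068e93d924d11.74924956
# ACTION: omada
use_backend omada if acl_6068e953c1b204.65701206
# ACTION: pbs
use_backend pbs if acl_631fdfac2e34a6.66731673
# ACTION: proxmox
use_backend proxmox if acl_60695b2ef32f30.68592514
# ACTION: scanner
use_backend scanner if acl_6068e967a37f63.90582969
# ACTION: shinobi
use_backend shinobi if acl_60d2b1089c1d58.17520071
# ACTION: switch
use_backend switch if acl_605e444bbaa5f0.93057342
# ACTION: ups
use_backend ups if acl_605e7dd7be0f73.35996982
# ACTION: vaultwarden
use_backend vaultwarden if acl_63276269c65d47.19509789
# ACTION: x9scl
use_backend x9scl if acl_6068e97b2a02f8.85789703
# ACTION: x10slh
use_backend x10slh if acl_6068e98e041167.98049410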
# Backend: apnet ()
backend apnet
# Target for Host apnet.mydomain.com (frontend "https").
# health checking is DISABLED
# No "check"/"option httpchk": an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the
# selection; they only cost stick-table memory.
stick-table type ip size 50k expire 30m
stick on src
# First request of a client session gets its own upstream connection; later ones may reuse idle ones.
http-reuse safe
# Re-encrypts to the upstream, but "verify none" accepts any certificate, so a spoofed upstream on
# the LAN would not be detected. Prefer "verify required ca-file <ca>" (or pin the device's own cert)
# where the upstream's certificate can be obtained.
server apnet 192.168.1.6:443 ssl verify none
# Backend: switch ()
backend switch
# Target for Host switch.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Re-encrypts to the upstream, but "verify none" accepts any certificate (no MITM detection on the LAN).
# Pinning the device's certificate via ca-file would close that, if it can be exported.
server switch 192.168.1.9:443 ssl verify none
# Backend: home ()
backend home
# Target for Host home.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Re-encrypts to the upstream; "verify none" means the upstream certificate is never checked.
server home 192.168.1.20:443 ssl verify none
# Backend: ups ()
backend ups
# Target for Host ups.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# TLS ends at the proxy; the hop to the UPS web interface is cleartext HTTP on the LAN, so any login
# to it travels in the clear on that segment.
server ups 192.168.1.8:80
# Backend: nas ()
backend nas
# Target for Host nas.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Re-encrypts to the upstream; "verify none" means the NAS certificate is never checked.
server nas 192.168.1.3:443 ssl verify none
# Backend: netdata ()
backend netdata
# Target for Host netdata.mydomain.com (frontend "https"); same host as the proxmox backend.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to the netdata dashboard/API. The proxy adds no authentication of its own —
# NOTE(review): confirm netdata enforces access control itself, otherwise anyone who can reach
# the frontend can read host metrics.
server netdata 192.168.1.5:19999
# Backend: nextcloud ()
backend nextcloud
# Target for Host nextcloud.mydomain.com; the /.well-known/* redirects for it live in the frontend.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# TLS ends at the proxy; Nextcloud receives plain HTTP and gets no X-Forwarded-Proto (the frontend sets
# it only for firefly). It therefore has to be told on its own side that the public scheme is https and
# that 192.168.1.1 is a trusted proxy — NOTE(review): verify overwriteprotocol/trusted_proxies in config.php.
server nextcloud 192.168.1.23:80
# Backend: office ()
backend office
# Target for Host office.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 9980. NOTE(review): the 30s client/server timeouts in "defaults" apply to any
# long-lived (WebSocket) sessions this service may use — verify they are not cut.
server office 192.168.1.24:9980
# Backend: omada ()
backend omada
# Target for Host omada.mydomain.com. The controller listens on 8043 and writes that port into the
# Location headers it emits, so this backend rewrites Host on the way in and Location on the way out.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
# ACL: omada1
# Redefined here with the same name as in the frontend (ACLs are per-section).
acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
# ACL: omada2
# Also accepts an explicit ":port" suffix on the Host header.
acl acl_6328cfa6578730.30147092 hdr_reg(host) -i ^omada\.mydomain\.com(:([0-9]){1,5})?$
# ACTION: omada_header_set
# Present the upstream with the Host:port it expects so the URLs it generates are self-consistent.
http-request set-header host omada.mydomain.com:8043 if acl_6068e953c1b204.65701206 || acl_6328cfa6578730.30147092
# ACTION: omada_response_replace
# NOTE: actions with no ACLs/conditions will always match
# If a Location header contains "8043", replace the whole value with the same value after a first-occurrence
# regsub 8043->443 (regsub without the "g" flag replaces only the first match). NOTE(review): replace-value
# and hdr() both split on commas; a Location URL containing a comma would be truncated — "replace-header"
# with "fhdr(location)" avoids that edge case.
http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
http-reuse safe
# Re-encrypts to the controller; "verify none" means its certificate is never checked.
server omada 192.168.1.10:8043 ssl verify none
# Backend: scanner ()
backend scanner
# Target for Host scanner.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to the device on the LAN after TLS termination at the proxy.
server scanner 192.168.1.7:80
# Backend: x9scl ()
backend x9scl
# Target for Host x9scl.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP on the LAN. The name looks like a board/BMC management interface — presumably; if so,
# its admin credentials cross the LAN unencrypted on this hop.
server x9scl 192.168.1.2:80
# Backend: x10slh ()
backend x10slh
# Target for Host x10slh.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP on the LAN. Like x9scl this looks like a board/BMC management interface — presumably;
# if so, its admin credentials cross the LAN unencrypted on this hop.
server x10slh 192.168.1.4:80
# Backend: emby ()
backend emby
# Target for Host emby.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 8096 on the LAN after TLS termination at the proxy.
server emby 192.168.1.30:8096
# Backend: dl ()
backend dl
# Target for Host dl.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 9091 on the LAN after TLS termination at the proxy.
server dl 192.168.1.22:9091
# Backend: dl2 ()
backend dl2
# Target for Host dl2.mydomain.com (frontend "https"); a second instance of the same kind of service as "dl".
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 9091 on the LAN after TLS termination at the proxy.
server dl2 192.168.1.29:9091
# Backend: proxmox ()
backend proxmox
# Target for Host proxmox.mydomain.com (frontend "https"); same host as the netdata backend.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Re-encrypts to the Proxmox web UI; "verify none" presumably because the host uses a self-signed cert.
# Pinning that cert with ca-file would let HAProxy verify it. NOTE(review): the noVNC console uses
# WebSockets, and "defaults" sets no "timeout tunnel" — check that idle consoles survive the 30s timeouts.
server proxmox 192.168.1.5:8006 ssl verify none
# Backend: jellyfin ()
backend jellyfin
# Target for Host jellyfin.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 8096 on the LAN after TLS termination at the proxy.
server jellyfin 192.168.1.21:8096
# Backend: firefly ()
backend firefly
# Target for Host firefly.mydomain.com. This is the only upstream that receives X-Forwarded-Proto: https
# (set in the frontend), so it can build https URLs despite the cleartext hop.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP on the LAN after TLS termination at the proxy.
server firefly 192.168.1.26:80
# Backend: shinobi ()
backend shinobi
# Target for the shinobi/cctv hostnames (frontend hdr_reg ACL).
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to port 8080 on the LAN. NOTE(review): live video streams are long-lived responses;
# check they are not cut by the 30s timeouts in "defaults".
server shinobi 192.168.1.28:8080
# Backend: amcrest ()
backend amcrest
# Target for Host cam1.mydomain.com. The only upstream outside 192.168.1.0/24 (camera segment
# 192.168.4.0/24), so this backend is effectively a cross-VLAN hole for the camera's web UI.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP to the camera; its login crosses the camera segment unencrypted on this hop.
server amcrest 192.168.4.2:80
# Backend: homer ()
backend homer
# Target for Host homer.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Cleartext HTTP on the LAN after TLS termination at the proxy.
server homer 192.168.1.32:80
# Backend: pbs ()
backend pbs
# Target for Host pbs.mydomain.com (frontend "https").
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# Re-encrypts to the Proxmox Backup Server UI on 8007; "verify none" means its certificate is never
# checked (pin it with ca-file if it can be exported). Same WebSocket/timeout caveat as proxmox.
server pbs 192.168.1.33:8007 ssl verify none
# Backend: vaultwarden ()
backend vaultwarden
# Target for bitwarden./vaultwarden.mydomain.com (frontend hdr_reg ACL). This is the password manager
# the poster must keep reachable across the migration — test this name first after any change.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# TLS ends at the proxy; the hop to Vaultwarden is cleartext HTTP on the LAN. The client address reaches
# it only via X-Forwarded-For (option forwardfor in the frontend) — NOTE(review): confirm Vaultwarden's
# IP_HEADER setting reads that header, otherwise its login rate limiting sees the proxy's address.
server vaultwarden 192.168.1.25:8000
# Backend: adguard ()
backend adguard
# Target for the adguard/agh hostnames (frontend hdr_reg ACL). This is the first use_backend in the
# frontend, so it is the one that catches any over-broad Host match.
# health checking is DISABLED
# No health check: an unreachable upstream is only noticed when a client request fails.
mode http
balance source
# stickiness
# Only one server is defined below, so "balance source" and the stick table cannot change the selection.
stick-table type ip size 50k expire 30m
stick on src
http-reuse safe
# AdGuard Home UI on the firewall itself (192.168.1.1:81); cleartext HTTP but the hop never leaves the host.
server adguard 192.168.1.1:81
# statistics are DISABLED