OPNsense Forum

English Forums => General Discussion => Topic started by: Rumor on April 05, 2024, 11:52:30 pm

Title: [os-caddy] Handle HTTPS and SSH traffic together
Post by: Rumor on April 05, 2024, 11:52:30 pm
Hi,

Newcomer to OPNsense and the Caddy plugin for my homelab, so bear with me, please. Googled, searched this and the Caddy forums with no luck.

What I have: OPNsense 24.1.4 (with the web UI on port 4433), os-caddy 1.5.2 on port 443, both residing on the same host 192.168.1.1.

What I need:
1) add/expose a mydomain.tld from OPNSense's Unbound to my home network which (domain) will point to my intranet IP with a real server (RealServer below).
2) when someone opens https://<mydomain.tld> he should be redirected to RealServer:port.
3) when someone SSH to mydomain.tld:22 he should eventually SSH to RealServer:22.
4) nice to have: if someone reaches mydomain.tld:any_port_except_443 he should reach the same RealServer:any_port_except_443

What I did:
OPNSense:
* add mydomain.tld to Unbound and point it to 192.168.1.1 so that Caddy will route its requests.
Caddy:
* add the mydomain.tld to domains tab and a handler for it to proxify mydomain.tld:443 to RealServer:port.

So far so good: if I open https://mydomain.tld I indeed receive the RealServer:port web page.

The problem is with the SSH (22) TCP port, which isn't HTTP and isn't auto-handled by Caddy. I was trying to add the same domain a second time (Caddy/Domains tab) but with Reverse Proxy Port=22 and a corresponding handler to RealServer:22, but that didn't help (the SSH connection was successful, but I connected to my OPNsense box instead of RealServer since mydomain.tld points to 192.168.1.1 in Unbound).

So the question, how to define a single reverse proxy domain and multiple handlers for https and tcp source ports pointing to the same destination server but different ports?
Ideally, if I could define one handler to proxify mydomain.tld:443 -> RealServer:someport and another 'wildcard' handler mydomain.tld:anyport -> RealServer:anyport, but if I will need to define a handler per specific port explicitly I could live with it.

I've found that Caddy has the Layer4 app which seems to fulfil my needs to proxify TCP traffic, but os-caddy isn't built with it and doesn't support it, so it's kind of a hard way I would like to omit for now.

@Monviech, your help will be very appreciated. Thanks for the plugin a lot, BTW.
Title: Re: [os-caddy] Handle HTTPS and SSH traffic together
Post by: Monviech on April 06, 2024, 05:45:55 am
Hey there, please read the FAQ:

https://docs.opnsense.org/manual/how-tos/caddy.html#faq

You could have caught this before implementing the plugin. The layer 4 proxy won't be implemented (it's also still marked as experimental / in development) since there are HAProxy and Nginx for that use case already. This one is purely for HTTP streams.
Title: Re: [os-caddy] Handle HTTPS and SSH traffic together
Post by: Rumor on April 06, 2024, 10:48:21 am
Thank you for the reference, I've missed that 'TCP/UDP support' notice.

I've looked at the caddy.layer4 app and, apart from its alpha status, it currently supports only a JSON config which isn't compatible with the Caddyfile. So it seems the only way here is to move to another reverse proxy.
Title: Re: [os-caddy] Handle HTTPS and SSH traffic together
Post by: Monviech on April 06, 2024, 11:55:03 am
There is actually a Caddyfile plugin for the layer 4 plugin, but yeah it might be better to wait this one out for a while and take another option.
Title: Re: [os-caddy] Handle HTTPS and SSH traffic together
Post by: Patrick M. Hausen on April 06, 2024, 12:27:00 pm
Quote from: Rumor on April 06, 2024, 10:48:21 am
I've looked at the caddy.layer4 app and, apart from its alpha status, it currently supports only a JSON config which isn't compatible with the Caddyfile. So it seems the only way here is to move to another reverse proxy.
Or use sslh in front of Caddy. I have not tried if that can be configured from the UI in OPNsense but fundamentally it would work.
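As an added illustration of the sslh idea (not configuration from this thread or from the os-caddy plugin): an sslh.cfg that takes over port 443 on the OPNsense host, hands SSH clients to RealServer:22 and passes anything that opens with a TLS handshake on to Caddy, which keeps doing the per-hostname HTTPS reverse proxying. It assumes Caddy has been moved off 443 to 8443 and uses "RealServer" as a placeholder for the intranet host; both values are assumptions, not from the thread.

```conf
# sslh.cfg (libconfig syntax) - added example, not the plugin's own config.
# Placeholders: RealServer = the intranet host, 8443 = port Caddy was moved to.
foreground: false;
timeout: 2;           # seconds to wait for the client's opening bytes
on-timeout: "ssh";    # a client that sends nothing first is treated as SSH
user: "nobody";

listen:
(
    # sslh now owns 443 on the OPNsense host instead of Caddy.
    { host: "192.168.1.1"; port: "443"; }
);

protocols:
(
    # SSH clients announce themselves immediately ("SSH-2.0-..."), so they
    # are recognised from the first bytes and forwarded to the real server.
    { name: "ssh"; host: "RealServer"; port: "22"; },
    # A TLS ClientHello is forwarded to Caddy on its new local port; Caddy
    # still matches mydomain.tld and reverse-proxies to RealServer:port.
    { name: "tls"; host: "127.0.0.1"; port: "8443"; }
);
```

sslh demultiplexes by protocol, not by hostname, so every SSH connection arriving on 443 goes to the one target above, and clients connect with `ssh -p 443 mydomain.tld` rather than to port 22.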