Hi,
I have the following configuration working perfectly:
- two firewall rules that redirect ports 80/443 to a "proxy" host
- caddy configured on "proxy" which redirects to multiple hosts depending on the URL.
I want to transfer this configuration to the caddy OpnSense plugin. Following the documentation, I created the configuration and deleted the firewall rules, but the plugin is unable to retrieve the certificates. This is strange because in the previous configuration, Caddy retrieved the certificate directly from the destination and didn't attempt to obtain a new one from Let's Encrypt.
Old config:
jeu.ericdelcamp.fr {
    reverse_proxy web3.domain.lan {
        header_up Host {upstream_hostport}
    }
}
OPNsense config:
http://jeu.ericdelcamp.fr {
    handle /.well-known/acme-challenge/* {
        reverse_proxy web3.domain.lan
    }
    handle {
        redir https://{host}{uri} 308
    }
}
jeu.ericdelcamp.fr {
    handle {
        reverse_proxy https://web3.domain.lan {
        }
    }
}
Hello,
You still need firewall rules to allow 80/443 to "This Firewall". What you do not need are Port Forward rules, since caddy runs directly on the OPNsense. You only need firewall rules:
https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation
Why did you set "Redirect HTTP-01 challenge"? Remove it if you do not need it:
https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge
You can do the missing "header_up" directive using the header menu, and attach it to a handler:
https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-a-webserver-with-vhosts
Quote from: Monviech (Cedrik) on September 03, 2025, 09:24:30 AM
OK, I had already done the first part; I have now added the headers and fixed the HTTP-01 challenge.
When it starts, I get these errors in the logs:
"error","ts":"2025-09-03T08:09:48Z","msg":"challenge failed","identifier":"jeu.ericdelcamp.fr","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Fetching http://jeu.ericdelcamp.fr/.well-known/acme-challenge/ynspH8y139vndg-RHdX2jfRN52I4XHElC13_AVIyfFs: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
"error","ts":"2025-09-03T08:09:48Z","msg":"validating authorization","identifier":"jeu.ericdelcamp.fr","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Fetching http://jeu.ericdelcamp.fr/.well-known/acme-challenge/ynspH8y139vndg-RHdX2jfRN52I4XHElC13_AVIyfFs: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2636342801/424284910961","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
The web browser returns "ERR_SSL_PROTOCOL_ERROR".
Well this means Caddy could not issue a certificate on either port 80 or 443.
This is most likely a firewall configuration issue.
- Did you check that you /removed/ the "Port Forward" rules?
- Are there Firewall rules for 80 and 443 to "This Firewall" on the WAN interface?
- Does the OPNsense WebGUI not run on 80 and 443?
If you need more help, I need the following output:
- Your current Caddyfile
In the SSH shell:
# pfctl -s rules
# pfctl -s nat
# sockstat -l
Yes, I have 2 rules on WAN and 2 rules on LAN for 80/443 to my firewall, as written in https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation
The WebGUI runs on port 8088.
I disabled (not removed) my port forward rules.
The errors:
2025-09-03T11:34:19 Error caddy "error","ts":"2025-09-03T09:34:19Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jeu.ericdelcamp.fr","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 82.65.33.149: Timeout during connect (likely firewall problem)"}
2025-09-03T11:34:19 Error caddy "error","ts":"2025-09-03T09:34:19Z","msg":"validating authorization","identifier":"jeu.ericdelcamp.fr","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2636342801/424304084391","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
2025-09-03T11:34:19 Error caddy "error","ts":"2025-09-03T09:34:19Z","msg":"challenge failed","identifier":"jeu.ericdelcamp.fr","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
Info:
root@OPNsense:~ # pfctl -s rules
scrub in all fragment reassemble
block drop in log on ! igb0 inet from 192.168.0.0/24 to any
block drop in log inet from 192.168.0.254 to any
block drop in log on ! igb1 inet from 82.65.33.0/24 to any
block drop in log inet from 82.65.33.149 to any
block drop in log quick inet6 all label "5d75d96ba523ccd456ab15a327c7fed5"
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = 8088 label "fa0ee49818eb8f6fd6b88f7b914f2321"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 proto udp from any port = bootps to any port = bootpc keep state label "f994f615e00b8be0042263f86c79913f"
pass out log quick on igb1 proto udp from any port = bootpc to any port = bootps keep state label "5cf7ab808da1fcbca1ddb9ba9b46b669"
block drop in log quick inet from <crowdsec_blocklists> to any label "5557b4052ac9b83fbc9ccd5f036668ed" tag CrowdSec
block drop out log quick inet from any to <crowdsec_blocklists> label "bc11f472cb987650ae6ef72250a50a93" tag CrowdSec
block drop in log quick inet6 from <crowdsec6_blocklists> to any label "9434d19f24afce5f12a288eff72f757c" tag CrowdSec
block drop out log quick inet6 from any to <crowdsec6_blocklists> label "37d8b7c0be7542115c9359bfd7cd0791" tag CrowdSec
pass in log quick on igb0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "56d97e04b8ce723a8524bdda932fe056"
pass in log quick on igb0 proto udp from any port = bootpc to (self) port = bootps keep state label "ac5d6855f1bc6d537c949fd7ce458587"
pass out log quick on igb0 proto udp from (self) port = bootps to any port = bootpc keep state label "4071f735e7cf9dcad8b9305970c17911"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "600d48bc4d9a060084eea027fa54cfdc"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "600d48bc4d9a060084eea027fa54cfdc"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "0e8cdb22b7059277a934591353ae2214"
pass in log quick on igb0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "06e2b143a84862bc38acb6bac5090d14"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "04bd2bc40ab1391b8ce89ff0fafd1e67"
pass out log quick on igb0 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "0926e497e454bfe83d715b0d85fdfe3a"
block drop in log quick on igb1 inet from <bogons> to any label "b7cd97a164650b538506fb551a0369e7"
block drop in log quick on igb1 inet from 10.0.0.0/8 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 172.16.0.0/12 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 192.168.0.0/16 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 127.0.0.0/8 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 100.64.0.0/10 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 169.254.0.0/16 to any label "3d399f8f89b68d684701badb48eab085"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb0 proto tcp from any to (self) port = ssh flags S/SA keep state label "60533d555322b9f6a009f71c1c471480"
pass in log quick on igb0 proto tcp from any to (self) port = 8088 flags S/SA keep state label "971028be35480463b35e7facf3bbcd66"
pass out log route-to (igb1 82.65.33.254) inet from (igb1) to ! (igb1:network) flags S/SA keep state allow-opts label "761a166383f941c76dbf2c76c9e2f241"
pass in log quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <jellyfin_server> port = 8096 flags S/SA keep state label "1227ca08e20fd71d2318d95bca99f966"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto udp from any to <jellyfin_server> port 31336:31337 keep state label "c86810caf53c3bc125a2676cea7854dd"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <HomeAssistant> port = 8123 flags S/SA keep state label "2c84ac984c100c4f901cae035eb09ef1"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = pop3 flags S/SA keep state label "e5f12f3ab2258b530949b45f37446e49"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = smtp flags S/SA keep state label "d592151a47f1a1e1fbf62dcff794591e"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = smtps flags S/SA keep state label "341ab3f63b31a4d39303aad2017848c0"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = imap flags S/SA keep state label "13cdad5b1f7f1e2b329c3261ced6ea81"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = imaps flags S/SA keep state label "5734a5755c6e9c6a68679887b82e942b"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = pop3s flags S/SA keep state label "5b11ddbcffd2ff0b78a31b22e8af7cea"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = submission flags S/SA keep state label "ed4ebfb209487d2a2232533cc0945054"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "7647f225e313a5606020dc74074d00f7"
pass in quick on igb1 inet6 proto tcp from any to <Firewall> port = http flags S/SA keep state label "7647f225e313a5606020dc74074d00f7"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <Firewall> port = https flags S/SA keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto udp from any to <Firewall> port = https keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 inet6 proto tcp from any to <Firewall> port = https flags S/SA keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 inet6 proto udp from any to <Firewall> port = https keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb0 inet from (igb0:network) to any flags S/SA keep state label "13edc3ec59be9ccf34af93f1d53fd386"
pass in quick on igb0 inet6 from (igb0:network) to any flags S/SA keep state label "065bc85f5cccf990df7a1e3e4693e012"
pass in quick on igb0 inet6 from fe80::/10 to any flags S/SA keep state label "065bc85f5cccf990df7a1e3e4693e012"
pass in quick on igb0 inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "760e3b45c14244a4b862d86a97ab0ebb"
pass in quick on igb0 inet6 proto tcp from any to <Firewall> port = http flags S/SA keep state label "760e3b45c14244a4b862d86a97ab0ebb"
pass in quick on igb0 inet proto tcp from any to <Firewall> port = https flags S/SA keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet proto udp from any to <Firewall> port = https keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet6 proto tcp from any to <Firewall> port = https flags S/SA keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet6 proto udp from any to <Firewall> port = https keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
anchor "miniupnpd" all
root@OPNsense:~ # pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on igb1 inet from (igb0:network) to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from (lo0:network) to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from 127.0.0.0/8 to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from (igb0:network) to any -> (igb1:0) port 1024:65535
nat on igb1 inet from (lo0:network) to any -> (igb1:0) port 1024:65535
nat on igb1 inet from 127.0.0.0/8 to any -> (igb1:0) port 1024:65535
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = pop3 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = pop3 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = pop3 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = submission -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = submission -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = submission -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = pop3s -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = pop3s -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = pop3s -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = imap -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = imap -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = imap -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = imaps -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = imaps -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = imaps -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = smtps -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = smtps -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = smtps -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = smtp -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = smtp -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = smtp -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <jellyfin_server> port = 8096 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <jellyfin_server> port = 8096 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <jellyfin_server> port = 8096 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto udp from (igb1:network) to <jellyfin_server> port 31336:31337 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto udp from (igb0:network) to <jellyfin_server> port 31336:31337 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto udp from (lo0:network) to <jellyfin_server> port 31336:31337 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <HomeAssistant> port = 8123 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <HomeAssistant> port = 8123 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <HomeAssistant> port = 8123 -> (lo0) port 1024:65535 round-robin
no rdr proto carp all
no rdr on igb0 proto tcp from any to (igb0) port = ssh
no rdr on igb0 proto tcp from any to (igb0) port = 8088
rdr on igb1 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on igb1 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on igb0 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on lo0 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all
root@OPNsense:~ # sockstat -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root sshd-sessi 91512 9 stream (not connected)
root sshd-sessi 90465 9 stream (not connected)
root php-cgi 40039 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root php-cgi 39631 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root php-cgi 39274 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root php-cgi 38745 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root php-cgi 38282 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root php-cgi 37937 0 stream /var/lib/php/tmp/php-fastcgi.socket-4
root caddy 12224 5 stream /var/run/caddy/caddy.sock
root caddy 12224 6 tcp46 *:443 *:*
root caddy 12224 7 tcp46 *:80 *:*
root php-cgi 91973 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root crowdsec 2837 11 tcp4 127.0.0.1:8080 *:*
root crowdsec 2837 172 tcp4 127.0.0.1:6060 *:*
root php-cgi 67056 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
root php-cgi 31107 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
www php-fpm 65184 9 stream /var/run/php-www.socket
www php-fpm 65165 9 stream /var/run/php-www.socket
root php-fpm 64975 9 stream /var/run/php-webgui.socket
root php-fpm 64785 9 stream /var/run/php-webgui.socket
root php-fpm 64716 7 stream /var/run/php-webgui.socket
root php-fpm 64716 8 stream /var/run/php-www.socket
root ntpd 57992 20 udp6 *:123 *:*
root ntpd 57992 21 udp4 *:123 *:*
root ntpd 57992 22 udp4 192.168.0.254:123 *:*
root ntpd 57992 23 udp4 82.65.33.149:123 *:*
root ntpd 57992 24 udp6 ::1:123 *:*
root ntpd 57992 25 udp6 fe80::1%lo0:123 *:*
root ntpd 57992 26 udp4 127.0.0.1:123 *:*
root snmpd 56802 8 udp4 192.168.0.254:161 *:*
root snmpd 56802 9 tcp4 *:199 *:*
root miniupnpd 56576 6 tcp6 *:2189 *:*
root miniupnpd 56576 8 tcp4 *:2189 *:*
root miniupnpd 56576 9 udp4 *:1900 *:*
root miniupnpd 56576 10 udp4 192.168.0.254:64158 *:*
nobody dnsmasq 54142 4 udp4 *:67 *:*
nobody dnsmasq 54142 8 udp4 *:53 *:*
nobody dnsmasq 54142 9 tcp4 *:53 *:*
nobody dnsmasq 54142 10 udp6 *:53 *:*
nobody dnsmasq 54142 11 tcp6 *:53 *:*
root php-cgi 49063 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root php-cgi 48808 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
root php-cgi 48550 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root php-cgi 48223 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root php-cgi 48173 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
root php-cgi 47819 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root php-cgi 47640 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
root php-cgi 47479 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root php-cgi 47339 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root php-cgi 47093 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root php-cgi 46833 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root php-cgi 46567 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root php-cgi 46213 0 stream /var/lib/php/tmp/php-fastcgi.socket-3
root php-cgi 46185 0 stream /var/lib/php/tmp/php-fastcgi.socket-2
root php-cgi 45928 0 stream /var/lib/php/tmp/php-fastcgi.socket-0
root lighttpd 45779 7 tcp4 127.0.0.1:8088 *:*
root lighttpd 45779 8 tcp6 ::1:8088 *:*
root lighttpd 45779 9 tcp6 fe80::1%lo0:8088 *:*
root lighttpd 45779 10 tcp4 192.168.0.254:8088 *:*
root sshd 41539 6 tcp4 192.168.0.254:22 *:*
root sshd 41539 7 tcp6 fe80::1%lo0:22 *:*
root sshd 41539 8 tcp6 ::1:22 *:*
root sshd 41539 9 tcp4 127.0.0.1:22 *:*
root syslog-ng 9140 19 dgram /var/run/caddy/log.sock <-
root syslog-ng 9140 21 dgram /var/run/log <-
root syslog-ng 9140 22 dgram /var/run/logpriv
root syslog-ng 9140 23 dgram /var/dhcpd/var/run/log
root syslog-ng 9140 24 dgram /var/unbound/var/run/log
root syslog-ng 9140 28 stream /var/db/syslog-ng.ctl
root devd 762 6 stream /var/run/devd.pipe
root devd 762 7 seqpac /var/run/devd.seqpacket.pipe
root python3.11 353 3 stream /var/run/configd.socket
root python3.11 353 4 stream /var/run/configd.socket
root python3.11 353 8 stream /var/run/configd.socket
root python3.11 353 11 stream /var/run/configd.socket
Hello, thanks for sharing.
I think the issue is on igb1 (your WAN interface).
The rules only match on IPv6.
Set them on IPv4.
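The check being done by eye in the reply above (which address families actually have a "pass in" rule to ports 80/443 on the WAN interface, and whether Caddy, not the WebGUI, is the process bound to those ports) can be scripted. The following POSIX sh/awk script is an added example, not code from any post in this thread and not part of the OPNsense Caddy plugin. Its rule and socket lines are constructed samples modelled on the `pfctl -s rules` and `sockstat -l` output posted earlier (interface names igb0/igb1 and the alias <Firewall> are taken from the thread, the rules themselves are made up); on a real box you would feed it the live output of those two commands instead.

```shell
#!/bin/sh
# Added example, not from the thread or the OPNsense plugin. Answers two
# questions from a pf rule dump and a sockstat listing:
#   1. For an interface and a port name, which address families (inet, inet6)
#      have a "pass in" rule to that port? An inet6-only answer explains an
#      IPv4 ACME validator timing out even though "a rule exists".
#   2. Which process listens on TCP 80/443? It should be caddy, not the WebGUI.
# SAMPLE_RULES and SAMPLE_SOCKSTAT are CONSTRUCTED, modelled on the thread's
# output. Replace them with `pfctl -s rules` / `sockstat -l` output on a real box.

SAMPLE_RULES='pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "r1"
pass in quick on igb1 inet6 proto tcp from any to <Firewall> port = https flags S/SA keep state label "r2"
pass in quick on igb0 inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "r3"
pass in quick on igb0 inet6 proto tcp from any to <Firewall> port = http flags S/SA keep state label "r4"
block drop in log quick inet proto tcp from any to any port = 0 label "r5"'

SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root caddy 12224 6 tcp46 *:443 *:*
root caddy 12224 7 tcp46 *:80 *:*
root lighttpd 45779 10 tcp4 192.168.0.254:8088 *:*'

# pf_pass_families IFACE PORTNAME
# Prints "inet", "inet6", "inet inet6" or "none": the families for which some
# "pass in" rule on IFACE allows traffic to PORTNAME. pfctl prints service names
# (http, https), so pass the name, not the number.
pf_pass_families() {
    printf '%s\n' "$SAMPLE_RULES" | awk -v ifc="$1" -v port="$2" '
        $1 == "pass" && $2 == "in" {
            on_iface = 0; fam = ""; to_port = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "on" && $(i + 1) == ifc) on_iface = 1
                if ($i == "inet" || $i == "inet6") fam = $i
                if ($i == "port" && $(i + 1) == "=" && $(i + 2) == port) to_port = 1
            }
            if (on_iface && to_port) {
                # A rule with no family keyword matches both IPv4 and IPv6.
                if (fam == "") { seen["inet"] = 1; seen["inet6"] = 1 } else seen[fam] = 1
            }
        }
        END {
            out = ""
            if ("inet" in seen) out = "inet"
            if ("inet6" in seen) out = (out == "" ? "inet6" : out " inet6")
            print (out == "" ? "none" : out)
        }'
}

# listener_on PORTNUMBER
# Prints the command owning a TCP socket bound to PORTNUMBER on any local
# address (*, IPv4 or IPv6 literal), or "none".
listener_on() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | awk -v port="$1" '
        NR > 1 && $5 ~ /^tcp/ {
            p = $6; sub(/.*:/, "", p)   # keep only the port after the last colon
            if (p == port && !found) { print $2; found = 1 }
        }
        END { if (!found) print "none" }'
}

# acme_report WAN_IFACE: one summary line per port the ACME challenges use.
acme_report() {
    for svc in http https; do
        case $svc in http) num=80 ;; https) num=443 ;; esac
        printf '%s/%s on %s: listener=%s pass-in=%s\n' \
            "$svc" "$num" "$1" "$(listener_on "$num")" "$(pf_pass_families "$1" "$svc")"
    done
}

acme_report igb1
```

With the constructed sample, the report for igb1 shows http passed for inet only and https for inet6 only; a Let's Encrypt validator connecting over IPv4 to port 443 (TLS-ALPN-01) would therefore time out exactly as in the logs above, even though caddy is the listener on both ports.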
Pretty strange, because if I look at my WAN rules, I see them for IPv4 & IPv6.
http://singman.free.fr/images/firewall1.png
Could you use the alias "This Firewall" instead of your own one?
Not permitted, no spaces in the name :)
"This Firewall" is a predefined alias by the system. You can always select it in a Firewall rule source or destination.
You do not have to create an alias.
Some progress:
2025-09-03T19:02:19 Error caddy "warn","ts":"2025-09-03T17:02:19Z","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [jeu.ericdelcamp.fr]: no OCSP server specified in certificate","identifiers":["jeu.ericdelcamp.fr"]}
2025-09-03T19:02:14 Warning caddy "warn","ts":"2025-09-03T17:02:14Z","logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
2025-09-03T19:02:14 Warning caddy "warn","ts":"2025-09-03T17:02:14Z","logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
2025-09-03T19:02:14 Warning caddy "warn","ts":"2025-09-03T17:02:14Z","logger":"admin","msg":"admin endpoint on open interface; host checking disabled","address":"unix//var/run/caddy/caddy.sock|0220"}
2025-09-03T19:02:12 Warning caddy "warn","ts":"2025-09-03T17:02:12Z","logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Don't know where "srv1" comes from.
Check the JSON configuration in Diagnostics; it's what is adapted from the Caddyfile (automatically, by caddy adapt).
It shows srv1, probably.
OK, I found the solution:
- on the handler, I had selected Upstream / Protocol / HTTPS, so the communication between Caddy and the destination host used TLS (HTTPS). I switched it to HTTP and it's working.
The resulting config:
# Reverse Proxy Configuration
jeu.ericdelcamp.fr {
    log {
        output file /var/log/caddy/access/81916595-4bc5-4342-b83d-02c707ab7af7.log {
            roll_keep_for 5d
        }
    }
    handle {
        reverse_proxy web3.domain.lan {
            header_up Host {upstream_hostport}
        }
    }
}
A side note: the generated config file is crap, with too many extra lines and many more spaces than needed. Caddy has a config formatter; I think the plugin should use it :)
Now, the hard part: I need to make the config for a React.js container on a different host plus static pages served by Apache. A big headache ahead.
The formatter is in there since almost day one:
https://github.com/opnsense/plugins/blob/3a3984f01f9930bc70d5b7455515d28a293868c5/www/caddy/src/opnsense/scripts/OPNsense/Caddy/setup.sh#L54
But it only runs when caddy is enabled.