Hello,
I have never used a reverse proxy plugin on OPNsense. I am testing out Home Assistant OS, and would like to route this and the add-on containers on Home Assistant OS via the OPNsense Caddy plugin without exposing these ports to the public internet.
The documentation states:
Quote: Creating a Simple Reverse Proxy:
The domain has to be externally resolvable. Create an A-Record on a public DNS server that points your domain to the external IP address of your OPNsense.
Is this still required for my use case?
Only if you want automatic certificates.
Quote from: Monviech (Cedrik) on September 16, 2025, 09:35:00 AM: Only if you want automatic certificates.
Thank you for the response. Can you elaborate on this more? What are the alternatives?
I am trying to set up a wildcard certificate so all addresses on the LAN have a secure connection.
I'm hesitant to set it up this way because I currently do not have any ports open (everything is configured via tunnels) and was hoping to keep it that way, if possible.
If you use wildcard certificates, you do not need internet access to your HTTP(S) services. AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.
I would always do it like that and also NOT use specific subdomain(s) besides the wildcard domain, which I explained here (https://forum.opnsense.org/index.php?msg=189393).
Quote from: meyergru on September 16, 2025, 11:36:09 PM: AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.
So I should use the ACME plugin to get a wildcard cert, and then select that cert in the drop-down when configuring Caddy?
Obviously, yes.
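To make the approach agreed in this thread concrete, here is an added, hand-written Caddyfile (not from the forum posts and not what the OPNsense Caddy plugin generates) showing one wildcard site block that uses a certificate issued by the ACME plugin and matches each LAN-only service by hostname, so Caddy never needs to reach the internet for certificates. The domain, LAN addresses, ports and certificate paths are assumptions.

```caddyfile
# Added example, not the plugin's generated config. Assumed names:
# domain home.example, firewall LAN address 192.168.1.1, Home Assistant at
# 192.168.1.50. Because the cert and key are supplied explicitly with the
# "tls" directive, Caddy does no ACME issuance for *.home.example, so no
# inbound port 80/443 from the internet is needed.

*.home.example {
    # Listen only on the LAN interface address (assumed), as defence in depth
    # on top of the firewall rules.
    bind 192.168.1.1

    # Wildcard certificate and key exported by the ACME plugin (paths assumed).
    tls /usr/local/etc/caddy/certs/wildcard.home.example.crt /usr/local/etc/caddy/certs/wildcard.home.example.key

    # Home Assistant OS itself (assumed address, default port 8123).
    # Home Assistant only accepts proxied requests if its http: section sets
    # use_x_forwarded_for and lists the proxy in trusted_proxies.
    @ha host ha.home.example
    handle @ha {
        reverse_proxy 192.168.1.50:8123
    }

    # An add-on published on its own port on the same host (port assumed).
    @addon host addon.home.example
    handle @addon {
        reverse_proxy 192.168.1.50:8080
    }

    # Any other name under the wildcard: refuse it rather than proxy it by
    # accident, since the wildcard cert would otherwise answer for anything.
    handle {
        respond 404
    }
}
```

The names under the wildcard only have to resolve on your internal DNS (for example Unbound host overrides pointing at 192.168.1.1), not on public DNS.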