OPNsense Forum

Archive => 19.1 Legacy Series => Topic started by: guest15389 on February 01, 2019, 03:44:02 pm

Title: Caddy Plugin
Post by: guest15389 on February 01, 2019, 03:44:02 pm
Adding to the new production forum as this was my Caddy question and hopefully getting it included in this version.

https://forum.opnsense.org/index.php?topic=11412.0
Title: Re: Caddy Plugin
Post by: mimugmail on February 01, 2019, 04:15:53 pm
Most of this can be done by nginx plugin
Title: Re: Caddy Plugin
Post by: guest15389 on February 01, 2019, 04:18:11 pm
You can do automatic HTTPS with LetsEncrypt and Google OAuth out of the box with NGINX?

I moved away from NGINX as it misses those two key items and in general, Caddy is super simple.

My Caddy config is a few lines compared to pages in NGINX.
Title: Re: Caddy Plugin
Post by: fabian on February 01, 2019, 05:17:32 pm
Yes, when you combine it with the ACME plugin, you can automatically request Let's Encrypt certificates.

Any authentication server can be used via Basic auth, which is configured on OPNsense via the nginx plugin.
So any SSO vendor can be used, when it can be made compatible with OPNsense core (since version 1.5 of the plugin).

nginx, not the plugin itself, also supports JWT: https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html
Title: Re: Caddy Plugin
Post by: guest15389 on February 01, 2019, 05:28:28 pm
When I install NGINX via the plugin and check the module, I don't see it listed there. Am I missing something?
Title: Re: Caddy Plugin
Post by: fabian on February 01, 2019, 05:30:16 pm
The ACME plugin works on its own. The checkbox in the HTTP server enables everything needed by the ACME plugin to get valid certificates.
Title: Re: Caddy Plugin
Post by: guest15389 on February 01, 2019, 05:31:48 pm
I can see the ACME part works fine.

I'm trying to figure out if the JWT module for NGINX is there, as I use Google OAuth to secure my logins.
Title: Re: Caddy Plugin
Post by: fabian on February 01, 2019, 05:33:50 pm
As I wrote: JWT is not in the plugin.
Title: Re: Caddy Plugin
Post by: guest15389 on February 01, 2019, 05:36:50 pm
Got it.

Misread the first time.

Thanks for the quick reply.

Title: Re: Caddy Plugin
Post by: guest15389 on February 02, 2019, 03:06:12 pm
After a bit more checking and testing, Caddy is just a far simpler install/setup/config than going through LetsEncrypt/NGINX and trying to get OAuth working.

The amount of steps compared is really amazing.

My entire plex config once I get caddy installed is this:

Code:
# Plex Server
plex.somewhere.us {
    gzip
    timeouts none
    log /opt/caddy/logs/plex.log
    tls {
        dns cloudflare
    }
    proxy / 127.0.0.1:32400 {
        transparent
        websocket
    }
}

That handles my certificate automatically, works with updating my Cloudflare DNS, and since it's public and has its own auth, I'm done.

No other steps.

I've been using this setup over letsencrypt/nginx on my Debian box for about 1/2 year without issue.

Since it's a couple of steps to set up on FreeBSD and just works, I see no issues with just installing manually, but man, a plugin would be superb.
Title: Re: Caddy Plugin
Post by: fabian on February 02, 2019, 08:11:27 pm
It is still no reason to build a plugin in the size of nginx again for a feature that is already there.
It took me a half year (slightly more) to build. It's very likely that nobody is going to work on this soon.
BTW: https://github.com/opnsense/plugins/issues/1044
Title: Re: Caddy Plugin
Post by: guest15389 on February 02, 2019, 10:47:19 pm
I'm sure that's due to the complexity of NGINX compared to an easier proxy server to setup.

My NGINX Plex config was over 100 lines.
My Caddy Plex config is 10 lines.

Just offering a different view to share what works better for me and my setup.

If someone comes along and thinks the plugin is worth it to setup, great.

Until that time, I can easily just install and set it up with less config/effort than doing ACME/NGINX even though they are plugins.

My install is just getting the proper binary.

Code:
pkg install wget
wget "https://caddyserver.com/download/freebsd/amd64?plugins=http.cache,http.cgi,http.jwt,http.login,tls.dns.cloudflare&license=personal&telemetry=on"

Can uncompress it and drop the caddy binary in /usr/local/bin

I added the startup:

Code:
root@phoenix:/etc # cat rc.conf
netdata_enable=YES
caddy_enable=YES

I added the startup script and just left most of my logs in the same spot:

Code:
root@phoenix:/usr/local/etc/rc.d # cat caddy
#!/bin/sh
#
# PROVIDE: caddy
# REQUIRE: networking
# KEYWORD: shutdown

#
# Add the following lines to /etc/rc.conf to enable caddy:
# caddy_enable (bool):        Set to "NO" by default.
#                             Set it to "YES" to enable caddy
#
# caddy_cert_email (str):     Set to "" by default.
#                             Defines the SSL certificate issuer email. By providing an
#                             email address you automatically agree to letsencrypt.org's
#                             general terms and conditions
#
# caddy_bin_path (str):       Set to "/usr/local/bin/caddy" by default.
#                             Provides the path to the caddy server executable
#
# caddy_cpu (str):            Set to "99%" by default.
#                             Configures, how much CPU capacity caddy may gain
#
# caddy_config_path (str):    Set to "/usr/local/www/Caddyfile" by default.
#                             Defines the path for the configuration file caddy will load on boot
#
# caddy_user (str):           Set to "root" by default.
#                             Defines the user that caddy will run on
#
# caddy_group (str):          Set to "wheel" by default.
#                             Defines the group that caddy files will be attached to
#
# caddy_logfile (str):        Set to "/var/log/caddy.log" by default.
#                             Defines where the process log file is written; this is not a web access log
#
# caddy_env (str):            Set to "" by default.
#                             Allows environment variables to be set that may be required, for example
#                             the account credentials needed when using the "DNS Challenge".
#                             e.g. (in your rc.conf)   caddy_env="CLOUDFLARE_EMAIL=me@domain.com CLOUDFLARE_API_KEY=my_api_key"
#

. /etc/rc.subr

caddy_env="CLOUDFLARE_API_KEY=someAPIKEY CLOUDFLARE_EMAIL=someone@gmail.com"

name="caddy"
rcvar="${name}_enable"

load_rc_config ${name}

: ${caddy_enable:="NO"}
: ${caddy_cert_email="someone@gmail.com"}
: ${caddy_bin_path="/usr/local/bin/caddy"}
: ${caddy_cpu="99%"} # was a bug for me that caused a crash within jails
: ${caddy_config_path="/var/lib/caddy/Caddyfile"}
: ${caddy_logfile="/var/lib/caddy/logs/caddy.log"}
: ${caddy_user="root"}
: ${caddy_group="wheel"}

if [ "$caddy_cert_email" = "" ]
then
    echo "rc variable \$caddy_cert_email is not set. Please provide a valid SSL certificate issuer email."
    exit 1
fi

pidfile="/var/run/${name}.pid"
procname="${caddy_bin_path}" #enabled builtin pid checking for start / stop
command="/usr/sbin/daemon"
command_args="-p ${pidfile} /usr/bin/env ${caddy_env} ${procname} -cpu ${caddy_cpu} -log stdout -conf ${caddy_config_path} -agree -email ${caddy_cert_email} < /dev/null >> ${caddy_logfile} 2>&1"

start_precmd="caddy_startprecmd"

caddy_startprecmd()
{
    if [ ! -e "${pidfile}" ]; then
        install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${pidfile}"
    fi

    if [ ! -e "${caddy_logfile}" ]; then
        install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${caddy_logfile}"
    fi
}

required_files="${caddy_config_path}"

run_rc_command "$1"

And left my Caddyfile here:

Code:
root@phoenix:/var/lib/caddy # ls
Caddyfile logs ssl

I do a quick copy each night via ssh to make sure I have a copy elsewhere should I need to reinstall.
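As an added example (not code from the thread, and not part of OPNsense or Caddy), the following POSIX sh helper shows one way to keep the Cloudflare DNS-challenge credentials out of the rc.d script itself, where the post above hard-codes them in caddy_env=. It reads NAME=value lines from a separate file, refuses the file unless it is owned by the calling user and unreadable by group and others, rejects anything that is not a plain variable assignment, and prints the result in the form the script's ${caddy_env} expects. The file path /usr/local/etc/caddy/env and the function names are assumptions; the sample credentials in the comments are constructed.

```shell
#!/bin/sh
# Added example: load caddy's DNS-challenge credentials from a root-only file
# instead of hard-coding them in /usr/local/etc/rc.d/caddy.
# Assumed file (hypothetical path): /usr/local/etc/caddy/env, containing e.g.
#   CLOUDFLARE_EMAIL=me@example.com
#   CLOUDFLARE_API_KEY=not-a-real-key        (constructed sample values)

# Print a file's permission bits in octal; FreeBSD and GNU/busybox stat differ.
file_mode() {
    if [ "$(uname -s)" = "FreeBSD" ]; then
        stat -f '%OLp' "$1"
    else
        stat -c '%a' "$1"
    fi
}

# Print the numeric uid of a file's owner.
file_uid() {
    if [ "$(uname -s)" = "FreeBSD" ]; then
        stat -f '%u' "$1"
    else
        stat -c '%u' "$1"
    fi
}

# check_env_file FILE: succeed only if FILE exists, is owned by the caller
# (root when invoked from rc) and grants no permission to group or others.
check_env_file() {
    f="$1"
    [ -f "$f" ] || { echo "env file $f missing" >&2; return 1; }
    [ "$(file_uid "$f")" = "$(id -u)" ] || { echo "env file $f not owned by uid $(id -u)" >&2; return 1; }
    case "$(file_mode "$f")" in
        400|600|0400|0600) return 0 ;;
        *) echo "env file $f is readable by group/others (mode $(file_mode "$f"))" >&2; return 1 ;;
    esac
}

# load_caddy_env FILE: validate FILE and print its NAME=value lines joined by
# single spaces, i.e. the string to assign to caddy_env. Blank lines and
# comments are skipped; any other line that is not NAME=value aborts the load
# so that nothing unexpected is handed to /usr/bin/env.
load_caddy_env() {
    f="$1"
    check_env_file "$f" || return 1
    out=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        case "$line" in
            [A-Za-z_]*=*) ;;
            *) echo "rejecting malformed line in $f: $line" >&2; return 1 ;;
        esac
        name="${line%%=*}"
        case "$name" in
            *[!A-Za-z0-9_]*) echo "rejecting malformed variable name: $name" >&2; return 1 ;;
        esac
        out="${out:+$out }$line"
    done < "$f"
    printf '%s\n' "$out"
}

# Stand-alone usage: sh load_caddy_env.sh /usr/local/etc/caddy/env
if [ "$#" -gt 0 ]; then
    load_caddy_env "$1"
fi
```

With these functions pasted into (or sourced by) the rc script, the hard-coded line becomes caddy_env="$(load_caddy_env /usr/local/etc/caddy/env)" || exit 1, placed before command_args is built, so the API key lives in one 0600 file rather than in an rc.d script that is normally world-readable. The same check could be applied to a credentials file for a dedicated caddy_user instead of root, which the script's install -o lines for the pidfile and logfile already allow for.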