Messages

A side note : the generated config file is a crap, too many extra lines and much more spaces than needed. Caddy have a config formatter, I think that plugin should use it :)

Now, the hard part : I need to make the config for a React js container on a different host + static pages served by Apache. A big headache in perspective

[Upstream / Protocol / HTTPS]

Ok, I found the solution :
- on the Handler, I was selecting Upstream / Protocol / HTTPS so the communication between caddy and destination host was with TLS (HTTPS). I switched it to HTTP and it's working.

The result config :

Code Select Expand

# Reverse Proxy Configuration

jeu.ericdelcamp.fr {
    log {
        output file /
            var/log/caddy/access/81916595-4bc5-4342-b83d-02c707ab7af7.log {
                roll_keep_for 5d
            }
    }
    handle {
        reverse_proxy web3.domain.lan {
            header_up Host {upstream_hostport}
        }
    }
}

Some progress :

Code Select Expand

2025-09-03T19:02:19Errorcaddy"warn","ts":"2025-09-03T17:02:19Z","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [jeu.ericdelcamp.fr]: no OCSP server specified in certificate","identifiers":["jeu.ericdelcamp.fr"]}
2025-09-03T19:02:14Warningcaddy"warn","ts":"2025-09-03T17:02:14Z","logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
2025-09-03T19:02:14Warningcaddy"warn","ts":"2025-09-03T17:02:14Z","logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
2025-09-03T19:02:14Warningcaddy"warn","ts":"2025-09-03T17:02:14Z","logger":"admin","msg":"admin endpoint on open interface; host checking disabled","address":"unix//var/run/caddy/caddy.sock|0220"}
2025-09-03T19:02:12Warningcaddy"warn","ts":"2025-09-03T17:02:12Z","logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Don't know where "srv1" come from.

Not permitted, no spaces in name :)

Pretty strange, because if I look at my WAN rules, I see them for IPv4 & IPv6

http://singman.free.fr/images/firewall1.png

Yes, I have 2 rules on WAN and 2 rules on LAN for 80/443 to my firewall, as written in https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation
WebGUI run on port 8088.
I disabled (not removed) my port forward rules.

The errors :

Code Select Expand

2025-09-03T11:34:19Errorcaddy"error","ts":"2025-09-03T09:34:19Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"jeu.ericdelcamp.fr","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 82.65.33.149: Timeout during connect (likely firewall problem)"}
2025-09-03T11:34:19Errorcaddy"error","ts":"2025-09-03T09:34:19Z","msg":"validating authorization","identifier":"jeu.ericdelcamp.fr","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2636342801/424304084391","attempt":2,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
2025-09-03T11:34:19Errorcaddy"error","ts":"2025-09-03T09:34:19Z","msg":"challenge failed","identifier":"jeu.ericdelcamp.fr","challenge_type":"tls-alpn-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
Infos:

Code Select Expand

root@OPNsense:~ # pfctl -s rules
scrub in all fragment reassemble
block drop in log on ! igb0 inet from 192.168.0.0/24 to any
block drop in log inet from 192.168.0.254 to any
block drop in log on ! igb1 inet from 82.65.33.0/24 to any
block drop in log inet from 82.65.33.149 to any
block drop in log quick inet6 all label "5d75d96ba523ccd456ab15a327c7fed5"
block drop in log inet all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log inet6 all label "02f4bab031b57d1e30553ce08e0ec131"
block drop in log quick inet proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto tcp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet6 proto udp from any port = 0 to any label "7b5bdc64d7ae74be1932f6764a591da5"
block drop in log quick inet proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto tcp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick inet6 proto udp from any to any port = 0 label "ae69f581dc429e3484a65f8ecd63baa5"
block drop in log quick proto tcp from <sshlockout> to (self) port = ssh label "669143f420c3ab4118bcb0bf4b5fd823"
block drop in log quick proto tcp from <sshlockout> to (self) port = 8088 label "fa0ee49818eb8f6fd6b88f7b914f2321"
block drop in log quick from <virusprot> to any label "8e367e2f9944d93137ae56d788c5d5e1"
pass in log quick on igb1 proto udp from any port = bootps to any port = bootpc keep state label "f994f615e00b8be0042263f86c79913f"
pass out log quick on igb1 proto udp from any port = bootpc to any port = bootps keep state label "5cf7ab808da1fcbca1ddb9ba9b46b669"
block drop in log quick inet from <crowdsec_blocklists> to any label "5557b4052ac9b83fbc9ccd5f036668ed" tag CrowdSec
block drop out log quick inet from any to <crowdsec_blocklists> label "bc11f472cb987650ae6ef72250a50a93" tag CrowdSec
block drop in log quick inet6 from <crowdsec6_blocklists> to any label "9434d19f24afce5f12a288eff72f757c" tag CrowdSec
block drop out log quick inet6 from any to <crowdsec6_blocklists> label "37d8b7c0be7542115c9359bfd7cd0791" tag CrowdSec
pass in log quick on igb0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "56d97e04b8ce723a8524bdda932fe056"
pass in log quick on igb0 proto udp from any port = bootpc to (self) port = bootps keep state label "ac5d6855f1bc6d537c949fd7ce458587"
pass out log quick on igb0 proto udp from (self) port = bootps to any port = bootpc keep state label "4071f735e7cf9dcad8b9305970c17911"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "600d48bc4d9a060084eea027fa54cfdc"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "600d48bc4d9a060084eea027fa54cfdc"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "0e8cdb22b7059277a934591353ae2214"
pass in log quick on igb0 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "06e2b143a84862bc38acb6bac5090d14"
pass in log quick on igb0 inet6 proto udp from fe80::/10 to (self) port = dhcpv6-client keep state label "04bd2bc40ab1391b8ce89ff0fafd1e67"
pass out log quick on igb0 inet6 proto udp from (self) port = dhcpv6-server to fe80::/10 keep state label "0926e497e454bfe83d715b0d85fdfe3a"
block drop in log quick on igb1 inet from <bogons> to any label "b7cd97a164650b538506fb551a0369e7"
block drop in log quick on igb1 inet from 10.0.0.0/8 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 172.16.0.0/12 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 192.168.0.0/16 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 127.0.0.0/8 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 100.64.0.0/10 to any label "3d399f8f89b68d684701badb48eab085"
block drop in log quick on igb1 inet from 169.254.0.0/16 to any label "3d399f8f89b68d684701badb48eab085"
pass out log all flags S/SA keep state allow-opts label "fae559338f65e11c53669fc3642c93c2"
pass in log quick on igb0 proto tcp from any to (self) port = ssh flags S/SA keep state label "60533d555322b9f6a009f71c1c471480"
pass in log quick on igb0 proto tcp from any to (self) port = 8088 flags S/SA keep state label "971028be35480463b35e7facf3bbcd66"
pass out log route-to (igb1 82.65.33.254) inet from (igb1) to ! (igb1:network) flags S/SA keep state allow-opts label "761a166383f941c76dbf2c76c9e2f241"
pass in log quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <jellyfin_server> port = 8096 flags S/SA keep state label "1227ca08e20fd71d2318d95bca99f966"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto udp from any to <jellyfin_server> port 31336:31337 keep state label "c86810caf53c3bc125a2676cea7854dd"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <HomeAssistant> port = 8123 flags S/SA keep state label "2c84ac984c100c4f901cae035eb09ef1"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = pop3 flags S/SA keep state label "e5f12f3ab2258b530949b45f37446e49"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = smtp flags S/SA keep state label "d592151a47f1a1e1fbf62dcff794591e"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = smtps flags S/SA keep state label "341ab3f63b31a4d39303aad2017848c0"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = imap flags S/SA keep state label "13cdad5b1f7f1e2b329c3261ced6ea81"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = imaps flags S/SA keep state label "5734a5755c6e9c6a68679887b82e942b"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = pop3s flags S/SA keep state label "5b11ddbcffd2ff0b78a31b22e8af7cea"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <yunohost> port = submission flags S/SA keep state label "ed4ebfb209487d2a2232533cc0945054"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "7647f225e313a5606020dc74074d00f7"
pass in quick on igb1 inet6 proto tcp from any to <Firewall> port = http flags S/SA keep state label "7647f225e313a5606020dc74074d00f7"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto tcp from any to <Firewall> port = https flags S/SA keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 reply-to (igb1 82.65.33.254) inet proto udp from any to <Firewall> port = https keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 inet6 proto tcp from any to <Firewall> port = https flags S/SA keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb1 inet6 proto udp from any to <Firewall> port = https keep state label "7326ef4d5c22a7a15d7babe8bfaa12a2"
pass in quick on igb0 inet from (igb0:network) to any flags S/SA keep state label "13edc3ec59be9ccf34af93f1d53fd386"
pass in quick on igb0 inet6 from (igb0:network) to any flags S/SA keep state label "065bc85f5cccf990df7a1e3e4693e012"
pass in quick on igb0 inet6 from fe80::/10 to any flags S/SA keep state label "065bc85f5cccf990df7a1e3e4693e012"
pass in quick on igb0 inet proto tcp from any to <Firewall> port = http flags S/SA keep state label "760e3b45c14244a4b862d86a97ab0ebb"
pass in quick on igb0 inet6 proto tcp from any to <Firewall> port = http flags S/SA keep state label "760e3b45c14244a4b862d86a97ab0ebb"
pass in quick on igb0 inet proto tcp from any to <Firewall> port = https flags S/SA keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet proto udp from any to <Firewall> port = https keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet6 proto tcp from any to <Firewall> port = https flags S/SA keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
pass in quick on igb0 inet6 proto udp from any to <Firewall> port = https keep state label "b733c938fe4d0abf5f3d22ed0548fca8"
anchor "miniupnpd" all


Code Select Expand

root@OPNsense:~ # pfctl -s nat
nat-anchor "miniupnpd" all
no nat proto carp all
nat on igb1 inet from (igb0:network) to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from (lo0:network) to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from 127.0.0.0/8 to any port = isakmp -> (igb1:0) static-port
nat on igb1 inet from (igb0:network) to any -> (igb1:0) port 1024:65535
nat on igb1 inet from (lo0:network) to any -> (igb1:0) port 1024:65535
nat on igb1 inet from 127.0.0.0/8 to any -> (igb1:0) port 1024:65535
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = pop3 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = pop3 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = pop3 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = submission -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = submission -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = submission -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = pop3s -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = pop3s -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = pop3s -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = imap -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = imap -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = imap -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = imaps -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = imaps -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = imaps -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = smtps -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = smtps -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = smtps -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <yunohost> port = smtp -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <yunohost> port = smtp -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <yunohost> port = smtp -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <jellyfin_server> port = 8096 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <jellyfin_server> port = 8096 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <jellyfin_server> port = 8096 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto udp from (igb1:network) to <jellyfin_server> port 31336:31337 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto udp from (igb0:network) to <jellyfin_server> port 31336:31337 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto udp from (lo0:network) to <jellyfin_server> port 31336:31337 -> (lo0) port 1024:65535 round-robin
nat on igb1 inet proto tcp from (igb1:network) to <HomeAssistant> port = 8123 -> (igb1) port 1024:65535 round-robin
nat on igb0 inet proto tcp from (igb0:network) to <HomeAssistant> port = 8123 -> (igb0) port 1024:65535 round-robin
nat on lo0 inet proto tcp from (lo0:network) to <HomeAssistant> port = 8123 -> (lo0) port 1024:65535 round-robin
no rdr proto carp all
no rdr on igb0 proto tcp from any to (igb0) port = ssh
no rdr on igb0 proto tcp from any to (igb0) port = 8088
rdr on igb1 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = pop3 -> <yunohost> port 110 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = submission -> <yunohost> port 587 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = pop3s -> <yunohost> port 995 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = imap -> <yunohost> port 143 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = imaps -> <yunohost> port 993 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = smtps -> <yunohost> port 465 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = smtp -> <yunohost> port 25 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = 8096 -> <jellyfin_server> port 8096 round-robin
rdr on igb1 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on igb0 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on lo0 inet proto udp from any to (igb1) port 31336:31337 -> <jellyfin_server> port 31336:31337 round-robin
rdr on igb1 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr on igb0 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr on lo0 inet proto tcp from any to (igb1) port = 8123 -> <HomeAssistant> port 8123 round-robin
rdr-anchor "miniupnpd" all
binat-anchor "miniupnpd" all


Code Select Expand

root@OPNsense:~ # sockstat -l
USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd-sessi 91512 9   stream (not connected)
root     sshd-sessi 90465 9   stream (not connected)
root     php-cgi    40039 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    39631 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    39274 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    38745 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    38282 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     php-cgi    37937 0   stream /var/lib/php/tmp/php-fastcgi.socket-4
root     caddy      12224 5   stream /var/run/caddy/caddy.sock
root     caddy      12224 6   tcp46  *:443                 *:*
root     caddy      12224 7   tcp46  *:80                  *:*
root     php-cgi    91973 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     crowdsec    2837 11  tcp4   127.0.0.1:8080        *:*
root     crowdsec    2837 172 tcp4   127.0.0.1:6060        *:*
root     php-cgi    67056 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    31107 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
www      php-fpm    65184 9   stream /var/run/php-www.socket
www      php-fpm    65165 9   stream /var/run/php-www.socket
root     php-fpm    64975 9   stream /var/run/php-webgui.socket
root     php-fpm    64785 9   stream /var/run/php-webgui.socket
root     php-fpm    64716 7   stream /var/run/php-webgui.socket
root     php-fpm    64716 8   stream /var/run/php-www.socket
root     ntpd       57992 20  udp6   *:123                 *:*
root     ntpd       57992 21  udp4   *:123                 *:*
root     ntpd       57992 22  udp4   192.168.0.254:123     *:*
root     ntpd       57992 23  udp4   82.65.33.149:123      *:*
root     ntpd       57992 24  udp6   ::1:123               *:*
root     ntpd       57992 25  udp6   fe80::1%lo0:123       *:*
root     ntpd       57992 26  udp4   127.0.0.1:123         *:*
root     snmpd      56802 8   udp4   192.168.0.254:161     *:*
root     snmpd      56802 9   tcp4   *:199                 *:*
root     miniupnpd  56576 6   tcp6   *:2189                *:*
root     miniupnpd  56576 8   tcp4   *:2189                *:*
root     miniupnpd  56576 9   udp4   *:1900                *:*
root     miniupnpd  56576 10  udp4   192.168.0.254:64158   *:*
nobody   dnsmasq    54142 4   udp4   *:67                  *:*
nobody   dnsmasq    54142 8   udp4   *:53                  *:*
nobody   dnsmasq    54142 9   tcp4   *:53                  *:*
nobody   dnsmasq    54142 10  udp6   *:53                  *:*
nobody   dnsmasq    54142 11  tcp6   *:53                  *:*
root     php-cgi    49063 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    48808 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    48550 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    48223 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    48173 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    47819 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    47640 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    47479 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    47339 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    47093 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    46833 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     php-cgi    46567 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    46213 0   stream /var/lib/php/tmp/php-fastcgi.socket-3
root     php-cgi    46185 0   stream /var/lib/php/tmp/php-fastcgi.socket-2
root     php-cgi    45928 0   stream /var/lib/php/tmp/php-fastcgi.socket-0
root     lighttpd   45779 7   tcp4   127.0.0.1:8088        *:*
root     lighttpd   45779 8   tcp6   ::1:8088              *:*
root     lighttpd   45779 9   tcp6   fe80::1%lo0:8088      *:*
root     lighttpd   45779 10  tcp4   192.168.0.254:8088    *:*
root     sshd       41539 6   tcp4   192.168.0.254:22      *:*
root     sshd       41539 7   tcp6   fe80::1%lo0:22        *:*
root     sshd       41539 8   tcp6   ::1:22                *:*
root     sshd       41539 9   tcp4   127.0.0.1:22          *:*
root     syslog-ng   9140 19  dgram  /var/run/caddy/log.sock <-
root     syslog-ng   9140 21  dgram  /var/run/log <-
root     syslog-ng   9140 22  dgram  /var/run/logpriv
root     syslog-ng   9140 23  dgram  /var/dhcpd/var/run/log
root     syslog-ng   9140 24  dgram  /var/unbound/var/run/log
root     syslog-ng   9140 28  stream /var/db/syslog-ng.ctl
root     devd         762 6   stream /var/run/devd.pipe
root     devd         762 7   seqpac /var/run/devd.seqpacket.pipe
root     python3.11   353 3   stream /var/run/configd.socket
root     python3.11   353 4   stream /var/run/configd.socket
root     python3.11   353 8   stream /var/run/configd.socket
root     python3.11   353 11  stream /var/run/configd.socket

Hello,

You still need firewall rules to allow 80/443 to "This Firewall". What you do not need are Port Forward rules, since caddy runs directly on the OPNsense. You only need firewall rules:

https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation

Why did you set "Redirect HTTP-01 challenge"? Remove it if you do not need it:

https://docs.opnsense.org/manual/how-tos/caddy.html#redirect-acme-http-01-challenge

You can do the missing "header_up" directive using the header menu, and attach it to a handler:

https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-a-webserver-with-vhosts
 

Ok, I have already done the 1st part, now added the headers and fixed HTTP-01 challenge.
When started, I get these errors in logs :

Code Select Expand

"error","ts":"2025-09-03T08:09:48Z","msg":"challenge failed","identifier":"jeu.ericdelcamp.fr","challenge_type":"http-01","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Fetching http://jeu.ericdelcamp.fr/.well-known/acme-challenge/ynspH8y139vndg-RHdX2jfRN52I4XHElC13_AVIyfFs: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"stacktrace":"github.com/mholt/acmez/v3.(*Client).pollAuthorization\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:557\ngithub.com/mholt/acmez/v3.(*Client).solveChallenges\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:378\ngithub.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:136\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}

Code Select Expand

"error","ts":"2025-09-03T08:09:48Z","msg":"validating authorization","identifier":"jeu.ericdelcamp.fr","problem":{"type":"urn:ietf:params:acme:error:connection","title":"","detail":"82.65.33.149: Fetching http://jeu.ericdelcamp.fr/.well-known/acme-challenge/ynspH8y139vndg-RHdX2jfRN52I4XHElC13_AVIyfFs: Timeout during connect (likely firewall problem)","instance":"","subproblems":null},"order":"https://acme-v02.api.letsencrypt.org/acme/order/2636342801/424284910961","attempt":1,"max_attempts":3,"stacktrace":"github.com/mholt/acmez/v3.(*Client).ObtainCertificate\n\tgithub.com/mholt/acmez/v3@v3.1.2/client.go:152\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).doIssue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:489\ngithub.com/caddyserver/certmagic.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/certmagic@v0.23.0/acmeissuer.go:382\ngithub.com/caddyserver/caddy/v2/modules/caddytls.(*ACMEIssuer).Issue\n\tgithub.com/caddyserver/caddy/v2@v2.10.0/modules/caddytls/acmeissuer.go:288\ngithub.com/caddyserver/certmagic.(*Config).obtainCert.func2\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:626\ngithub.com/caddyserver/certmagic.doWithRetry\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:104\ngithub.com/caddyserver/certmagic.(*Config).obtainCert\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:700\ngithub.com/caddyserver/certmagic.(*Config).ObtainCertAsync\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:505\ngithub.com/caddyserver/certmagic.(*Config).manageOne.func1\n\tgithub.com/caddyserver/certmagic@v0.23.0/config.go:415\ngithub.com/caddyserver/certmagic.(*jobManager).worker\n\tgithub.com/caddyserver/certmagic@v0.23.0/async.go:73"}
The web browser return "ERR_SSL_PROTOCOL_ERROR"

Hi,

I have the following configuration working perfectly:
- two firewall rules that redirect ports 80/443 to a "proxy" host
- caddy configured on "proxy" which redirects to multiple hosts depending on the URL.

I want to transfer this configuration to the caddy OpnSense plugin. Following the documentation, I created the configuration and deleted the firewall rules, but the plugin is unable to retrieve the certificates. This is strange because in the previous configuration, Caddy retrieved the certificate directly from the destination and didn't attempt to obtain a new one from Let's Encrypt.

Old config

Code Select Expand

jeu.ericdelcamp.fr {
    reverse_proxy web3.domain.lan {
        header_up Host {upstream_hostport}
    }
}
OPNSense config

Code Select Expand

http://jeu.ericdelcamp.fr {
    handle /.well-known/acme-challenge/* {
        reverse_proxy web3.domain.lan
    }
    handle {
        redir https://{host}{uri} 308
    }
}

Code Select Expand

jeu.ericdelcamp.fr {
    handle  {
        reverse_proxy https://web3.domain.lan {
        }
    }
}

You are right on theory but not in practise. Every DHCP I know (Ubuntu, Windows, ...) allow reservations inside DHCP range.  That mean when a computer request DHCP an IP address, it's always the same one.

[big]

Hi,
I have a big problem I could not resolve : one IP address, marked as reserved in the DHCP, is still allocated to another host as dynamic allocation.

The DHCP range is 192.168.0.50 - 192.168.0.200 and even if I delete the dynamic allocation, it's still appear again each time a host is asking for a new IP.

Thanks, i will make some tests with that.

Hi,

I have 2 web servers on my LAN, they should dispatched by a classic Nginx setup like :

Code Select Expand

server {
    listen 80;
    server_name web1.domain.eu;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<host1>:80;
    }
}

server {
    listen 80;
    server_name web2.domain.eu;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://<host2>:80;
    }
}


How to included that config on OPNSense Nginx configuration ? How to preserve it when the module will be updated ? There is no GUI for that kind of rules in web interface.

115 views and still no reply, look like nodody use Tor plugin :/

Hi,
I'm searching a real tutorial to understand how to setup a Tor relay with exit.
The documentation for the Tor plugin is just a basic description with no real setup.

For now, I'm blocked on the step where my Tor node is ok but not showing on map (https://metrics.torproject.org/rs.html#search/Singman). I think I'm missing some open ports or ACL somewhere...

Bonjour,

Non rien n'a marché.
J'ai du refaire une installation "from scratch" en formatant tout. Impossible de trouver d'où venait le bug.