Messages - MeroP

#1
Hello,
May I ask for your help, @Monviech? I would like to install the Stalwart mail server behind the Caddy plugin. According to the documentation https://stalw.art/docs/server/reverse-proxy/caddy/, the following must be done to enable Proxy Protocol support directly within Caddy.
It is mentioned that the plugin called proxy_protocol should be used. As I understand it, this is already integrated in Caddy.

Caddyfile example

mail.example.com {
    redir https://example.com{uri}
}

example.com {
    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server
}

mail.example.com {
    reverse_proxy 127.0.0.1:8080
}


In addition, a crontab must be created in order to automate copying the certificates obtained by Caddy:

0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.crt > /opt/stalwart-mail/cert/example.com.pem
0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.key > /opt/stalwart-mail/cert/example.com.priv.pem


My questions:
1. Can this be implemented with the plugin and the GUI, or do I have to use a Custom Configuration File?
2. How do I create the automated copying of the certificates obtained by Caddy to the Stalwart container?

Thank you very much for your help and for your great plugin. It has helped me on many levels and also given me a lot of insight.
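An added example, not from the Stalwart documentation or the post above: the two crontab lines use `cat >`, which creates the private key file with whatever mode the umask gives (often 0644) and rewrites both files every night. The function below does the same copy with the source paths from the docs, but installs the key with mode 0600, replaces the files atomically, and reports whether anything changed so a Stalwart reload can be skipped when the certificate is unchanged. It assumes Caddy and Stalwart share a filesystem, as in the docs example.

```shell
#!/bin/sh
# sync_stalwart_certs SRC_DIR DST_DIR DOMAIN
# Copies <DOMAIN>.crt and <DOMAIN>.key from Caddy's certificate store into
# Stalwart's cert directory as <DOMAIN>.pem and <DOMAIN>.priv.pem.
# Compared with the plain `cat >` crontab lines:
#  - the key is written with mode 0600 (cat > inherits the umask)
#  - each file is replaced atomically (temp file, then rename)
#  - unchanged files are left alone, and "updated"/"unchanged" is printed
sync_stalwart_certs() {
    src_dir=$1; dst_dir=$2; domain=$3
    changed=0
    mkdir -p "$dst_dir"
    # source extension : destination suffix : destination mode
    for pair in "crt:pem:0644" "key:priv.pem:0600"; do
        ext=${pair%%:*}; rest=${pair#*:}
        suffix=${rest%%:*}; mode=${rest#*:}
        src="$src_dir/$domain.$ext"
        dst="$dst_dir/$domain.$suffix"
        [ -r "$src" ] || { echo "missing $src" >&2; return 1; }
        if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
            continue
        fi
        tmp="$dst.tmp.$$"
        # install sets the mode before the key material lands at its final path
        install -m "$mode" "$src" "$tmp" && mv -f "$tmp" "$dst" || return 1
        changed=1
    done
    if [ "$changed" -eq 1 ]; then echo updated; else echo unchanged; fi
}

# Invocation with the paths from the Stalwart docs (e.g. from a daily cron job):
# sync_stalwart_certs \
#   /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com \
#   /opt/stalwart-mail/cert example.com
```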
#2
Because some questions have already arisen here regarding a Nextcloud installation behind an OPNsense with the Caddy reverse proxy plugin, here is a small guide:

1. Follow the documentation of this great plugin by Monviech [do it exactly as described]
https://docs.opnsense.org/manual/how-tos/caddy.html#how-to-install
- 1. Installation
- 2. Prepare OPNsense for Caddy after installation

2. Create an A-Record with an external DNS Provider that points to the external IP Address of the OPNsense

3. Create a VM/SERVER/LXC/CONTAINER on your favorite hypervisor
- must be accessible from the OPNsense via a static IP
- For example 192.168.10.1

4. Create a simple-reverse-proxy for nextcloud
https://docs.opnsense.org/manual/how-tos/caddy.html#creating-a-simple-reverse-proxy
For example:

[FRONTEND]
Domain: nextcloud.yourdomain.eu
Port: Leave empty to use port 443 with automatic redirection from port 80
Description: nextcloud.yourdomain.eu - frontend

[BACKEND]
Domain: nextcloud.yourdomain.eu
Description: nextcloud.yourdomain.eu - backend
Upstream Domain: 192.168.10.1
Upstream Port: 11000 [IMPORTANT - you need to reach the apache web server in the nextcloud instance]

DON'T FORGET TO APPLY

5. Run a shell in the VM/SERVER/LXC/CONTAINER and prepare the nextcloud installation

sudo apt update && sudo apt upgrade -y && sudo apt install -y unattended-upgrades curl

curl -fsSL https://get.docker.com | sudo sh

docker version

sudo mkdir /nextcloud

sudo mkdir /mnt/data


6. Create a docker-compose.yml file for the nextcloud container

nano /nextcloud/docker-compose.yml

[PASTE]
services:
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8080:8080
    environment:
      AIO_DISABLE_BACKUP_SECTION: false
      APACHE_PORT: 11000
      APACHE_IP_BINDING: 0.0.0.0
      NEXTCLOUD_DATADIR: /mnt/data
      NEXTCLOUD_MOUNT: /mnt/
      NEXTCLOUD_UPLOAD_LIMIT: 20G
      NEXTCLOUD_MAX_TIME: 7200
      NEXTCLOUD_MEMORY_LIMIT: 4096M
      NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts
      NEXTCLOUD_STARTUP_APPS: deck twofactor_totp tasks calendar contacts notes
      TALK_PORT: 3478
      WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock

volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer

7. Go to https://192.168.10.1:8080
- Log in to the AIO installer with the pw seed
- Enter nextcloud.yourdomain.eu
- Follow the Nextcloud AIO installer as shown

8. Go to https://nextcloud.yourdomain.eu
- reverse proxy and SSL cert via the Caddy plugin
- If you wish, restrict access to internal IPs only
- https://scan.nextcloud.com
- https://www.ssllabs.com/ssltest/


For further reading: https://github.com/nextcloud/all-in-one
#3
Many thanks for your advice. I followed your tutorials - it works perfectly.
With the (self-signed) certificates from OPNsense, Unifi and Proxmox, TLS works between proxy and backend.

However, it is unclear to me how this should work for virtual machines and containers which do not yet have a certificate.
I was under the assumption that the certificate that Caddy issues externally can also be used for the connection between the reverse proxy and the backend.

Or should I simply create an override in Unbound?

Like:
host.example.com ---- unbound----opnsense 127.0.0.1-----caddy----TLS----backend

Somehow I can't see the way right now.
#4
My utmost respect. This is a very successful plugin. Simple, direct and, above all, easy to use for inexperienced users.
The alternatives HAProxy/Nginx are really not characterized by their user-friendliness and simplicity.

WHERE CAN I BUY YOU A BEER OR COFFEE? I would like to support your work!

Perhaps it would be possible to add a few more aspects, pitfalls and tips to the above tutorial.

- Specific syntax of the API key for the DNS challenge
- Where to find Subject Alternative Name (SAN)
- Instructions for e.g. Nextcloud etc.

What I have not yet managed to get right:

That the OPNsense-internal calls are forwarded directly to the backend server while certificates are still issued by Caddy. All connections only succeed via HTTP without certificates. Could you help with an example or give me a hint? I have now tried it with Vaultwarden and Stirling PDF (both in a Docker container); resolution to external works without problems, even with a wildcard, but to internal only as described above.

Many thanks for the great work and good luck with the integration in OPNsense!
#5
Hello OPNsense community,

Goal:
Port forwarding of Webserver_Ports_External (80,443) from OPNsense to the DMZ (NginxProxyManager) 192.168.10.50

Problem:
The ports are not opened to the outside when I check it via LTE.
Strangely, open ports are shown via the browser and a port checker.

Internet: Vodafone cable, router/modem put into bridge mode, static IP
OPNsense: v23.7.9 ; DNS is Unbound ; CrowdSec, admin access is on port 8443

WAN
LAN/Management
DMZ VLAN 10 (NGINX PROXY MANAGER)
APP VLAN 20
IOT VLAN 30
USER VLAN 40
GUEST VLAN 50

I have already tried the following steps

Firewall: Settings: Advanced

Reflection for port forwards: enabled
Automatic outbound NAT for Reflection: enabled
Disable reply-to on WAN rule: enabled

Firewall: NAT: Port Forward

Interface  Proto  Source  Src port  Destination  Dest port                  NAT IP             NAT port
WAN        TCP    *       *         WAN address  Webserver_Ports_External   NginxProxyManager  Webserver_Ports_External

Filter rule association: PASS

Firewall: Rules: WAN

Proto  Source  Port  Destination  Port                      Gateway  Schedule
IPv4 TCP  *   *     WAN address  Webserver_Ports_External  *        *

Up to now I have really managed everything with a bit of reading, but at this point something is off somehow.

I would be very grateful for help, hints and troubleshooting approaches