Messages - jemkewl

#1
Disregard - uninstall, reboot, reinstall worked.

Thank you!

This is a great plug-in and I appreciate your efforts. Weird things always happen - appreciate the help.

The new handlers are working as expected - one with TLS and the other clear.  Straightforward and works well.
#2
Hello - I recently upgraded and am wondering if something isn't quite working as expected.

Short version -

1) upgraded OPNsense to 24.1.3_1

2) I had two new subdomains I wanted to add (in addition to the ones I've already created). However, I am unable to get these to work. Other/previous subdomains are still working without issue.

3) To troubleshoot, I enabled "http access log" for my domain and also enabled Log HTTP Access in JSON Format.

4) Have hit apply, save, and even restarted the Caddy service a few times.

No logs in /var/log/caddy/access:
:/var/log/caddy/access # ls
:/var/log/caddy/access #

Nothing is showing in the caddy.log either for access.

The Caddyfile looks correct with the new host and handle
The autosave.json in /usr/local/etc/caddy/.config/caddy does not have the new host and handle (don't think that is an issue, but just mentioning it).

Any ideas to tell me what I am doing wrong?


edit: To troubleshoot further, I modified an existing working "Handle" via the Caddy UI.  I changed the IP and port to be of the settings for one of the new domains.  After saving and applying, I am still presented the original configuration in the browser when I access that Handler subdomain.  Seems like something isn't being persisted properly based on this test; at worst, I should receive an error, but instead things still work, albeit for the original subdomain configuration.

edit2: Since the plugin is close to being or is already available natively, do I need to do some cleanup steps with the repo since I installed the plugin prior to the native access?
#3
Appreciate the work you've done and the help on github.

I have several handlers working now for my domain. Only one is accessible externally (Internet) and the rest are all available internally only on my LAN or VPN via the Access List functions. This was far easier than HAProxy or nginx for my needs. I've actually disabled the configs I had there and migrated them to Caddy since my use cases are straightforward.

In an effort to try and give something back, I've front-ended my Unifi console with this Caddy plugin and wish to share a quick tutorial here. There are many ways to do this (e.g. update the cert for Unifi itself to a trusted cert). However, this method is potentially an easier way where we will just trust the Unifi cert. Every 2 years or so, this cert will need to be updated.

Step 1 - Get the Unifi CA cert: Many ways to do this, but I opted for the lazy way. Navigate to your Unifi console in any browser. Click the cert icon in the address bar (most likely it will say "Not secure"). Then click the "cert is not valid" link or whatever link your browser has to show the cert. Go to the Details tab and find "Export". Export the cert and save it to a location with a name you'll recognize (e.g. Unifi.crt).

Step 2 - Get the cert text: Right click on "Unifi.crt" (or whatever you named it) and open it with Notepad, Notepad++, vi, nano or your text editor of choice. Copy the contents to your clipboard.
At the time of this writing, for my version of the Unifi console, the text of Unifi.crt is/was:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Step 3 - Add cert to OPNsense trusted store: Log in to the OPNsense console and go to System -> Trust -> Authorities. Click the + to add a Trust Authority.
Descriptive name : Unifi's Self-Signed Console CA
Method: Import an existing Certificate Authority
Certificate data: paste the full text from Step 2
Click Save
(We will need to edit this trusted cert once it expires and replace it with the newly issued one. With my current Unifi console version, that will be February 20th, 2026. If upgrading the console version, the cert may change and need to be updated as well - depends on what Ubiquiti does with the Unifi Console.)

Step 4 - Create the Unifi handler: Assuming domains, subdomains, etc. are all configured via other tutorials.
Create a "handler" in Caddy "Handlers" as normal, like you would for any other http site, with the backend server domain and port for the Unifi console in your infrastructure. Unifi's console requires https, so to avoid 502 and similar errors, we need to configure Caddy to "handle" the https. This is done by supplying the Subject Alternative Name (SAN) value from Unifi.crt, which is DNS Name=Unifi, the CA we added to the trusted authorities in OPNsense, and using TLS between Caddy and the Unifi console.

Handle type: handle
handle path: (blank).
backend server domain: your unifi's IP / hostname
backend server port: your unifi's port (usually 8443)
TLS: "checked"
TLS Trust CA Certificate: select the item created in Step 3 (e.g. Unifi's Self-Signed Console CA).
TLS Server Name: Unifi

Add a description, save and apply. Navigate to the handler for Unifi's console and your connection should now be encrypted and trusted: https -> Caddy -> https to Unifi server.
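For readers who want to see what the handler above amounts to outside the OPNsense UI, here is an added example of a hand-written Caddyfile that does the same thing. It is not from the original post and not the plugin's generated output; the public hostname (unifi.example.com), the console address (192.168.1.2:8443) and the path where the exported CA is stored (/usr/local/etc/caddy/unifi-ca.pem) are assumptions you would replace with your own. The weak alternative that people usually reach for when a self-signed backend returns 502 is shown commented out so the difference is visible.

```caddyfile
# Added example (not the plugin's own config).
# Assumptions: public name unifi.example.com, Unifi console at 192.168.1.2:8443,
# exported console CA saved as /usr/local/etc/caddy/unifi-ca.pem.
unifi.example.com {
	handle {
		reverse_proxy https://192.168.1.2:8443 {
			transport http {
				# Verify the backend against the exported Unifi CA only;
				# this replaces the system trust store for this transport.
				tls_trusted_ca_certs /usr/local/etc/caddy/unifi-ca.pem
				# Must match the SAN in Unifi.crt (DNS Name=Unifi), otherwise
				# verification fails even though the CA is trusted.
				tls_server_name Unifi

				# Do NOT do this instead: it silences the 502 but disables
				# certificate checking entirely, so anything answering on
				# 192.168.1.2:8443 would be accepted.
				# tls_insecure_skip_verify
			}
		}
	}
}
```

Before trusting the config, you can confirm the exported cert really verifies the console with `openssl s_client -connect 192.168.1.2:8443 -servername Unifi -CAfile unifi-ca.pem </dev/null`, which should end with "Verify return code: 0 (ok)". The expiry date and SAN the post refers to can be read straight from the file with `openssl x509 -in Unifi.crt -noout -enddate -ext subjectAltName`; put the enddate in your calendar, since once it passes Caddy will start returning errors for this handler until the CA in System -> Trust -> Authorities is replaced.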