Messages - NeoDragon

#16
24.7, 24.10 Legacy Series / Caddy http access issues
November 04, 2024, 06:29:40 PM
Hi,

I've been using the Caddy plugin for a little while. Recently, HTTP access started acting up and not allowing IPs included in the addresses, specifically the OpenVPN subnet.

VPN subnet is on 192.168.50.1/24
Local Subnet is on 192.168.0.0/16

I tried adding 192.168.0.0/16 and the 192.168.50.2 IP (the VPN user address), and it still doesn't work.

As soon as I remove access restriction, everything starts to work again.
------

As I was typing this, I figured it out while looking at the Caddyfile to share it.
The Invert option might be "inverted", as in it denies access to the IP addresses listed instead of allowing them.

Invert not checked: not client_ip 192.168.0.0/16 192.168.50.2
Invert checked: client_ip 192.168.0.0/16 192.168.50.2
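As an added example, not code from the thread or from the OPNsense Caddy plugin: a small Python model of Caddy's client_ip matcher that evaluates the two generated lines above against a client address. It assumes the handler layout that appears in the generated Caddyfile later in this thread (a client_ip matcher gating a handle block, followed by abort), so a request the matcher accepts is proxied and everything else is dropped. The normalisation of 192.168.50.1/24 to 192.168.50.0/24 is this model's choice, not a statement about how Caddy parses such a prefix.

```python
"""Model of Caddy's client_ip matcher, with and without the `not` prefix.

Added example, not from the thread or from the OPNsense Caddy plugin.
The allow/deny decision assumes the layout seen in the generated
Caddyfile later in this thread: a client_ip matcher gates a handle block
and everything else falls through to abort.
"""
import ipaddress
import shlex
from typing import List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_matcher(line: str) -> Tuple[bool, List[Network]]:
    """Parse `[not] client_ip <ip-or-cidr>...` into (negated, networks).

    Bare addresses become /32 (or /128) networks. A prefix with host bits
    set, such as 192.168.50.1/24, is normalised to 192.168.50.0/24 here;
    that is this model's choice, not a claim about Caddy's parser.
    """
    tokens = shlex.split(line)
    negated = bool(tokens) and tokens[0] == "not"
    if negated:
        tokens = tokens[1:]
    if not tokens or tokens[0] != "client_ip":
        raise ValueError(f"not a client_ip matcher: {line!r}")
    nets = [ipaddress.ip_network(t, strict=False) for t in tokens[1:]]
    if not nets:
        raise ValueError("client_ip matcher needs at least one address")
    return negated, nets


def matcher_matches(line: str, client: str) -> bool:
    """True when the matcher is satisfied for `client` (`not` flips it)."""
    negated, nets = parse_matcher(line)
    addr = ipaddress.ip_address(client)
    in_list = any(addr in net for net in nets)
    return in_list != negated


def request_allowed(line: str, client: str) -> bool:
    """Matcher satisfied -> the request enters the handle block (proxied);
    otherwise it reaches the trailing abort and is dropped.

    `client_ip <list>`     -> only listed clients pass  (allowlist)
    `not client_ip <list>` -> listed clients are dropped (denylist)
    """
    return matcher_matches(line, client)


if __name__ == "__main__":
    allow_line = "client_ip 192.168.0.0/16 192.168.50.2"      # post: Invert checked
    deny_line = "not client_ip 192.168.0.0/16 192.168.50.2"   # post: Invert unchecked
    for who in ("192.168.50.2", "192.168.1.10", "203.0.113.7"):
        print(f"{who:14} Invert checked: {request_allowed(allow_line, who)!s:5} "
              f"Invert unchecked: {request_allowed(deny_line, who)}")
```

Run it and the table shows that with `client_ip <list>` only listed addresses get through (an allowlist), while with `not client_ip <list>` the listed addresses are the ones dropped (a denylist), which matches what the post observed. It also shows that 192.168.50.2 is already covered by 192.168.0.0/16, so listing it separately changes nothing; the broken behaviour came from the negation, not from the address list.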
#17
Would you happen to know where the www folder for Caddy is located?
I'd like the main domain to point to a single HTML file inside Caddy,

something like this:

<!DOCTYPE html>
<html>
  <body style="overflow:hidden; margin:0; text-align:center;">
    <img src="image.jpg" style="height:100vh; max-width:100%; object-fit: contain;">
  </body>
</html>
#18
Quote from: Monviech on July 27, 2024, 07:21:45 AM
Sorry, I don't know then. Without some debug logs it's uncertain what happens there. I need some info that is not anonymized so there are no mistakes due to wrong omissions.

- Check your DNS, does "nslookup yoursubdomainname" really resolve to the IP address of the OPNsense?

- If yes, what's the output of "curl -v subdomainname"?

- What do the debug logs show when you try to reach it?

- Which kind of application is listening there? Is it an HTTP or HTTPS application?

- If the application demands a HTTPS connection, did you enable "TLS Insecure Skip Verify" like I asked?

- When you deactivate the handler for the subdomain AND disable "abort", do you at least see an empty webpage and the certificate?

If it's a very complex issue, you can also go to https://caddy.community and fill out their help template. Show your old nginx configuration and your current Caddyfile. That way they can see if there's a mistake.

So, thanks for the heads up! I finally managed to make it work.
As every time something ain't working in networking... it's always DNS!

For DNS resolution, I'm using Pi-hole > Unbound > DoT.

Pi-hole was not resolving the "local" domain and was throwing "non-existing domain".

Adding a local DNS record through Pi-hole, pointing to the firewall, made it resolve.

Now it works as intended!
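The checklist quoted above, turned into a script (an added example, not from the thread or the plugin): it first checks what DNS says about the subdomain relative to the firewall's address, which is exactly where this case went wrong, and only then opens a TLS connection. The probe can be pointed at the proxy (the "curl -v" step) or directly at the backend; run against the backend with insecure=True it shows whether the backend certificate is the reason Caddy's own connection fails, which is the situation the plugin's "TLS Insecure Skip Verify" option papers over. Hostnames, the expected firewall address and the resolver hook are placeholders.

```python
"""Reverse-proxy reachability checks, after Monviech's list, as a script.

Added example, not from the thread or the plugin. Names, the expected
firewall address and the resolver hook are placeholders.
"""
import socket
import ssl
import sys
from typing import Callable, Dict, List


def resolve(hostname: str) -> List[str]:
    """All A/AAAA addresses for hostname, via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def resolution_verdict(hostname: str, expected_ip: str,
                       resolver: Callable[[str], List[str]] = resolve) -> str:
    """Classify what DNS says about hostname relative to the proxy's IP.

    "unresolved" - no record (the NXDOMAIN the post saw from Pi-hole)
    "ok"         - every returned address is the expected proxy address
    "wrong-ip"   - it resolves, but elsewhere (stale record, a public DNS
                   answer instead of the local override, ...)
    """
    try:
        addrs = resolver(hostname)
    except OSError:            # socket.gaierror is an OSError
        return "unresolved"
    if not addrs:
        return "unresolved"
    return "ok" if set(addrs) == {expected_ip} else "wrong-ip"


def tls_probe(host: str, port: int = 443, insecure: bool = False,
              timeout: float = 5.0) -> Dict[str, object]:
    """Open a TLS connection with SNI=host and report what the peer offered.

    insecure=True disables chain and hostname verification. Pointed at a
    backend, that is what the plugin's "TLS Insecure Skip Verify" does for
    Caddy's connection to it: it separates "untrusted or wrong certificate"
    from "nothing listening". Diagnostic only; trust the backend CA instead
    of leaving verification off.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()   # {} when verification is disabled
            return {
                "version": tls.version(),
                "subject": cert.get("subject", ()),
                "san": cert.get("subjectAltName", ()),
            }


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "sub1.local.domain.tld"
    expected = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.1"   # placeholder
    verdict = resolution_verdict(name, expected)
    print(f"DNS: {name} -> {verdict}")
    if verdict != "ok":
        sys.exit(1)                    # fix DNS first; the proxy is never reached
    try:
        print("TLS (verified):", tls_probe(name))
    except ssl.SSLError as err:        # SSLError before the broader OSError
        print("TLS verification failed:", err)
        print("TLS (insecure):", tls_probe(name, insecure=True))
    except OSError as err:
        print("connect failed:", err)
```

The resolver is injectable so the verdict logic can be exercised without a network; in the live run it uses whatever resolver the host is configured for, so run it from a client that uses the Pi-hole (or AdGuard) and not from the firewall itself, otherwise you test the wrong resolver.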
#19
Quote from: Monviech on July 26, 2024, 10:06:16 PM
You have enabled TLS, does that mean your internal service has a globally trusted certificate? Because if not, you need to make sure Caddy trusts the certificate.

Check this out, it explains it: https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webgui

Otherwise, disable both TLS options you have set, and enable "TLS Insecure Skip Verify"; it will skip certificate handling and the internal HTTPS connection will "just work".

Disabling everything TLS made no change.
#20
I've redacted wrongly, sorry:

*.local.domain.tld {
   log 6a100fb9-863d-4a8e-a6dc-6aaad5598184

@febd140e-6307-4080-8419-d1de0c6a23b2 {
      host sub1.local.domain.tld

The Caddyfile does validate under diagnostics, but still won't proxy to the local server.
#21
There you go!

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

# caddy_user=root

# Global Options
{
    log {
        include http.log.access.6a100fb9-863d-4a8e-a6dc-6aaad5598184
        output net unixgram//var/run/caddy/log.sock {
        }
        format json {
            time_format rfc3339
        }
    }

    email *email*
    grace_period 10s
    import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

# Reverse Proxy Domain: "ef64738b-136e-4bba-b267-f6307990db7b"
domain.tld {
    tls /var/db/caddy/data/caddy/certificates/temp/66a3c470808dc.pem /var/db/caddy/data/caddy/certificates/temp/66a3c470808dc.key

    handle {
        reverse_proxy 127.0.0.1 {
            transport http {
                tls
            }
        }
    }

    abort
}

This section does not work:

# Reverse Proxy Domain: "6a100fb9-863d-4a8e-a6dc-6aaad5598184"
*.local.domain.tld {
    log 6a100fb9-863d-4a8e-a6dc-6aaad5598184
    tls /var/db/caddy/data/caddy/certificates/temp/66a26c37d9228.pem /var/db/caddy/data/caddy/certificates/temp/66a26c37d9228.key

    @febd140e-6307-4080-8419-d1de0c6a23b2 {
        host *.local.domain.tld
    }
    handle @febd140e-6307-4080-8419-d1de0c6a23b2 {
        handle {
            reverse_proxy *local 192 address*:port {
                transport http {
                    tls
                    tls_server_name *.local.domain.tld
                }
            }
        }

        abort
    }

    @dbd15585-f172-4fbd-8524-13d6dcd351af {
        client_ip local 192 address
    }

    handle @dbd15585-f172-4fbd-8524-13d6dcd351af {
    }

    abort
}
#22
Hi, I'm trying to switch from a Docker install of NGINX Proxy Manager behind the OPNsense firewall to this Caddy plugin right on the firewall.
I have a couple of internal addresses I use that can be accessed only on the local network.
There's a wildcard setup with a proper certificate (*.local.domain.tld) and it works on NGINX.

After following the guide on the first page, it does not seem to work on Caddy.

I have 2 domains: one with the main domain.tld, one with the wildcard.
Under subdomains, I've set up the first one there under the wildcard *.local.domain.tld.
I have 2 handlers: one with the main domain linked to localhost under upstream, one with the wildcard+subdomain linked to a local LAN address with a specified port.

The main domain link works and gets a proper page/certificate.
The subdomain is unreachable/can't connect.

What am I missing?!
#23
You should remove Unbound from this chain; AdGuard can do it all without having to use Unbound.
Anyway, have you tried this:

Unbound:
DHCP Static Mappings: "Register DHCP static mappings" ticked
DHCP Registration: "Register DHCP leases" ticked

AdGuard Home:
Under Upstream DNS Server (make sure it is the first entry):
[/168.192.in-addr.arpa/]192.168.1.1

Change the address according to your own network.
#24
23.1 Legacy Series / Firewall Aliases not updating
April 30, 2023, 07:54:35 PM
Hi,

I've had trouble with updating aliases from a cron job. None of the URL aliases were updating unless I manually disabled and re-enabled them.
The cron job also didn't work.

I found an issue report on GitHub about it, and user splooge seems to have a proper solution: https://github.com/opnsense/core/issues/5788#issuecomment-1489096388

Changing the service command of the alias update in action_filter.conf to rm -f /var/db/aliastables/* && /usr/local/opnsense/scripts/filter/update_tables.py seems to have worked.

#25
23.1 Legacy Series / Re: DNS issues since 23.1.6
April 24, 2023, 04:45:42 PM
I had an issue with DNS as well.
Using:
Unbound on port 5353, with DNS over TLS
AdGuard on port 53, pointing to Unbound for upstream DNS
Also:
I had a NAT redirection and firewall rules to block any external DNS and redirect it to AdGuard.

Fix:
Remove the external DNS block and redirection. The rules were applied following this guide: https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/
#26
22.7 Legacy Series / Re: AdGuard not updating
October 06, 2022, 12:32:25 AM
Quote from: RamSense on October 05, 2022, 09:59:32 PM
Thanks for sharing!
I tried https version, but i got this error:
* Closing connection -1
curl: (3) URL using bad/illegal format or missing URL
I tried plain http:
Ambiguous output redirect.

You might want to try using the LAN address and see if it works this way.
#27
22.7 Legacy Series / Re: AdGuard not updating
October 05, 2022, 09:20:34 PM
Solution picked from the AdGuard bug thread:

- SSH into your OPNsense box
- Send this command, changing USERNAME:PASSWORD to your AdGuard login/password
- Specify the port if you changed the default

curl -H 'Content-Type: application/json' -X POST -v 'http://USERNAME:PASSWORD@127.0.0.1/control/update'

If you are running AdGuard over an SSL connection:

curl --insecure -H 'Content-Type: application/json' -X POST -v 'https://USERNAME:PASSWORD@127.0.0.1:443/control/update'


#28
22.7 Legacy Series / False interface lan overview
July 30, 2022, 10:46:34 PM
Hi,

I've encountered a small bug. It is not breaking anything really, just reporting false information.

My machine running OPNsense 22.7_4:
Odyssey Blue X864105

This machine comes with 2x Intel I211 NICs; however, OPNsense is reporting the MAC address as Realtek. A quick Google search for the first 6 digits of the MAC does in fact report it as Realtek, but running pciconf -lv | grep -A1 -B3 network tells me otherwise. See the 2 pictures attached.

Nothing breaking, but a bit annoying as I went down the rabbit hole to confirm the NICs were indeed Intel and not Realtek so I could enable CRC, TSO and LRO without worry.
#29
21.7 Legacy Series / Re: Unbound DoT not working
September 10, 2021, 11:18:56 PM
Thanks for the explanation !

Is there any way to confirm DoT is working from unbound to quad9 then?
#30
21.7 Legacy Series / Re: Unbound DoT not working
September 09, 2021, 12:04:38 AM
Shouldn't the site be able to test/tell me if the requests are sent with TLS or not? It does with DNSSEC.
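As an added example (not from the thread), one way to confirm a DoT upstream end-to-end from the firewall: a minimal RFC 7858 client that sends one query over TLS to Quad9 at 9.9.9.9:853, verifying the certificate against the name dns.quad9.net, and parses the answer. A successful verified handshake means the upstream really is Quad9 and not something intercepting port 853. The query name and the SAMPLE_RESPONSE bytes are constructed for the illustration.

```python
"""Minimal DNS-over-TLS (RFC 7858) client: one query to Quad9, verified TLS.

Added example, not from the thread. SAMPLE_RESPONSE is a constructed
answer used to exercise the parser offline.
"""
import ipaddress
import secrets
import socket
import ssl
import struct
from typing import List, Optional, Tuple

QUAD9_IP = "9.9.9.9"
QUAD9_NAME = "dns.quad9.net"   # name the DoT certificate is issued for

# Constructed response: id 0x1234, flags QR|RD|RA, one question for
# example.com/A and one A answer (192.0.2.1) using a compression pointer.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
)


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Return (transaction id, DNS wire-format query) with the RD flag set."""
    if txid is None:
        txid = secrets.randbits(16)   # random id; the reply must echo it back
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes, txid: int) -> Tuple[int, List[str]]:
    """Return (rcode, [A/AAAA addresses]) from a DNS response message."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError(f"transaction id mismatch: {rid:#06x} != {txid:#06x}")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # QTYPE + QCLASS
    addrs: List[str] = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
        elif rtype == 28 and rdlen == 16:
            addrs.append(str(ipaddress.IPv6Address(rdata)))
    return rcode, addrs


def _recv_exact(sock: ssl.SSLSocket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def dot_query(name: str, server: str = QUAD9_IP, server_name: str = QUAD9_NAME,
              port: int = 853, timeout: float = 5.0) -> Tuple[str, int, List[str]]:
    """Resolve `name` over DoT; returns (TLS version, rcode, addresses).

    create_default_context() verifies the chain against the system trust
    store and checks server_name against the certificate, so a successful
    return means the peer on 853 is really Quad9.
    """
    txid, query = build_query(name)
    ctx = ssl.create_default_context()
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # RFC 7858 length prefix
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            rcode, addrs = parse_response(_recv_exact(tls, length), txid)
            return tls.version(), rcode, addrs


if __name__ == "__main__":
    version, rcode, addrs = dot_query("example.com")
    print(f"{version} rcode={rcode} answers={addrs}")
```

This proves the path and the certificate, not that Unbound itself uses it. For that, watch the firewall's own upstream traffic while resolving something uncached from a client: connections to 9.9.9.9 port 853 and nothing leaving on port 53 (for example with tcpdump on the WAN interface) is the evidence that Unbound's forwarding really is over TLS.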