Topic: Two Web Servers thru One Public IP (Read 2212 times)
spetrillo
Reply #15 on: June 13, 2024, 11:21:15 pm
Does Caddy have a feature to allow internal access to the websites, sort of like split brain?

Patrick M. Hausen
Reply #16 on: June 13, 2024, 11:38:17 pm
Why split brain? You access your external IP address from inside. If you have the default "allow all" rule on LAN, things are just working.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)

spetrillo
Reply #17 on: June 13, 2024, 11:39:45 pm
I thought split brain was for cert reasons... guess I was wrong.

Patrick M. Hausen
Reply #18 on: June 13, 2024, 11:52:59 pm
The single interesting point with respect to certificates is the connection of any browser to your front end proxy or web server. If all requests, internal and external alike, connect to the Caddy server on your WAN IP, then there is only a single certificate to worry about and Caddy will already have taken care of that.
"Split" access is more of a DNS issue. If for some reason you prefer to have external access routed through Caddy but internal access directly to your services (by means of split DNS) then of course you also face the problem of generating and deploying valid certificates for both ways of access.
So the general recommendation is to just map the FQDN to your external IP address and use that everywhere. Caddy will take care of TLS and the certificate.

spetrillo
Reply #19 on: June 14, 2024, 02:02:24 am
Quote from: Monviech on June 12, 2024, 09:22:07 pm
https://docs.opnsense.org/manual/how-tos/caddy.html
Monviech,
I noticed the Caddy website shows some functionality in orange, that are optional plugins. If I need SSH and PHP is that in the OPNsense plugin or do I need additional plugins?
Thanks,
Steve

Monviech (Cedrik)
Reply #20 on: June 14, 2024, 08:44:45 am
I don't understand the question.
Hardware:
DEC740

spetrillo
Reply #21 on: June 14, 2024, 06:21:43 pm
Sorry if I was not clear. If you look at the Caddy website you will see a statement that features in orange are provided by optional plugins. Further down there is a list of app modules and I would be looking for SSH and PHP. Since I am using the OPNsense plugin are these features in the plugin or do I need to add additional plugins to get SSH and PHP app functionality?

Patrick M. Hausen
Reply #22 on: June 14, 2024, 06:24:03 pm
The Caddy plugin in OPNsense supports only HTTP and HTTPS.
What is your use case for SSH and PHP support on a firewall based proxy?

spetrillo
Reply #23 on: June 14, 2024, 06:28:24 pm
PHP because we are a full PHP environment and will end up putting out edge apps that will need to talk back. It might work over HTTPS though.

Monviech (Cedrik)
Reply #24 on: June 14, 2024, 08:31:40 pm
The PHP and SSH modules are for when Caddy is used as an SSH server and PHP server.
For a reverse proxy, only HTTP/HTTPS are needed. You don't want to host actual applications on the OPNsense itself. You only want to reverse proxy to them.

spetrillo
Reply #25 on: June 15, 2024, 05:03:43 pm
Hi Monviech,
So first off this has been an incredibly simple process. I am up and rolling in about an hour. I do have a couple of questions.
I have two Plesk servers that serve up multiple websites. I noticed your section on Reverse Proxy to a Webserver with Vhosts and the internal/external hostnames. I have set up several DNS overrides in Unbound, so the external URL name resolves to the internal IP address. I did this because our code has some external URL calls in it and we found the app would time out without knowing where it was. Should I remove this and implement your Vhost section?
Second, we use Cloudflare as our DNS provider. I noticed you have a section for DNS Providers and the DNS API standard field. Do you want my global API key here, or can I put my DNS Edit key there?
Lastly, when I try to hit my website I am getting a blank screen back. It's like it does not know where to go. I wonder if this is back to the vhost piece.
Thanks,
Steve
« Last Edit: June 15, 2024, 05:40:13 pm by spetrillo »

spetrillo
Reply #26 on: June 15, 2024, 06:07:15 pm
OK, I think I figured out the blank screen, and that is around the private IPs, but now when I try to hit a website from the outside I am being told the site redirected me too many times. What's that all about?
Also I am seeing this in my Caddy log every 10 minutes...do I need to add something?
Informational caddy "info","ts":"2024-06-15T16:09:16Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
« Last Edit: June 15, 2024, 06:27:46 pm by spetrillo »

Monviech (Cedrik)
Reply #27 on: June 15, 2024, 07:46:53 pm
I'm sorry, I don't have much experience with this kind of setup. You just have to try things out now until you figure things out. If not, go to https://caddy.community. Make sure you fill out their full help template, otherwise they can't help.
Also, please read all help texts in the plugin, they help.
Some hints:
- Cloudflare API key should be only a scoped one for DNS.
- For Plesk servers, there could be client side redirects interfering.
- Plesk servers use nginx as another reverse proxy to Apache. Could be a challenge to have two reverse proxies if not everything is configured just right.
« Last Edit: June 15, 2024, 08:01:12 pm by Monviech »
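
One way to narrow down the "redirected me too many times" error from Reply #26, as an added example that is not part of the original posts: it follows redirects by hand and reports whether the chain ends, bounces between URLs, or redirects a URL to itself (which happens when a server behind a TLS-terminating proxy sees a different scheme or host than the browser used). The host www.example.test, the response tables and all function names are constructed for illustration; the thread does not say which case applies to the Plesk servers.

```python
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def follow(url, fetch, limit=10):
    """Follow redirects by hand; fetch(url) -> (status, Location or None).
    Returns (verdict, hops): 'ok' (chain ends), 'self-redirect', 'loop' or 'too-long'."""
    hops, seen = [], set()
    for _ in range(limit):
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECTS or not location:
            return "ok", hops
        target = urljoin(url, location)  # Location may be relative
        if target == url:
            # The redirect points at the URL just requested: its sender saw a
            # different scheme or host than the client used.
            return "self-redirect", hops
        if target in seen:
            return "loop", hops  # two layers keep sending the client back and forth
        seen.add(url)
        url = target
    return "too-long", hops

def http_fetch(url):
    """Live fetcher: one HEAD request, redirects not followed."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=10)
    conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
    resp = conn.getresponse()
    return resp.status, resp.getheader("Location")

# Constructed responses for a placeholder host, not captured from the thread.
HEALTHY = {"http://www.example.test/": (308, "https://www.example.test/"),
           "https://www.example.test/": (200, None)}
SELF_REDIRECT = {"http://www.example.test/": (308, "https://www.example.test/"),
                 "https://www.example.test/": (301, "https://www.example.test/")}
PING_PONG = {"https://example.test/": (301, "https://www.example.test/"),
             "https://www.example.test/": (301, "https://example.test/")}

def verdict(table, start):
    return follow(start, table.__getitem__)[0]

if __name__ == "__main__":
    for name, table, start in (("healthy", HEALTHY, "http://www.example.test/"),
                               ("self-redirect", SELF_REDIRECT, "http://www.example.test/"),
                               ("ping-pong", PING_PONG, "https://example.test/")):
        print(name, "->", verdict(table, start))
```

Against a live site, pass `http_fetch` as the `fetch` argument and compare the hops seen from outside with those seen when requesting the backend directly from the LAN.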