Caddy plugin

Started by cloudz, March 22, 2024, 12:01:48 PM

It doesn't always need to be a problem that's posted here, I think.

Thank you so much, development team, for the Caddy plugin. I've been able to remove a lot of complexity on my network due to this.

The setup was child's play and it works beautifully well.

Hey I'm really happy you like it.  :)

Can you share in which kind of configuration you use it? I'm interested if you use DNS providers (especially dynamic DNS and the DNS-01 challenge), for example. I don't have a lot of feedback regarding this feature (since I don't use it myself).
Hardware:
DEC740

March 22, 2024, 12:42:39 PM #2 Last Edit: March 22, 2024, 12:44:39 PM by cloudz
I don't use it either at this moment. I would be using Cloudflare... I can give it a try, but my domains mostly resolve by CNAME to my router's A record, so there's no need to update them all when it changes.

I do have an internal RP running on Caddy that's not externally accessible and runs on an internal DNS zone. Maybe I can remove that one too. Let me see over the weekend.

Oh, no, you don't have to try it. I know that Cloudflare works since that was my test case (and it's the biggest provider plugin). One of the more obscure choices would have been rather interesting.

Have fun with it. ^^
Hardware:
DEC740

@monviech - wouldn't it be possible to add the tls_skip_verify as an advanced option with an explicit warning or so?

I have a few internal services that are impossible to provide with a decent certificate, e.g. the Unifi controller, Scrypted, my Synology.

March 24, 2024, 08:53:00 AM #5 Last Edit: March 24, 2024, 08:58:58 AM by Monviech
Since it's literally the number one requested feature, I will just add it in the next version for backwards compatibility with old services.

I just dislike the idea that it will be an easy way out and that people will use it for all scenarios where they could use proper certificate handling instead...

EDIT: It's on my WIP list: https://github.com/opnsense/plugins/pull/3865

Hardware:
DEC740

If you edit the files in /usr/local/opnsense/... with the changes in this commit, you can already try it out:

https://github.com/Monviech/opnsense-plugins/commit/9ea33e88f6cadbf1c5e3d94508e1f2818613c578

Please only change what is shown in this commit, don't copy the whole files from that branch since there are more changes that aren't tested thoroughly yet.

Example path, the other files can be found and edited like this too:
/usr/local/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
Hardware:
DEC740

Awesome. I can wait. That UDM/Unifi controller thing stays one of the worst things out there.

It's going to be in 24.1.5, my pull request was merged.

Here's the full changes for the next version: https://github.com/opnsense/plugins/commit/354782cf9beff470c46580859556d8e070aa2416
Hardware:
DEC740
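For readers who want to see what the advanced option discussed above actually changes on the wire, here is an added example of two hand-written Caddyfile handles. This is not the plugin's generated configuration and not Monviech's code; the hostnames, backend addresses and the PEM path are placeholders I assumed for illustration. The first handle is the "easy way out" (backend certificate not verified at all); the second pins the backend's own self-signed certificate instead, which keeps the Caddy-to-backend hop both encrypted and authenticated:

```caddyfile
# Added example, not generated by the os-caddy plugin. All names, addresses
# and paths are assumptions (placeholders).

# 1) Skip verification: the hop from Caddy to the backend is encrypted but
#    NOT authenticated. Anything that can sit between the firewall and the
#    backend (rogue VLAN member, compromised hypervisor bridge) can present
#    any certificate and read or alter the proxied traffic.
unifi.example.internal {
    reverse_proxy https://192.0.2.10:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

# 2) Pin the backend's self-signed certificate as the only trusted issuer
#    and verify the expected name. A self-signed certificate is its own
#    issuer, so the exported leaf PEM works as the trust anchor. The PEM is
#    assumed to have been exported from the device to this path on the
#    firewall.
synology.example.internal {
    reverse_proxy https://192.0.2.11:5001 {
        transport http {
            tls_trusted_ca_certs /usr/local/etc/caddy/certs/synology-selfsigned.pem
            tls_server_name synology.example.internal
        }
    }
}
```

Two checks before relying on variant 2: export the certificate from the backend itself (or over a connection you trust, e.g. with `openssl s_client -showcerts` from the firewall on the backend's own subnet), and confirm that the name in `tls_server_name` appears in the certificate's Subject Alternative Names. Devices that ship a fixed, name-less self-signed certificate fail that second check, which is precisely the backwards-compatibility case where the skip-verify option is the only remaining choice. Newer Caddy releases deprecate `tls_trusted_ca_certs` in favour of the `tls_trust_pool` directive; the effect is the same.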

Woohoo!  8)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

April 02, 2024, 08:59:36 PM #10 Last Edit: April 03, 2024, 04:29:06 PM by Monviech
@Patrick

There's also one more change (that's kinda beta), the HTTP-01 challenge redirection (passthrough). I'm really interested in how this one will play out.

EDIT:

I just had this weird idea to use this for Caddy in HA. If you redirect the HTTP-01 challenge to the backup firewall, it can also issue Let's Encrypt certificates... maybe? Worth a try.  :o

EDIT2:

Wow, I just tested this with 2 Caddys daisy-chained and it actually works. Both could get a Let's Encrypt certificate for the same domain. The first one used the TLS-ALPN-01 challenge, and the second one the HTTP-01 challenge proxied through the first one.
Hardware:
DEC740
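The daisy-chained setup described in the post above, written out as plain Caddyfiles so the mechanism is visible. This is an added example, not the plugin's passthrough feature or the author's test configuration; the domain `ha.example.com`, the backup address `192.0.2.20` and the application backend `10.0.0.5:8080` are assumed placeholders. It relies on one documented Caddy behaviour: a Caddy instance answers HTTP-01 tokens it is itself currently solving before any site routing, so only challenge requests it is not solving (the backup's) fall through to the site block and get proxied.

```caddyfile
# Added example, not the os-caddy plugin's generated config.
# Placeholders: ha.example.com, 192.0.2.20 (backup Caddy), 10.0.0.5:8080 (app).

# --- Front Caddy (owns the public IP) -----------------------------------
# Obtains its own certificate locally (TLS-ALPN-01 on :443 in the post's
# test). Defining an explicit http:// site disables Caddy's automatic
# HTTP->HTTPS redirect for this host, so the redirect is restated below
# for everything that is not an ACME challenge.
http://ha.example.com {
    handle /.well-known/acme-challenge/* {
        # Challenge tokens this instance is not solving are passed on
        # unchanged to the backup, which answers with its own key auth.
        reverse_proxy 192.0.2.20:80
    }
    handle {
        redir https://{host}{uri} permanent
    }
}

ha.example.com {
    # The backup holds a publicly trusted certificate for the same name,
    # so this hop is verified against the system trust store: no
    # tls_insecure_skip_verify needed.
    reverse_proxy https://192.0.2.20 {
        transport http {
            tls_server_name ha.example.com
        }
    }
}

# --- Backup Caddy (reachable only through the front) -------------------
# The front terminates TLS, so an ACME TLS-ALPN-01 probe never reaches
# this instance's :443 with its ALPN intact. Disable that challenge so
# Caddy goes straight to HTTP-01, which arrives via the passthrough.
ha.example.com {
    tls {
        issuer acme {
            disable_tlsalpn_challenge
        }
    }
    reverse_proxy 10.0.0.5:8080
}
```

To confirm the path works without waiting for a renewal, request `http://ha.example.com/.well-known/acme-challenge/test` from outside: the front should proxy it (the backup returns 404 for an unknown token) rather than redirecting it to HTTPS; every other path on port 80 should be redirected. Note that only the `/.well-known/acme-challenge/` prefix is forwarded, so the passthrough does not expose any other part of the backup on plain HTTP.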

Looking forward to that "Today is patchday!" announcement!

Updated & removed an additional 2 Caddys from my Proxmox environment. Thanks!

Glad to hear it's working fine for you. If you experience any problems, check GitHub. There are already a few fixes in the pipeline for when Caddy takes a long time to start or stop.
Hardware:
DEC740

Hi Monviech

Thank you for this wonderful plugin, but I am using cloudflared-tunnel as an LXC on my Proxmox and OPNsense as a VM. I just installed your Caddy reverse proxy plugin and I understood that the DNS challenge is used with Cloudflare, but how can I use it with a cloudflared tunnel? I won't expose directly via OPNsense, so because of that, is there any way to use the Caddy plugin on OPNsense when I already have cloudflared-tunnel?