Topic: Caddy plugin (Read 2110 times)
cloudz
Caddy plugin « on: March 22, 2024, 12:01:48 pm »
It doesn't always need to be a problem that's posted here, I think.
Thank you so much, development team, for the Caddy plugin. I've been able to remove a lot of complexity on my network due to this.
The setup was child's play and it works beautifully well.

Monviech (Cedrik)
Re: Caddy plugin « Reply #1 on: March 22, 2024, 12:23:04 pm »
Hey, I'm really happy you like it.
Can you share in which kind of configuration you use it? I'm interested if you use DNS Providers (especially Dynamic DNS and DNS-01 challenge) for example. I don't have a lot of feedback regarding this feature (since I don't use it myself).
Hardware: DEC740

cloudz
Re: Caddy plugin « Reply #2 on: March 22, 2024, 12:42:39 pm »
I don't use it either at this moment. I would be using Cloudflare ... can give it a try, but my domains mostly resolve by CNAME to my router A record. So no need to update them all when it changes.
I do have an internal RP running on Caddy that's not externally accessible and runs on an internal DNS zone. Maybe I can remove that one too. Let me see over the weekend.
« Last Edit: March 22, 2024, 12:44:39 pm by cloudz »

Monviech (Cedrik)
Re: Caddy plugin « Reply #3 on: March 22, 2024, 12:46:55 pm »
Oh, no, you don't have to try it. I know that Cloudflare works since that was my test case (and it's the biggest provider plugin). One of the more obscure choices would have been rather interesting.
Have fun with it. ^^
Hardware: DEC740

cloudz
Re: Caddy plugin « Reply #4 on: March 24, 2024, 08:41:52 am »
@monviech - wouldn't it be possible to add the tls_skip_verify as an advanced option with an explicit warning or so?
I'm having a few internal services that are impossible to provide with a decent certificate, e.g. Unifi controller, Scrypted, my Synology.

Monviech (Cedrik)
Re: Caddy plugin « Reply #5 on: March 24, 2024, 08:53:00 am »
Since it's literally the number one requested feature, I will just add it in the next version for backwards compatibility with old services.
I just dislike the idea that it will be an easy way out and people will use it for all scenarios where they could use proper certificate handling instead...
EDIT: It's on my WIP list:
https://github.com/opnsense/plugins/pull/3865
« Last Edit: March 24, 2024, 08:58:58 am by Monviech »
Hardware: DEC740
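
Added example, not part of the thread and not the plugin's generated configuration: a hand-written Caddyfile contrasting the upstream option requested above (spelled `tls_insecure_skip_verify` in Caddy's `reverse_proxy` HTTP transport) with keeping verification on and trusting only the device's own certificate or internal CA. Hostnames, addresses, ports and the PEM path are constructed placeholders.

```caddyfile
# Constructed example: hostnames, addresses and the certificate path are placeholders.

# Weak: the proxy still encrypts to the upstream but accepts ANY certificate,
# so it cannot tell the real controller from another host answering on that address.
unifi.example.internal {
	reverse_proxy https://192.0.2.10:8443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Stronger: verification stays on, and only the certificate (or internal CA)
# exported from the device itself is trusted for this one upstream.
nas.example.internal {
	reverse_proxy https://192.0.2.20:5001 {
		transport http {
			# PEM file copied from the upstream; placeholder path
			tls_trusted_ca_certs /path/to/nas-upstream.pem
			# Name to verify; it must appear as a SAN in the upstream certificate
			tls_server_name nas.example.internal
		}
	}
}
```

The second form only works when the upstream certificate carries a matching subject alternative name; newer Caddy releases express the same trust setting with `tls_trust_pool`.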

Monviech (Cedrik)
Re: Caddy plugin « Reply #6 on: March 24, 2024, 04:48:51 pm »
If you edit the files in /usr/local/opnsense/... with the changes in this commit you can already try it out:
https://github.com/Monviech/opnsense-plugins/commit/9ea33e88f6cadbf1c5e3d94508e1f2818613c578
Please only change what is shown in this commit, don't copy the whole files from that branch since there are more changes that aren't tested thoroughly yet.
Example path, the other files can be found and edited like this too:
Code:
/usr/local/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/dialogHandle.xml
Hardware: DEC740

cloudz
Re: Caddy plugin « Reply #7 on: March 24, 2024, 07:54:49 pm »
Awesome. I can wait. That UDM/Unifi controller thing stays one of the worst things out there.

Monviech (Cedrik)
Re: Caddy plugin « Reply #8 on: April 02, 2024, 08:56:23 pm »
It's going to be in 24.1.5, my pull request was merged.
Here's the full changes for the next version:
https://github.com/opnsense/plugins/commit/354782cf9beff470c46580859556d8e070aa2416
Hardware: DEC740

Patrick M. Hausen
Re: Caddy plugin « Reply #9 on: April 02, 2024, 08:58:23 pm »
Woohoo!
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do.
(Isaac Asimov)

Monviech (Cedrik)
Re: Caddy plugin « Reply #10 on: April 02, 2024, 08:59:36 pm »
@Patrick
There's also one more change (that's kinda beta), the HTTP-01 challenge redirection (passthrough). I'm really interested how this one will play out.
EDIT:
I just had this weird idea to use this for Caddy in HA. If you redirect the HTTP-01 challenge to the backup firewall, it can also issue Let's Encrypt certificates... maybe? Worth a try.
EDIT2:
Wow, I just tested this with 2 Caddys daisy-chained and it actually works. Both could get a Let's Encrypt certificate for the same domain. The first one used TLS-ALPN-01 challenge, and the second one the HTTP-01 challenge proxied through the first one.
« Last Edit: April 03, 2024, 04:29:06 pm by Monviech »
Hardware: DEC740

cloudz
Re: Caddy plugin « Reply #11 on: April 03, 2024, 01:29:41 pm »
Looking forward to that "Today is patchday!" announcement!

cloudz
Re: Caddy plugin « Reply #12 on: April 05, 2024, 08:06:07 am »
Updated & removed an additional 2 Caddys from my Proxmox environment. Thanks!

Monviech (Cedrik)
Re: Caddy plugin « Reply #13 on: April 05, 2024, 10:32:47 am »
Glad to hear it's working fine for you. If you experience any problems, check GitHub. There are already a few fixes in the pipeline if Caddy takes a long time to start or stop.
Hardware: DEC740