OPNsense Forum » Archive » 19.1 Legacy Series » Caddy Plugin

Author Topic: Caddy Plugin  (Read 7529 times)

guest15389 (Guest)
Caddy Plugin
« on: February 01, 2019, 03:44:02 pm »
Adding to the new production forum as this was my Caddy question and hopefully getting it included in this version.

https://forum.opnsense.org/index.php?topic=11412.0

mimugmail (Hero Member)
Re: Caddy Plugin
« Reply #1 on: February 01, 2019, 04:15:53 pm »
Most of this can be done by the nginx plugin.
WWW: www.routerperformance.net
Support plans: https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German): https://opnsense.max-it.de/

guest15389 (Guest)
Re: Caddy Plugin
« Reply #2 on: February 01, 2019, 04:18:11 pm »
You can do automatic HTTPS with Let's Encrypt and Google OAuth out of the box with NGINX?

I moved away from NGINX as it misses those two key items and in general, Caddy is super simple.

My Caddy config is a few lines compared to pages in NGINX.

fabian (Hero Member; OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: Caddy Plugin
« Reply #3 on: February 01, 2019, 05:17:32 pm »
Yes, when you combine it with the ACME plugin, you can automatically request Let's Encrypt certificates.

Any authentication server can be used via Basic auth, which is configured on OPNsense via the nginx plugin.
So any SSO vendor can be used, when it can be made compatible with OPNsense core (since version 1.5 of the plugin).

nginx itself, not the plugin, also supports JWT: https://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html

guest15389 (Guest)
Re: Caddy Plugin
« Reply #4 on: February 01, 2019, 05:28:28 pm »
When I install NGINX via the plugin and check the module, I don't see it listed there. Am I missing something?

fabian (Hero Member; OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: Caddy Plugin
« Reply #5 on: February 01, 2019, 05:30:16 pm »
The ACME plugin works on its own. The checkbox in the HTTP server enables everything needed by the ACME plugin to get valid certificates.

guest15389 (Guest)
Re: Caddy Plugin
« Reply #6 on: February 01, 2019, 05:31:48 pm »
I can see the ACME part works fine.

I'm trying to figure out if the JWT module for NGINX is there, as I use Google OAuth to secure my logins.

fabian (Hero Member; OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: Caddy Plugin
« Reply #7 on: February 01, 2019, 05:33:50 pm »
As I wrote: JWT is not in the plugin.

guest15389 (Guest)
Re: Caddy Plugin
« Reply #8 on: February 01, 2019, 05:36:50 pm »
Got it.

Misread the first time.

Thanks for the quick reply.


guest15389 (Guest)
Re: Caddy Plugin
« Reply #9 on: February 02, 2019, 03:06:12 pm »
After a bit more checking and testing, Caddy is just a far simpler install/setup/config than going through Let's Encrypt/NGINX and trying to get OAuth working.

The amount of steps compared is really amazing.

My entire Plex config, once I get Caddy installed, is this:

Code:
# Plex Server
plex.somewhere.us {
    gzip
    timeouts none
    log /opt/caddy/logs/plex.log
    tls {
        dns cloudflare
    }
    proxy / 127.0.0.1:32400 {
        transparent
        websocket
    }
}

That handles my certificate automatically, works with updating my Cloudflare DNS, and since it's public as it's got its own auth, I'm done.

No other steps.

I've been using this setup over Let's Encrypt/nginx on my Debian box for about half a year without issue.

Since it's a couple of steps to set up on FreeBSD and just works, I see no issues with just installing manually, but man, a plugin would be superb.

fabian (Hero Member; OPNsense Contributor: Language, VPN, Proxy, etc.)
Re: Caddy Plugin
« Reply #10 on: February 02, 2019, 08:11:27 pm »
It is still no reason to build a plugin the size of nginx again for a feature that is already there.
It took me a half year (slightly more) to build. It's very likely that nobody is going to work on this soon.
BTW: https://github.com/opnsense/plugins/issues/1044
« Last Edit: February 02, 2019, 08:13:16 pm by fabian »

guest15389 (Guest)
Re: Caddy Plugin
« Reply #11 on: February 02, 2019, 10:47:19 pm »
I'm sure that's due to the complexity of NGINX compared to an easier proxy server to set up.

My NGINX Plex config was over 100 lines.
My Caddy Plex config is 10 lines.

Just offering a different view to share what works better for me and my setup.

If someone comes along and thinks the plugin is worth it to setup, great.

Until that time, I can easily just install and set it up with less config/effort than doing ACME/NGINX even though they are plugins.

My install is just getting the proper binary.

Code:
pkg install wget
wget "https://caddyserver.com/download/freebsd/amd64?plugins=http.cache,http.cgi,http.jwt,http.login,tls.dns.cloudflare&license=personal&telemetry=on"

I can uncompress it and drop the caddy binary in /usr/local/bin.

I added the startup:

Code:
root@phoenix:/etc # cat rc.conf
netdata_enable=YES
caddy_enable=YES

I added the startup script, and I left most of my logs in the same spot:

Code:
root@phoenix:/usr/local/etc/rc.d # cat caddy
#!/bin/sh
#
# PROVIDE: caddy
# REQUIRE: networking
# KEYWORD: shutdown

#
# Add the following lines to /etc/rc.conf to enable caddy:
# caddy_enable (bool):        Set to "NO" by default.
#                             Set it to "YES" to enable caddy
#
# caddy_cert_email (str):     Set to "someone@gmail.com" by default in this script.
#                             Defines the SSL certificate issuer email. By providing an
#                             email address you automatically agree to letsencrypt.org's
#                             general terms and conditions
#
# caddy_bin_path (str):       Set to "/usr/local/bin/caddy" by default.
#                             Provides the path to the caddy server executable
#
# caddy_cpu (str):            Set to "99%" by default.
#                             Configures how much CPU capacity caddy may use
#
# caddy_config_path (str):    Set to "/var/lib/caddy/Caddyfile" by default.
#                             Defines the path for the configuration file caddy will load on boot
#
# caddy_user (str):           Set to "root" by default.
#                             Defines the user that caddy will run as
#
# caddy_group (str):          Set to "wheel" by default.
#                             Defines the group that caddy files will be attached to
#
# caddy_logfile (str):        Set to "/var/lib/caddy/logs/caddy.log" by default.
#                             Defines where the process log file is written; this is not a web access log
#
# caddy_env (str):            Set to "" by default; this script sets placeholder Cloudflare values below.
#                             Allows environment variables to be set that may be required, for example
#                             when using the "DNS Challenge", which needs account credentials.
#                             e.g. (in your rc.conf)   caddy_env="CLOUDFLARE_EMAIL=me@domain.com CLOUDFLARE_API_KEY=my_api_key"
#

. /etc/rc.subr

# Placeholder credentials for the DNS challenge; a caddy_env in rc.conf (loaded below) overrides them
caddy_env="CLOUDFLARE_API_KEY=someAPIKEY CLOUDFLARE_EMAIL=someone@gmail.com"

name="caddy"
rcvar="${name}_enable"

load_rc_config ${name}

: ${caddy_enable:="NO"}
: ${caddy_cert_email="someone@gmail.com"}
: ${caddy_bin_path="/usr/local/bin/caddy"}
: ${caddy_cpu="99%"} # was a bug for me that caused a crash within jails
: ${caddy_config_path="/var/lib/caddy/Caddyfile"}
: ${caddy_logfile="/var/lib/caddy/logs/caddy.log"}
: ${caddy_user="root"}
: ${caddy_group="wheel"}

if [ "$caddy_cert_email" = "" ]
then
    echo "rc variable \$caddy_cert_email is not set. Please provide a valid SSL certificate issuer email."
    exit 1
fi

pidfile="/var/run/${name}.pid"
procname="${caddy_bin_path}" # enables builtin pid checking for start / stop
command="/usr/sbin/daemon"
command_args="-p ${pidfile} /usr/bin/env ${caddy_env} ${procname} -cpu ${caddy_cpu} -log stdout -conf ${caddy_config_path} -agree -email ${caddy_cert_email} < /dev/null >> ${caddy_logfile} 2>&1"

start_precmd="caddy_startprecmd"

caddy_startprecmd()
{
    if [ ! -e "${pidfile}" ]; then
        install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${pidfile}"
    fi

    if [ ! -e "${caddy_logfile}" ]; then
        install -o "${caddy_user}" -g "${caddy_group}" "/dev/null" "${caddy_logfile}"
    fi
}

required_files="${caddy_config_path}"

run_rc_command "$1"

And I left my Caddyfile here:

Code:
root@phoenix:/var/lib/caddy # ls
Caddyfile logs ssl

I do a quick copy each night via ssh to make sure I have a copy elsewhere should I need to reinstall.
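The rc script in the post above carries the Cloudflare API key as a literal in the script file (rc.d scripts are normally world-readable) and hands it to caddy through `/usr/bin/env KEY=... caddy ...`, so the key also ends up in the daemon's argument list, which ps(1) can display to other users. The POSIX shell below is an added example, not code from the thread or from any OPNsense or Caddy project: it keeps the credentials in a separate file, refuses to start unless that file is a regular file with no group/other permission bits, parses (rather than sources) the file, and exports the variables before exec'ing caddy so they travel only in the environment. The path `/usr/local/etc/caddy.env`, the variable name `CADDY_CERT_EMAIL`, the function names and all credential values are assumptions or constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread or any OPNsense/Caddy project code):
# keep DNS-challenge credentials for Caddy in a root-only file and pass them
# via the environment, so they appear neither in a world-readable rc script
# nor on the daemon command line where ps(1) can show them.

# Assumed location of the credentials file; override with CADDY_ENV_FILE.
CADDY_ENV_FILE=${CADDY_ENV_FILE:-/usr/local/etc/caddy.env}

# Succeeds only if $1 is a regular file with no group/other permission bits
# (mode 0600 or tighter). Parses the ls(1) mode string because stat(1) flags
# differ between the FreeBSD and GNU userlands.
secret_file_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # group+other permission characters
    [ "$mode" = "------" ]
}

# Exports NAME=value lines from $1. Blank lines and '#' comments are skipped;
# any other line that is not a plain assignment to a valid name is rejected.
# The file is parsed, never sourced, so a stray command in it cannot run.
load_env_file() {
    f=$1
    secret_file_is_private "$f" || {
        echo "refusing to load $f: must be a regular file with mode 0600" >&2
        return 1
    }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            *=*) ;;
            *) echo "rejecting non-assignment line in $f: $line" >&2; return 1 ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "rejecting invalid variable name in $f: $name" >&2; return 1 ;;
        esac
        export "$name=$value"
    done < "$f"
}

# Launches caddy with the flags used in the rc script above, but without
# "/usr/bin/env KEY=..." in the argument list. Paths are assumptions.
start_caddy() {
    load_env_file "$CADDY_ENV_FILE" || return 1
    exec /usr/local/bin/caddy -cpu 99% -log stdout \
        -conf /var/lib/caddy/Caddyfile -agree \
        -email "${CADDY_CERT_EMAIL:?set CADDY_CERT_EMAIL in $CADDY_ENV_FILE}"
}

# Usage: sh caddy-env.sh start   (starts caddy only when asked explicitly)
if [ "${1-}" = "start" ]; then
    start_caddy
fi
```

The credentials file would hold lines such as `CLOUDFLARE_EMAIL=...`, `CLOUDFLARE_API_KEY=...` and `CADDY_CERT_EMAIL=...`, owned by root with mode 0600; from the rc script, `start_caddy` (or a wrapper like it) can take the place of the `/usr/bin/env ${caddy_env} ${procname}` part of `command_args`, leaving daemon(8), the pid file and the log redirection as they are.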