Need help converting HAProxy config to Caddy

Started by Inxsible, March 05, 2023, 11:19:39 PM

I have a working HAProxy configuration. It took me quite some time to figure out the nitty-gritty details needed to add SSL offloading for each of my services via the Acme Client plugin.

However, now that caddy is also available as a plugin in the mimugmail repo, I would like to switch over to caddy2 since configurations are easier to find for caddy2. Will the Acme Client plugin still be needed after switching to caddy since caddy handles the LE certs automatically?

Can someone help me convert the HAProxy config into a caddy config? I want this to be seamless, because once I switch over to caddy I want all my services to remain accessible, since my password manager is one of them. Having no access to that would cause a lot of consternation.

Once the caddy2 config is built, do I just paste it under the Caddy plugin from mimugmail, enable the Caddy service and disable the HAProxy service?

Here's my HAProxy config:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    # Drop privileges to uid/gid 80 after startup (presumably the "www" account on the
    # FreeBSD-based OPNsense host; confirm against the local passwd database).
    uid                         80
    gid                         80
    # Confine the process to /var/haproxy; the crt-list and lua paths referenced below
    # are read at startup, before the chroot takes effect.
    chroot                      /var/haproxy
    daemon
    # Runtime API socket at "admin" level: any member of group "proxy" can change
    # server state and otherwise administer the running proxy, so membership in
    # that group is effectively proxy admin.
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbthread                    1
    # On soft-stop/reload, old worker processes are killed after 60s at the latest.
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    # "debug" is the most verbose syslog level; expect high log volume on local0.
    log                         /var/run/log local0 debug
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    # Redispatch to another server on the last retry; every backend in this file
    # has a single server, so a retry can only go back to the same one.
    option redispatch -1
    # 30s inactivity/connect timeouts, inherited by every frontend and backend below.
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    # Address resolution order at startup; all servers below are literal IPs,
    # so neither "last" nor "libc" (DNS) is actually exercised.
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: https (HAProxy  Public Service for all LAN services)
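frontend https
    # Single TLS entry point for all LAN-facing services; requests are routed to a
    # backend purely by the Host header (ACLs + use_backend below). use_backend rules
    # are evaluated in order and the first match wins. There is no default_backend,
    # so a Host that matches no ACL gets HAProxy's 503 instead of an unintended backend.
    #
    # Fix applied here: three host ACLs (adguard, shinobi, vaultwarden) used a bracket
    # expression such as "[adguard|agh]+", which is a character class (any run of the
    # letters a d g u r | h), not an alternation. They matched far more hostnames than
    # intended (e.g. hard.mydomain.com would have routed to adguard). They are now
    # written as groups, "(adguard|agh)". Because this file is regenerated by the
    # plugin, the same correction must be made in each ACL's expression in the UI.

    # HSTS for ~6 months; without includeSubDomains/preload only the exact host
    # that served the response is pinned.
    http-response set-header Strict-Transport-Security "max-age=15768000"
    # TLS 1.2+ only; "prefer-client-ciphers" lets the client's order win.
    # The TLS 1.2 list ends with two CBC suites (...-SHA384, ...-SHA256); an
    # AEAD-only list would be the stricter choice. Certificates come from the
    # crt-list, presumably the Acme Client plugin's output.
    bind 192.168.1.1:443 name 192.168.1.1:443 ssl prefer-client-ciphers ssl-min-ver TLSv1.2 ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256 ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 crt-list /tmp/haproxy/ssl/605e453acf0e75.09310296.certlist
    mode http
    option http-keep-alive
    # Adds X-Forwarded-For so upstreams see the real client address.
    option forwardfor

    # logging options
    # NOTE(review): hdr(host) -i compares the raw Host value, so a client that sends an
    # explicit port (e.g. "name.mydomain.com:443") would not match these exact-host ACLs;
    # only the omada backend carries a second, port-tolerant ACL for this case.
    # ACL: nc_caldav
    acl acl_6075fbe5edde88.14416266 path_end -i /.well-known/caldav
    # ACL: nextcloud
    acl acl_6068e929c25802.40129836 hdr(host) -i nextcloud.mydomain.com
    # ACL: nc_carddav
    acl acl_6075f978b44654.46404459 path_end -i /.well-known/carddav
    # ACL: nc_nodeinfo
    acl acl_609d839568e351.48169054 path /.well-known/nodeinfo
    # ACL: nc_webfinger
    acl acl_609d8379f35913.09534187 path /.well-known/webfinger
    # ACL: firefly
    acl acl_60b8e127010005.49996293 hdr(host) -i firefly.mydomain.com
    # ACL: adguard
    # Was "^[adguard|agh]+\.mydomain\.com$" (character class); now an alternation.
    acl acl_633c7fddce7da1.80920986 hdr_reg(host) -i ^(adguard|agh)\.mydomain\.com$
    # ACL: amcrest
    acl acl_60d3aaa0ca9ba7.98361344 hdr(host) -i cam1.mydomain.com
    # ACL: apnet
    acl acl_605e44279e3b56.98854478 hdr(host) -i apnet.mydomain.com
    # ACL: dl
    acl acl_606945b7508907.10161822 hdr(host) -i dl.mydomain.com
    # ACL: dl2
    acl acl_60694bc7097d72.55498217 hdr(host) -i dl2.mydomain.com
    # ACL: home
    acl acl_605e77060755c7.74232910 hdr(host) -i home.mydomain.com
    # ACL: homer
    acl acl_62351a098660c6.48798884 hdr(host) -i homer.mydomain.com
    # ACL: emby
    acl acl_6068ee14c01084.16274607 hdr(host) -i emby.mydomain.com
    # ACL: jellyfin
    acl acl_60affb35076bb2.76934816 hdr(host) -i jellyfin.mydomain.com
    # ACL: nas
    acl acl_6068e7c9290ad9.26389997 hdr(host) -i nas.mydomain.com
    # ACL: netdata
    acl acl_6068e847835b87.41206608 hdr(host) -i netdata.mydomain.com
    # ACL: office
    acl acl_6068e93d924d11.74924956 hdr(host) -i office.mydomain.com
    # ACL: omada1
    acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
    # ACL: pbs
    acl acl_631fdfac2e34a6.66731673 hdr(host) -i pbs.mydomain.com
    # ACL: proxmox
    acl acl_60695b2ef32f30.68592514 hdr(host) -i proxmox.mydomain.com
    # ACL: scanner
    acl acl_6068e967a37f63.90582969 hdr(host) -i scanner.mydomain.com
    # ACL: shinobi
    # Was "^[shinobi|cctv]+\.mydomain\.com$" (character class); now an alternation.
    acl acl_60d2b1089c1d58.17520071 hdr_reg(host) -i ^(shinobi|cctv)\.mydomain\.com$
    # ACL: switch
    acl acl_605e444bbaa5f0.93057342 hdr(host) -i switch.mydomain.com
    # ACL: ups
    acl acl_605e7dd7be0f73.35996982 hdr(host) -i ups.mydomain.com
    # ACL: vaultwarden
    # Was "^[bit|vault]+warden\.mydomain\.com$" (character class); now an alternation.
    acl acl_63276269c65d47.19509789 hdr_reg(host) -i ^(bit|vault)warden\.mydomain\.com$
    # ACL: x9scl
    acl acl_6068e97b2a02f8.85789703 hdr(host) -i x9scl.mydomain.com
    # ACL: x10slh
    acl acl_6068e98e041167.98049410 hdr(host) -i x10slh.mydomain.com

    # Nextcloud well-known redirects: only fire when both the path ACL and the
    # nextcloud host ACL match (implicit AND between ACL names).
    # ACTION: nc_caldav
    http-request redirect code 301 location /remote.php/dav if acl_6075fbe5edde88.14416266 acl_6068e929c25802.40129836
    # ACTION: nc_carddav
    http-request redirect code 301 location /remote.php/dav if acl_6075f978b44654.46404459 acl_6068e929c25802.40129836
    # ACTION: nc_nodeinfo
    http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d839568e351.48169054 acl_6068e929c25802.40129836
    # ACTION: nc_webfinger
    http-request redirect code 301 location /index.php%[capture.req.uri] if acl_609d8379f35913.09534187 acl_6068e929c25802.40129836
    # Only the firefly upstream is told the original scheme; every other upstream
    # has to infer it (or is configured for it) on its own.
    # ACTION: fireflyHeaderProto
    http-request set-header X-Forwarded-Proto https if acl_60b8e127010005.49996293
    # ACTION: adguard
    use_backend adguard if acl_633c7fddce7da1.80920986
    # ACTION: amcrest
    use_backend amcrest if acl_60d3aaa0ca9ba7.98361344
    # ACTION: apnet
    use_backend apnet if acl_605e44279e3b56.98854478
    # ACTION: dl
    use_backend dl if acl_606945b7508907.10161822
    # ACTION: dl2
    use_backend dl2 if acl_60694bc7097d72.55498217
    # ACTION: home
    use_backend home if acl_605e77060755c7.74232910
    # ACTION: homer
    use_backend homer if acl_62351a098660c6.48798884
    # ACTION: emby
    use_backend emby if acl_6068ee14c01084.16274607
    # ACTION: firefly
    use_backend firefly if acl_60b8e127010005.49996293
    # ACTION: jellyfin
    use_backend jellyfin if acl_60affb35076bb2.76934816
    # ACTION: nas
    use_backend nas if acl_6068e7c9290ad9.26389997
    # ACTION: netdata
    use_backend netdata if acl_6068e847835b87.41206608
    # ACTION: nextcloud
    use_backend nextcloud if acl_6068e929c25802.40129836
    # ACTION: office
    use_backend office if acl_6068e93d924d11.74924956
    # ACTION: omada
    use_backend omada if acl_6068e953c1b204.65701206
    # ACTION: pbs
    use_backend pbs if acl_631fdfac2e34a6.66731673
    # ACTION: proxmox
    use_backend proxmox if acl_60695b2ef32f30.68592514
    # ACTION: scanner
    use_backend scanner if acl_6068e967a37f63.90582969
    # ACTION: shinobi
    use_backend shinobi if acl_60d2b1089c1d58.17520071
    # ACTION: switch
    use_backend switch if acl_605e444bbaa5f0.93057342
    # ACTION: ups
    use_backend ups if acl_605e7dd7be0f73.35996982
    # ACTION: vaultwarden
    use_backend vaultwarden if acl_63276269c65d47.19509789
    # ACTION: x9scl
    use_backend x9scl if acl_6068e97b2a02f8.85789703
    # ACTION: x10slh
    use_backend x10slh if acl_6068e98e041167.98049410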

# Backend: apnet ()
backend apnet
    # Selected by frontend https when Host is apnet.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate,
    # so this leg is encrypted but the upstream is not authenticated.
    server apnet 192.168.1.6:443 ssl verify none

# Backend: switch ()
backend switch
    # Selected by frontend https when Host is switch.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    server switch 192.168.1.9:443 ssl verify none

# Backend: home ()
backend home
    # Selected by frontend https when Host is home.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    server home 192.168.1.20:443 ssl verify none

# Backend: ups ()
backend ups
    # Selected by frontend https when Host is ups.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server ups 192.168.1.8:80

# Backend: nas ()
backend nas
    # Selected by frontend https when Host is nas.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    server nas 192.168.1.3:443 ssl verify none

# Backend: netdata ()
backend netdata
    # Selected by frontend https when Host is netdata.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Plain HTTP to the upstream; 192.168.1.5 is also the proxmox backend's host.
    server netdata 192.168.1.5:19999

# Backend: nextcloud ()
backend nextcloud
    # Selected by frontend https when Host is nextcloud.mydomain.com. The frontend's
    # /.well-known/{caldav,carddav,nodeinfo,webfinger} redirects apply to this host
    # before the request reaches here.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server nextcloud 192.168.1.23:80

# Backend: office ()
backend office
    # Selected by frontend https when Host is office.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server office 192.168.1.24:9980

# Backend: omada ()
backend omada
    # Selected by frontend https when Host is omada.mydomain.com. This backend
    # rewrites the Host header and the upstream's Location header so that the
    # controller, which listens on 8043, produces links that come back via 443.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    # ACL: omada1
    acl acl_6068e953c1b204.65701206 hdr(host) -i omada.mydomain.com
    # ACL: omada2
    # Also accepts an explicit port suffix; this ACL already covers omada1, so the
    # "||" below is redundant but harmless.
    acl acl_6328cfa6578730.30147092 hdr_reg(host) -i ^omada\.mydomain\.com(:([0-9]){1,5})?$

    # ACTION: omada_header_set
    http-request set-header host omada.mydomain.com:8043 if acl_6068e953c1b204.65701206 || acl_6328cfa6578730.30147092
    # ACTION: omada_response_replace
    # NOTE: actions with no ACLs/conditions will always match
    # Any Location value containing "8043" is replaced with the full header value
    # with 8043 rewritten to 443.
    http-response replace-value location 8043 %[hdr(location),regsub(8043,443)]
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    server omada 192.168.1.10:8043 ssl verify none

# Backend: scanner ()
backend scanner
    # Selected by frontend https when Host is scanner.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server scanner 192.168.1.7:80

# Backend: x9scl ()
backend x9scl
    # Selected by frontend https when Host is x9scl.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server x9scl 192.168.1.2:80

# Backend: x10slh ()
backend x10slh
    # Selected by frontend https when Host is x10slh.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server x10slh 192.168.1.4:80

# Backend: emby ()
backend emby
    # Selected by frontend https when Host is emby.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server emby 192.168.1.30:8096

# Backend: dl ()
backend dl
    # Selected by frontend https when Host is dl.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server dl 192.168.1.22:9091

# Backend: dl2 ()
backend dl2
    # Selected by frontend https when Host is dl2.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server dl2 192.168.1.29:9091

# Backend: proxmox ()
backend proxmox
    # Selected by frontend https when Host is proxmox.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    # Shares 192.168.1.5 with the netdata backend.
    server proxmox 192.168.1.5:8006 ssl verify none

# Backend: jellyfin ()
backend jellyfin
    # Selected by frontend https when Host is jellyfin.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server jellyfin 192.168.1.21:8096

# Backend: firefly ()
backend firefly
    # Selected by frontend https when Host is firefly.mydomain.com. The frontend
    # also sets X-Forwarded-Proto: https for this host (the only upstream that gets it).
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server firefly 192.168.1.26:80

# Backend: shinobi ()
backend shinobi
    # Selected by frontend https via the shinobi/cctv host regex ACL.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server shinobi 192.168.1.28:8080

# Backend: amcrest ()
backend amcrest
    # Selected by frontend https when Host is cam1.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Plain HTTP to the only upstream on 192.168.4.x; every other backend is on 192.168.1.x,
    # so this hop crosses whatever separates those two networks.
    server amcrest 192.168.4.2:80

# Backend: homer ()
backend homer
    # Selected by frontend https when Host is homer.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; this leg is plain HTTP on the LAN.
    server homer 192.168.1.32:80

# Backend: pbs ()
backend pbs
    # Selected by frontend https when Host is pbs.mydomain.com.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # Re-encrypted hop; "verify none" skips validation of the upstream certificate.
    server pbs 192.168.1.33:8007 ssl verify none

# Backend: vaultwarden ()
backend vaultwarden
    # Selected by frontend https via the bitwarden/vaultwarden host regex ACL.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # TLS is terminated at the frontend; password-manager traffic between the proxy
    # and 192.168.1.25:8000 travels as plain HTTP on the LAN.
    server vaultwarden 192.168.1.25:8000

# Backend: adguard ()
backend adguard
    # Selected by frontend https via the adguard/agh host regex ACL.
    # health checking is DISABLED
    mode http
    # Client-IP stickiness; with the single server below it has no routing effect.
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    stick on src
    http-reuse safe
    # 192.168.1.1 is the frontend's own bind address, i.e. the upstream runs on the
    # proxy host itself, on port 81 over plain HTTP.
    server adguard 192.168.1.1:81



# statistics are DISABLED