[os-caddy] Handle HTTPS and SSH traffic together

Started by Rumor, April 05, 2024, 11:52:30 PM

April 05, 2024, 11:52:30 PM Last Edit: April 05, 2024, 11:55:27 PM by Rumor
Hi,

Newcomer to OPNsense and the Caddy plugin for my homelab, so bear with me, please. Googled, searched this and the Caddy forums with no luck.

What I have: OPNsense 24.1.4 (with web UI on port 4433), os-caddy 1.5.2 on port 443, both residing on the same host 192.168.1.1.

What I need:
1) add/expose a mydomain.tld domain from OPNsense's Unbound to my home network, which will point to my intranet IP with a real server (RealServer below).
2) when someone opens https://<mydomain.tld> he should be redirected to RealServer:port.
3) when someone SSH to mydomain.tld:22 he should eventually SSH to RealServer:22.
4) nice to have: if someone reaches mydomain.tld:any_port_except_443 he should reach the same RealServer:any_port_except_443

What I did:
OPNSense:
* add mydomain.tld to Unbound and point it to 192.168.1.1 so that Caddy will route its requests.
Caddy:
* add mydomain.tld to the Domains tab and a handler for it to proxy mydomain.tld:443 to RealServer:port.

So far so good: if I open https://mydomain.tld I indeed receive the RealServer:port web page.

The problem is with the SSH (22) TCP port, which isn't HTTP and isn't auto-handled by Caddy. I was trying to add a second entry for the same domain (Caddy/Domains tab) but with Reverse Proxy Port=22 and a corresponding handler to RealServer:22, but that didn't help (the SSH connection was successful, but I connected to my OPNsense box instead of RealServer, since mydomain.tld points to 192.168.1.1 in Unbound).

So the question: how to define a single reverse proxy domain and multiple handlers for HTTPS and TCP source ports pointing to the same destination server but different ports?
Ideally I could define one handler to proxy mydomain.tld:443 -> RealServer:someport and another 'wildcard' handler mydomain.tld:anyport -> RealServer:anyport, but if I need to define a handler per specific port explicitly I could live with it.

I've found that Caddy has the Layer4 app, which seems to fulfil my needs to proxy TCP traffic, but os-caddy isn't built with it and doesn't support it, so it's kind of a hard way I would like to omit for now.

@Monviech, your help will be very appreciated. Thanks for the plugin a lot, BTW.

April 06, 2024, 05:45:55 AM #1 Last Edit: April 06, 2024, 05:50:35 AM by Monviech
Hey there, please read the FAQ:

https://docs.opnsense.org/manual/how-tos/caddy.html#faq

You could have caught this before implementing the plugin. The layer 4 proxy won't be implemented (it's also still marked as experimental / in development) since there are HAProxy and Nginx for that use case already. This one is purely for HTTP streams.
Hardware:
DEC740

Thank you for the reference, I've missed that 'TCP/UDP support' notice.

I've looked at the caddy.layer4 app and, apart from its alpha status, it currently supports only a JSON config, which isn't compatible with the Caddyfile. So it seems the only way here is to move to another reverse proxy.

There is actually a Caddyfile plugin for the layer 4 plugin, but yeah it might be better to wait this one out for a while and take another option.
Hardware:
DEC740

Quote from: Rumor on April 06, 2024, 10:48:21 AM
I've looked at the caddy.layer4 app and, apart from its alpha status, it currently supports only a JSON config, which isn't compatible with the Caddyfile. So it seems the only way here is to move to another reverse proxy.
Or use sslh in front of Caddy. I have not tried if that can be configured from the UI in OPNsense but fundamentally it would work.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
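The sslh-in-front-of-Caddy idea from the last reply, written out as an added example sslh.cfg (libconfig syntax); this is not configuration from the thread, from the os-caddy plugin or from OPNsense. It assumes sslh takes over 192.168.1.1:443, Caddy is rebound to 127.0.0.1:8443 (an assumed port) and RealServer stands in for the real intranet host.

```conf
# sslh.cfg (added example): one listener on 192.168.1.1:443 that sniffs the
# first client bytes and hands SSH to RealServer and TLS to Caddy.
verbose: false;
foreground: true;
inetd: false;
numeric: false;
# Keep false unless policy routing is set up; with false, RealServer's sshd
# sees every connection coming from 192.168.1.1, not from the real client.
transparent: false;
# Seconds without client data before the connection goes to the on-timeout
# protocol (ssh by default), since some SSH clients wait for the server banner.
timeout: 2;
user: "nobody";
pidfile: "/var/run/sslh.pid";

listen:
(
    # The address mydomain.tld resolves to in Unbound; Caddy must no longer bind here.
    { host: "192.168.1.1"; port: "443"; }
);

protocols:
(
    # SSH clients connecting to mydomain.tld:443 end up on RealServer:22.
    { name: "ssh"; service: "ssh"; host: "RealServer"; port: "22"; },
    # Everything that starts a TLS handshake goes to Caddy (assumed loopback port).
    { name: "tls"; host: "127.0.0.1"; port: "8443"; },
    # Anything unrecognised is also sent to Caddy rather than RealServer.
    { name: "anyprot"; host: "127.0.0.1"; port: "8443"; }
);
```

Because sslh demultiplexes a single listening port, the SSH client would connect to mydomain.tld:443 rather than :22, and the Caddy domain entry keeps terminating TLS as before, only on the rebound port.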