Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Well, think about it for a second: how should the proxy receive the traffic if the firewall blocks it beforehand?
Hardware:
DEC740

I understand that, but I thought Caddy was listening on 80 and 443 and sending proxied UDP data from the specified port to the specified local IP/port, like it does with a basic reverse proxy.

Is there any advantage of using L4 if you're still opening the game server ports?

A remote client would contact the 2000-something port though, not 80 or 443.

The L4 module is for when you want to load balance or multiplex, or want to translate IPv6 from the outside to IPv4 on the inside. Advanced use cases, not just a simple port forward.
Hardware:
DEC740

Question from a now slightly confused newb!

Using the example for "HTTP Access List" in the guide, I get:

'''''''''''''''
@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
handle @8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	abort
}
'''''''''''''''

Ticking the "Invert List" in the Access list I get:

'''''''''''''''
@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
'''''''''''''''

Shouldn't it be the other way around? Or is it just the help text being wrong??


opnsense 25.7.6 / os_caddy 2.0.4_1 

The logic should be okay; it was implemented quite a while ago here:

https://github.com/opnsense/plugins/pull/4245

If you tested it and it doesn't work, we can revisit it. Though the original requesters in the linked issue confirmed it, and in my tests it worked as intended.

Hardware:
DEC740

I'm still struggling...

If the "Access List" in the GUI is an ALLOW_LIST and I get "not allowed" in the conf file, that seems wrong!
Vice versa, ticking "Invert List" gives me "allowed" in the conf file??

Help Text for "Invert List" is:
Quote: If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).

Anyway, it works perfectly if I do tick the "Invert List" box. It just took me a while to find that!
Not a big issue, just wanted to know if it's me being dumb ;-) again...

Access List: 192.168.1.1


Normal:

If it is /not/ 192.168.1.1, abort.

(meaning 8.8.8.8 will be aborted, 192.168.1.1 will be allowed)

When inverting:

If it is 192.168.1.1, abort.

(meaning 8.8.8.8 will be allowed, 192.168.1.1 will be aborted)

As you can see, the inversion is not what you assume when looking at the Caddyfile; it's a logical construct.

Hardware:
DEC740
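To make the allow-list versus block-list logic above concrete, here is an added example (not code from the os-caddy plugin or from this thread) that renders the two Caddyfile fragments the plugin produces for an access list and then evaluates a client address against them the way Caddy's `client_ip` matcher does. The matcher name and the three private ranges are the ones quoted earlier in the thread; the exact template text is an assumption about how the plugin renders it, and the `decide` helper is mine.

```python
import ipaddress

# Constructed example values taken from the Caddyfile quoted above; the
# matcher name is the one the plugin generated for the poster's site.
MATCHER = "@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite"
PRIVATE_RANGES = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


def render_access_list(matcher, networks, invert=False):
    """Render the Caddyfile fragment an access list turns into.

    Without "Invert List" the matcher is `not client_ip ...`, so the
    `abort` handler fires for every address that is NOT on the list:
    the list is an allow-list.  With "Invert List" the matcher becomes
    `client_ip ...`, so listed addresses are the ones aborted: the list
    is a block-list.  The template wording here is an assumption; the
    behaviour is what the thread describes.
    """
    keyword = "client_ip" if invert else "not client_ip"
    cidrs = " ".join(networks)
    return (
        f"{matcher} {{\n"
        f"\t{keyword} {cidrs}\n"
        f"}}\n"
        f"handle {matcher} {{\n"
        f"\tabort\n"
        f"}}\n"
    )


def matcher_matches(client_ip, networks, invert=False):
    """Evaluate the matcher like Caddy does: `client_ip` is true when the
    address falls inside any listed network, and `not` negates that."""
    addr = ipaddress.ip_address(client_ip)
    in_list = any(addr in ipaddress.ip_network(n, strict=False) for n in networks)
    return in_list if invert else not in_list


def decide(client_ip, networks, invert=False):
    """Return 'abort' when the handle block fires, otherwise 'allow'."""
    return "abort" if matcher_matches(client_ip, networks, invert) else "allow"


if __name__ == "__main__":
    for inv in (False, True):
        print(render_access_list(MATCHER, PRIVATE_RANGES, inv))
        for ip in ("192.168.1.1", "8.8.8.8"):
            print(f"invert={inv} {ip:>12} -> {decide(ip, PRIVATE_RANGES, inv)}")
```

One caveat worth keeping in mind: Caddy's `client_ip` matcher works on the address left after `trusted_proxies` and `client_ip_headers` have been applied, so the address you have to allow-list is whatever Caddy actually sees, which depends on the path LAN clients take to reach it. The DNS override posts later in this thread exist precisely to keep that path, and therefore that address, on the LAN.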

Thanks for this plugin. I was always using HAProxy, but this seems much simpler.
Everything works quite OK, except for one thing with Authelia.

I have a protected subdomain for external connections say jellyseerr.domain.com. This works outside my LAN.

In Authelia I have a bypass for internal networks so no 2FA is needed. What I see, however, is that the first time going to jellyseerr.domain.com it works directly without 2FA. However, if I visit the website later it resolves to jellyseerr.domain.com/api/authz/forward-auth and of course shows a 404 page not found. If I remove the cookies it works again (e.g. going to jellyseerr.domain.com without the forward appendages).

This is my config in Caddy (redacted by only showing the jellyseerr domain):

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2
		trusted_proxies static xxxx
		client_ip_headers Cf-Connecting-Ip
		client_ip_headers X-Forwarded-For
	}

	dynamic_dns {
		provider cloudflare xxxxxx
		domains {
			jellyseerr.domain.com jellyseerr
		}
	}

	email xxx@xxx.com
	grace_period 10s
	skip_install_trust
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

*.domain.com {
	tls {
		issuer acme {
			dns cloudflare xxxxx
			resolvers 1.1.1.1
		}
	}
}

jellyseerr.domain.com {
	handle {
		forward_auth http://192.168.20.40:9091 {
			uri /api/authz/forward-auth
			copy_headers Remote-User
			copy_headers Remote-Groups
			copy_headers Remote-Name
			copy_headers Remote-Email
		}
		reverse_proxy 192.168.20.64:5055 {
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf


Quote from: ceeeeej on March 08, 2025, 12:56:41 AM
I have OPNsense set up with AdGuard Home and Unbound with DNS over TLS.

I was having some trouble getting the Caddy access lists working to restrict some services to my LAN IPs only. To get this all working I had to set up overrides in Unbound that point these URLs back to my Caddy when on my LAN. I.e., I set up example.website.com in Caddy and then in Unbound I had to set up an override to point this URL back to 192.168.1.1 (where Caddy is running on my OPNsense router).

My assumption was that because they were encrypted with DNS over TLS that the Caddy reverse proxy can't intercept them?

Just posting in case anyone has feedback or other ideas here. I was hoping to not require setting these up but it works now.

Hello

You may no longer be concerned about this, but it could help others in the future.

When using AdGuard with DNS over TLS and LAN IPs only, you need to use AdGuard's DNS rewrite feature.

Go to AdGuard, then menu Filter > DNS rewrite > Add DNS rewrite.
For "domain name or wildcard", I specified *.mydomain.tld
For "Enter IP address or domain name", I specified the IP address of the Caddy host, i.e. the OPNsense IP address.