Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Quote from: Monviech (Cedrik) on January 31, 2025, 05:15:27 PMHey good to know you got it to work with Authentik.

Yeah I just got to be careful with how much to include and caddy-security seems to have some history.


Admittedly, I was not aware of the history with the caddy-security plugin but dug this up... https://github.com/greenpau/caddy-security/issues/349.  Dropping it here for future reference/context.  Totally get the need to keep the risk profile low w/ the included caddy build. All good!

Quote from: smoofus on January 31, 2025, 04:31:27 PM
Quote from: Monviech (Cedrik) on January 19, 2025, 06:29:36 AMHey there,

I will not add the caddy security package or make it configurable in the GUI. I suggest you use forward_auth instead with the supported Auth Providers in the plugin.

https://docs.opnsense.org/manual/how-tos/caddy.html#forward-auth

This method is more lightweight and flexible and there are no known issues.


All good, I'm currently using Organizr and the caddy-security plugin for my forward_auth needs so I figured it wouldn't hurt to ask.  I've got Authentik running now and although it's a bit overkill for my homelab needs it does the trick.  Thanks again for making this happen!

Hey,

sorry for dropping in, but could you give me more feedback on how you got Authentik running with Caddy? I'm struggling to get it running with Authentik set as the Forward Auth provider.

br
Schubdog

Quote from: schubdog on February 09, 2025, 08:39:16 PMHey,

sorry for dropping in, but could you give me more feedback on how you got Authentik running with Caddy? I'm struggling to get it running with Authentik set as the Forward Auth provider.

br
Schubdog

Happy to help if I can.  Are you having issues with the authentik config or the caddy Auth Provider config?

Caddy Auth Provider config:
 Forward Auth Provider: Authentik
 Protocol: http://
 Forward Auth Domain: ip or domain of host running authentik
 Forward Auth Port: 9000
 Forward Auth URI: /outpost.goauthentik.io/auth/caddy
 Copy Headers: Select any headers you need to forward. Most of my stuff needs the X-Authentik-Username, X-Authentik-Groups and X-Authentik-Email headers

I think the auth port and URI are the defaults and should work unless you changed them when configuring authentik.  You can verify by going to Applications -> Providers in authentik, select the forward auth provider for your app and then click on the "Caddy (Standalone)" section under the setup section.  You will see the "# forward authentication to outpost" snippet with the needed port and URI. Mine looks like this...

# forward authentication to outpost
forward_auth http://outpost.company:9000 {
    uri /outpost.goauthentik.io/auth/caddy
}

High level Authentik config:
Create a new application and proxy provider (I typically use the wizard and then tweak if needed after)

Application:
Nothing of note to call out here

Provider:
Select 'Proxy Provider'
Choose the 'implicit' Authorization flow
Select the "Forward auth (single application) box
Add the url of the app you want to forward auth to

Outposts:
Edit the authentik Embedded Outpost
Pick your application on the left and add it to the outpost with the >
Save

Caddy Handler:
When configuring the handler enable advanced mode, upper left, and tick the 'Forward Auth' setting



Copy headers can be left empty; the needed headers are added automatically by the template generation. It's just for additional headers like "Authorization", when Authentik sends a Basic Auth header for example.
Hardware:
DEC740

Hey,

thank you for the reply. I got it partly working now, so I can access my proxied domains secured by Authentik from outside my LAN.

But there are two things I'm still struggling with.

1. Bypass with API. I'm used to working with Authelia and was able to set bypass rules with API keys for Vaultwarden and notifiarr, but I don't get it working with Caddy and Authentik.

2. How can I access my proxied domain on my LAN?

br

Schubdog

Quote from: schubdog on February 13, 2025, 10:14:29 PMHey,

thank you for the reply. I got it partly working now, so I can access my proxied domains secured by Authentik from outside my LAN.

But there are two things I'm still struggling with.

1. Bypass with API. I'm used to working with Authelia and was able to set bypass rules with API keys for Vaultwarden and notifiarr, but I don't get it working with Caddy and Authentik.

2. How can I access my proxied domain on my LAN?

br

Schubdog

For #1, go to Applications -> Providers -> (edit the application proxy provider for the app whose API you want to bypass) -> Advanced protocol settings -> Unauthenticated Paths, and then add the API path to the "Unauthenticated Paths" field.

For example:
Unauthenticated Paths:  */api/.*

For #2, not sure I follow 100% here.  Maybe add local DNS entries to point to your WAN IP?
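What the GUI settings from this exchange (the Auth Provider settings further up, the copy headers note, and the API bypass here) amount to in a hand-written Caddyfile, as an added example that is not the os-caddy plugin's generated configuration and not code from any of the posts. The hostname and addresses (app.example.com, 192.0.2.10:9000 for the Authentik outpost, 192.0.2.20:8080 for the backend, 192.168.1.0/24 as the LAN) are placeholders; the copy_headers list is the three headers mentioned above, and the Caddy-side /api/* bypass is a Caddy path matcher, an alternative to (not a replacement for) Authentik's Unauthenticated Paths regex field:

```caddyfile
# Added example, not the plugin's template. All names and addresses are placeholders.
app.example.com {
    # Inside "route" the directives run in the order written, so the
    # checks below happen before the backend is ever reached.
    route {
        # Access list: anything not coming from the LAN is refused before auth.
        # Only works when LAN clients reach Caddy with their real LAN source
        # address (split DNS), not via a hairpin through the WAN address.
        @not_lan {
            not remote_ip 192.168.1.0/24
        }
        respond @not_lan 403

        # The outpost's own paths (login flow, callback) always go to Authentik,
        # otherwise the redirect to /outpost.goauthentik.io/start cannot work.
        reverse_proxy /outpost.goauthentik.io/* 192.0.2.10:9000

        # API calls that carry their own API key skip the outpost entirely
        # (Caddy-side equivalent of bypassing auth for a path).
        @api path /api/*
        reverse_proxy @api 192.0.2.20:8080

        # Everything else is checked by the outpost first: a 2xx lets the
        # request through and the listed headers are copied onto it,
        # any other status is returned to the client as-is.
        forward_auth 192.0.2.10:9000 {
            uri /outpost.goauthentik.io/auth/caddy
            copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email
        }

        reverse_proxy 192.0.2.20:8080
    }
}
```

The remote_ip check is also the answer to why an access list only behaves once split DNS is in place: when a LAN client resolves app.example.com to the WAN address and the request hairpins through NAT, the source address Caddy sees may be translated, so the match fails or succeeds for the wrong reason. With an Unbound host override pointing the name at Caddy's LAN address, the client connects directly and the matcher sees the real LAN source.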

Great plugin (once I figured it out!)

I'm not a networking expert, more of a homelabber. I have OPNsense set up with AdGuard Home and Unbound with DNS over TLS.

I was having some trouble getting the Caddy access lists working to restrict some services to my LAN IPs only. To get this all working I had to set up overrides in Unbound that point these URLs back to my Caddy when on my LAN, i.e. I set up example.website.com in Caddy and then in Unbound I had to set up an override to point this URL back to 192.168.1.1 (where Caddy is running on my OPNsense router).

My assumption was that because they were encrypted with DNS over TLS, the Caddy reverse proxy can't intercept them?

I think the only other way to get Caddy working with this setup was using the layer4 proxy? I took a look but the options and setup were just a bit too confusing for me. The downside is I just need to set up an override for every service, but it really isn't that bad.

Just posting in case anyone has feedback or other ideas here. I was hoping to not require setting these up but it works now.

If there is any feedback on the layer4 proxy with my setup or another way to avoid the overrides in Unbound, I'd love to hear it!

I need assistance with two Caddy issues

1.  I started using Caddy for a reverse proxy last week.  Once I got it to work, I started having issues when it had been running for 6 - 12 hours.  The reverse proxy was working and then it would stop.  I didn't see anything in the logs that indicated what the problem is.  I'm not using a dyndns service.

2.  I followed the instructions to use Caddy as a Layer 4/7 proxy for SSH.  When trying to SSH in, all I got was a message stating the connection had been reset.  I couldn't log into SSH.  I didn't see anything unusual in the logs.

I can post any config or logs that are needed.

Thanks!

If you use UDP (only UDP matters) in the layer 4 proxy, right now there is an open issue that can make it crash after a while:

https://github.com/mholt/caddy-l4/issues/295

For SSH, last time I tested it was working. Don't know what could be the issue if it's like in the docs.

Hardware:
DEC740

Thank you for the info on the UDP bug.  I don't recall seeing an option to turn UDP off for Layer 4 to work properly.

You just don't define any UDP rules in the layer4 proxy and you should be fine (for now until the bug is fixed upstream).

Though you can take a look at /var/log/caddy/caddy.log to see if you can find any panics in there.
Hardware:
DEC740

Hi Cedrik, apologies if this is answered elsewhere (I didn't find it)-

I've changed the Caddy user to 'www' from 'root' and set the ports to 8080 and 8443 respectively.  Issue now is that I am getting permission errors in the log.  Example:

2025-03-14T23:03:05-04:00    Error    caddy    "error","ts":"2025-03-15T03:03:05Z","logger":"admin.api","msg":"request error","error":"loading config: loading new config: starting caddy administration endpoint: unable to set permissions (--w--w----) on /var/run/caddy/caddy.sock: chmod /var/run/caddy/caddy.sock: operation not permitted","status_code":400}

I've stopped/started the Caddy service and also rebooted OPNsense but it didn't fix it.  Should I need to change some permissions manually on the filesystem?
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

It's weird to see that error, it should have been fixed here:

https://github.com/opnsense/plugins/pull/4403

Which version of the plugin do you use?
Hardware:
DEC740

I have plugin version 1.8.3.  I did a fresh install of OPN 25.1 and upgraded along the way to 25.1.3, and then installed os-caddy.
"The power of the People is greater than the people in power." - Wael Ghonim

Site 1 | N5105 | 8GB | 256GB | 4x 2.5GbE (I226-V)
Site 2 |  J4125 | 8GB | 256GB | 4x 1GbE (I210)

Well, you should be able to delete the socket file; it will get recreated automatically when caddy starts.

I'm going to see if there are issues next week.
Hardware:
DEC740