Author Topic: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS  (Read 41109 times)

Aergernis
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #30 on: May 20, 2024, 11:20:52 am »
Would be awesome  :D  Waiting for the update.

I'll test it and report back (if I can remember). If I forget to report back, then you can assume that it's working  ;)

Monviech (Cedrik)
« Reply #31 on: May 21, 2024, 04:14:31 pm »
@Aergernis:

https://github.com/opnsense/plugins/pull/3989
Hardware:
DEC740

xm4rcell0x
« Reply #32 on: May 23, 2024, 09:38:07 pm »
Hi! Thank you for this plugin! I just moved from the "other sense", so I'm a newb here....
I tried to configure Caddy but it won't even start. It gave me these errors:
Code:
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"tls","msg":"finished cleaning storage units"}
2024-05-23T21:31:23 Error caddy "error","ts":"2024-05-23T19:31:23Z","logger":"tls","msg":"could not clean default/global storage","error":"unable to acquire storage_clean lock: context canceled"}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x87024b400"}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x87024b400"}
2024-05-23T21:31:23 Informational caddy "info","ts":"2024-05-23T19:31:23Z","logger":"admin","msg":"admin endpoint started","address":"unix//var/run/caddy/caddy.sock","enforce_origin":false,"origins":["//::1","","//127.0.0.1"]}
2024-05-23T21:30:58 Informational caddy "info","ts":"2024-05-23T19:30:58Z","logger":"tls","msg":"finished cleaning storage units"}
2024-05-23T21:30:58 Error caddy "error","ts":"2024-05-23T19:30:58Z","logger":"tls","msg":"could not clean default/global storage","error":"unable to acquire storage_clean lock: context canceled"}
2024-05-23T21:30:58 Informational caddy "info","ts":"2024-05-23T19:30:58Z","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x870496380"}

If I press play it won't start at all. I already tried to uninstall, reboot and reinstall.

The problem seems to be Auto HTTPS "On". If I turn it off or choose any other option, it starts automatically.
« Last Edit: May 23, 2024, 09:48:10 pm by xm4rcell0x »

Monviech (Cedrik)
« Reply #33 on: May 24, 2024, 06:14:03 am »
Hey, did you follow the docs? If that happens, it sounds like you didn't disable the WebGUI redirect rule of OPNsense. Auto HTTPS enables port 80; if that's already in use, then Caddy can't bind to it and won't start.

https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation
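Added example, not from the thread or the OPNsense plugin: a small Go check (Caddy itself is Go) for the port conflict described above. It probes the listen addresses Auto HTTPS needs and separates "already bound by another process" (what the WebGUI redirect on port 80 causes) from other failures such as missing privileges, so it can be run before Auto HTTPS is switched on. The address list is an assumption matching Caddy's defaults.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"syscall"
)

// portInUse reports whether addr (for example ":80") is already bound by some
// process. It binds the address itself and releases it at once. Only EADDRINUSE
// counts as "in use"; other failures (EACCES for a privileged port as non-root)
// are returned so the caller can tell the two situations apart.
func portInUse(addr string) (bool, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		if errors.Is(err, syscall.EADDRINUSE) {
			return true, nil
		}
		return false, err
	}
	ln.Close()
	return false, nil
}

// checkCaddyPorts probes every address Caddy needs (with Auto HTTPS on, :80 for
// the HTTP->HTTPS redirect and :443 for TLS) and returns the ones already taken,
// for instance by the OPNsense WebGUI redirect listening on port 80.
func checkCaddyPorts(addrs []string) ([]string, error) {
	var taken []string
	for _, a := range addrs {
		used, err := portInUse(a)
		if err != nil {
			return nil, fmt.Errorf("cannot probe %s: %w", a, err)
		}
		if used {
			taken = append(taken, a)
		}
	}
	return taken, nil
}

func main() {
	taken, err := checkCaddyPorts([]string{":80", ":443"})
	switch {
	case err != nil:
		fmt.Println("probe failed:", err)
	case len(taken) == 0:
		fmt.Println("ports 80 and 443 are free, Caddy can bind them")
	default:
		fmt.Println("already in use, free them (e.g. disable the WebGUI redirect) first:", taken)
	}
}
```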

Aergernis
« Reply #34 on: May 25, 2024, 12:48:44 pm »
Quote from: Monviech on May 21, 2024, 04:14:31 pm
@Aergernis:

https://github.com/opnsense/plugins/pull/3989

Is this already included in 1.5.5_1? If so, it's not working. The only difference is that there are now 2 @ entries for the domain:

Code:
dynamic_dns {
	provider ionos *****
	domains {
		domian.tld @
		domian.tld @
	}
}

Monviech (Cedrik)
« Reply #35 on: May 25, 2024, 01:44:55 pm »
Oh no, it's not; you have to use opnsense-patch to include it:

Code:
opnsense-patch -c plugins f3532fc9d878e1f8b13dd0b6242f2ee6918b9b72

It's gonna be in 1.5.6.

Docs about opnsense-patch: https://docs.opnsense.org/manual/opnsense_tools.html#id2
« Last Edit: May 25, 2024, 01:53:23 pm by Monviech »

Aergernis
« Reply #36 on: May 25, 2024, 02:12:29 pm »
Quote from: Monviech on May 25, 2024, 01:44:55 pm
Oh no, it's not; you have to use opnsense-patch to include it:

Code:
opnsense-patch -c plugins f3532fc9d878e1f8b13dd0b6242f2ee6918b9b72

It's gonna be in 1.5.6.

Docs about opnsense-patch: https://docs.opnsense.org/manual/opnsense_tools.html#id2

Perfect. Working now, thanks  :D

Monviech (Cedrik)
« Reply #37 on: May 25, 2024, 02:24:23 pm »
Awesome, thank you for testing and creating this issue. Your efforts helped to make the plugin better. ^^

xm4rcell0x
« Reply #38 on: May 30, 2024, 03:43:31 pm »
Quote from: Monviech on May 24, 2024, 06:14:03 am
Hey, did you follow the docs? If that happens, it sounds like you didn't disable the WebGUI redirect rule of OPNsense. Auto HTTPS enables port 80; if that's already in use, then Caddy can't bind to it and won't start.

https://docs.opnsense.org/manual/how-tos/caddy.html#prepare-opnsense-for-caddy-after-installation

Sorry for my late reply.
You're right, I didn't disable the WebGUI redirect :( , my fault; after that the plugin works perfectly!

Thank you again for your work!!

Monviech (Cedrik)
« Reply #39 on: May 30, 2024, 04:27:56 pm »
Thanks for the feedback. I'm working on adding a validation so it won't happen again to others.

https://github.com/opnsense/plugins/pull/3999

xm4rcell0x
« Reply #40 on: May 30, 2024, 06:01:17 pm »
You said this in another thread: "I just dislike the idea that it will be an easy way out and people will use it for all scenarios where they could use proper certificate handling instead..." regarding the TLS insecure skip verify.

At the moment the only way to make Nextcloud and Plex work behind Caddy is thanks to this check.
If I'd like to uncheck this, could following this approach be a good way? https://docs.opnsense.org/manual/how-tos/caddy.html#reverse-proxy-the-opnsense-webui

I completely understand if you don't want to explain something that may seem trivial to you, no problem at all ;)
And sorry if I asked a dumb question, again...   :-[

Monviech (Cedrik)
« Reply #41 on: May 30, 2024, 08:40:54 pm »
Yes, this approach is the right one.

You have to build trust between Caddy (which is the client) and Plex or Nextcloud (which is the server).

To establish the connection over TLS, the certificates have to be trusted.

When your PC is the client towards Caddy, they trust each other because your PC has a root certificate for Let's Encrypt installed automatically.

When Caddy is the client towards a server with a self-signed certificate (like Nextcloud), it doesn't have any root certificate stored for that. That's why it needs to be explicitly added, and the SAN name of the certificate has to match.

Though, if you don't get it to work, there is no shame in using Skip Verify if your upstream is in your private LAN. It's mostly important if your upstream is on the internet again.
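Added example, not from the thread or the OPNsense plugin: a Go program (Caddy is written in Go) that reproduces the trust decision described above against a constructed self-signed upstream certificate. The name nextcloud.lan and the address 10.0.0.5 are made up, and the skipVerify flag stands in for the plugin's TLS insecure skip verify option; it shows what that option throws away and why both the trusted root and the SAN match are needed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds a throwaway self-signed server certificate whose only
// SAN is dnsName, like the one Nextcloud presents (constructed, not a real one).
func selfSignedCert(dnsName string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, cannot fail
	return cert
}

// verifyUpstream is the check a TLS client such as Caddy runs on an upstream
// certificate: it must chain to (or be) a root in trusted, and its SANs must
// cover serverName. skipVerify models "TLS insecure skip verify": any
// certificate is accepted, so neither issuer nor name is checked.
func verifyUpstream(cert *x509.Certificate, trusted *x509.CertPool, serverName string, skipVerify bool) error {
	if skipVerify {
		return nil
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: trusted, DNSName: serverName})
	return err
}

func main() {
	upstream, pool := selfSignedCert("nextcloud.lan"), x509.NewCertPool()
	fmt.Println("no root:   ", verifyUpstream(upstream, pool, "nextcloud.lan", false))
	pool.AddCert(upstream) // the certificate that has to be "explicitly added"
	fmt.Println("root, SAN: ", verifyUpstream(upstream, pool, "nextcloud.lan", false))
	fmt.Println("wrong name:", verifyUpstream(upstream, pool, "10.0.0.5", false))
}
```

The third call fails even with the root trusted because the proxy addresses the upstream by IP while the certificate only names nextcloud.lan; in Caddy that is fixed by making the name the proxy verifies match a SAN, not by skipping verification.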

Patrick M. Hausen
« Reply #42 on: May 30, 2024, 09:15:50 pm »
If the upstream is in the same private infrastructure as Caddy or any other reverse proxy, a perfectly valid option in my opinion is to drop TLS for the backend connection altogether.

That's how I run Confluence and all that other Java/Tomcat-based stuff, because managing certificates in Java just sucks.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

youmas
« Reply #43 on: June 01, 2024, 12:00:20 pm »
-///-
« Last Edit: June 02, 2024, 08:36:56 pm by youmas »

Amodin
« Reply #44 on: June 03, 2024, 06:08:52 am »
So I am a little confused on this - forgive me, I'm new to Caddy and setting up reverse proxies.

First off - I'm having issues with firewall rules after implementing this, and I am already weak with them, but no matter what I'm doing with rules, I can't ever seem to get them working with Caddy.

I know in the documentation it says:

Port Forwards, NAT Reflection, Split Horizon DNS or DNS Overrides in Unbound are not required. Only create Firewall rules that allow traffic to the default ports of Caddy.
So are we creating rules that just point to 80 and 443? I tried that, didn't go so well, lol.

Second thing, under the Creating the Simple Proxy section - for the Upstream Domain IP: is this our firewall IP, or our hosted DNS name? The documentation doesn't do a good job for me on this. Currently, I just have my domain name there, but at first I believed it would have been my OPN.