Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
Topic: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS (Read 39144 times)
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
Reply #75 on: July 21, 2024, 11:50:54 am
I made a video to show off the new widgets, and how fast a reverse proxy is set up with this plugin.
https://www.youtube.com/watch?v=6ip8Sx4zcDA
Hardware: DEC740
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #76 on: July 25, 2024, 09:53:30 am
Out of nowhere, the Caddyfile Layer 4 support came.
I have implemented TLS SNI matching of hostnames, and streaming this traffic to an upstream without TLS termination:
https://github.com/opnsense/plugins/pull/4112
If anybody wants to test it, I would love some feedback, since it is a complicated new feature (I still tried to keep the scope small and make it very easy to configure).
https://cloud.pischem.com/index.php/s/rw8Z86AzkEx3673
- Install the .pkg and replace the caddy binary with the new one
- Go to "General Settings" - Enable the advanced options - Enable "Enable Layer4"
- Go to the "Layer4 Routes" Tab, and create a route for a domain. All matched TLS traffic will then be sent to an upstream without being terminated.
- If you don't want the Layer4 Support anymore, just deactivate the option and it will be gone completely.
At the same time, the normal Reverse Proxy continues to work. Since this is all based on SNI, both the Layer4 Routes and the HTTP Reverse Proxy work on the same ports, giving maximum flexibility how your traffic is handled.
EDIT:
Already rewriting the feature slightly. I want to allow multiple domains per matcher, and also a not matcher.
EDIT2:
New version is uploaded that can do more stuff. Read the PR for examples.
Last Edit: July 25, 2024, 03:42:22 pm by Monviech
Hardware: DEC740
Baender, Full Member (Posts: 107, Karma: 4)
Reply #77 on: July 25, 2024, 11:07:00 pm
It worked once yesterday, then the DHCP went haywire and I had to reset the config. Now, a day later, I updated Caddy to 1.6.0 and re-entered the exact same information, and it doesn't want to anymore.
The goal was to make my UniFi controller reachable on controller.example.com within my LAN, so it is not accessible from outside. I am on IONOS, so I have set up the following accordingly:
General Settings
- ACME Email: my address from IONOS
- DNS Provider: IONOS
- DNS API Standard Field: my API Key

Reverse Proxy

Domains
- example.com
  - DNS: Dynamic DNS [ x ]

This means that I can at least see the current WAN IP in my IONOS account, as my WAN IP is dynamic. Wonderful then. I create a wildcard domain:

Domains
- *.example.com
  - DNS-01 Challenge [ x ]

Subdomains
- controller.example.com
  - Domain: *.example.com
  - Subdomain: controller.example.com
  - Access List: private_ipv4

Handlers
- controller.example.com
  - Domain: *.example.com
  - Subdomain: controller.example.com
  - Upstream Domain: 192.168.10.10
  - Upstream Port: 8443
I don't see any errors in the Caddy log and on the other hand, my browser just says "Page could not be found".
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #78 on: July 25, 2024, 11:14:48 pm
Shouldn't dynamic DNS be activated on the subdomain too? Otherwise it won't update "controller.example.com" at IONOS.
Please post your Caddyfile for further analysis.
Hardware: DEC740

Baender, Full Member (Posts: 107, Karma: 4)
Reply #79 on: July 25, 2024, 11:34:14 pm
I tried that now, but it won't work. My browser still complains that the site could not be found. However, at IONOS, an entry for the subdomain was added. However, I set this subdomain in Caddy to be only accessible from LAN 192.168.0.0/16. I have the feeling that Caddy won't update the local side.
Just to inform you, I'm going to sleep now, but I'll be back tomorrow.
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #80 on: July 26, 2024, 12:15:31 pm
I have checked your Caddyfile and it looks fine.
The only thing I can see is that "Dynamic DNS" is activated for the wildcard domain "*.example.com" too. That means all subdomains under the wildcard domain are matched automatically by the dynamic DNS entry for the wildcard domain.
Otherwise, I don't see any mistakes here, so I am at a loss without some logs. If you don't see any logs, it must mean that Caddy does not receive anything.
Check the HTTP Access logs for your domains in the filesystem if your requests get through to Caddy.
Hardware: DEC740

Baender, Full Member (Posts: 107, Karma: 4)
Reply #81 on: July 26, 2024, 01:23:59 pm
After some time had passed and it still wasn't working, I decided to take a very radical step. I reinstalled OPNsense completely using a previous config that I created before I started to use Caddy. Then I followed the same procedure as before: one domain for example.com and one for *.example.com. I have activated DynDNS for both, even if I wasn't sure, especially after your statement about the wildcard. However, I absolutely wanted to avoid a rate limit by Let's Encrypt. It then successfully created a certificate for both domains. I then created a subdomain unify.example.com. I specified the wildcard domain as the domain. I wonder under what circumstances I would select example.com as the domain if I were to create a subdomain.
I have given the handler 192.168.10.10 with port 8443. TLS and Skip Verify are checked.
The only explanation I can come up with is that I was either limited and that's why it didn't work, or that something was wrong with the configuration of Caddy.
By the way. OPNsense with the widgets is a real cool and helpful bonus.
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #82 on: July 26, 2024, 01:31:21 pm
I'm happy it works again, and that you like the widgets. Maybe something went wrong somewhere.
Also, you /only/ need to add "example.com" if you want to route traffic directed /exactly/ to that domain.
For example you have:
example.com - Your website is hosted there.
cloud.example.com - Your nextcloud is there.
*.example.com would /not/ match example.com.
So if you don't have any use for example.com because nothing matches that domain exactly, you can remove or deactivate it.
Hardware: DEC740
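An added example (not code from the plugin or from the PR above) that ties together Reply #76 and Reply #82: it peeks at the unencrypted SNI in a TLS ClientHello, which is what lets Layer4 routes and the HTTP reverse proxy share one listening port, and shows why "*.example.com" matches cloud.example.com but not the bare example.com. The ClientHello is constructed inline, and the two routing tables and the order in which they are consulted are assumptions for the demo.

```python
import struct

# Constructed ClientHello with a server_name extension (not a real capture) for offline testing.
def build_client_hello(sni):
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host             # name_type 0 = host_name
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00"  # version, random, sid, suite, compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body              # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs            # TLS record header (handshake)

def extract_sni(data):
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if data[0] != 0x16 or hs[0] != 0x01:
            return None
        p = 4 + 2 + 32                                    # skip handshake header, version, random
        p += 1 + hs[p]                                    # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher suites
        p += 1 + hs[p]                                    # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                # server_name: list len(2), type(1), name len(2), name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                return hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        pass
    return None

# Assumed tables (made-up values): one Layer4 route streamed to its upstream without
# TLS termination, and one wildcard domain handled by the HTTP reverse proxy.
LAYER4_ROUTES = {"vpn.example.com": "192.168.1.5:443"}
HTTP_DOMAINS = ["*.example.com"]

def host_matches(pattern, host):
    """'*' stands for exactly one label, so '*.example.com' never matches bare 'example.com'."""
    if pattern.startswith("*."):
        rest = host[:-len(pattern) + 1] if host.endswith(pattern[1:]) else ""
        return rest != "" and "." not in rest
    return host == pattern

def decide(record):
    sni = extract_sni(record)
    if sni in LAYER4_ROUTES:                              # Layer4 route checked first (assumed order)
        return ("layer4-passthrough", LAYER4_ROUTES[sni])
    if sni and any(host_matches(p, sni) for p in HTTP_DOMAINS):
        return ("http-terminate", sni)                    # regular HTTP reverse proxy path
    return ("no-match", sni)
```

A connection without a usable SNI ends up in "no-match", which is also what you would see in Caddy when no domain or Layer4 route fits the requested hostname.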
Baender, Full Member (Posts: 107, Karma: 4)
Reply #83 on: July 26, 2024, 02:12:13 pm
Thank you. Is it correct that if I only want to have nextcloud.example.com available internally, I still need to activate DynDNS?
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #84 on: July 26, 2024, 02:35:26 pm
If you have activated the DNS-01 challenge for a domain, Caddy does not necessarily have to be opened to the outside and does not really need to have Dynamic DNS activated.
You could just as well work with an internal DNS Server (Split DNS Zone) that points "nextcloud.example.com" to an internal IP address like "192.168.1.1".
How you set it all up depends on your use case. It's very flexible, but when you stray too far from the documentation I wrote, things might get harder to set up and maintain.
Hardware: DEC740

Baender, Full Member (Posts: 107, Karma: 4)
Reply #85 on: July 26, 2024, 03:24:08 pm
Is there any more information on NAT reflection related to Caddy? I found some forum posts, issues from users and blog entries related to NGINX. However, it would be nice to have it at a similarly easy level as the Caddy OPNsense documentation.
In addition to that, I would be interested in any advantages or disadvantages of an override in Unbound.
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #86 on: July 26, 2024, 03:31:06 pm
You do not have any NAT when using Caddy in any scenario.
Caddy listens on "any" interface.
That means, if it receives a request from the internet, e.g. from 1.1.1.1, that targets the external IP of the OPNsense, e.g. 2.2.2.2 (the DNS record of nextcloud.example.com), the request will be taken by Caddy and then proxied to an internal IP, e.g. 192.168.1.2 (the actual IP of the Nextcloud server). No NAT here.
The same happens when Caddy receives something from an internal IP address. E.g., there is an Unbound DNS override that points nextcloud.example.com to an interface IP address of the OPNsense, e.g. 192.168.1.1. When one of your internal clients, e.g. 192.168.1.10, sends a request to nextcloud.example.com, it will hit 192.168.1.1 where Caddy listens. Caddy proxies that request to 192.168.1.2 (where the actual Nextcloud server listens). Also no NAT.
Last Edit: July 26, 2024, 03:33:22 pm by Monviech
Hardware: DEC740

Baender, Full Member (Posts: 107, Karma: 4)
Reply #87 on: July 26, 2024, 03:39:22 pm
I think you got me wrong. Similar to the documentation "Prepare OPNsense for Caddy After Installation" (https://docs.opnsense.org/manual/how-tos/caddy.html#id4), I would like to know how to set up NAT reflection or a Domain override in OPNsense.
One side note: am I correct that if I use Caddy for a subdomain that is actually only accessible from LAN (access set to LAN), I at least get the benefit of a valid certificate?
Monviech (Cedrik), Global Moderator, Hero Member (Posts: 1601, Karma: 176)
Reply #88 on: July 26, 2024, 03:41:30 pm
You understood me wrong. Why do you want NAT Reflection if there is no NAT to begin with?
I explained that in my last post.
If you meant that you are searching for tutorials because you want to NAT other services, here you go:
https://docs.opnsense.org/manual/how-tos/nat_reflection.html
Last Edit: July 26, 2024, 03:43:23 pm by Monviech
Hardware: DEC740

NeoDragon, Newbie (Posts: 17, Karma: 0)
Reply #89 on: July 26, 2024, 06:40:18 pm
Hi, I'm trying to switch from a Docker install of NGINX Proxy Manager behind the OPNsense firewall to this Caddy plugin right on the firewall.
I've got a couple of internal addresses I use that can be accessed only on the local network.
There's a wildcard setup with a proper certificate ( *local.domain.tld ) and it works on NGINX.
After following the guide on the first page, it does not seem to work on Caddy.
I've got 2 domains: 1 with the main domain.tld, one with the wildcard.
Under subdomains, I've set up the first one there under the wildcard *.local.domain.tld.
I've got 2 handlers: 1 with the main domain linked to localhost under upstream, 1 with the wildcard+subdomain linked to a local LAN address with a specified port.
The main domain link works and gets a proper page/certificate.
The subdomain is unreachable/can't connect.
What am I missing?!