Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Glad you could find the option you need. I think the ACME plugin and Caddy can run at the same time and issue certificates too, I don't think there are regressions, but I don't know.

It's interesting to use the built-in certificate generation of Caddy because it also does automatic OCSP stapling.

Also, make sure you create an automation that restarts Caddy when the Let's Encrypt certificates are renewed by the ACME plugin if you continue using it. Otherwise the certs won't be reloaded if they're reissued.

I'll check if I can create a pull request to add that as an automation like nginx and HAProxy.

EDIT: https://github.com/opnsense/plugins/pull/3877
Hardware:
DEC740
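The post-renewal reload the reply above asks for, as an added example that is not code from this thread, from the OPNsense ACME plugin or from the linked pull request. It is a POSIX sh hook meant to run after each ACME client run: it reloads Caddy only when the certificate file on disk actually changed, so a hook that fires on every scheduled run does not bounce Caddy when nothing was reissued. The certificate path, the state-file path and the reload command (`caddy reload --config /usr/local/etc/caddy/Caddyfile`; the thread only mentions the /usr/local/etc/caddy/caddy.d directory) are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OPNsense Caddy/ACME plugins.
# Post-renewal hook: reload Caddy only when the certificate file changed.
# Assumptions (not stated in the thread): the ACME plugin writes the renewed
# certificate to $CERT_FILE, and Caddy is reloaded with `caddy reload`.

CERT_FILE="${CERT_FILE:-/usr/local/etc/caddy/certificates/example.com.pem}"
STATE_FILE="${STATE_FILE:-/var/run/caddy-cert.fingerprint}"
CADDY_RELOAD_CMD="${CADDY_RELOAD_CMD:-caddy reload --config /usr/local/etc/caddy/Caddyfile}"

# Content hash of a file. Hashing the PEM bytes is enough to detect a rewrite
# by the ACME client; `openssl x509 -fingerprint` would also work but needs a
# real certificate as input.
fingerprint() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 (changed) and records the new fingerprint when the file differs
# from the one recorded in the state file; returns 1 (unchanged) otherwise.
# A missing state file counts as changed, so the first run always reloads.
cert_changed() {
    cert="$1"; state="$2"
    [ -r "$cert" ] || { echo "cert_changed: cannot read $cert" >&2; return 2; }
    new=$(fingerprint "$cert")
    old=$(cat "$state" 2>/dev/null || true)
    if [ "$new" = "$old" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$state"
    return 0
}

# Reload Caddy only if the certificate changed. `caddy reload` is graceful:
# existing connections finish on the old config, new ones get the new cert.
reload_caddy_if_changed() {
    if cert_changed "$CERT_FILE" "$STATE_FILE"; then
        echo "certificate changed, reloading Caddy"
        eval "$CADDY_RELOAD_CMD"
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Run the hook only when this file is executed as reload-caddy-on-renew.sh,
# so the functions can also be sourced from another script.
case "$0" in
    *reload-caddy-on-renew.sh) reload_caddy_if_changed ;;
esac
```

Wire the script in as the ACME plugin's post-renewal automation (or as a cron job that runs shortly after the renewal job); it is idempotent, so running it more often than the certificate renews is harmless.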

Thanks Monviech... I gave Caddy another try... I currently run HAProxy, but don't really need load balancing for the home network, Caddy is simpler.
My results were uneven... thus far. Here is what I did...
- Turned off DDNS as relying on OPNsense for that
- Gave the domain a custom cert located in the OPNsense trust store.
- Gave the domain a custom port of 30000, as HAProxy is currently binding to 443 and 80.
- With this approach, Caddy does not terminate the connection. Seems to work however if I give it default 443

- Further to this... I disabled HAProxy, and enabled Caddy
- created a brand new domain and OPNsense LE cert.
- bound Caddy to 443 and seemed to work OK
- Home Assistant loaded fine, the backend is unencrypted
- when backend was encrypted however, I checked the TLS box for the backend, but alas failed to certify
  - this was the OPNsense GUI... which I put on a different port (41443)
  - GUI failed to load.
  - Similar approach seems to work in HAProxy... where you check TLS but don't bother to certify.

I will try again in a few days... to see if I can work around some of these things...
best regards,

Caddy has port 80 and 443 as a requirement for itself. Running it at the same time as other services that use them is not supported.

When using the built-in certificate generation, any port on the Domain works, even ports like 30000 etc. I know that because a small project uses this plugin where they have the same domain from 30000 to 30050 listening on the front end, reverse proxying each port to a different handler. (Reverse proxying a lot of Stable Diffusion instances for the API.)

For the "check a box that just skips TLS verification" there is a new feature for that coming in the next version that allows that.

Otherwise the docs have examples of how it works with the OPNsense GUI right now.

Thanks for trying the plugin. ^^
Hardware:
DEC740
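The two setups discussed in the exchange above, a Domain on a custom port with a Caddy-managed certificate and a TLS backend that "fails to certify", written out as a plain Caddyfile. This is an added example, not configuration from the thread, from the OPNsense os-caddy plugin or from its GUI; the hostnames, backend addresses and the CA file path are assumptions, while ports 30000 and 41443 come from the posts. The "failed to certify" symptom is what you get when Caddy verifies the backend certificate (its default) and the OPNsense GUI presents a self-signed one.

```caddyfile
# Added example (not from the thread or the OPNsense os-caddy plugin).
# Assumed: example.com, backend addresses 192.168.1.20 (Home Assistant) and
# 192.168.1.1 (OPNsense), the GUI certificate's subject name, the CA path.

{
    # Caddy still needs ports 80/443 for itself: the HTTP-01 and TLS-ALPN-01
    # challenges are answered there, even when the site itself listens on
    # 30000. That is why another service bound to 80/443 is not supported.
    email admin@example.com
}

# Home Assistant: plain-HTTP backend, certificate managed by Caddy.
ha.example.com:30000 {
    reverse_proxy 192.168.1.20:8123
}

# OPNsense GUI moved to 41443: the backend speaks TLS. The https:// scheme
# turns on TLS towards the upstream; Caddy then verifies the backend
# certificate by default, against the name in the upstream address (here an
# IP), so a self-signed GUI certificate fails the handshake unless Caddy is
# told which name to verify and which CA to trust.
fw.example.com:30000 {
    reverse_proxy https://192.168.1.1:41443 {
        transport http {
            # Name expected in the GUI certificate's SAN (assumed).
            tls_server_name opnsense.home.arpa
            # Preferred: trust the CA that signed the GUI certificate.
            tls_trusted_ca_certs /usr/local/etc/caddy/opnsense-ca.pem
            # Alternative, equivalent to HAProxy's "don't verify" choice:
            # accepts any certificate, so an attacker on the LAN path to the
            # backend could impersonate it. Use only for self-signed backends
            # you cannot otherwise trust.
            # tls_insecure_skip_verify
        }
    }
}
```

`tls_trusted_ca_certs` keeps verification on and is the option to prefer; `tls_insecure_skip_verify` reproduces the HAProxy behaviour from the post but silently accepts any certificate the backend presents.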

Hi,

I would like to install this plugin but can't find it in the Plugins list under firmware.

Opnsense version 24.1.b_130

Any suggestions?

Thanks!

It's in 24.1.4
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Has anyone had issues with Google Home devices (not the routers but the hubs or other display devices) losing functionality after implementing Caddy directly on the firewall? I previously had Nginx Proxy Manager and currently use Zoraxy. For both of which I had a NAT rule set up and everything works fine. I'd like to use Caddy and have everything set up directly on the firewall, but that's a deal breaker. I set up the WAN/LAN rules and removed the NAT as noted in the guide. Everything works great with the exception of it breaking functionality of those devices.

I'm using Google Home Minis and also Chromecasts. I didn't experience any breakage in functionality after implementing Caddy on my firewall.

I can't imagine what the problem should be, maybe a configuration problem of the Firewall or NAT rules.

Please check the firewall live log what happens when you voice command your google devices. Check if DNS fails (most probable cause), or packets get blocked.
Hardware:
DEC740

That's the thing... it won't even load... it appears to be a DNS issue. Because it can't contact Google, it just hangs on either the loading screen or it displays the clock, but the clock never updates because it can't contact Google. My TVs which have Google built in work fine, but just an older Lenovo Google display device craps the bed whenever I've tried.

There's probably not much I can do about that without being able to know what exactly is going wrong, and how to reproduce it.

It's highly unlikely it has to do with running Caddy. Its more likely to be a firewall configuration issue.
Hardware:
DEC740

I tend to agree.  Just wanted to ask in case you'd heard anything like that before.  I appreciate it

Hi,

How can I add a wildcard DNS entry with IONOS as DNS provider? The plugin is only creating the "@" entry.

Hello,

I am using this module and the configuration examples from it: https://github.com/mholt/caddy-dynamicdns

If there is something my template does wrong, please give me a Caddyfile configuration example, or ask in the issues of the plugin maintainer if you can update a full wildcard domain.

So far, the plugin either updates a base domain with @, or subdomains. I don't think *.example.com will be updated, but I don't know for sure since I programmed the template only with the given examples.

I also inquired further here before making the template: https://caddy.community/t/dynamic-dns-module-question-about-domain-configuration/22291
Hardware:
DEC740

Hi,

I've added a ddns.global file in /usr/local/etc/caddy/caddy.d with

dynamic_dns {
    provider ionos xyz-api-key
    domains {
        domain.tld * @
    }
    check_interval 5m
    versions ipv4
    ttl 1h
}

and with this it's creating the @ and * DNS entries (at least for IONOS).
So an extra field in the config GUI would be nice to fill in some extra DNS entries and just use @ if nothing is entered there :)

Looks good, thanks for testing. I will adjust the template to turn '@' into '*' if it is a wildcard domain like *.example.com, but leave it as '@' when it is a base domain like example.com.

A simple fix in the template logic should do it I think? Since *.example.com and example.com need to coexist anyway in the GUI when wildcard and base domain are both needed, since they don't include each other.
Hardware:
DEC740
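A full Caddyfile that puts together the two points made in the last posts, that the base record (@) and the wildcard record (*) must both be listed for the dynamic DNS updater, and that example.com and *.example.com are separate sites that do not include each other. This is an added example, not the plugin's template or output and not configuration from the thread. It assumes the IONOS API key is supplied through the IONOS_API_KEY environment variable, that the caddy-dns/ionos module is compiled into the Caddy binary (needed for the wildcard certificate; the dynamic DNS provider from the post does not cover that), and the backend address 192.168.1.20.

```caddyfile
# Added example (not from the thread or the OPNsense plugin's template).
# Assumed: IONOS_API_KEY in the environment, the caddy-dns/ionos module
# present in the binary, backend 192.168.1.20:8123.

{
    dynamic_dns {
        provider ionos {env.IONOS_API_KEY}
        domains {
            # @ (example.com) and * (*.example.com) are two separate A
            # records; neither implies the other, so both are listed.
            example.com @ *
        }
        check_interval 5m
        versions ipv4
        ttl 1h
    }
}

# The base domain is its own site with its own certificate. Caddy can get
# this one with the HTTP-01 or TLS-ALPN-01 challenge on ports 80/443.
example.com {
    respond "base domain"
}

# The wildcard site does not match example.com itself, only one label below
# it. Its certificate can only be obtained through the DNS-01 challenge,
# which is why this site, unlike the base domain, needs a DNS provider
# module even though a dynamic_dns provider is already configured above.
*.example.com {
    tls {
        dns ionos {env.IONOS_API_KEY}
    }

    # Route by hostname inside the wildcard site.
    @ha host ha.example.com
    handle @ha {
        reverse_proxy 192.168.1.20:8123
    }

    # Any other name under the wildcard gets an explicit 404 rather than
    # being proxied somewhere by accident.
    handle {
        respond "no such host" 404
    }
}
```

The same split applies in the plugin GUI: entering example.com and *.example.com as two Domains is what makes the template emit both the @ and the * record, matching the template change proposed in the reply above.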