Author Topic: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS  (Read 41107 times)

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #15 on: March 29, 2024, 06:12:19 am »
Glad you could find the option you need. I think the ACME Plugin and Caddy can run at the same time and issue certificates too; I don't think there are regressions, but I don't know.

It's interesting to use the built-in certificate generation of Caddy because it also does automatic OCSP stapling.

Also, make sure you create an automation that restarts Caddy when the Let's Encrypt certificates are renewed by the ACME Plugin if you continue using it. Otherwise the certs won't be reloaded if they're reissued.

I'll check if I can create a pull request to add that as an automation like nginx and HAProxy.

EDIT: https://github.com/opnsense/plugins/pull/3877
« Last Edit: March 29, 2024, 10:19:38 am by Monviech »
Hardware:
DEC740

bucky2780

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #16 on: March 30, 2024, 04:59:16 am »
Thanks Monviech...  I gave Caddy another try... I currently run HAProxy, but don't really need load balancing for the home network; Caddy is simpler.
My results were uneven... thus far. Here is what I did....
- Turned off DDNS as I am relying on OPNsense for that
- Gave the domain a custom cert located in the OPNsense trust store.
- Gave the domain a custom port of 30000, as HAProxy is currently binding to 443 and 80.
- With this approach, Caddy does not terminate the connection. Seems to work however if I give it the default 443

- Further to this... I disabled HAProxy, and enabled Caddy
- created a brand new domain and OPNsense LE cert.
- bound Caddy to 443 and it seemed to work ok
- Home Assistant loaded fine, the backend is unencrypted
- when the backend was encrypted however, I checked the TLS box for the backend, but alas it failed to certify
  - this was the OPNsense GUI... which I put on a different port (41443)
  - GUI failed to load.
  - A similar approach seems to work in HAProxy... where you check TLS but don't bother to certify.

I will try again in a few days... to see if I can work around some of these things...
best regards,

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #17 on: March 30, 2024, 06:20:19 am »
Caddy has port 80 and 443 as a requirement for itself. Running it at the same time as other services that use it is not supported.

When using the built-in certificate generation, any port on the Domain works, even ports like 30000 etc. I know that because a small project uses this plugin where they have the same domain from 30000 to 30050 listening on the front end, reverse proxying each port to a different handler. (Reverse proxying a lot of Stable Diffusion instances for the API.)

For the "check a box that just skips TLS verification" there is a new feature for that coming in the next version that allows that.

Otherwise the docs have examples of how it works with the OPNsense GUI right now.

Thanks for trying the plugin. ^^
« Last Edit: March 30, 2024, 06:24:52 am by Monviech »
Hardware:
DEC740

pieter123

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #18 on: March 31, 2024, 05:55:34 pm »
Hi,

I would like to install this plugin but can't find it in the Plugins list under Firmware.

Opnsense version 24.1.b_130

Any suggestions?

Thanks!

Patrick M. Hausen

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #19 on: March 31, 2024, 06:17:59 pm »
It's in 24.1.4
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

pieter123

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #20 on: March 31, 2024, 08:16:59 pm »
Quote from: Patrick M. Hausen on March 31, 2024, 06:17:59 pm
It's in 24.1.4

Got it, thanks!

thg0432

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #21 on: May 04, 2024, 05:21:33 pm »
Has anyone had issues with Google Home devices (not the routers but the hubs or other display devices) losing functionality after implementing Caddy directly on the firewall?  I previously had Nginx Proxy Manager and currently use Zoraxy.  For both of these I had a NAT rule set up and everything works fine.  I'd like to use Caddy and have everything set up directly on the firewall, but that's a deal breaker.  I set up the WAN/LAN rules and removed the NAT as noted in the guide.  Everything works great with the exception of it breaking the functionality of those devices.

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #22 on: May 04, 2024, 08:12:02 pm »
I'm using Google Home Minis and also Chromecasts. I didn't experience any breakage in functionality after implementing Caddy on my firewall.

I can't imagine what the problem should be, maybe a configuration problem of the Firewall or NAT rules.

Please check the firewall live log for what happens when you voice command your Google devices. Check if DNS fails (most probable cause), or packets get blocked.
Hardware:
DEC740

thg0432

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #23 on: May 04, 2024, 08:28:52 pm »
That's the thing... it won't even load... it appears to be a DNS issue.  Because it can't contact Google, it just hangs on either the loading screen or it displays the clock, but the clock never updates because it can't contact Google.  My TVs which have Google built in work fine, but just an older Lenovo Google display device craps the bed whenever I've tried.

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #24 on: May 04, 2024, 09:12:35 pm »
There's probably not much I can do about that without being able to know what exactly is going wrong, and how to reproduce it.

It's highly unlikely it has to do with running Caddy. It's more likely to be a firewall configuration issue.
Hardware:
DEC740

thg0432

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #25 on: May 05, 2024, 02:55:39 am »
I tend to agree.  Just wanted to ask in case you'd heard anything like that before.  I appreciate it

Aergernis

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #26 on: May 19, 2024, 07:16:11 pm »
Hi,

How can I add a wildcard DNS entry with Ionos as DNS provider? The plugin is only creating the "@" entry.

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #27 on: May 19, 2024, 08:02:19 pm »
Hello,

I am using this module and the configuration examples from it: https://github.com/mholt/caddy-dynamicdns

If there is something my template does wrong, please give me a caddyfile configuration example, or ask in the issues of the plugin maintainer if you can update a full wildcard domain.

So far, the plugin either updates a base domain with @, or subdomains. I don't think *.example.com will be updated, but I don't know for sure since I programmed the template only with the given examples.

I also inquired further here before making the template: https://caddy.community/t/dynamic-dns-module-question-about-domain-configuration/22291
« Last Edit: May 19, 2024, 08:08:46 pm by Monviech »
Hardware:
DEC740

Aergernis

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #28 on: May 20, 2024, 10:07:56 am »
Hi,

I've added a ddns.global file in /usr/local/etc/caddy/caddy.d with

Code:
dynamic_dns {
    provider ionos xyz-api-key
    domains {
        domain.tld * @
    }
    check_interval 5m
    versions ipv4
    ttl 1h
}

and with this it's creating the @ and * DNS entries (at least for Ionos).
So an extra field in the config GUI would be nice to fill in some extra DNS entries and just use @ if nothing is entered there  :)

Monviech (Cedrik)

Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #29 on: May 20, 2024, 10:54:22 am »
Looks good, thanks for testing. I will adjust the template to turn '@' into '*' if it is a wildcard domain like *.example.com, but leave it as '@' when it is a base domain like example.com.

A simple fix in the template logic should do it I think? Since *.example.com and example.com need to coexist anyway in the GUI when wildcard and base domain are both needed, since they don't include each other.
« Last Edit: May 20, 2024, 10:56:09 am by Monviech »
Hardware:
DEC740
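The template logic discussed in the last two posts (wildcard `*.example.com` becomes `*`, the base domain becomes `@`, other names become relative subdomain labels, all grouped per zone), as an added example that is not the OPNsense plugin's own template. It assumes the caddy-dynamicdns `domains { zone label... }` syntax and uses a placeholder "last two labels" zone heuristic; `zone_of`, `relative_label`, `group_domains` and `render_dynamic_dns` are names made up for this example.

```python
from collections import OrderedDict


def zone_of(name: str) -> str:
    """Placeholder heuristic: the zone is the last two DNS labels.
    Wrong for zones such as co.uk; a real template would take the zone
    from configuration instead of guessing it."""
    labels = name.strip(".").split(".")
    return ".".join(labels[-2:])


def relative_label(name: str, zone: str) -> str:
    """Map a configured domain to the label caddy-dynamicdns expects.

    *.example.com   -> '*'   (wildcard record, the case from reply #29)
    example.com     -> '@'   (apex / base domain record)
    sub.example.com -> 'sub' (plain subdomain)
    """
    if name == zone:
        return "@"
    if name == f"*.{zone}":          # check wildcard before the generic suffix case
        return "*"
    if name.endswith(f".{zone}"):
        return name[: -len(zone) - 1]
    raise ValueError(f"{name} is not inside zone {zone}")


def group_domains(domains):
    """Group configured domains by zone, deduplicating labels and keeping order."""
    zones: "OrderedDict[str, list]" = OrderedDict()
    for d in domains:
        z = zone_of(d)
        label = relative_label(d, z)
        if label not in zones.setdefault(z, []):
            zones[z].append(label)
    return zones


def render_dynamic_dns(domains, provider="ionos", api_key="XYZ-API-KEY"):
    """Render a dynamic_dns global block; api_key is a constructed placeholder."""
    lines = ["dynamic_dns {", f"    provider {provider} {api_key}", "    domains {"]
    for zone, labels in group_domains(domains).items():
        lines.append(f"        {zone} {' '.join(labels)}")
    lines += ["    }", "    check_interval 5m", "    versions ipv4", "    ttl 1h", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_dynamic_dns(["domain.tld", "*.domain.tld", "vpn.domain.tld"]))
```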
