Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Hello, I don't see the TLS block in your domain. It should look like this:

# Reverse Proxy Domain: "d5c1169f-8f95-4091-823b-7095c15fbb5f"
example.com {
    tls {
        dns cloudflare secretapikeyhere
    }

    handle {
        reverse_proxy 172.16.100.1 {
        }
    }
}


Did you check the Checkbox "Dns-01 Challenge" in your domain in "Trust"?
Hardware:
DEC740

Puh, thanks a lot! :-[ - got a certificate now:

2024-07-11T22:11:37 Informational caddy "info","ts":"2024-07-11T20:11:37Z","logger":"dynamic_dns","msg":"updating DNS record","zone":"vault.domain.xyz","type":"AAAA","name":"@","value":"IPv6","ttl":0}
2024-07-11T22:11:37 Informational caddy "info","ts":"2024-07-11T20:11:37Z","logger":"dynamic_dns","msg":"updating DNS record","zone":"vault.domain.xyz","type":"A","name":"@","value":"IPv4","ttl":0}
2024-07-11T22:11:35 Debug caddy "debug","ts":"2024-07-11T20:11:35Z","logger":"events","msg":"event","name":"cached_managed_cert","id":"30f5dd13-a0ea-4f72-8ab9-ef83302c2b13","origin":"tls","data":{"sans":["vault.domain.xyz"]}}
2024-07-11T22:11:35 Debug caddy "debug","ts":"2024-07-11T20:11:35Z","logger":"tls.cache","msg":"added certificate to cache","subjects":["vault.domain.xyz"],"expiration":"2024-10-09T09:55:23Z","managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"51760c73851d473ec28884675ecde4e5413d434e12f04760093aecb819909f51","cache_size":1,"cache_capacity":10000}


I already thought it was such a small thing...

Now of course I have the next problem, namely that I can't reach the domain and get an error at Cloudflare (error code 521). Host is reachable, CNAME is also configured. Is there anything else I need to consider for Cloudflare?

If Cloudflare is only your DNS Provider and nothing more (no CDN or Cloudflare tunnels etc.), then nothing else has to be considered there.

Now the issue should be your upstream. If you get a blank page + certificate in the browser, then there is a connection issue to the upstream (so your internal service+port).

The most likely cause is that the internal service listens on https instead of http, so try to enable "TLS Insecure Skip Verify" in the handler and see if it works then.
Hardware:
DEC740
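The diagnosis given in the reply above (blank page plus a valid certificate means Caddy itself is fine and cannot talk to the upstream, most often because the internal service expects TLS) can be checked from the command line before changing the handler. The script below is an added example and is not code from this thread or from the os-caddy plugin; the host 172.16.100.1 and port 443 are placeholders for your own internal service. It opens a TCP connection to the upstream, sends a plaintext HTTP request and tells from the first bytes of the answer whether the service replied with an HTTP status line (plain HTTP) or with a TLS record (HTTPS):

```python
"""Probe whether a reverse_proxy upstream speaks plaintext HTTP or TLS.

Added example, not code from the forum thread or from the os-caddy plugin.
It sends a minimal plaintext HTTP/1.1 request to host:port and classifies the
first bytes that come back: a plaintext service answers with an HTTP status
line, a TLS-only service answers with a TLS alert record (content type 0x15)
or simply closes the connection. Host and port are assumptions.
"""
import socket
import sys

TLS_ALERT = 0x15      # record type a TLS server sends back when it receives plaintext
TLS_HANDSHAKE = 0x16  # record type for TLS handshake messages

# Next step in the os-caddy handler for each classification.
ADVICE = {
    "http": "plaintext upstream: reverse_proxy to host:port works as-is",
    "tls": "TLS upstream: proxy to https://host:port; for self-signed certificates "
           "enable 'TLS Insecure Skip Verify', or better switch the service to HTTP internally",
    "no-reply": "port open but silent: most likely a TLS-only service that closed the socket; "
                "treat as 'tls' and check the service's own logs",
    "unknown": "neither HTTP nor TLS: wrong port or a non-HTTP protocol",
}


def classify_reply(data: bytes) -> str:
    """Classify the first bytes returned for a plaintext HTTP request."""
    if not data:
        return "no-reply"
    if data.startswith(b"HTTP/"):
        return "http"
    # Every TLS record starts with the content type followed by the 0x03 major version byte.
    if len(data) >= 2 and data[0] in (TLS_ALERT, TLS_HANDSHAKE) and data[1] == 0x03:
        return "tls"
    return "unknown"


def build_request(host: str) -> bytes:
    """Minimal HTTP/1.1 HEAD request; 'Connection: close' makes a plain HTTP server answer and hang up."""
    return f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def probe_upstream(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port, send the plaintext request and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(host))
            try:
                data = sock.recv(16)
            except socket.timeout:
                data = b""
    except OSError as exc:
        # Refused or unreachable: Caddy would log a dial error for this upstream.
        return f"unreachable: {exc}"
    return classify_reply(data)


if __name__ == "__main__":
    # Usage: python probe_upstream.py 172.16.100.1 443   (placeholder host and port)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "172.16.100.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_upstream(target_host, target_port)
    print(result, "->", ADVICE.get(result, "check the network path from the OPNsense to the upstream"))
```

In Caddyfile terms, the plugin's "TLS Insecure Skip Verify" checkbox corresponds to the `tls_insecure_skip_verify` option in the `transport http` block of `reverse_proxy`. It only disables certificate verification on the hop between Caddy and the upstream, so the Let's Encrypt certificate shown to clients is unaffected, but anyone who can inject traffic on that internal path could then impersonate the upstream, which is why the reply recommends using plain HTTP internally instead.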

You are the man! Thank you so much for the great support! Everything is now working as it should.  :D :D :D

Hello,
may I ask for your help @Monviech. I would like to install the Stalwart mail server behind the Caddy plugin. According to the documentation https://stalw.art/docs/server/reverse-proxy/caddy/, the following must be done to enable Proxy Protocol support directly within Caddy.
It is mentioned that the plugin called proxy_protocol should be used. As I understand it, this is already integrated in Caddy.

Caddyfile example

mail.example.com {
    redir https://example.com{uri}
}

example.com {
    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server
}

mail.example.com {
    reverse_proxy 127.0.0.1:8080
}


In addition, crontab must be created in order to automate copying the certificates obtained by Caddy

0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.crt > /opt/stalwart-mail/cert/example.com.pem
0 3 * * * cat /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/example.com/example.com.key > /opt/stalwart-mail/cert/example.com.priv.pem


My questions:
1. Can this be implemented with the plugin and the GUI, or do I have to use a Custom Configuration File?
2. How do I create the automated copying of the certificates obtained by Caddy to the Stalwart container?

Thank you very much for your help and for your great plugin. It has helped me on many levels and also given me a lot of insight.

Hello, anything could be implemented into the plugin. The question is if it makes sense. For edge cases like these the custom configuration files are the best choice.

I don't understand why they need a fileserver and a root web directory. It's not needed for the reverse proxy. If this is a requirement, please /don't/ set it up on the OPNsense.

Also, this cronjob can break since Caddy creates more than just the Let's Encrypt folder; it also creates a ZeroSSL folder.
Hardware:
DEC740
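The warning about the cron job is the practical one: Caddy stores certificates as `certificates/<issuer directory>/<domain>/<domain>.crt` and `.key`, and when issuance falls back from Let's Encrypt to ZeroSSL the new certificate lands in a different issuer directory, so a path hard-coded to `acme-v02.api.letsencrypt.org-directory` keeps copying the stale file until it expires. The script below is an added example and is not code from this thread, from Stalwart's documentation or from the os-caddy plugin; the Caddy storage root and the destination directory are assumptions, and the output file names follow the Stalwart snippet quoted above. It selects the newest certificate for the domain across all issuer directories, copies certificate and key atomically, and gives the private key 0600 permissions:

```python
"""Export a Caddy-managed certificate to another service regardless of issuer.

Added example, not code from the forum thread, the Stalwart documentation or
the os-caddy plugin. Caddy (certmagic) stores certificates as
<storage>/certificates/<issuer-dir>/<domain>/<domain>.crt and .key, and the
issuer directory differs between Let's Encrypt and ZeroSSL. Instead of
hard-coding one issuer directory, this picks the newest certificate for the
domain across all of them and copies cert and key atomically. The storage
root and destination directory are assumptions; adjust them to your system.
"""
from __future__ import annotations

import os
import shutil
import sys
import tempfile
from pathlib import Path


def find_newest_cert(storage_root: Path, domain: str) -> tuple[Path, Path] | None:
    """Return (crt, key) of the most recently written certificate for domain, or None."""
    candidates = []
    for crt in storage_root.glob(f"certificates/*/{domain}/{domain}.crt"):
        key = crt.with_suffix(".key")
        if key.is_file():  # skip half-written issuer directories
            candidates.append((crt.stat().st_mtime, crt, key))
    if not candidates:
        return None
    _, crt, key = max(candidates)
    return crt, key


def atomic_copy(src: Path, dst: Path, mode: int) -> None:
    """Copy src to dst through a temp file in the same directory so readers never see a partial file."""
    dst.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(dir=dst.parent, prefix=".caddy-export-")
    try:
        with os.fdopen(fd, "wb") as out, src.open("rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp_name, mode)  # set the mode before the rename so the final file is never too open
        os.replace(tmp_name, dst)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise


def export_cert(storage_root: str | os.PathLike, domain: str, dest_dir: str | os.PathLike) -> dict | None:
    """Copy the newest cert/key pair for domain into dest_dir; return what was copied, or None."""
    found = find_newest_cert(Path(storage_root), domain)
    if found is None:
        return None
    crt, key = found
    cert_dst = Path(dest_dir) / f"{domain}.pem"       # file names as in the Stalwart snippet
    key_dst = Path(dest_dir) / f"{domain}.priv.pem"
    atomic_copy(crt, cert_dst, 0o644)
    atomic_copy(key, key_dst, 0o600)
    return {"issuer_dir": crt.parent.parent.name, "cert": str(cert_dst), "key": str(key_dst)}


if __name__ == "__main__":
    # Usage (placeholder paths): export_cert.py <caddy-storage-root> example.com /opt/stalwart-mail/cert
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} STORAGE_ROOT DOMAIN DEST_DIR")
    result = export_cert(sys.argv[1], sys.argv[2], sys.argv[3])
    if result is None:
        sys.exit(f"no certificate for {sys.argv[2]} under {sys.argv[1]}")
    print(f"copied from {result['issuer_dir']}: {result['cert']}, {result['key']}")
```

Run it from cron in place of the two `cat` lines; the Stalwart container then reads the same two file names from the destination directory as in the original snippet. Because the key is written with mode 0600, the job has to run as a user that can read Caddy's storage and whose copy the container is allowed to read.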

Hi,
would love to see MultiWAN support for dynamic DNS so that all public IPs get a DNS entry (in my case 2)

If you leave the checks empty, Caddy will check your current IP with a default HTTP check, and update your A and AAAA Records accordingly. If the default route of the OPNsense to the internet should change, Caddy will update your entries with the other WAN IP at the next check interval.
Hardware:
DEC740

Great plugin, however when I set it up and try to navigate to the domain I've configured (as per the tutorial) I get:

subdomain.domain.com uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

I'm using the dns challenge to generate the certificate, any ideas why this would cause a problem?

Hey, to help you I need your Caddyfile (please redact any api keys or passwords).

And I need some debug logs. Put your log settings to debug, do the request that fails and post them here.
Hardware:
DEC740

Thanks, I've attached the Caddyfile and log. The Let's Encrypt challenge works successfully, so it has been able to request a certificate; it's when I navigate to the page that I get that error in my browser.

Which application do you reverse proxy? Does it listen internally on HTTP or HTTPS?

For HTTPS enable "TLS Insecure Skip Verify" in the handler.

Or better, use HTTP internally.

Sadly the log doesn't show anything.
Hardware:
DEC740

I tried both Sonarr and Portainer (one with and one without SSL) and neither are working.
It's worth mentioning I only forwarded the internal 80/443 on my LAN rather than exposing them on the WAN. I assume this is fine if I don't want any of my servers to be public facing.

Any other ideas on what to test? My OPNsense is more or less out of the box; I'm not doing anything particularly interesting with my configuration outside of this.

I have no experience with the configuration you are doing.

I am always using the public domain name pointing to the public IP address of the OPNsense, and use Access Lists to restrict access to internal networks.

Reference: https://docs.opnsense.org/manual/how-tos/caddy.html#restrict-access-to-internal-ips

Another reference where I explained my preferred setup in detail: https://www.reddit.com/r/opnsense/comments/1dwbr88/issue_using_oscaddy_to_generate_wildcard_cert/

In your case, you might have to use Split DNS, to avoid NAT Reflection/Hairpinning problems. (https://docs.opnsense.org/manual/how-tos/nat_reflection.html)
Hardware:
DEC740

Just FYI for all os-caddy users.

Version os-caddy-1.6.1, which will be part of 24.7, will be the point where the plugin stays feature-wise for now. New feature requests will be weighted heavily for benefit vs. making the UI more cluttered due to being an edge case.

It can do a lot of things, it can fit many use cases, and it is still pretty simple to configure. I think this is the right point to stop active development and go into full maintenance mode.

That means:
- Fixing Bugs
- Maintaining the code base
- Maintaining/Updating the build of the caddy binary and dns providers

The point where active development would start again is when new features are introduced, like Layer 4 proxy support in the Caddyfile, which could happen somewhere next year.

Thank you all ^^
Hardware:
DEC740