Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

I configured my firewall to allow everything in and out for testing purposes, but it still doesn't work, so it has to be something else. I'm going to try other CMSs like Joomla and Drupal to see if they work. Everything else I've tried, like Kuma, unRaid, Proxmox, and Portainer, all works just fine.

I didn't mean the firewall of the OPNsense. I mean maybe there's a firewall on the host itself that serves WordPress, and it blocks the incoming connection. Maybe there's fail2ban or something on that host too. I would check anything that blocks IP addresses. I tried with my own WordPress and it "just works (TM)".
Hardware:
DEC740

I apologize, I didn't understand what you meant. However, since you showed me it could be done, I went back and figured it out. I was using a template in Portainer. When I redeployed using the stack method it worked. Thank you very much for your plugin. I couldn't get nginx or HAProxy to work because they are too complicated for me.

Some weeks ago, there was an issue with the dynamic DNS for IONOS, where the API added new records instead of updating them. The issue was fixed, but I wonder when it will come to OPNsense caddy.

Today :)

If the caddy-custom package is not updated automatically, just go to

/ui/core/firmware#packages

search for the caddy-custom package and press "reinstall".
Hardware:
DEC740

Nice. It became a very annoying routine, in the last few weeks, to clean old records. I am looking forward to the update.


This plug-in looks great, but also a bit over my pay grade.

I've read through the documentation, and this post, and have a request ...

Would it be possible to put together a YouTube video showing a setup walkthrough for the following scenario (which I suspect would be beneficial for many homelab users):

Assuming the user already has a registered domain name (for example: example.com)
Assuming they are already set up with a Cloudflare account

The video to show what would be required in OPNsense / the Caddy plug-in to:

set up to have a certificate that automatically renews associated with example.com

set up to have Caddy used to securely reference specific internal addresses such as:

opnsense.example.com
homeassistant.example.com
openmediavault.example.com
jellyfin.example.com
etc.
(on whichever ports are required)

set up to ensure none of the above can be accessed externally from the internet (i.e. access only applies to internal accesses)

set up to have the external IP address of example.com updated via Cloudflare when it changes.

In addition to Caddy on the OPNsense, I set up a Caddy proxy in a subnet at 192.168.50.10. In that Caddyfile, I would like to add the global trusted_proxies directive:

Quote: Enabling this causes trusted requests to have the real client IP parsed from HTTP headers (by default,

Is the IP address of the trusted proxy, the gateway of the subnet? 192.168.50.1? So to say, the Caddy proxy of the OPNsense is a trusted source?
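As an added example (not from the thread or the OPNsense plugin), this is what the trusted_proxies setting on the inner Caddy at 192.168.50.10 would look like. It assumes the OPNsense Caddy reaches the inner host from its interface address 192.168.50.1; confirm that source address in the inner Caddy's access log before trusting it, because any address listed here is allowed to set the client IP via X-Forwarded-For.

```caddyfile
# Caddyfile on the inner host 192.168.50.10 (added example).
# Assumption: the OPNsense Caddy connects from 192.168.50.1.
{
	servers {
		# Only connections arriving from these source addresses may
		# override the client IP via X-Forwarded-For. Requests from any
		# other peer keep their TCP remote address as the client IP, so
		# a host in the subnet cannot spoof an address by sending the
		# header itself.
		trusted_proxies static 192.168.50.1/32
	}
}

http://nc.example.com {
	# Log so {client_ip} can be checked against {remote_ip}: when the
	# request came through the trusted proxy they differ, otherwise
	# they are the same address.
	log

	# Assumed backend address; replace with the real upstream.
	reverse_proxy 127.0.0.1:8080
}
```

Because the OPNsense Caddy already terminates TLS and forwards over the inner subnet, the inner site is listed as http:// here; keep that listener firewalled to the proxy's address.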

I feel like I should add this here as well:

How to enable HSTS for the "official" Nextcloud docker.

Go to Caddy --> Reverse Proxy --> HTTP Headers and add a new one.
Header: header_down
Header Type: +Strict-Transport-Security
Header Value:  max-age=31536000;

Save and add it to your Nextcloud http handler. Save and apply.

Heya,
Thanks a lot for your work and for the tutorial. It really helped me out a lot.
There is one small issue that I am having with Caddy and my Nextcloud (of course) container.
I can access it using my domain from outside my local network, but when trying to connect it through my local network, I keep getting ERR_SOCKET_NOT_CONNECTED or PR_END_OF_FILE_ERROR issues. I did not mess with NAT reflection nor with Unbound DNS as the tutorial says that there won't be a need for it, but I still cannot get access locally.
My caddyfile is as follows:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
		level DEBUG
	}

	dynamic_dns {
		provider cloudflare xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
		domains {
			example.com *
			example.com nc
		}
	}

	email example@mail.com
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

# Reverse Proxy Domain: "a46e07f0-97d6-40ee-a4ba-c219beee103f"
*.example.com {
	tls {
		issuer acme {
			dns cloudflare xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
		}
	}

	@f601ec75-1d72-4165-a41c-34322ad8a17a {
		host nc.example.com
	}
	handle @f601ec75-1d72-4165-a41c-34322ad8a17a {
		handle {
			reverse_proxy 10.150.0.10:8666 {
				header_down +Strict-Transport-Security "max-age=31536000;"
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

Unfortunately there are no logs from Caddy, as nothing shows up when trying to access it internally. When using nslookup on the domain, I get my OPNsense IP.
Server:  firewall.home.lan
Address:  10.150.0.1

Name:    nc.example.com
Address:  10.150.0.1


Any help would be appreciated!!

Did you create the same Firewall rule for WAN also for LAN/other interfaces you use?

You shouldn't use Split DNS Zones with Caddy, just use the external IP address from internally and externally. I can see your Nextcloud resolves to the internal IP of your OPNsense. (Technically it's possible and people do it, but it complicates some firewall rules and stuff.)

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

If none of these hints work, please post some debug logs where Caddy logged the error you see happening.
Hardware:
DEC740

Quote from: Monviech on September 26, 2024, 03:34:23 PM
Did you create the same Firewall rule for WAN also for LAN/other interfaces you use?

You shouldn't use Split DNS Zones with Caddy, just use the external IP address from internally and externally. I can see your Nextcloud resolves to the internal IP of your OPNsense. (Technically it's possible and people do it, but it complicates some firewall rules and stuff.)

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

If none of these hints work, please post some debug logs where Caddy logged the error you see happening.

The Split DNS setup in Unbound was remaining config from my old HAProxy setup; that's fixed now. But it did not solve my issue. The actual problem I found was that I was checking the Dynamic DNS box in both Domains and Subdomains, and I had some misconfiguration as well on the Cloudflare dashboard. Since cleaning all that up, it has been working perfectly.

Thanks a lot!

Edit: Quick question, is there any way to use other Caddy directives in the GUI, e.g. php_fastcgi and file_server? It would be an improvement for me to use Caddy instead of using Nextcloud with its own embedded Apache web server.

Great that you figured it out.

No, you can only use the directives in the GUI that you can see in the GUI.

For custom stuff you can always use custom configuration files:
https://docs.opnsense.org/manual/how-tos/caddy.html#custom-configuration-files

I advise against it though. Use it only as a reverse proxy. Do not serve static files with it (on the OPNsense).
Hardware:
DEC740

I can't add multiple ports for load balancing? Am I missing something?