Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

No, the GUI only allows for the same port being used on all backend webservers in the same load balancing group.

What's the use case for different ports there?

Since all webservers that load balance should be configured the same way, why serve them on different ports?
Hardware:
DEC740

Multiple instances per machine/GPU for the service.

Looking at the caddy config I did wonder why it was not just one field with ip:port entries so you could do any combination as you can in the config itself.

It has grown historically while building the plugin and now it's hard to change it without breaking existing setups.

It's one of these things.

There are some validations attached to the port field too, since when you change to the www user it gets validated extensively.

I'm sure it could all be somehow resolved with migrations and different field types, but the use case is very small, so somebody who needs it would have to invest time there.
Hardware:
DEC740

Is what it is, I'll just use something else for now.

It's a pain when you have things tied up in validation and existing configs.

It's very cool to have the additional functions of caddy available on opnsense.

Well, you could work around it by having multiple virtual IPs on that host and bind one GPU instance per virtual IP on the same port for each. Then each socket on the same host would also be unique even with the same port.

But yeah, this won't be resolved anytime soon.

Or write your own config file for that one use case. You can still use the GUI for all other things.

https://docs.opnsense.org/manual/how-tos/caddy.html#custom-configuration-files
Hardware:
DEC740

Hi,
I installed Caddy and configured it following the tutorial, but I have this error:
"error","ts":"2024-10-11T07:26:56Z","logger":"tls.obtain","msg":"could not get certificate from issuer","identifier":"toto.pequod.sokil.fr","issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 urn:ietf:params:acme:error:connection - 89.219.181.98: Timeout during connect (likely firewall problem)"}

I really don't know where to start.
I also installed Caddy on FreeBSD and Debian to test, with the same error.

I have another site with OPNsense and Caddy on Debian behind it without error; I'm missing something, but what?

Well, I get no connection to your IP either. So it's either a firewall problem or the IP is a CGNAT IP; you have to troubleshoot that with curl, for example:

curl -v 89.219.181.98
*   Trying 89.219.181.98:80...
^C
curl -v 89.219.181.98:443
*   Trying 89.219.181.98:443...
^C

See, there's nothing, no response. So Let's Encrypt cannot connect either.
Hardware:
DEC740
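The checks in the reply above, scripted, as an added example that is not code from the thread or from the OPNsense Caddy plugin: it parses a Caddy tls.obtain log line for the ACME error type and the address the CA tried, then TCP-probes that address on 80 and 443 the way curl does. The log line, hostname and IP are constructed.

```python
import json, re, socket

# Constructed sample modelled on the tls.obtain line quoted in the thread (documentation values).
SAMPLE_LOG = ('{"level":"error","ts":"2024-10-11T07:26:56Z","logger":"tls.obtain",'
              '"msg":"could not get certificate from issuer","identifier":"toto.example.net",'
              '"issuer":"acme-v02.api.letsencrypt.org-directory","error":"HTTP 400 '
              'urn:ietf:params:acme:error:connection - 203.0.113.10: Timeout during '
              'connect (likely firewall problem)"}')
ACME_ERR = re.compile(r"(urn:ietf:params:acme:error:\w+) - (\d{1,3}(?:\.\d{1,3}){3})")

def parse_acme_error(line):
    """(identifier, ACME error type, IP the CA tried) from a tls.obtain line, else None."""
    entry = json.loads(line)
    if entry.get("logger") != "tls.obtain":
        return None
    m = ACME_ERR.search(entry.get("error", ""))
    return (entry.get("identifier"), m.group(1), m.group(2)) if m else None

def probe(host, port, timeout=3.0):
    """Scripted 'curl -v host:port': 'open', 'refused' (RST), 'timeout' (dropped) or 'unreachable'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "refused"
        except OSError:
            return "unreachable"

def triage(line, prober=probe, ports=(80, 443)):
    """An ACME 'connection' error plus no open port: the CA's HTTP-01/TLS-ALPN-01 probe never arrived."""
    parsed = parse_acme_error(line)
    if parsed is None:
        return None
    ident, err_type, ip = parsed
    state = {p: prober(ip, p) for p in ports}
    if err_type.endswith(":connection") and "open" not in state.values():
        why = "nothing answers on %s at %s: check WAN rules, NAT, or CGNAT" % (list(ports), ip)
    else:
        why = "connectivity looks fine; look at the ACME error for %s: %s" % (ident, err_type)
    return {"identifier": ident, "ip": ip, "ports": state, "diagnosis": why}

def self_check():
    """Sanity-check probe(): a listening loopback port, then the same port once closed."""
    with socket.socket() as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        listening = probe("127.0.0.1", port, 1.0)
    return listening, probe("127.0.0.1", port, 1.0)
```

Run triage() on a real tls.obtain line from the Caddy log; a "timeout" on both ports from outside your network is the same symptom the curl session above shows.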

https://imgur.com/a/y2YyIJN

I created a NAT port forward directly to my server on port 80 and everything works.
If I forward 443 to 80, can that be considered a good test to check if the ISP blocks something?

https://imgur.com/n3XyyQt I reach the webserver.

Maybe the "This Firewall" alias does not work for you for some reason.

Try to disable the port forward rule.

Set the rules on WAN to "WAN address" instead.
Hardware:
DEC740

I have a similar problem. From time to time, my domains are not reachable. I restricted them to the LAN network. Some services and my vacuum robot. The only thing that helps is to restart the OPNsense and get a new IP and new records for the domains. A restart of Caddy won't work. The services are reachable by their IP when the problem occurs.

Would it help to set Caddy to debug and send the log from the beginning, when it's working, until the moment it fails? It could be a lot of log data, because I don't know when it will happen. Moreover, I think that this is related to a problem with IPv6 prefix delegation. In general, would it be a good idea to combine the Caddy logs with the logs of the OPNSENSE system? Is this only possible manually?

I do think such a problem is out of scope for me to troubleshoot. Sorry.
Hardware:
DEC740

I agree with you, it's a firewall config problem, but which checkbox ;D
I'll continue to search.

Hey there, thank you very much for bringing Caddy to OPNsense. It is a real pleasure to have such a wonderful tool on the sense. I even like it so much that I use Caddy as a webserver or reverse proxy in other projects as well.

I would like to add a TURN and STUN server (Coturn: https://github.com/coturn/coturn) to my infrastructure. It is a requirement for my Nextcloud. At first I tried to add an additional subdomain to Caddy that extends to my nextcloud.example.com.
However, that required having a wildcard domain with the port 3478 and the actual subdomain nextcloud.example.com:3478. Not to mention opening another port on the firewall.

Would it be possible to use the Caddy: Layer4 Routes feature for my project? Is it a TLS (SNI) type then, and moreover, is it still required to open the port 3478 for it?

Using Nextcloud Talk is notoriously difficult.

I would rather use IPv6 where a stun and turn server is not needed, because webrtc can create a direct socket from endpoint to endpoint.
Hardware:
DEC740

Quote from: Baender on October 18, 2024, 08:12:13 AM
Would it be possible to use the Caddy: Layer4 Routes feature for my project? Is it a TLS (SNI) type then, and moreover, is it still required to open the port 3478 for it?

STUN and TURN is UDP, so no. You need inbound NAT port forwarding for that. Which answers the port question, I guess :)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)