  • OPNsense Forum »
  • English Forums »
  • Tutorials and FAQs »
  • Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
Pages: 1 ... 14 15 [16] 17

Author Topic: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS  (Read 41143 times)

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #225 on: November 05, 2024, 06:20:44 am »
It really doesn't tell me much, I've never seen errors like these before.

Maybe Caddy debug logs of the failed requests or HTTP access logs can show what's happening. Right now I'm just as much in the dark as you though, sorry.

It looks like a weirder problem, maybe https://caddy.community can help better.
Hardware:
DEC740

spocko

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #226 on: November 06, 2024, 10:03:12 am »
I am a noob and am trying to play around with Caddy in OPNsense.

I have a question regarding certificates that are showing up in the Lobby dashboard but are not needed anymore. Is there a way to delete those certificates?

Thanks in advance.

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #227 on: November 06, 2024, 10:35:11 am »
Hello, these certificates should eventually be cleaned up by Caddy's storage cleanup routine. But that can take until past expiry or longer.

You can delete them manually in the filesystem.

Code:
/var/db/caddy/data/caddy/certificates/

Hardware:
DEC740
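The reply above points at the certificate storage directory but leaves the "which directory is safe to delete" question to the reader. The script below is an added example (it is not part of the os-caddy plugin or of the post) that walks that storage and lists every site certificate whose name is no longer in the list of configured domains, deleting only with an explicit flag. It assumes certmagic's default on-disk layout, `certificates/<issuer-key>/<cert-key>/<cert-key>.crt|.key|.json`, with a leading `*` stored as `wildcard_`; the sample storage it builds when run without arguments is constructed, and the domain names in it are hypothetical.

```python
"""Find (and optionally delete) leftover site certificates in Caddy's storage.

Added example, not part of the os-caddy plugin. Assumed on-disk layout is
certmagic's default, rooted at the path from the forum post:
  /var/db/caddy/data/caddy/certificates/<issuer-key>/<cert-key>/<cert-key>.{crt,key,json}
where <cert-key> is the site name and a leading "*" is stored as "wildcard_".
"""
import shutil
import sys
import tempfile
from pathlib import Path

DEFAULT_STORAGE = Path("/var/db/caddy/data/caddy/certificates")


def storage_name_to_domain(name):
    """certmagic writes "*.example.com" as "wildcard_.example.com"; map it back."""
    prefix = "wildcard_"
    return "*" + name[len(prefix):] if name.startswith(prefix) else name


def find_stale_certs(storage, configured_domains):
    """Return cert directories whose site name is not in configured_domains.

    Only <issuer>/<name>/<name>.crt layouts are considered, so the plugin's
    "temp" folder (trust-pool PEMs) and any other file is never touched.
    """
    storage = Path(storage)
    wanted = set(configured_domains)
    stale = []
    for issuer_dir in sorted(p for p in storage.iterdir() if p.is_dir()):
        for cert_dir in sorted(p for p in issuer_dir.iterdir() if p.is_dir()):
            if not (cert_dir / (cert_dir.name + ".crt")).is_file():
                continue
            if storage_name_to_domain(cert_dir.name) not in wanted:
                stale.append(cert_dir)
    return stale


def cleanup(storage, configured_domains, apply=False):
    """Dry run by default; with apply=True the stale directories are removed."""
    stale = find_stale_certs(storage, configured_domains)
    if apply:
        for cert_dir in stale:
            shutil.rmtree(cert_dir)
    return stale


def build_sample_storage():
    """Constructed sample layout (hypothetical names) so the script runs offline."""
    root = Path(tempfile.mkdtemp(prefix="caddy-certs-"))
    issuer = root / "acme-v02.api.letsencrypt.org-directory"
    for name in ("example.com", "wildcard_.example.com", "old.example.com"):
        (issuer / name).mkdir(parents=True)
        for ext in (".crt", ".key", ".json"):
            (issuer / name / (name + ext)).write_text("placeholder\n")
    (root / "temp").mkdir()
    (root / "temp" / "670931cbb863a.pem").write_text("placeholder\n")  # trust-pool PEM
    return root


if __name__ == "__main__":
    # Usage: cleanup_certs.py [--apply] <storage-dir> <domain> [<domain> ...]
    # With no arguments the constructed sample storage is used (dry run).
    args = [a for a in sys.argv[1:] if a != "--apply"]
    apply = "--apply" in sys.argv[1:]
    if not args:
        storage, domains = build_sample_storage(), ["example.com", "*.example.com"]
    elif len(args) < 2:
        sys.exit("refusing to run with an empty list of configured domains")
    else:
        storage, domains = Path(args[0]), args[1:]
    for cert_dir in cleanup(storage, domains, apply=apply):
        print(("removed " if apply else "stale   ") + str(cert_dir))
```

Pass every hostname that is still configured in the plugin (wildcards as `*.example.com`), run once without `--apply` and read the list, then run with `--apply` while Caddy is stopped or restart Caddy afterwards so its in-memory certificate cache matches the disk. Deleting a certificate for a name that is still configured just makes Caddy reissue it on the next start and burns Let's Encrypt rate limits, which is why the script refuses to run with an empty domain list.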

vorago

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #228 on: November 18, 2024, 02:42:31 pm »
Hello, caddy doesn't seem to like the firewall live log view. Auto-refresh will not stay enabled. I don't have this problem when viewing logs via direct IP.

Caddy logs show this "context canceled" error when it happens:
Code:
"debug","ts":"2024-11-18T13:32:10Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.5.1:444","duration":0.001754159,"request":{"remote_ip":"192.168.5.4","remote_port":"59054","client_ip":"192.168.5.4","proto":"HTTP/2.0","method":"GET","host":"opn.example.com","uri":"/api/diagnostics/firewall/log/?digest=91a55b1d9ceb232a54b94da9ad86d84e&limit=1000","headers":{"Accept":["application/json, text/javascript, */*; q=0.01"],"Sec-Gpc":["1"],"Sec-Fetch-Mode":["cors"],"Accept-Language":["en-US,en;q=0.5"],"X-Csrftoken":["EzCqIYHuVYedZX-dW038qA"],"Sec-Fetch-Dest":["empty"],"Cookie":["REDACTED"],"X-Forwarded-For":["192.168.5.4"],"Referer":["https://opn.example.com/ui/diagnostics/firewall/log"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Dnt":["1"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"],"X-Requested-With":["XMLHttpRequest"],"Content-Type":["application/json"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["opn.example.com"],"Accept-Encoding":["gzip, deflate, br, zstd"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"opn.example.com"}},"error":"context canceled"}
What could be the problem?

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #229 on: November 18, 2024, 03:12:59 pm »
Hello, I just tested the firewall live log with both the layer 4 proxy and the reverse proxy and auto refresh always worked for me.

My WebGUI runs on HTTPS on port 4444.

Here is my Caddyfile section:

Code:
vpn1.example.com {
    handle {
        reverse_proxy 127.0.0.1:4444 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
    }
}
Hardware:
DEC740

vorago

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #230 on: November 18, 2024, 03:32:12 pm »
I wonder what I'm doing wrong then. My section looks similar to yours, with the addition of the certificate; I just have the WebUI bound to a specific interface:

Code:
handle {
    reverse_proxy 192.168.5.1:444 {
        transport http {
            tls
            tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/670931cbb863a.pem
            tls_server_name OPNsense.localdomain
        }
    }
}

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #231 on: November 18, 2024, 04:26:08 pm »
Can you check whether the same issue happens with the Layer4 proxy?

It's really easy, just add this to "Layer4 Proxy". You do not even have to disable your Reverse Proxy configuration for the OPNsense WebGUI, since Layer 4 will match first:

Services: Caddy Web Server: Layer4 Proxy
Edit Layer4 Route
Description: OPNsense WebGUI
Matchers: TLS (SNI Client Hello)
Domain: opnsense.example.com (Your opnsense domain name)
Upstream Domain: 127.0.0.1 (Or your IP address if the WebGUI does not listen on ALL interfaces)
Upstream Port: 444

Save, Apply.

Reopen the WebGUI and it should serve the self-signed certificate through Caddy instead of the Let's Encrypt one. Test whether the Live Log still doesn't work.
Hardware:
DEC740

vorago

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #232 on: November 18, 2024, 04:54:03 pm »
Live logs work with that method. So is the issue somehow with the LE cert? I'd much prefer to use my LE cert for this.

Edit: it seems to be a browser issue. Live logs work fine with my original set up in Brave, but not librewolf. Strange.
« Last Edit: November 18, 2024, 04:59:28 pm by vorago »

vorago

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #233 on: November 18, 2024, 05:09:29 pm »
It's the combination of the ResistFingerprinting setting and Caddy with LE certs that seems to be the problem, for me at least.

Never mind, was looking via direct IP and didn't notice.
« Last Edit: November 18, 2024, 05:12:06 pm by vorago »

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #234 on: November 18, 2024, 06:00:32 pm »
Oh okay, so things work now with a different browser? I tested with a Blink-based one, Chrome on Mac.
Hardware:
DEC740

vorago

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #235 on: November 18, 2024, 06:03:44 pm »
They do. I tried in normal Firefox and it also works fine there. So I'm guessing it's some hardening setting in Librewolf. Thanks for helping me narrow this down! I'll keep digging into the settings of LW.

pacman

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #236 on: December 01, 2024, 12:35:44 pm »
I need some help with this great plugin. I want to use Caddy as a reverse proxy. I have an immich-server running in my local network.

If I make the configuration with only http:// everything works perfectly. But I want to use it with https://.

I always get this error in the browser.

Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #237 on: December 01, 2024, 12:49:11 pm »
Where do you want to use https?

Domain (Frontend) or HTTP Handler (Upstream to Backend)?
Hardware:
DEC740

spocko

  • Newbie
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #238 on: December 02, 2024, 08:02:17 am »
Hi all, I need some help with the following:

I configured Caddy with subdomains using the Cloudflare API.
The problem is I get a lot of errors in my log (see example, and no, it's not my real IP):

"debug","ts":"2024-12-02T03:28:36Z","logger":"http.stdlib","msg":"http: TLS handshake error from 34.38.48.249:37638: no certificate available for '22.200.100.002'"}

Can someone point me in the right direction to block this?

Thanks in advance.

Monviech (Cedrik)

  • Global Moderator
Re: Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS
« Reply #239 on: December 02, 2024, 08:13:44 am »
Any request that hits Caddy on its ports will trigger an evaluation of whether it should be processed further or not. So these are not warnings or errors, but debug messages saying that the frontend received a connection request that could not be mapped to any configured hostname (thus no available certificate).

If you think it's an attack, block the requesting IP via CrowdSec or firewall rules.
Hardware:
DEC740
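Two posts in this page ask what a Caddy debug line is telling them: the `http.stdlib` "TLS handshake error ... no certificate available for '<name>'" message above (a client, often a scanner, asked for a name, here an IP literal, that no site block serves) and the `http.handlers.reverse_proxy` "upstream roundtrip" line with `"error":"context canceled"` earlier in the thread (the client went away before the upstream answered). The script below is an added example, not part of the os-caddy plugin, that parses Caddy's JSON log lines, groups handshake failures per source address, lists the SNI names nobody serves, counts failed upstream round trips, and returns the addresses worth feeding into a firewall alias or a CrowdSec decision. The message formats are the ones visible on this page; the sample log is constructed, using documentation addresses (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and hypothetical hostnames, and it includes one deliberately truncated line like the ones pasted into the thread so the parser's skip path is exercised. The log file path in the usage note is an assumption.

```python
"""Triage Caddy's JSON logs: who fails the TLS handshake (no matching hostname)
and which upstream round trips error out.

Added example, not from the os-caddy plugin. The sample lines are constructed
(documentation addresses, hypothetical names); one is truncated on purpose.
"""
import json
import re
import sys
from collections import Counter, defaultdict

# Go's net/http server logs: "http: TLS handshake error from <addr>: <reason>"
HANDSHAKE_RE = re.compile(r"TLS handshake error from (?P<addr>\S+): (?P<reason>.+)$")
# certmagic's reason text when no configured site matches the requested name
NO_CERT_RE = re.compile(r"no certificate available for '(?P<name>[^']*)'")

SAMPLE_LOG = """
{"level":"debug","ts":"2024-12-02T03:28:36Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.9:37638: no certificate available for '198.51.100.2'"}
{"level":"debug","ts":"2024-12-02T03:28:37Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.9:37640: no certificate available for '198.51.100.2'"}
{"level":"debug","ts":"2024-12-02T03:28:39Z","logger":"http.stdlib","msg":"http: TLS handshake error from 203.0.113.9:37644: tls: first record does not look like a TLS handshake"}
{"level":"debug","ts":"2024-12-02T03:30:01Z","logger":"http.stdlib","msg":"http: TLS handshake error from [2001:db8::5]:40112: no certificate available for 'mail.example.com'"}
{"level":"debug","ts":"2024-11-18T13:32:10Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.5.1:444","duration":0.001754159,"error":"context canceled"}
{"level":"debug","ts":"2024-11-18T13:32:11Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.5.1:444","duration":0.002,"request":{"method":"GET","uri":"/"}}
"debug","ts":"2024-12-02T03:31:00Z","logger":"http.stdlib","msg":"constructed truncated line, as pasted into the forum"}
"""


def parse_lines(lines):
    """Parse JSON lines; skip blank or truncated ones instead of aborting."""
    events = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            events.append(json.loads(raw))
        except json.JSONDecodeError:
            continue
    return events


def split_addr(addr):
    """'1.2.3.4:5678' -> ('1.2.3.4', 5678); '[2001:db8::5]:40112' -> ('2001:db8::5', 40112)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def handshake_failures(events):
    """remote IP -> Counter of handshake failure reasons (http.stdlib logger only)."""
    by_ip = defaultdict(Counter)
    for ev in events:
        if ev.get("logger") != "http.stdlib":
            continue
        m = HANDSHAKE_RE.search(ev.get("msg", ""))
        if m:
            ip, _port = split_addr(m["addr"])
            by_ip[ip][m["reason"]] += 1
    return by_ip


def unmatched_names(by_ip):
    """Requested names no site serves; IP literals here mean the client never used your DNS name."""
    names = Counter()
    for reasons in by_ip.values():
        for reason, n in reasons.items():
            m = NO_CERT_RE.search(reason)
            if m:
                names[m["name"]] += n
    return names


def upstream_errors(events):
    """(upstream, error) -> count for reverse_proxy round trips that reported an error."""
    errors = Counter()
    for ev in events:
        if ev.get("logger") == "http.handlers.reverse_proxy" and ev.get("error"):
            errors[(ev.get("upstream"), ev["error"])] += 1
    return errors


def block_candidates(by_ip, threshold):
    """Source IPs with at least `threshold` failed handshakes, sorted for a firewall alias."""
    return sorted(ip for ip, reasons in by_ip.items() if sum(reasons.values()) >= threshold)


if __name__ == "__main__":
    # Usage: caddy_log_triage.py [<caddy-json-log>]; without a file the sample is used.
    lines = open(sys.argv[1]).readlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    events = parse_lines(lines)
    by_ip = handshake_failures(events)
    print("handshake failures per source IP:", {ip: sum(c.values()) for ip, c in by_ip.items()})
    print("names requested that no site serves:", dict(unmatched_names(by_ip)))
    print("failed upstream round trips:", dict(upstream_errors(events)))
    print("block candidates (>= 3 failures):", block_candidates(by_ip, 3))
```

The `http.stdlib` handshake lines only appear with debug logging enabled in the plugin; point the script at the JSON log Caddy writes (on OPNsense assumed to be under `/var/log/caddy/`) and tune the threshold to your traffic. A single failed handshake is background noise from the whole internet scanning port 443 and is not worth a block; a source that repeatedly asks for your bare IP as the server name never resolved your hostname and is a reasonable candidate for a firewall alias or a CrowdSec decision, as the reply above suggests. The `context canceled` count is a client-side cancellation (browser navigated away or aborted a poll) rather than an upstream fault, so it is reported but not used for blocking.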
