Tutorial: Caddy (Reverse Proxy) + Let's Encrypt Certificates + Dynamic DNS

Started by Monviech (Cedrik), February 09, 2024, 01:31:44 PM

Well, think about it for a second: how should the proxy receive the traffic if the firewall blocks it beforehand?
Hardware:
DEC740

I understand that, but I thought Caddy was listening on 80 and 443 and sending proxied UDP data from the specified port to the specified local IP/port, like it does with the basic reverse proxy.

Is there any advantage of using L4 if you're still opening the game server ports?

A remote client would contact the 2000-something port though, not 80 or 443.

The L4 module is for when you want to load balance or multiplex, or want to transform IPv6 on the outside to IPv4 on the inside. Advanced use cases, not just a simple port forward.
Hardware:
DEC740

Question from a now slightly confused newb!

Using the example for "HTTP Access List" in the guide, I get:


'''''''''''''''
@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	not client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
handle @8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	abort
}
'''''''''''''''

Ticking "Invert List" in the Access List, I get:

'''''''''''''''
@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite {
	client_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
}
'''''''''''''''

Shouldn't it be the other way around? Or is it just the help text being wrong?


opnsense 25.7.6 / os_caddy 2.0.4_1 

The logic should be okay; it was implemented quite a while ago here:

https://github.com/opnsense/plugins/pull/4245

If you tested it and it doesn't work, we can revisit it. Though the original requesters in the linked issue confirmed it, and in my tests it worked as intended.

Hardware:
DEC740

I'm still struggling...

If the "Access List" in the GUI is an ALLOW_LIST and I get "not" in the conf file, that seems wrong!
Vice versa, ticking "Invert List" gives me "allowed" in the conf file?

Help Text for "Invert List" is:
Quote: If checked, the access list logic will be inverted (i.e., the listed IPs will be blocked instead of allowed).

Anyway, it works perfectly if I do tick the "Invert List" box. It just took me a while to find that!
Not a big issue, just wanted to know if it's me being dumb again :-) ....

Access List: 192.168.1.1


Normal:

If it is /not/ 192.168.1.1, abort.

(meaning 8.8.8.8 will be aborted, 192.168.1.1 will be allowed)

When inverting:

If it is 192.168.1.1, abort.

(meaning 8.8.8.8 will be allowed, 192.168.1.1 will be aborted)

As you can see, the inversion is not what you assume when looking at the Caddyfile; it's a logical construct.

Hardware:
DEC740
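
The allow/abort logic explained in the post above, as an added Python model that is not part of the os_caddy plugin, Caddy, or any of the posts. It renders the matcher-plus-abort pair for both modes and evaluates which client IPs survive, so the "not client_ip" versus "client_ip" rendering can be checked against concrete addresses. It also adds the check a practitioner should make when a private-range allow list sits behind trusted proxies (the `trusted_proxies` / `client_ip_headers` settings seen later in this thread): Caddy's `client_ip` matcher only honours a forwarded header when the TCP peer is a trusted proxy. The matcher name reuses the UUID from the earlier post; the private ranges, the proxy address and the header-resolution rule (first configured header with a parseable address, left-most value) are constructed sample values and a simplified assumption for this model, not a statement of Caddy's exact algorithm.

```python
"""Model of the os_caddy "HTTP Access List" rendering and its allow/abort semantics.

Added example, not plugin or Caddy code. Values below are constructed samples.
"""
import ipaddress
from typing import Iterable, Mapping

# Constructed sample values (the real plugin derives the matcher name from the list's UUID).
MATCHER = "@8a04f2f0-6d29-4e1b-831f-0ee048e5d83d_examplesite"
PRIVATE_RANGES = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]


def render_access_list(matcher: str, cidrs: Iterable[str], invert: bool) -> str:
    """Render the Caddyfile snippet the plugin generates for one access list.

    invert=False (an allow list): abort everything that is NOT in the list.
    invert=True  (a block list):  abort everything that IS in the list.
    """
    prefix = "" if invert else "not "
    return (
        f"{matcher} {{\n"
        f"\t{prefix}client_ip {' '.join(cidrs)}\n"
        f"}}\n"
        f"handle {matcher} {{\n"
        f"\tabort\n"
        f"}}\n"
    )


def resolve_client_ip(remote_addr: str, headers: Mapping[str, str],
                      trusted_proxies: Iterable[str],
                      client_ip_headers: Iterable[str]) -> str:
    """Simplified model (an assumption, not Caddy's exact code) of client IP resolution.

    A forwarded header is only honoured when the TCP peer is inside trusted_proxies;
    otherwise the peer address itself is the client IP, so an untrusted client cannot
    spoof its way into a private-range allow list with X-Forwarded-For.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in ipaddress.ip_network(p, strict=False) for p in trusted_proxies):
        return remote_addr
    for name in client_ip_headers:
        value = headers.get(name)
        if not value:
            continue
        candidate = value.split(",")[0].strip()  # left-most entry, assumed for this model
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            continue
        return candidate
    return remote_addr


def is_allowed(client_ip: str, cidrs: Iterable[str], invert: bool) -> bool:
    """Evaluate the matcher + abort pair; False means the request is aborted."""
    ip = ipaddress.ip_address(client_ip)
    listed = any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)
    # Normal mode aborts when NOT listed; inverted mode aborts when listed.
    aborted = listed if invert else not listed
    return not aborted


if __name__ == "__main__":
    print(render_access_list(MATCHER, PRIVATE_RANGES, invert=False))
    print(render_access_list(MATCHER, PRIVATE_RANGES, invert=True))
    for ip in ("192.168.1.1", "8.8.8.8"):
        print(ip, "normal:", is_allowed(ip, PRIVATE_RANGES, False),
              "inverted:", is_allowed(ip, PRIVATE_RANGES, True))
    # Spoofing check: a forwarded header from an untrusted peer is ignored.
    spoof = {"X-Forwarded-For": "192.168.1.1"}
    print(resolve_client_ip("203.0.113.7", spoof, ["10.0.0.5/32"], ["X-Forwarded-For"]))
```

Run it and compare the two rendered snippets with what the GUI produces; the important point is that `not client_ip ... ; abort` is the allow list, even though the word "not" reads as a denial. The `resolve_client_ip` check matters because the same allow list is worthless if `trusted_proxies` covers addresses an attacker can reach the proxy from.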

Thanks for this plugin. I was always using HAProxy, but this seems much simpler.
Everything works quite ok, except for 1 thing with Authelia

I have a protected subdomain for external connections say jellyseerr.domain.com. This works outside my LAN.

In Authelia I have a bypass for internal networks so no 2FA is needed. What I see, however, is that the first time going to jellyseerr.domain.com it works directly without 2FA. However, if I visit the website later it resolves to jellyseerr.domain.com/api/authz/forward-auth and of course shows a 404 page not found. If I remove the cookies it works again (e.g. going to jellyseerr.domain.com without the forward appendages).

This is my config in Caddy (redacted by only showing the jellyseerr domain):

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file

# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2
		trusted_proxies static xxxx
		client_ip_headers Cf-Connecting-Ip
		client_ip_headers X-Forwarded-For
	}

	dynamic_dns {
		provider cloudflare xxxxxx
		domains {
			jellyseerr.domain.com jellyseerr
		}
	}

	email xxx@xxx.com
	grace_period 10s
	skip_install_trust
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration

*.domain.com {
	tls {
		issuer acme {
			dns cloudflare xxxxx
			resolvers 1.1.1.1
		}
	}

jellyseerr.domain.com {
	handle {
		forward_auth http://192.168.20.40:9091 {
			uri /api/authz/forward-auth
			copy_headers Remote-User
			copy_headers Remote-Groups
			copy_headers Remote-Name
			copy_headers Remote-Email
		}
		reverse_proxy 192.168.20.64:5055 {
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf