*Internal Only* Caddy Config

Started by fakebizprez, September 16, 2025, 07:30:44 AM

Hello,

I have never used a reverse proxy plugin on OPNsense. I am testing out Home Assistant OS, and would like to route this, and the add-on containers on Home Assistant OS via the OPNsense Caddy Plugin without exposing these ports to the public internet.

The documentation states:


Quote:

Creating a Simple Reverse Proxy:

The domain has to be externally resolvable. Create an A-Record on a public DNS server that points your domain to the external IP address of your OPNsense.

Is this still required for my use case?
Founder & President of linehaul.ai - a logistics and technology services provider.

Only if you want automatic certificates.
Hardware:
DEC740

Quote from: Monviech (Cedrik) on September 16, 2025, 09:35:00 AM
Only if you want automatic certificates.

Thank you for the response. Can you elaborate on this more? What are the alternatives?

I am trying to set up a wildcard certificate so all addresses on the LAN have a secure connection.

I'm hesitant to set it up this way because I currently do not have any ports open (everything is configured via tunnels) and was hoping to keep it that way, if possible.

If you use wildcard certificates, you do not need internet access to your HTTP(S) services. AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.

I would always do it like that and also NOT use specific subdomain(s) besides the wildcard domain, which I explained here.
Intel N100, 4* I226-V, 2* 82559, 16 GByte, 500 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+

Quote from: meyergru on September 16, 2025, 11:36:09 PM
AFAIK, wildcard certificates work only via the ACME plugin, not via Caddy's own certificate mechanism.

So I should use the ACME plugin to get a wildcard cert, and then select that cert in the drop-down when configuring Caddy?