
Reverse Proxy using Caddy (with optional automatic TLS)

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
Thanks for your help. I re-added the hostname in my router and restarted and it now works. So far I've only got transmission to work. I'll try the rest tomorrow.
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
So I've managed to get tautulli and sonarr working too. Radarr returns a Bad Request error which I've read can be due to the user it is run under. Also, when I try to add a subdomain to the caddyfile, they all stop working. Can you advise on the code needed when adding a new subdomain? For example
Code:
example.com {
tls {
        dns cloudflare
}
gzip
root /usr/local/www/html/
proxy /transmission http://local IP:9091 {
        transparent

}
unifi.example.com {
gzip
proxy / local IP:8443 {
        header_upstream -Authorization
        insecure_skip_verify
        websocket
        transparent
}
 

andrewzah

Cadet
Joined
Aug 11, 2019
Messages
9
This is why the "simple" syntax caddy shows by default is bad. I don't understand why Caddy accepts this sort of syntax or shows examples for it.

You are indeed missing two ending braces, so the file should look like the following:

Code:
example.com {
  tls {
    dns cloudflare
  }

  gzip
  root /usr/local/www/html/
  proxy /transmission http://local IP:9091 {
    transparent
  }
}

unifi.example.com {
  gzip

  proxy / localIP:8443 {
    header_upstream -Authorization
    insecure_skip_verify
    websocket
    transparent
  }
}


Much easier to read with indentation.
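A small checker for exactly this class of mistake, added here as an example (it is not code from the thread or from the Caddy project). It walks a Caddyfile, ignores "#" comments and double-quoted strings, and reports the line of every "{" that is never closed and every "}" that has no opener, so a file like the one in the question is caught before "service caddy start" fails. The embedded sample Caddyfile is constructed; the 192.0.2.x addresses are placeholders.

```python
"""Report unbalanced braces in a Caddy (v1) Caddyfile.

Added example, not from the thread or the Caddy project.
"""

def find_unbalanced_braces(text):
    """Return (lines of '{' never closed, lines of '}' with no matching '{')."""
    open_lines = []     # line numbers of '{' still waiting for a '}'
    stray_close = []    # line numbers of '}' that close nothing
    for lineno, line in enumerate(text.splitlines(), start=1):
        in_quote = False
        for ch in line:
            if in_quote:
                in_quote = ch != '"'
                continue
            if ch == '"':
                in_quote = True
            elif ch == '#':
                break                    # rest of the line is a comment
            elif ch == '{':
                open_lines.append(lineno)
            elif ch == '}':
                if open_lines:
                    open_lines.pop()
                else:
                    stray_close.append(lineno)
    return open_lines, stray_close

def report(text):
    """Human-readable list of problems, empty when the braces balance."""
    unclosed, stray = find_unbalanced_braces(text)
    lines = ["line %d: '{' is never closed" % n for n in unclosed]
    lines += ["line %d: '}' has no matching '{'" % n for n in stray]
    return lines

# Constructed sample with the same shape as the Caddyfile in the question:
# the site blocks on lines 1 and 11 are never closed.
BROKEN = """example.com {
tls {
        dns cloudflare
}
gzip
root /usr/local/www/html/
proxy /transmission http://192.0.2.10:9091 {
        transparent

}
unifi.example.com {
gzip
proxy / 192.0.2.10:8443 {
        header_upstream -Authorization
        insecure_skip_verify
        websocket
        transparent
}
"""

if __name__ == "__main__":
    import sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else BROKEN
    problems = report(src)
    print("\n".join(problems) if problems else "braces balance")
```

Run it as `python3 check_braces.py /usr/local/www/Caddyfile` (path is whatever your jail uses); with no argument it checks the built-in sample and reports lines 1 and 11.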
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22
Thank you @danb35 and @andrewzah

Unifi controller and Unifi Video both work as above. They don't work as domain.com/app
 

andrewzah

Cadet
Joined
Aug 11, 2019
Messages
9
Thank you @danb35 and @andrewzah

Unifi controller and Unifi Video both work as above. They don't work as domain.com/app
Is that an issue with unifi controller/video, or caddy?

Something like this ought to work:
Code:
example.com {
  tls {
    dns cloudflare
  }
  gzip
  root /usr/local/www/html/

  proxy /transmission http://localhost:9091/ {
    transparent
  }

  proxy /unifi http://localhost:8443/ {
    header_upstream -Authorization
    insecure_skip_verify
    websocket
    transparent
  }
}

with localhost being replaced if the services are on a different ip.
 

Dave-g08

Dabbler
Joined
Sep 29, 2014
Messages
22

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
How does this proxy handle wss/ws (web socket connections)? I'm trying to use Nextcloud with the Collabora plugin; however, Collabora makes use of web sockets.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504

KevDog

Patron
Joined
Nov 26, 2016
Messages
462
@danb35

This probably is kind of out of the scope of this forum, however with the websocket thing -- if I had this proxy sitting in front of another Apache reverse proxy which then forwarded to the websocket host -- I'm not sure how I would configure things. Clearly the reverse proxy is looking for the connection/upgrade headers contained within the request and then upgrading the connection to ws/wss and then passing the request to the ws/wss server. This is very similar to how Apache's proxy_wstunnel works. In this circumstance however, I really don't want the request to be processed but just passed to the next reverse proxy in the chain. Just proxying the request to the next reverse proxy as http/https however doesn't work since I think for whatever reason the document headers are re-written. This is all a guess on my part since I don't have any great tool or method to examine the headers -- pre and post proxy traversal.
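An added example (not code from the thread, Caddy, or Apache) that shows what a proxy chain has to leave intact for a WebSocket upgrade to succeed, and gives a way to see which headers actually reach the backend. RFC 6455 requires "Upgrade: websocket", a "Connection" header containing the "upgrade" token, "Sec-WebSocket-Key" and "Sec-WebSocket-Version: 13"; the two named headers are hop-by-hop, which is why a proxy that forwards the request as plain HTTP drops them and the backend never sees an upgrade. The header sets below are constructed, and the accept value is checked against the RFC's own example key.

```python
"""WebSocket upgrade checks plus a header-echo backend for diagnosis.

Added example, not from the thread or any of the proxies it mentions.
"""
import base64
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"   # fixed by RFC 6455

# Header -> predicate that its value must satisfy for a valid upgrade.
REQUIRED = {
    "upgrade": lambda v: v.lower() == "websocket",
    "connection": lambda v: "upgrade" in [t.strip().lower() for t in v.split(",")],
    "sec-websocket-key": lambda v: bool(v),
    "sec-websocket-version": lambda v: v == "13",
}

def missing_upgrade_headers(headers):
    """Sorted names of required headers that are absent or rewritten."""
    h = {k.lower(): v for k, v in headers.items()}
    return sorted(name for name, ok in REQUIRED.items() if not ok(h.get(name, "")))

def is_websocket_upgrade(headers):
    """True when the request is a complete RFC 6455 upgrade request."""
    return not missing_upgrade_headers(headers)

def websocket_accept(key):
    """Sec-WebSocket-Accept the server must answer with for a given key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

class EchoHeaders(BaseHTTPRequestHandler):
    """Backend that returns every header it received and an upgrade verdict.
    Put it behind the proxy chain and compare with what the client sent."""
    def do_GET(self):
        gap = missing_upgrade_headers(self.headers)
        verdict = "upgrade ok" if not gap else "not an upgrade, missing: " + ", ".join(gap)
        body = "".join("%s: %s\n" % kv for kv in self.headers.items()) + "\n" + verdict + "\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body.encode())

def echo_server(port=9999):
    """Serve EchoHeaders on all interfaces; port is a constructed default."""
    HTTPServer(("", port), EchoHeaders).serve_forever()

# Constructed: what a browser sends when opening a socket to Collabora.
GOOD = {
    "Host": "cloud.example.net",
    "Connection": "keep-alive, Upgrade",
    "Upgrade": "websocket",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",   # example key from RFC 6455
    "Sec-WebSocket-Version": "13",
}
# Constructed: the same request after a hop that stripped hop-by-hop headers.
STRIPPED = {k: v for k, v in GOOD.items() if k not in ("Connection", "Upgrade")}

if __name__ == "__main__":
    print("good:", is_websocket_upgrade(GOOD))
    print("stripped, missing:", missing_upgrade_headers(STRIPPED))
    print("accept for sample key:", websocket_accept(GOOD["Sec-WebSocket-Key"]))
```

To see the "pre and post proxy traversal" difference, run `echo_server()` on the backend host, point a proxy location at it, and fetch that path once directly and once through the chain; the two header dumps show which hop removed or rewrote "Connection" and "Upgrade".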
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
Hey danb, I finally got around to setting this up. It works much better than I thought with handling certs and stuff so that's pretty cool.
However I could not get nextcloud to work. I used your nextcloud guide to set it up manually (before you had the script) and was wondering if you knew how to get caddy to work with it. I have a separate dns that I use only for nextcloud so getting it to work with dns.com or dns.com/nextcloud doesn't matter, I just want it to work with caddy so that my other apps can renew their certs without me manually port forwarding every 3 months to renew them.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
I used your nextcloud guide to set it up manually (before you had the script)
The script (which has been using Caddy as the webserver for a while now) is the only guide I've done, so it would have been another user's guide. But that shouldn't make a difference. I haven't run Nextcloud behind a reverse proxy before, but this may give you some ideas of things to put in your Caddyfile:
https://github.com/caddyserver/exam...ud/caddy-reverseproxy-nginx-backend-nextcloud
 

gt2416

Patron
Joined
Feb 4, 2018
Messages
262
I realized I did use someone else's guide not yours sorry.
Edit : Fixed
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Looks like iX have broken something else on the forums. There's another copy here: https://forum.freenas-community.org/t/reverse-proxy-using-caddy-with-optional-automatic-tls/27

Edit: Or just click "Overview" toward the top of the page:
 

ecomstock

Cadet
Joined
Nov 25, 2018
Messages
7
I've followed the guide here:
https://www.ixsystems.com/community...-using-caddy-with-optional-automatic-tls.114/

and additionally installed a version of caddy with a Namecheap TLS DNS plugin by running:
curl https://getcaddy.com | bash -s personal tls.dns.namecheap

Everything is working fine when running unsecured. However, when I attempt to secure my sites using TLS by adding the following lines to a site in my Caddyfile:

Code:
tls {
    dns namecheap
}


I can then run service caddy start, but the service stops immediately with the following message in the caddy.log file:

Error during parsing: Setting up DNS provider 'namecheap': namecheap: some credentials information are missing: NAMECHEAP_API_USER,NAMECHEAP_API_KEY

I've added the NAMECHEAP_API_USER and NAMECHEAP_API_KEY to the login.config file for the jail, and if I run the "env" command as root I see the proper environment variables and values:
Code:
TERM=xterm-256color
NAMECHEAP_API_KEY=**************************
NAMECHEAP_API_USER=*******************
BLOCKSIZE=K


It seems like when running the "service caddy start" command that caddy is being run as a user other than root.

Can anyone offer any advice as to what may be happening? Is there another place that I can configure the environment variables needed by the TLS DNS Plugin?

Thanks!
Everett
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Is there another place that I can configure the environment variables needed by the TLS DNS Plugin?
Yes, in the rc.conf file. I cover this in the resource, though the example is for Cloudflare:
Finally, set the API credentials for your DNS provider: sysrc caddy_env="CLOUDFLARE_EMAIL=(cloudflare_account_email) CLOUDFLARE_API_KEY=(global_api_key)".
For your credentials, it'd be sysrc caddy_env="NAMECHEAP_API_KEY=************************** NAMECHEAP_API_USER=*******************".
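An added check for the situation above (example code, not from the thread or the Caddy project). The rc script hands caddy_env from rc.conf to the caddy process, so a provider variable that is only set in login.conf or root's shell never reaches Caddy and the "some credentials information are missing" parse error results. The script parses the caddy_env line the way sysrc writes it, lists whatever the chosen provider's plugin still needs, and warns when rc.conf is readable by every user in the jail, since the API key sits in it in clear text. The rc.conf contents below are constructed, and the variable lists cover only the two providers named in this thread.

```python
"""Verify that rc.conf's caddy_env carries the DNS provider credentials.

Added example, not from the thread or the Caddy project.
"""
import os
import re
import stat

# Environment variables each Caddy v1 DNS plugin reads (providers from this thread).
PROVIDER_VARS = {
    "cloudflare": ["CLOUDFLARE_EMAIL", "CLOUDFLARE_API_KEY"],
    "namecheap": ["NAMECHEAP_API_USER", "NAMECHEAP_API_KEY"],
}

def parse_caddy_env(rc_text):
    """Return {VAR: value} from the caddy_env="A=1 B=2" line of an rc.conf."""
    env = {}
    for line in rc_text.splitlines():
        m = re.match(r'\s*caddy_env=(.*)$', line)
        if not m:
            continue
        value = m.group(1).strip()
        # sysrc wraps the value in double quotes; strip one matching pair.
        if value[:1] in ('"', "'") and value[-1:] == value[:1]:
            value = value[1:-1]
        for token in value.split():
            if "=" in token:
                name, _, val = token.partition("=")
                env[name] = val
    return env

def missing_provider_vars(rc_text, provider):
    """Variables PROVIDER_VARS[provider] needs that caddy_env leaves unset or empty."""
    env = parse_caddy_env(rc_text)
    return [v for v in PROVIDER_VARS[provider] if not env.get(v)]

def world_readable(path):
    """True if 'other' users may read the file (rc.conf is 0644 by default)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed rc.conf contents: a complete Namecheap entry, and one with the user missing.
RC_OK = 'caddy_enable="YES"\ncaddy_env="NAMECHEAP_API_KEY=EXAMPLEKEY NAMECHEAP_API_USER=exampleuser"\n'
RC_BAD = 'caddy_enable="YES"\ncaddy_env="NAMECHEAP_API_KEY=EXAMPLEKEY"\n'

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/rc.conf"
    provider = sys.argv[2] if len(sys.argv) > 2 else "namecheap"
    text = open(path).read()
    gap = missing_provider_vars(text, provider)
    print("missing from caddy_env: %s" % (", ".join(gap) or "nothing"))
    if world_readable(path):
        print("%s is readable by all users in the jail; consider chmod 600" % path)
```

Run it inside the jail as `python3 check_caddy_env.py /etc/rc.conf namecheap` after the sysrc command above; an empty "missing" list means the plugin will find its credentials when the rc script starts Caddy.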
 

ecomstock

Cadet
Joined
Nov 25, 2018
Messages
7
danb, thanks for the quick reply. Considering how many times I read the resource I'm not sure how I missed that, but I did. Caddy is now starting with TLS! Thanks again!
 

blueether

Patron
Joined
Aug 6, 2018
Messages
259
Hi @danb35
I have used your guide as a starting point for setting up caddy in a Debian LXC on Proxmox to handle a wordpress site (also a Proxmox LXC) and nextcloud under freenas (installed via your script)

HTTPS is working great for the wordpress site that I've set up for the wife, but for the nextcloud I'm getting 502 Bad Gateway. I'm assuming this is because there is caddy and https already setup on the nextcloud jail.

Before I break the nextcloud jail is there anything that you would suggest?
Code:
village*****.org.nz {
   gzip
   proxy / 10.1.1.56/ {
        transparent
   }
}

www.village*****.org.nz {
   gzip
   proxy / 10.1.1.56/ {
        transparent
   }
}

cloud.******.net:443 {
   gzip
   proxy / https://10.1.1.55/ {
        transparent
   }
}
 