Reverse Proxy using Caddy (with optional automatic TLS)

[ByteNick]

Useful reference. Did you ever get Plex-pass working with Caddy?

Yes, but only as a subdomain, i.e. plex.mydomain.com. The relevant Caddyfile sequence would be:

plex.mydomain.com { gzip tls { dns cloudflare # I use cloudflare } timeouts none # Separate log file for Plex server log /config/logs/plex_access.log { rotate_size 1 # Rotate after 1 MB rotate_age 7 # Keep log files for 7 days rotate_keep 2 # Keep at most 2 log files } errors /config/logs/plex_error.log { rotate_size 1 # Set max size 1 MB rotate_age 7 # Keep log files for 7 days rotate_keep 2 # Keep at most 2 log files } proxy / 192.168.1.10:32400 { # internal jail IP transparent } }

I am not sure the formatting will paste well, but I trust you'll understand the syntax.

 

[danb35]

I am not sure the formatting will paste well,

You'd want to use code tags for that, not inline code. Inline code tags work best for things that are less than one line.

 

[Basil Hendroff]

Yes, but only as a subdomain, i.e. plex.mydomain.com. The relevant Caddyfile sequence would be:

Code:

plex.mydomain.com {
  gzip
  tls {
    dns cloudflare   # I use cloudflare
  }
  timeouts none

  # Separate log file for Plex server

  log /config/logs/plex_access.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  errors /config/logs/plex_error.log {
    rotate_size 1          # Set max size 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }

  proxy / 192.168.1.10:32400 {    # internal jail IP
    transparent
  }
}

Nice! I understand what you're doing with logs now.

 

[ByteNick]

You'd want to use code tags for that, not inline code. Inline code tags work best for things that are less than one line.

Thanks for the tip. I will do it next time.

 

[ByteNick]

@danb35: I think a resource containing your both reverse proxy using caddy and nextcloud guides (and possibly others) should be compiled in one guide or the nexcloud one better described with regards to nextcloud+caddy as reverse proxy configuration, as many people seem to be willing to use caddy as reverse proxy due to its TLS capabilities.

Here, the users should describe how they configure the caddyfile for various apps as some are not easy to configure and caddy does not offer enough documentation or examples. Moreover, if going the Organizr route (like I did), a single sign on in Organizr should help logging in all apps. I saw some attempts in various places, but none complete. I am still struggling with it.

 

[Basil Hendroff]

I'm trying to set up Caddy to act as a proxy for Tautulli, but I'm running into an issue.

This is what the relevant section of my Caddyfile looks like.

Code:

www.mydomain.com.au mydomain.com.au {
  tls {
        dns cloudflare
  }
  gzip
  root /usr/local/www/html/
  proxy /tautulli http://10.1.1.26:8181/ {
        transparent
        header_upstream X-Forwarded-For {remote}
  }
}

I can access Tautulli at http://10.1.1.26:8181.

When I restart the Caddy jail and check the log file, there's nothing obvious that I can see might be a problem.

Code:

root@caddy:~ # cat /var/log/caddy.log
2020/03/17 12:58:48 [INFO] Caddy version: v1.0.4
2020/03/17 12:58:48 [INFO][cache:0xc0000b8910] Started certificate maintenance routine
Activating privacy features... done.

Serving HTTP on port 80
http://www.mydomain.com.au
http://mydomain.com.au
http://cloud.mydomain.com.au
http://plex.mydomain.com.au

2020/03/17 12:58:48 [INFO] Serving http://www.mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving http://mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving http://cloud.mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving http://plex.mydomain.com.au

Serving HTTPS on port 443
https://www.mydomain.com.au
https://mydomain.com.au
https://cloud.mydomain.com.au
https://plex.mydomain.com.au

2020/03/17 12:58:48 [INFO] Serving https://www.mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving https://mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving https://cloud.mydomain.com.au
2020/03/17 12:58:48 [INFO] Serving https://plex.mydomain.com.au

However, if I attempt to access Tautulli at mydomain.com.au/tautulli, I get a 404 Not Found error and the message The path '/tautulli' was not found.

I'm missing something and would appreciate another set of eyes on this, please.

 

[blueether]

This is what the relevant section of my Caddyfile looks like.

Code:

www.mydomain.com.au mydomain.com.au {
  tls {
        dns cloudflare
  }
  gzip
  root /usr/local/www/html/
  proxy /tautulli http://10.1.1.26:8181/ {
        transparent
        header_upstream X-Forwarded-For {remote}
  }
}

Why do you have a root and proxy set?

 

[Basil Hendroff]

Why do you have a root and proxy set?

I've tried to mimic the example in the Discussion for the Caddy resource. My understanding, correct me if I'm wrong, is that the root provides the landing page for (www.)mydomain.com.au, while the proxy enables secure access to Tautulli using mydomain.com.au/tautulli rather than with IP:8181.

 

[blueether]

You may be correct looking at the other examples. (i'm no expert, I was just looking how I'd set mine up)

Do you need the landing page at the moment? could you strip it out to test that the proxy is working by it's self?

 

[Basil Hendroff]

could you strip it out to test that the proxy is working by it's self?

I commented it out and restarted the Caddy jail. No change, except that accessing mydomain.com.au now gives me a 404 error as well. I guess this is to be expected as there isn't a landing page.

 

[danb35]

I'm thinking the 404 means you need to set the HTTP Root setting in Tautulli to /tautulli. For reference, here's the Caddyfile block I have for that app:

Code:

proxy /tautulli http://192.168.1.23:8181 {
        transparent
        header_upstream X-Forwarded-For {remote}
}

 

[Basil Hendroff]

I'm thinking the 404 means you need to set the HTTP Root setting in Tautulli to /tautulli. For reference, here's the Caddyfile block I have for that app:

That's basically what I have in my Caddyfile. Anyway, just to confirm, I replaced the code block I have for Tautulli with the one that you have supplied and just changed the IP address to suit proxy /tautulli http://10.1.1.26:8181 {. I get the same error when I try to access mydomain.com.au/tautulli.

Curiously, if I change the first line of the code block to proxy /abc http://10.1.1.26:8181 {, and then try to access mydomain.com.au/tautulli, I get the same error, but it's presented differently.

 

[danb35]

I'm thinking the 404 means you need to set the HTTP Root setting in Tautulli to /tautulli.

 

[Basil Hendroff]

I'm thinking the 404 means you need to set the HTTP Root setting in Tautulli to /tautulli.

The penny's dropped.

 

[azzkickr]

Guys?
I am under the impression my previous reply got lost somewhere...
Umm... What permissions do I need to see this resource?
Is it some kind of Jedi-business only for the chosen ones?

 

[danb35]

I am under the impression my previous reply got lost somewhere...

You only have one post, so there is no "previous reply."

What permissions do I need to see this resource?

Shouldn't need any special permissions, just click the "Overview" link at the top of the page:

 

[azzkickr]

You only have one post, so there is no "previous reply."

Shouldn't need any special permissions, just click the "Overview" link at the top of the page:
View attachment 36688

Ha, thanks. I was clicking the "Resource" link in the OP.

 

[Basil Hendroff]

The more I become familiar with this Caddy resource, the more I find uses for it. I thought I'd give back a little. This tip is for Fritz!Box users. I know there are quite a few of you on this forum, and a number of you using this Caddy resource.

The Fritz!Box does use a letsencrypt certificate to allow it to be accessed securely from the internet (see bottom half of the screenshot below). However, the FritzBox has a unique and unmemorable internet address and port (see top half of the screenshot). Furthermore, communication with the Fritz!Box on the local network is still unsecured.

Using this Caddy resource, I'm able to address both these issues i.e. provide secure communications to the FritzBox both inside and outside the local network, and, use a memorable address to access it. It's surprisingly straightforward to do, requiring just three steps.

Step 1: Add a Caddy code block

Code:

gatekeeper.mydomain.com.au {
  tls {
        dns cloudflare
  }
  gzip
  proxy / http://10.1.1.1/ {
        transparent
  }
}

Step 2: Add an exception for DNS rebind protection

In the Fritz!Box, add the address used in the Caddy code block as an exception for DNS rebind protection. If you stop at step 2, you will have secure communication with the Fritz!Box on the private network.

Step 3: Add a CNAME record for the subdomain

To access the Fritz!Box externally using this new address, at your DNS provider, add a CNAME record for the subdomain e.g. with Cloudflare

 

[rio236]

Hello.
I'm trying to install Caddy jail - TLS with DNS validation.
Here's what I did but Caddy does not start!

# iocage create --name="caddy" -r 11.3-RELEASE ip4_addr="vnet0|192.168.1.90/24" defaultrouter="192.168.1.1" boot="on" host_hostname="caddy" vnet="on"
# iocage console caddy
# pkg install curl bash nano caddy
# mkdir -p /usr/local/www
# mkdir -p /usr/local/www/html
# nano /usr/local/www/Caddyfile

Code:

your_domain_name {
tls {
        dns cloudflare
}
gzip
root /usr/local/www/html/
proxy /tautulli http://192.168.1.41:8181 {
        transparent
        header_upstream X-Forwarded-For {remote}
}
...
}

# nano /usr/local/www/html/index.html

Code:

<!DOCTYPE html>
<html lang="en">
<head>

  <!-- Basic Page Needs -->
  <meta charset="utf-8">
  <title>MyDomain LAN Services</title>
  <meta name="description" content="Landing page for apps.mydomain.com, explaining and giving links to available services">
  <meta name="author" content="danb35">

  <!-- Mobile Specific Metas -->
  <meta name="viewport" content="width=device-width, initial-scale=1">

  <!-- FONT -->
  <link href="//fonts.googleapis.com/css?family=Raleway:400,300,600" rel="stylesheet" type="text/css">

  <!-- CSS -->
  <link rel="stylesheet" href="css/normalize.css">
  <link rel="stylesheet" href="css/skeleton.css">

  <!-- Favicon -->
  <link rel="icon" type="image/png" href="images/favicon.png">

</head>
<body>

  <!-- Primary Page Layout -->
  <div class="container">
    <div class="row">
      <h2><strong>MyDomain LAN Services</strong></h2>
      <p>This server provides TLS termination and proxies for a variety of services provided in other FreeNAS jails and elsewhere on the LAN, as described and linked below.</p>
    </div>

  <div class="row">
    <div class="two columns"></div>
    <div class="ten columns">
      <h4>Installed web applications</h4>
      <ul>
        <li><a href="/radarr/" target="_blank">Radarr</a>:  Radarr is an automated movie indexing and downloading system.</li>
        <li><a href="/sonarr/" target="_blank">Sonarr</a>:  Sonarr functions as a DVR, indexing and downloading episodes of specified TV shows.</li>
        <li><a href="/tautulli/" target="_blank">Tautulli</a>:  Tautulli (formerly PlexPy) monitors the status of the Plex Media Server.</li>
        <li><a href="/transmission/" target="_blank">Transmission</a>:  Transmission is a Bittorrent client.</li>
        <li><a href="https://urb.mydomain.com/" target="_blank">Urbackup</a>:  Urbackup is a backup server for computers on the LAN.</li>
      </ul>
    </div>
    </div>
  </div>
<!-- End Document -->
</body>
</html>

# pkg lock caddy
# curl https://getcaddy.com | bash -s personal tls.dns.cloudflare
# sysrc caddy_env="CLOUDFLARE_EMAIL=(cloudflare_account_email) CLOUDFLARE_API_KEY=(global_api_key)"
# sysrc caddy_cert_email="me@domain.com
# sysrc caddy_enable="YES"
# service caddy start
# service caddy status

and Caddy does not start.
Please help.

 

[danb35]

and Caddy does not start.

What's showing in /var/log/caddy.log?