Access TLS Web Server from LAN

1. The problem I’m having:

I would like to be able to access my Caddy proxied web server from my internal network. Is there a document that describes how to do this?

2. Error messages and/or full log output:

N/A

3. Caddy version:

2.0.4_3

4. How I installed and ran Caddy:

As a plugin to OPNsense

a. System environment:

OPNsense 25.7.11

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

{
  "apps": {
    "dynamic_dns": {
      "dns_provider": {
        "api_token": "UsM2mO6O-7J3wyd04CmVKRSl-4WCrS5kuwgxRKhQ",
        "name": "cloudflare"
      },
      "domains": {
        "www.petrilloconsulting.net": [
          "@"
        ]
      },
      "versions": {
        "ipv4": true,
        "ipv6": false
      }
    },
    "http": {
      "grace_period": 10000000000,
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "protocols": [
            "h1",
            "h2"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "reverse_proxy",
                                  "upstreams": [
                                    {
                                      "dial": "192.168.1.70:80"
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "www.petrilloconsulting.net"
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "pki": {
      "certificate_authorities": {
        "local": {
          "install_trust": false
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "email": "spetrillo@petrilloconsulting.net",
                "module": "acme"
              },
              {
                "ca": "https://acme.zerossl.com/v2/DV90",
                "email": "spetrillo@petrilloconsulting.net",
                "module": "acme"
              }
            ],
            "subjects": [
              "www.petrilloconsulting.net"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "encoder": {
          "format": "json",
          "time_format": "rfc3339"
        },
        "writer": {
          "address": "unixgram//var/run/caddy/log.sock",
          "output": "net"
        }
      }
    }
  }
}

5. Links to relevant resources:

1 Like

Umm, just do it? What problem are you having?

I did and it did not bring me to the website. It just hung.

I am using the URL of the public web server, from an internal LAN IP. I thought Caddy would just proxy.

Well, we can’t help fix it if you don’t share your config and logs.

Added the config…

Hi Steven,

Since you are running Caddy on OPNsense and trying to access the public domain from inside your LAN, this is likely a networking issue known as NAT Hairpinning (NAT Loopback) or a DNS resolution issue.

When you access www.petrilloconsulting.net from your LAN, your computer resolves it to your Public WAN IP. Without NAT Reflection enabled, the firewall might drop traffic originating from the LAN destined for its own WAN address, causing the connection to hang.

The Solution (Split DNS / Host Override):

The best practice when using OPNsense is to configure a Host Override in your local DNS resolver (Unbound). This tells your internal devices to go directly to the OPNsense LAN IP instead of going out to the internet and back in.

Go to your OPNsense GUI.

Navigate to Services > Unbound DNS > Overrides.

Add a new Host Override:

Host: www

Domain: petrilloconsulting.net

IP: [Your OPNsense LAN IP] (e.g., 192.168.1.1)

Click Save and Apply.

Now, when you access that URL from inside your network, it will resolve directly to the internal IP where Caddy is listening (:443), bypassing NAT entirely.

Alternatively, you can enable NAT Reflection in: Firewall > Settings > Advanced, but Split DNS is generally cleaner and faster for local traffic.

4 Likes

Thank you for this. It worked perfectly. I had just gotten to NAT hairpins and figured I was close!