Caddy in docker as reverse proxy for HTTPS connection to home server

1. Caddy version (caddy version):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

a. System environment:

Running on a Raspberry Pi 4 (4 GB) using Portainer with Docker Compose on top of OpenMediaVault 5. I am running AdGuard and dnsmasq to resolve my subdomains.

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

c. Service/unit/compose file:

version: "2"
services:

  caddy:
    image: caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - MY_DOMAIN
    volumes:
      - /srv/dev-disk-by-label-data/data/appdata/Config/Caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - /srv/dev-disk-by-label-data/data/appdata/Config/Caddy/data:/data
      - /srv/dev-disk-by-label-data/data/appdata/Config/Caddy/config:/config

networks:
  default:
    external:
      name: bridge

MY_DOMAIN = lxiscs.duckdns.org

d. My complete Caddyfile or JSON config:

Caddyfile

lxiscs.duckdns.org {
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

tiddlywiki.{$MY_DOMAIN} {
    reverse_proxy 192.168.0.29:8081
}

grocy.{$MY_DOMAIN} {
    reverse_proxy https://192.168.0.29:32771 {
        transport http {
            # the backend serves HTTPS with a certificate Caddy cannot verify,
            # so certificate verification is skipped for this upstream
            tls_insecure_skip_verify
        }
    }
}

3. The problem I’m having:

I am just getting into self hosting applications and needed a way to use HTTPS with grocy (in order to access it from the Android app), and since I would like to be able to access services (home assistant, grocy) eventually from outside my network, I started with Caddy. My current setup seems to be working ok. I am mostly concerned whether I am opening up any security risks with the tls_insecure_skip_verify between Caddy and the end applications when they are both running inside my network. Is there anything else I should keep in mind as I add more servers/services?

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

If someone gains access to your network (access to your wifi or whatever), they could intercept traffic between Caddy and your other service and mess with it. But otherwise, not really. It’s fine.

But, you could ensure that Caddy trusts whatever certificate your other service is using. That would mitigate that problem.

Or, you could run all the services and Caddy on the same machine or docker stack, or in a private network that only Caddy also has access to.

But anyways, the risk is pretty low in this specific case (as long as you trust whoever has access to your network).
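The first suggestion in the reply above (make Caddy trust the backend's certificate instead of skipping verification) looks like this as a Caddyfile. This is an added example, not configuration from the original post or from the Caddy project. It assumes the grocy container's certificate was issued by a private CA whose certificate is mounted into the Caddy container at /data/ca/internal-ca.pem (hypothetical path, reachable through the /data volume already in the compose file) and that the certificate was issued for the name grocy.internal (hypothetical); both values would be replaced with the real ones.

```caddyfile
# Hardened form of the grocy site block: verify the backend certificate
# against a private CA rather than disabling verification.
grocy.{$MY_DOMAIN} {
    reverse_proxy https://192.168.0.29:32771 {
        transport http {
            # Trust only the private CA that issued the backend certificate
            # (hypothetical path; the file must be readable inside the container).
            tls_trusted_ca_certs /data/ca/internal-ca.pem
            # The upstream is dialed by IP, so tell Caddy which name to verify
            # the certificate against (hypothetical name from the cert's SAN).
            tls_server_name grocy.internal
        }
    }
}

# Second suggestion from the reply: when Caddy and grocy share a private
# Docker network that nothing else can reach, the backend can be proxied by
# container name over plain HTTP and the backend TLS question goes away.
# Commented out here because a site address may only be defined once;
# it assumes a service named "grocy" listening on port 80 (hypothetical).
# grocy.{$MY_DOMAIN} {
#     reverse_proxy grocy:80
# }
```

With the first form, a connection to an upstream presenting any other certificate (for example one injected by someone on the LAN) fails instead of being silently proxied, which is exactly the interception risk the reply describes. The second form removes the need to issue and rotate a certificate per service, which is the reason the poster found it the lower-hassle option as more services are added.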

Thanks for your reply. I will look into the certificate and networking solution you suggested as I get into this deeper. Seems like the networking way may reduce hassle later on as I add services since I won’t need to set up their certs each time.
