This is the same as curl localhost (which just makes a command line HTTP request to localhost, shorthand for “this computer”); the goal is to confirm that the linux box itself is accepting port 80 requests and sending it to Caddy correctly.
The -H "Host:naff.casa flag just includes a header to tell Caddy - should we actually reach it - which website we’re asking for, since Caddy’s not configured to serve a website called localhost.
If this works, we know port 80 is fine locally and we can start expanding out from there to find out where packets are getting blocked. If it times out, we start maybe wondering if Docker has a problem.
Well, we can update our list of problems a little bit, at least.
Caddy is responding on port 80 to requests over LAN (although something else appears to be responding to localhost requests??) - might not be a problem
Somewhere between the internet and the LAN, packets for port 80 are still being dropped
OPNsense has some pretty good diagnostic tools, though.
Before we proceed in that direction, first, lets get one more curl, from Proxmox:
That’s… ostensibly a good result! From this we can infer that OPNsense is working as expected (and that it is hairpinning NAT, too).
The reason I say ostensibly is that now we have to blame something beyond OPNsense for the lack of external port 80 access - which means the issue may be beyond your ability to easily rectify yourself.
The first culprit I usually find in these situations is the ISP. Are you on a residential service? Could your ISP be blocking port 80?
Indeed, there’s absolutely no reason having port 80 blocked would prevent you from hosting services for the last year!
Caddy can also solve TLS-ALPN challenges that require only HTTPS on port 443 (i.e. 80 can be ignored/disabled).
The problem is, this requires a direct connection to Caddy itself as the challenge is “solved” during the TLS handshake. Putting something like Cloudflare in the way means that LetsEncrypt isn’t talking to Caddy, it’s talking to Cloudflare (which is then talking to Caddy), breaking TLS-ALPN challenges and leaving you with only HTTP challenges as a viable option to requisition certificates.
Your other subdomains (except for jellyfin?) are not proxied by Cloudflare (see the * record is DNS only) and so the HTTP challenge works for these.
So with Cloudflare in the way blocking TLS-ALPN, and your ISP in the way blocking HTTP, you’ve got no validation methods left by default.
I’ll note that some browsers like Firefox automatically try HTTPS if they can, so having a service unavailable on port 80 might have been a completely transparent/non-issue for you.
Your options are:
Enable DNS validation by installing the Cloudflare DNS provider module, or;
Fix TLS-ALPN validation by removing the Cloudflare proxy (grey-cloud all services), or;
Fix HTTP validation by calling your ISP and getting port 80 unblocked, or;
Yes, you can set it back to the way it was before you incorporated my extra config.
Believe it or not, all of this is stuff you can pick up at the enthusiast level. We’ve just done some network troubleshooting, essentially, with the advantage of some in-depth knowledge of ACME and Caddy. I appreciate the compliment though!
If you want to sysadmin for a business, practice with things that businesses use.
Whether that’s bread and butter Windows Server VMs on ESXI or Hyper-V serving AD/Storage/RDS (maybe with hybrid cloud?), or whether that’s picking one of the big clouds (AWS/Azure/GCP) and mastering deployment of their technological stacks and securing and scaling them, or maybe going hard into container orchestration with K8s or something.
Whatever you do, practice business-class service levels, with business-class technologies.
“Serve www.naff.casa and redirect everything to https://www.naff.casa”, which is an infinite loop.
If you want to redirect www.naff.casa to naff.casa, you will have to use
www.naff.casa {
redir https://naff.casa
}
The uri option you mentioned, which would look like
www.naff.casa {
redir https://naff.casa{uri}
}
keeps the uri when redirecting:
For example, https://www.naff.casa/example would then redirect to https://naff.casa/example - keeping the /example part.
redir https://naff.casa on the other hand, would drop it.
So, https://www.naff.casa/example would always redirect to https://naff.casa/.