Are you sure? I managed to connect (see above), it just produced an SSL error because you don’t have a valid certificate yet:
Does http://naff.casa work, though? I can’t connect at all on port 80 to any of your subdomains at that IP address, for example.
There’s a point of order here that should be established regarding terminology.
Forwarding here effectively means accepting packets and sending them onwards to their next destination. Saying that Caddy and/or Traefik forward HTTP to HTTPS isn’t accurate, because it would imply that they… accept insecure HTTP connections and simply do HTTPS… to themselves? There is no benefit. The point of HTTPS is to secure the connection between the client and the server, not to accept insecure access from the client.
What both applications do under default configuration is accept HTTP requests and respond with a HTTP->S redirect, instructing the client, essentially, “leave and come back at the HTTPS port and we’ll talk”.
That said, no server exists on planet Earth which can do either of these things if port 80 is not open.
I can see that you’ve designated port 80 in your Docker Compose file as well, so there shouldn’t be any changes necessary there.
Next thing to check is your network edge; do you have a router with port forwarding of some kind?
Ok i’m not really sure what I’m doing with this command.
I copy and pasted yours and tried instering localhost instead of Host and the internal IP address of my linuxbox instead of Host and both gave me the ‘no url specified error’
This is the same as curl localhost (which just makes a command line HTTP request to localhost, shorthand for “this computer”); the goal is to confirm that the linux box itself is accepting port 80 requests and sending it to Caddy correctly.
The -H "Host:naff.casa flag just includes a header to tell Caddy - should we actually reach it - which website we’re asking for, since Caddy’s not configured to serve a website called localhost.
If this works, we know port 80 is fine locally and we can start expanding out from there to find out where packets are getting blocked. If it times out, we start maybe wondering if Docker has a problem.
Well, we can update our list of problems a little bit, at least.
Caddy is responding on port 80 to requests over LAN (although something else appears to be responding to localhost requests??) - might not be a problem
Somewhere between the internet and the LAN, packets for port 80 are still being dropped
OPNsense has some pretty good diagnostic tools, though.
Before we proceed in that direction, first, lets get one more curl, from Proxmox:
That’s… ostensibly a good result! From this we can infer that OPNsense is working as expected (and that it is hairpinning NAT, too).
The reason I say ostensibly is that now we have to blame something beyond OPNsense for the lack of external port 80 access - which means the issue may be beyond your ability to easily rectify yourself.
The first culprit I usually find in these situations is the ISP. Are you on a residential service? Could your ISP be blocking port 80?
Indeed, there’s absolutely no reason having port 80 blocked would prevent you from hosting services for the last year!
Caddy can also solve TLS-ALPN challenges that require only HTTPS on port 443 (i.e. 80 can be ignored/disabled).
The problem is, this requires a direct connection to Caddy itself as the challenge is “solved” during the TLS handshake. Putting something like Cloudflare in the way means that LetsEncrypt isn’t talking to Caddy, it’s talking to Cloudflare (which is then talking to Caddy), breaking TLS-ALPN challenges and leaving you with only HTTP challenges as a viable option to requisition certificates.
Your other subdomains (except for jellyfin?) are not proxied by Cloudflare (see the * record is DNS only) and so the HTTP challenge works for these.
So with Cloudflare in the way blocking TLS-ALPN, and your ISP in the way blocking HTTP, you’ve got no validation methods left by default.
I’ll note that some browsers like Firefox automatically try HTTPS if they can, so having a service unavailable on port 80 might have been a completely transparent/non-issue for you.
Your options are:
Enable DNS validation by installing the Cloudflare DNS provider module, or;
Fix TLS-ALPN validation by removing the Cloudflare proxy (grey-cloud all services), or;
Fix HTTP validation by calling your ISP and getting port 80 unblocked, or;