Example: TP-Link Omada Controller

I spent some time today building a Caddyfile example for TP-Link Omada Controller software. Decided to share (and so fellow Googlers might save themselves some headaches going forward).

Caddyfile:

(snippet) {
        header {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Frame-Options "DENY"
                -server
        }
        tls me@email.com {
                dns cloudflare {env.CLOUDFLARE_API_TOKEN}
        }
        log {
                output file /data/logs/caddy.log {
                        roll_size 20MiB
                        roll_keep 5
                }
        }
}

omada.url.com {
        reverse_proxy https://1.2.3.4:8043 {
                transport http {
                        # Placeholder path: point this at a PEM file holding the controller's own certificate
                        tls_trusted_ca_certs /path/to/omada-cert.pem
                }
                header_up Host "omada.url.com:443"
        }
        import snippet
}

Few things to note:

  1. I forward 8043 > 443 in my docker config. I used to do 8043>8043 but my setup changed in a way that wouldn’t allow for that.
  2. Set 1.2.3.4 to your Omada controller. Also check your controller’s HTTPS port - the default for docker is 8043, which is what I’m using, personally. To confirm - you should be able to navigate to https://1.2.3.4:8043 (replacing with your values) and the controller should work great. If it doesn’t, this won’t work either.
  3. My snippet has some me-specific things that might not apply to you (Cloudflare DNS challenge, for example).
  4. Set your Omada Controller Hostname/IP in the controller to be omada.url.com:443
  5. You MUST use the header_up host header modification. It modifies the host header sent to the Omada controller to append the :8043 port. If this port isn’t in the host header, the Omada 302s the request to ensure HTTPS is being used (what a silly design, but whatever).
  6. An FYI - tls_insecure_skip_verify is inherently insecure. But since I trust the source, I’m not personally concerned. Ideally you would instead specify tls_trusted_ca_certs to trust the known certificate from the upstream. And the most ideal situation would be to add a valid cert to your Omada controller.

With this in place, my TP-Link Omada Controller loads up great via Caddy!

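The snippet above writes a JSON access log to /data/logs/caddy.log, and note 5 describes the symptom of a wrong Host header: the controller answers with a 302 back to its own port. The following script, added here as an example and not part of the original post or of Caddy, reads such a log and flags exactly that pattern, so the misconfiguration shows up in the log instead of as a mysterious redirect loop in the browser. It assumes Caddy's default JSON access-log field names (`logger`, `request.host`, `status`, `resp_headers`) and the 8043 controller port from the post; the sample log lines are constructed for the example.

```python
"""Spot the Omada "302 to :8043" symptom in Caddy's JSON access log (added example)."""
import json
from collections import Counter

# Port the Omada controller insists on seeing in the Host header (note 5 above).
# 8043 is the Docker default the post uses; adjust if your controller differs.
CONTROLLER_PORT = "8043"


def parse_access_log(lines):
    """Yield decoded Caddy access-log entries, skipping blank, non-JSON and non-access lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if entry.get("logger") != "http.log.access":
            continue
        yield entry


def find_controller_redirects(lines, controller_port=CONTROLLER_PORT):
    """Return entries where the upstream answered 302 with a Location pointing
    at the controller port: the signature of a missing or port-less header_up Host."""
    hits = []
    for entry in parse_access_log(lines):
        if entry.get("status") != 302:
            continue
        locations = entry.get("resp_headers", {}).get("Location", [])
        if any(f":{controller_port}" in loc for loc in locations):
            hits.append(entry)
    return hits


def status_summary(lines):
    """Count responses per (host, status) to see whether the proxied site
    is serving 200s or looping on 302s."""
    counts = Counter()
    for entry in parse_access_log(lines):
        host = entry.get("request", {}).get("host", "?")
        counts[(host, entry.get("status"))] += 1
    return counts


# Constructed sample lines in the shape of Caddy's JSON access log (not real traffic).
SAMPLE_LOG = [
    '{"level":"info","ts":1700000000.1,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"203.0.113.7","host":"omada.url.com","method":"GET","uri":"/"},'
    '"status":302,"resp_headers":{"Location":["https://omada.url.com:8043/"]}}',
    '{"level":"info","ts":1700000001.2,"logger":"http.log.access","msg":"handled request",'
    '"request":{"remote_ip":"203.0.113.7","host":"omada.url.com","method":"GET","uri":"/login"},'
    '"status":200,"resp_headers":{"Content-Type":["text/html"]}}',
    '{"level":"info","ts":1700000002.3,"logger":"tls","msg":"certificate obtained successfully"}',
    "not json at all",
]

if __name__ == "__main__":
    for (host, status), n in sorted(status_summary(SAMPLE_LOG).items()):
        print(f"{host} {status}: {n}")
    for hit in find_controller_redirects(SAMPLE_LOG):
        req = hit["request"]
        print("controller redirect:", req["method"], req["uri"], "->",
              hit["resp_headers"]["Location"][0])
```

Run it against the real file with `python3 check_omada_log.py` after swapping `SAMPLE_LOG` for `open("/data/logs/caddy.log")`; a steady stream of hits from `find_controller_redirects` means the `header_up Host` line is missing or carries the wrong port.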

What version of the Omada Controller are you running?

I’m not having any luck with the posted config, have you made any updates?

Hey @warllo, I’d suggest you might want to start a Help post and fill out some details. Link to this wiki page when you post it, but still fill out all the relevant information; we’d be much better equipped to sort out whatever issue you’re running into this way.


Eventually got it working for me, had to use tls_insecure_skip_verify to get it to work.
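Note 6 of the first post and this last reply both land on `tls_insecure_skip_verify`, which turns off verification of the controller entirely. The script below is an added example (not from the original thread, not Caddy's code) of the middle option the post recommends: capture the controller's own certificate once, print its SHA-256 fingerprint so you can compare it against what the controller's web UI or `openssl x509 -fingerprint -sha256` shows, and save it as PEM for `tls_trusted_ca_certs`. It uses only the standard library; the controller address and the output path are assumptions you pass on the command line, and `EXAMPLE_PEM` is a constructed placeholder body, not a real certificate.

```python
"""Pin the Omada controller's certificate for Caddy's tls_trusted_ca_certs (added example)."""
import base64
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem):
    """Decode a single PEM certificate block to its DER bytes."""
    body = pem.strip()
    if not (body.startswith(PEM_HEADER) and body.endswith(PEM_FOOTER)):
        raise ValueError("not a single PEM certificate block")
    b64 = body[len(PEM_HEADER):-len(PEM_FOOTER)]
    return base64.b64decode("".join(b64.split()))


def pem_fingerprint(pem):
    """SHA-256 fingerprint of the certificate, colon-separated like openssl/browsers show it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_upstream_cert(host, port):
    """Pull the certificate the upstream presents. Verification is deliberately
    off for this one fetch: the cert is self-signed, so the trust decision is
    made by comparing the fingerprint out of band before pinning it in Caddy."""
    return ssl.get_server_certificate((host, int(port)))


def write_trusted_cert(pem, path):
    """Write the PEM so Caddy can load it with `tls_trusted_ca_certs <path>`."""
    with open(path, "w", encoding="ascii") as fh:
        fh.write(pem.strip() + "\n")
    return path


# Constructed placeholder: base64 of the bytes b"abc", NOT a real certificate.
EXAMPLE_PEM = f"{PEM_HEADER}\nYWJj\n{PEM_FOOTER}\n"

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: pin_omada_cert.py <controller-ip> <https-port> <output.pem>")
    host, port, out = sys.argv[1:]
    pem = fetch_upstream_cert(host, port)
    print("SHA-256:", pem_fingerprint(pem))
    print("wrote", write_trusted_cert(pem, out))
```

Typical use is `python3 pin_omada_cert.py 1.2.3.4 8043 /path/to/omada-cert.pem`, then `tls_trusted_ca_certs /path/to/omada-cert.pem` in the `transport http` block and a Caddy reload. Because a self-signed leaf is pinned rather than a CA, the file has to be refreshed whenever the controller regenerates its certificate, which is the price of not using `tls_insecure_skip_verify`.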