I am wanting to make accessing all my web portals easier by not having to remember every different port for every different service. For example instead of remembering unifi.dom.tld:8443 I’d like to just go to unifi.dom.tld. Is Caddy the right service for this job?
Also, I have my own external wildcard cert so most of my services are already secured with that. Will this help or hinder me?
Thanks in advance!
Yes Caddy can remove the port from the end of your url. My current caddy config:
www.mydomain.net, mydomain.net {
gzip
proxy /tautulli 192.168.1.60:8181 {
transparent
header_upstream X-Forwarded-Host {host}
}
proxy /sonarr 192.168.1.60:8989 {
transparent
}
proxy /radarr 192.168.1.60:7878 {
transparent
}
proxy /wac/ https://192.168.1.47:8443 {
without /wac/
transparent
insecure_skip_verify
}
proxy /portainer/ 192.168.1.60:9000 {
without /portainer
transparent
header_upstream -Connection
}
proxy /portainer/api/websocket/ 192.168.1.60:9000 {
without /portainer
transparent
websocket
}
}
plex.mydomain.net {
gzip
timeouts none
proxy / 192.168.1.55:32400 {
transparent
}
}
unms.mydomain.net {
gzip
proxy / https://192.168.1.60 {
transparent
insecure_skip_verify
}
}
unifi.mydomain.net {
gzip
proxy / https://192.168.1.60:8443 {
websocket
transparent
insecure_skip_verify
}
}
Now for your wildcard cert, if its from Let’s Encrypt you could have Caddy manage the renewal automatically.
the wildcard cert is an externally signed card from COMODO I think. I might just try out the cert feature of Caddy and see, just sucks that I might have wasted that money on a wildcard cert.
You can disable the cert generation in caddy and continue to use the cert you have. Disable tls in Caddy/use own cert.
This is were I get confused. I’m unsure of what syntax to use and where to use it?
I believe it would go under your root entries so ex:
mydomain.net {
tls <root path of cert.cert> <cert key>
gzip
proxy / 127.0.0.5:8080 {
transparent
}
}
subnet.mydomain.net {
tls <root path of cert.cert> <cert key>
}
Unfortunately I am not 100% sure as I have my setup using the built in automatic TLS certificate handling rather than using my own certificate.
Thanks for the info. I guess I will just keep messing with this until I either get it or give up haha.
Maybe this’ll help a bit.
Caddy can help with this, but you have to configure your network correctly first. Are you running this at home or on a publicly-facing server?
You can continue to use that if you want, but you have to keep it renewed (and reload Caddy each time you renew it) and set up HTTP->HTTPS redirects by yourself, etc. If you let Caddy manage it for you, then it’s all automatic.
You’ll need to make a file called Caddyfile and then put your sites in it, as shown by others above.
If you use your own certificate, you’ll use the tls directive in the Caddyfile (as shown you) to tell Caddy where to load it from. If you want Caddy to manage free wildcard certificates for you, you will have to use the tls directive a little differently to enable the DNS challenge. It’s easy though:
tls {
dns providername
}
replacing “providername” with your DNS provider name from the second column of this table. Then just set the necessary environment variables with your credentials and you’re good to go!
All of my webservices are internal only. The only public service I have is my Hassio server. Which is another reason I was wanting to use my external wildcard cert so I dont have to move ports in my firewall.
I have my Caddyfile set, but I’m honestly not sure it is working correctly. I am trying to use the docker image but am wondering if I should just spin up a dedicated Ubuntu VM until I know what I’m doing.
Hmm; well I’m not a Docker user so I can’t help you there, but let’s start back at square 1. What parts of the setup do you need help understanding? Go ahead and list out all the questions.
OK, so I spun up a quick Ubuntu 16.04 LTS server and installed Caddy.
This is my Caddyfile
http://test-hassio tls off proxy / http://hassio:8123 { transparent websocket } }
But when I go to http://test-hassio I get an ERR_EMPTY_RESPONSE page
Unless you are pointing caddy at a local dns server or you have a host record setup for your domain youll have to specify the machine’s ip that your service is running on.
Yes, my Caddy server is correctly resolving my local DNS and can ping my hassio server
Just to make sure, I set it’s static IP in there and got the same result.
Yep, that server is working just fine, I can access it via IP or DNS.
Try:
http://test-hassio
tls off
proxy / hassio:8123 {
transparent
websocket
}
}Same thing. ERR_EMPTY_RESPONSE
Should I see anything else when I run the ‘caddy’ command?
This is all I see
ADMIN@SRV-Caddy:~$ caddy
Activating privacy features... done.
http://:2015
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".Try running Caddy with -log stderr to get a process log that writes to your terminal. You can also add the errors directive to your Caddyfile to get request-based errors written to a log.
This is all I get when running ‘caddy -log stderr’
Activating privacy features... done.
http://:2015
2018/06/21 15:50:32 http://:2015
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".Probably unnecessary, Docker only has a few quirks to keep in mind. Mind sharing your Docker configuration for this project? I run Caddy in Docker and might be able to provide some pointers there.
Yes, ideally it should print http://test-hassio in the place where http://:2015 is currently showing. You’ll need to reference the Caddyfile you’ve written when you run Caddy - either by using the -conf /path/to/Caddyfile flag, or by having the Caddyfile present in the directory when you issue the caddy command.