Extreme Beginner, just looking to redirect ports


(Matt Thomas) #1

I am wanting to make accessing all my web portals easier by not having to remember every different port for every different service. For example instead of remembering unifi.dom.tld:8443 I’d like to just go to unifi.dom.tld. Is Caddy the right service for this job?

Also, I have my own external wildcard cert so most of my services are already secured with that. Will this help or hinder me?

Thanks in advance!


(Alexander Henderson) #2

Yes Caddy can remove the port from the end of your url. My current caddy config:

www.mydomain.net, mydomain.net {
    gzip
    proxy /tautulli 192.168.1.60:8181 {
        transparent
        header_upstream X-Forwarded-Host {host}
    }
    proxy /sonarr 192.168.1.60:8989 {
        transparent
    }
    proxy /radarr 192.168.1.60:7878 {
        transparent
    }
    proxy /wac/ https://192.168.1.47:8443 {
        without /wac/
        transparent
        # upstream uses a self-signed cert, so its certificate is not verified
        insecure_skip_verify
    }
    proxy /portainer/ 192.168.1.60:9000 {
        without /portainer
        transparent
        header_upstream -Connection
    }
    proxy /portainer/api/websocket/ 192.168.1.60:9000 {
        without /portainer
        transparent
        websocket
    }
}

plex.mydomain.net {
    gzip
    timeouts none
    proxy / 192.168.1.55:32400 {
        transparent
    }
}

unms.mydomain.net {
    gzip
    proxy / https://192.168.1.60 {
        transparent
        insecure_skip_verify
    }
}

unifi.mydomain.net {
    gzip
    proxy / https://192.168.1.60:8443 {
        websocket
        transparent
        insecure_skip_verify
    }
}

Now for your wildcard cert, if it's from Let's Encrypt you could have Caddy manage the renewal automatically.


(Matt Thomas) #3

The wildcard cert is an externally signed cert from COMODO, I think. I might just try out the cert feature of Caddy and see; it just sucks that I might have wasted that money on a wildcard cert.


(Alexander Henderson) #4

You can disable the cert generation in caddy and continue to use the cert you have. Disable tls in Caddy/use own cert.


(Matt Thomas) #5

This is where I get confused. I'm unsure of what syntax to use and where to use it.


(Alexander Henderson) #6

I believe it would go under your root entries so ex:

mydomain.net {
    tls <root path of cert.cert> <cert key>
    gzip
    proxy / 127.0.0.5:8080 {
        transparent
    }
}

subnet.mydomain.net {
    tls <root path of cert.cert> <cert key>
}

Unfortunately I am not 100% sure as I have my setup using the built in automatic TLS certificate handling rather than using my own certificate.


(Matt Thomas) #7

Thanks for the info. I guess I will just keep messing with this until I either get it or give up haha.


(Matt Holt) #8

Maybe this’ll help a bit.

Caddy can help with this, but you have to configure your network correctly first. Are you running this at home or on a publicly-facing server?

You can continue to use that if you want, but you have to keep it renewed (and reload Caddy each time you renew it) and set up HTTP->HTTPS redirects by yourself, etc. If you let Caddy manage it for you, then it’s all automatic.

You’ll need to make a file called Caddyfile and then put your sites in it, as shown by others above.

If you use your own certificate, you'll use the tls directive in the Caddyfile (as shown above) to tell Caddy where to load it from. If you want Caddy to manage free wildcard certificates for you, you will have to use the tls directive a little differently to enable the DNS challenge. It's easy though:

tls {
    dns providername
}

replacing “providername” with your DNS provider name from the second column of this table. Then just set the necessary environment variables with your credentials and you’re good to go!
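The Caddyfile v1 snippets in this thread carry a few settings worth a second look before they go live (insecure_skip_verify on proxied upstreams, tls off, sites labelled http://), and a block with an unbalanced brace will not load at all. The script below is an added example, not Caddy's own tooling or anything posted in this thread: a minimal scan that checks brace balance and flags those directives; the sample config is constructed after the configs above, and the scanner ignores quoted strings and comments.

```python
"""Scan a Caddy v1 Caddyfile for the transport-weakening directives discussed
in this thread. Added example; a small directive scan, not a full parser."""

# Constructed sample modelled on the configs posted above (not a real deployment).
SAMPLE = """\
unifi.mydomain.net {
    gzip
    proxy / https://192.168.1.60:8443 {
        websocket
        transparent
        insecure_skip_verify
    }
}

http://test-hassio {
    tls off
    proxy / hassio:8123 {
        transparent
    }
}
"""


def check_braces(text):
    """Return ('ok', 0), ('unexpected }', line) or ('unclosed block', depth)."""
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            depth += (ch == "{") - (ch == "}")
            if depth < 0:
                return ("unexpected }", lineno)
    return ("ok", 0) if depth == 0 else ("unclosed block", depth)


def lint(text):
    """Return [(site_label, finding)] for directives that weaken TLS."""
    findings, site, upstream, depth = [], None, None, 0
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if depth == 0 and tokens[-1] == "{":
            site = " ".join(tokens[:-1])      # label(s) opening a site block
            if site.startswith("http://"):
                findings.append((site, "served over plain HTTP"))
        elif tokens[:2] == ["tls", "off"]:
            findings.append((site, "tls off: no HTTPS, no redirect"))
        elif tokens[0] == "proxy" and len(tokens) >= 3:
            upstream = tokens[2]              # proxy <from> <to> ...
        elif tokens[0] == "insecure_skip_verify":
            findings.append((site, f"upstream {upstream} cert not verified"))
        depth += line.count("{") - line.count("}")
    return findings


if __name__ == "__main__":
    print(check_braces(SAMPLE))
    for site, msg in lint(SAMPLE):
        print(f"{site}: {msg}")
```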


(Matt Thomas) #9

All of my web services are internal only. The only public service I have is my Hassio server, which is another reason I was wanting to use my external wildcard cert, so I don't have to move ports in my firewall.

I have my Caddyfile set, but I’m honestly not sure it is working correctly. I am trying to use the docker image but am wondering if I should just spin up a dedicated Ubuntu VM until I know what I’m doing.


(Matt Holt) #10

Hmm; well I’m not a Docker user so I can’t help you there, but let’s start back at square 1. What parts of the setup do you need help understanding? Go ahead and list out all the questions.


(Matt Thomas) #11

OK, so I spun up a quick Ubuntu 16.04 LTS server and installed Caddy.
This is my Caddyfile

http://test-hassio {
  tls off
  proxy / http://hassio:8123 {
    transparent
    websocket
  }
}

But when I go to http://test-hassio I get an ERR_EMPTY_RESPONSE page


(Alexander Henderson) #12

Unless you are pointing Caddy at a local DNS server or you have a host record set up for your domain, you'll have to specify the IP of the machine that your service is running on.


(Matt Thomas) #13

Yes, my Caddy server is correctly resolving my local DNS and can ping my hassio server

Just to make sure, I set its static IP in there and got the same result.


(Alexander Henderson) #14

:+1:

Hmm and if you go to http://ip-address:8123 in a regular browser session it works fine?


(Matt Thomas) #15

Yep, that server is working just fine, I can access it via IP or DNS.


(Alexander Henderson) #16

Try:

http://test-hassio {
  tls off
  proxy / hassio:8123 {
    transparent
    websocket
  }
}

(Matt Thomas) #17

Same thing. ERR_EMPTY_RESPONSE
Should I see anything else when I run the 'caddy' command?
This is all I see:

ADMIN@SRV-Caddy:~$ caddy
Activating privacy features... done.
http://:2015
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".

(Matt Holt) #18

Try running Caddy with -log stderr to get a process log that writes to your terminal. You can also add the errors directive to your Caddyfile to get request-based errors written to a log.


(Matt Thomas) #19

This is all I get when running 'caddy -log stderr':

Activating privacy features... done.
http://:2015
2018/06/21 15:50:32 http://:2015
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".

(Matthew Fay) #20

Probably unnecessary, Docker only has a few quirks to keep in mind. Mind sharing your Docker configuration for this project? I run Caddy in Docker and might be able to provide some pointers there.

Yes, ideally it should print http://test-hassio in the place where http://:2015 is currently showing. You'll need to reference the Caddyfile you've written when you run Caddy, either by using the -conf /path/to/Caddyfile flag, or by having the Caddyfile present in the directory where you issue the caddy command.