Local domains with public certs

Huddeij · November 17, 2023, 8:43am

i don’t quite get that. i am a noob in this topic so excuse my wrong assumptions and terminology.

when I read

nextcloud.my.example.com {
	reverse_proxy https://office.roadrunner {
		header_up Host {upstream_hostport}
	}
}

I wonder why there is no ip address in the reverse proxy. why should i reverse something what is already proxied?
And I expect, that .roadrunner is the local tld, so one had to reverse proxy from an ip address to the local fqdn, and then rereverse it to nextcloud.my.example.com. Why?

do I really need three caddy servers?
could this work in docker at all?
can I use only one caddy server somehow?

francislavoie · November 17, 2023, 9:03am

A domain name simply is a pointer to an IP address (oversimplification, it does other things as well, but that’s the case in this context). So technically there is an IP address, it’s just fetched by using a DNS resolver.

It’s not “already proxied”, but I’m not sure what your line of thinking was to get there so I’m not sure what to say.

Correct, that’s a TLD that OP decided to use, but you could use any custom TLD you want as long as you have a DNS server in your home network to make it work.

No, not at all. I think the key point you’re missing is that this wiki article specifically aims to explain how to set up TLS between internal Caddy servers.

Most users don’t need this, it’s just one approach to setting up a network in a “paranoid” way, where all traffic is encrypted all the way to the app.

See Using Caddy as a reverse proxy in a home network for comparison, where the most common goal is simply to ensure traffic is encrypted over public networks, and once it’s inside of the home network it doesn’t matter as much so proxying can happen over HTTP (cleartext). Also, make sure to re-read the introduction of OP’s post, it explains that distinction.

You can certainly just use a single Caddy server and proxy directly to your apps in your home network. That’s the easiest thing to do, and totally sufficient, when you trust all the devices in your network.

The gap that this article closes is: if you have some untrusted device in the home network, then it could theoretically sniff traffic between internal Caddy servers (the front and back ones) and potentially perform a man-in-the-middle attack, injecting bad data or stealing data. But the risk of that is very low because it requires first having gained access to your network, in which case it’s already game-over anyway.

Yes, for sure. But I’m not sure if you’re asking about the multi-server setup or just “does Caddy work in Docker at all”. Either way, yes. Some things become simpler, some become more complicated when in Docker, but that’s fine.

Huddeij · November 17, 2023, 10:28am

Thanks for the answers. Should have given insight, that I already use caddy with letsencrypt certs and automatic tls for external services and self signed ones for local use. And I don’t want to use self-signed certs any longer nor do i want to use clear text traffic. That’s the reason I came here and posted in the first place.

I think my question is: How do I realize letsencrypt certs with a single caddy server for local domains? While having a paid external domain, which could serve as letsencrypt certificate entry, if I understood the tutorial correctly here, would it be possible to use *.local.example.com with external certs, but only locally?

Using already pihole as local dns server, which delivers several local.example.com services inside my network), while having other services externally hosted with example.com?

francislavoie · November 17, 2023, 11:03am

I moved the comments to a new topic, because it was getting off-topic.

To get a cert issued by a public issuer, you must use a domain that can be publicly validated with ACME challenges.

If your domain is only accessible locally (i.e. not on port 80/443 from the outside world), then your only other choice is to use the ACME DNS challenge to validate your domain.

What matters is what your domain resolves to publicly. What you do in your local network with DNS doesn’t matter for cert issuance.

Huddeij · November 17, 2023, 11:24am

for example:

{$DOMAIN} {
	reverse_proxy 192.168.0.28:8153
	acme_server
	encode zstd gzip
	header {
		Strict-Transport-Security max-age=31536000;
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
		Referrer-Policy no-referrer-when-downgrade
		Content-Security-Policy upgrade-insecure-requests
	}
}

How do I serve the certificate to this local domain?

auto.local.{$DOMAIN} {
	reverse_proxy 192.168.0.28:1337
}

auto.local.example.com is addd to piholes CNAME dns list and local.example.com is added to the dns records. pihole is the onnly network wide dns-resolver

francislavoie · November 17, 2023, 11:39am

I’m confused, because you’re asking two different questions at the same time and they aren’t compatible with eachother.

Either you want mutual TLS between your home Caddy servers (which the wiki article explains), or you want publicly trusted certs (which you implied that you wanted in your previous comment). You can’t have both at the same time.

system · December 17, 2023, 11:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.