Port Forwarding for AdGuard Home (Port 80)

I have Caddy Version v2.1.1

My setup: I have a Raspberry Pi 4 (running on Raspberry OS version buster) and on there I am running Caddy, AdGuard Home (a DNS service), and WireGuard. I also have a QNAP server on which I have apps running on different ports. I am able to use Caddy to reverse proxy my domain paths to the different applications on my QNAP server, so that is all good (unless anyone has any better suggestions for my Caddyfile which I have shared below).

Caddyfile:

mydomain.com {
       reverse_proxy /radarr* 192.168.80.120:7878
       reverse_proxy /sonarr* 192.168.80.120:8989
       reverse_proxy /sabnzbd* 192.168.80.120:8282
       reverse_proxy /ombi* 192.168.80.120:8976
       reverse_proxy /tautulli* 192.168.80.120:8660
}

192.168.80.131 {
        reverse_proxy /* 192.168.80.131:88
#       redir http://192.168.80.131:88
}

My problem lies with setting up AdGuard Home correctly. I have dedicated port 80 to be set up with Caddy. Usually AdGuard Home would also be set up with port 80, but I figured I can set up AdGuard Home at port 88 and use Caddy to take connections coming in to port 80 and point them to port 88. This way I can still use the Raspberry’s IP as my DNS IP address while still reserving port 80 for Caddy. As you can see in my Caddyfile, I am unsure if I should be using a “reverse_proxy” or a “redir”.

The problems I have found: With “redir”, when I go to the IP address of my Raspberry Pi, the URL changes to “192.168.80.131:88”, and I am unsure if that is appropriate for DNS servers. And, when I use “reverse_proxy”, I also get taken to the AdGuard Home dashboard, but there are SSL cert issues on the Chrome browser.

So I am wondering if I am doing this correctly or is there a way to turn off the need to check for SSL for local IP addresses.

To run Caddy, I am using “sudo caddy run --watch”. On Reboots, I have the system run “sudo caddy start --config /home/ktron/Caddyfile” (If anyone has a better way to reboot and have caddy know where the Caddyfile is, please let me know as I am just using @reboot)

Here are some of the errors I have been getting:

2020/08/12 12:53:33 http: TLS handshake error from 192.168.80.115:50682: remote error: tls: unknown certificate
2020/08/12 12:53:41 http: TLS handshake error from 192.168.80.115:50691: remote error: tls: unknown certificate

I have already tried replacing the Raspberry Pi’s IP address in the Caddyfile with “localhost” for both reverse_proxy and redir and for the to and from portion of the file.

The redir directive issues a redirect, which, in other words, tells the client to make a new request at a different URL. This is done via the Location header, which is set in the response.

You can use the officially maintained apt repo, which sets up a systemd service to keep Caddy running:

Unfortunately I don’t know enough about AdGuard Home to effectively help there. I’m not sure I understand what you’re trying to do.

Thank you for the feedback. Please let me clarify. Just think of AdGuard Home as another application running on the Raspberry Pi that requires port 80. Instead I had changed it to listen to port 88 so that Caddy can listen on port 80. I need to know how to set up the Caddyfile to send traffic going to port 80 to port 88.

reverse_proxy is what you want then, but if you use an IP address as your listen address, Caddy won’t be able to have a TLS certificate issued for it - certificates are only valid for domains (with some exceptions that are not relevant here). If you were trying to connect to your server with https://192.168.80.131, that won’t work, you’ll need to do http://192.168.80.131 with that config, or proxy to AdGuard from a domain Caddy manages similarly to your mydomain.com example.

If you’re using a real domain (i.e. not a free dynamic DNS domain), I recommend using subdomains instead of subpaths for each of your services.

This wiki article may be relevant to explain the conundrum with proxying to subpaths:

Thank you, that was good information. I actually originally set it up so that Caddy points to a domain BUT then I realized that is a problem because the type of application AdGuard is, it needs to be an IP address. You see, AdGuard is a DNS service, therefore in order to use it, the address to AdGuard needs to be an IP address. (Note: Not sure if you ever used Pi-Hole, but they both do the same thing). Just like how Google’s DNS is 8.8.8.8, I am setting up AdGuard to be a DNS provider, so it has to be an IP address instead of a domain. Would this be fine with my reverse_proxy setup in my current Caddyfile? Or is there a better way? My listening IP address is 10.20.90.131 (which is my Raspberry Pi Caddy’s IP address, which I assume already listens to port 80). Now I am having all connections point to the same IP address but to port 88. Would it be better if I used “localhost” as the listening IP address?

That should only be true for the piece that actually acts as the DNS server, i.e. port 53. It shouldn’t be an issue for the web management interface to use a domain otherwise.
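
The two options suggested in the replies above, written out as a Caddyfile. This is an added example, not something posted by anyone in the thread; the subdomain adguard.mydomain.com is an assumed name, and the upstream address and port are the ones from the original post.

```caddyfile
# Option A: keep the Pi's LAN IP as the site address, but serve it over
# plain HTTP. The explicit http:// scheme stops Caddy from trying to
# serve this site over HTTPS, so the browser is reached at
# http://192.168.80.131 and no certificate is involved.
http://192.168.80.131 {
	# Everything arriving on port 80 for this address is handed to the
	# AdGuard Home web interface listening on port 88.
	reverse_proxy 192.168.80.131:88
}

# Option B: put the web interface on a hostname Caddy manages, the same
# way mydomain.com is handled. "adguard.mydomain.com" is an assumed
# name; it needs a DNS record pointing at this Caddy host.
adguard.mydomain.com {
	reverse_proxy 192.168.80.131:88
}

# Neither block touches DNS itself: clients keep using 192.168.80.131
# as their resolver, which is AdGuard Home answering on port 53.
# Caddy only fronts the HTTP management interface.
```

Running `caddy validate --config /home/ktron/Caddyfile` checks the file for errors before Caddy is restarted with it.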

Dang it, you’re right! Totally forgot that the DNS has its own port. You have been a great help, thanks!
