1. Caddy version (caddy version): v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=. This is a custom caddy build with the DuckDNS plugin.
2. How I run Caddy:
I mounted the custom caddy binary inside the docker container. I’m using docker desktop to run a compose file for each of my services (including one for caddy). I initially used the ACME HTTP-01 challenge to get certs. I set up port forwarding on my router to my computer. This worked flawlessly.
a. System environment:
I’m using docker desktop on macos, and aim to transfer my setup to a raspberry pi.
b. Command:
I’m using docker compose, see next section
c. Docker compose file:
version: '3'
services:
  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80 # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy:/data
      # Custom build with the duckdns plugin, replacing the image's own binary.
      - ./caddy_linux_arm64_custom_duckdns:/usr/bin/caddy
    networks:
      - caddy
      - vaultwarden
      - libreddit
      - bibliogram
    env_file: ./caddy.env
    environment:
      - LOG_DIR=/data
networks:
  caddy:
    name: caddy
  vaultwarden:
    external: true
  libreddit:
    external: true
  pihole:
    external: true
  bibliogram:
    external: true
volumes:
  caddy:
    external: true
d. My complete Caddyfile or JSON config:
https://reddit.hybras.dev:443 {
    log {
        level INFO
        output file {$LOG_DIR}/reddit.log {
            roll_size 10MB
            roll_keep 10
        }
    }
    # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
    tls {$EMAIL}
    # This setting may have compatibility issues with some browsers
    # (e.g., attachment downloading on Firefox). Try disabling this
    # if you encounter issues.
    encode gzip
    # Proxy everything to libreddit
    reverse_proxy libreddit:8080 {
        # Send the true remote IP to the backend, so that it can put this in the
        # log, so that fail2ban can ban the correct IP.
        header_up X-Real-IP {remote_host}
    }
}
https://vault.hybras.dev:443 {
    log {
        level INFO
        output file {$LOG_DIR}/vaultwarden.log {
            roll_size 10MB
            roll_keep 10
        }
    }
    # Use the ACME HTTP-01 challenge to get a cert for the configured domain.
    tls {$EMAIL}
    # This setting may have compatibility issues with some browsers
    # (e.g., attachment downloading on Firefox). Try disabling this
    # if you encounter issues.
    encode gzip
    # Notifications redirected to the WebSocket server
    reverse_proxy /notifications/hub vaultwarden:3012
    # Proxy everything else to Rocket
    reverse_proxy vaultwarden:80 {
        # Send the true remote IP to Rocket, so that vaultwarden can put this in the
        # log, so that fail2ban can ban the correct IP.
        header_up X-Real-IP {remote_host}
    }
}
3. The problem I’m having:
I no longer want my services to be public. I’m mostly following the directions here [1] to set up HTTPS with my private services. I changed my public domains from A records to CNAMEs pointing to a DuckDNS domain so I can use DDNS. I’m also following this section [2] of caddy’s DuckDNS module.
4. Error messages and/or full log output:
{"level":"info","ts":1654547160.0730753,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1654547160.091791,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"warn","ts":1654547160.0922208,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1654547160.09224,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1654547160.0922606,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1654547160.0942128,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x4000510690"}
{"level":"info","ts":1654547160.1001198,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1654547160.10068,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["reddit.hybras.dev","vault.hybras.dev","insta.hybras.dev"]}
{"level":"info","ts":1654547160.119333,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1654547160.128496,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1654547160.1285338,"msg":"serving initial configuration"}
5. What I already tried:
I tried replacing the tls sections of my Caddyfile with the following to use the new challenge type. Caddy didn’t do anything, however. I wanted to confirm before deleting caddy’s data dir, or if some other step was required, since the docs caution against doing so.
tls {
    dns duckdns <token> {
        override_domain hybras.duckdns.org
    }
}
6. Links to relevant resources:
[1]: https://github.com/dani-garcia/vaultwarden/wiki/Running-a-private-vaultwarden-instance-with-Let%27s-Encrypt-certs
[2]: https://github.com/caddy-dns/duckdns#challenge-delegation
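Added example, not code from the original post or from the caddy-dns/duckdns project: a POSIX shell preflight for the challenge delegation discussed above. With DNS-01 the CA looks up a TXT record at _acme-challenge.&lt;host&gt; and follows any CNAMEs it finds there, while the duckdns plugin with override_domain publishes that TXT record at the DuckDNS name, so issuance can only succeed if the CNAME chain from _acme-challenge.&lt;host&gt; ends at the override_domain. The script walks that chain and reports where it stops. The RESOLVE variable (defaulting to dig +short CNAME), the hop limit and the function names are assumptions of this example; hybras.duckdns.org and the site names come from the post.

```shell
#!/bin/sh
# Preflight check for DNS-01 challenge delegation to a DuckDNS domain.
# Assumption: RESOLVE is a command that prints the CNAME target of a name,
# one per line; it defaults to dig and can be overridden for offline tests.
: "${RESOLVE:=dig +short CNAME}"

# resolve_cname NAME
# Prints the first CNAME target of NAME without its trailing dot, or nothing.
resolve_cname() {
    $RESOLVE "$1" | sed 's/\.$//' | head -n 1
}

# check_delegation HOST OVERRIDE_DOMAIN
# Follows CNAMEs from _acme-challenge.HOST, as an ACME validator would,
# and succeeds only if the chain ends exactly at OVERRIDE_DOMAIN, which is
# where the duckdns plugin will write the TXT record. Hop limit is an
# assumption to stop on CNAME loops.
check_delegation() {
    host=$1
    override=$2
    name="_acme-challenge.$host"
    hops=0
    while [ "$hops" -lt 5 ]; do
        target=$(resolve_cname "$name")
        if [ -z "$target" ]; then
            echo "FAIL: $name has no CNAME; TXT would be expected there, not at $override" >&2
            return 1
        fi
        if [ "$target" = "$override" ]; then
            echo "OK: _acme-challenge.$host -> $override"
            return 0
        fi
        name=$target
        hops=$((hops + 1))
    done
    echo "FAIL: CNAME chain from _acme-challenge.$host did not reach $override within $hops hops" >&2
    return 1
}

# Usage: sh check_delegation.sh vault.hybras.dev hybras.duckdns.org
if [ $# -ge 2 ]; then
    check_delegation "$1" "$2"
fi
```

Run it once per site block that uses the dns challenge; it needs dig on the path. It checks only the delegation record, not the token: keep the DuckDNS token in caddy.env and reference it as {env.DUCKDNS_TOKEN} in the tls block rather than pasting it into the Caddyfile, since that file is bind-mounted from the host and easy to commit by accident.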