So I have Caddy running for a few years on an RPI3 and did not touch anything for years either. The use case is simple: I have multiple servers running and do not want to open up multiple ports on my router.
Is this indeed a "safe" configuration or should I have used other configuration parameters for this simple use case?
My firewall (Firewalla) sends me notifications when my network performs abnormal uploads to the outside world. This is great. But for the 2 servers that are "gated" by Caddy I only get the name of the Caddy server back (e.g. "Caddy Proxy has uploaded 30mb to 113.161.194.198 at 9:19AM") instead of the actual server that is uploading (e.g. bi.gerard.com for instance). I guess that is because my firewall is presented the encrypted data and only sees the Caddy server as the sender. Is there any configuration parameter I can add so my firewall can actually see which server (behind Caddy) is uploading traffic?
Spent the last few hours trying to get upgraded but not getting far. Please note that I did several searches but can't find the solution. p.s. as I had a spare RPI I'm trying to get v2 running first and then swap with my old v1 RPI.
Got a message which I did not write down but related to not being able to bind to localhost:2019
Tried to modify the Caddyfile in /etc/caddy > no success; created a root user, logged in as root and could change the Caddyfile.
When I try to reload I get "reload: sending configuration to instance: performing request: Post "http://localhost:2019/load": dial tcp [::1]:2019: connect: connection refused"
So it seems the API cannot be called (and the Caddyfile cannot be loaded) due to an issue with port 2019.
How are you trying to run Caddy? Did you try to run caddy run in your terminal after installing the package? You shouldn't do that because Caddy will already be running as a systemd service. See the instructions here for how to use Caddy as a service:
Are you sure you need tls for this one? Try without.
You can shorten it to this:
reverse_proxy 192.168.1.39:8123
Otherwise, please show your logs. Just saying "no luck" tells us absolutely nothing about what's wrong, so we can only make guesses. Please be specific about what isn't working.
If I look at the logs of the V2 version (which I feel a bit uncomfortable posting on a public website) Home Assistant sees the incoming request but refuses it. My assumption is due to missing information in the incoming request like the real IP address (remote IP) of the proxy, which I know Home Assistant wants to see to allow a connection.
Could you help with the V2 syntax of above V1 settings?
Update: Also tried the version below, which (I might wrongly assume) includes the correct v2 syntax (replicating my v1 version that works), but the connection is still refused, getting a 400 Bad Request.
You definitely don't need any of those header_up for Home Assistant, Caddy already sets them correctly. If you use those lines, you end up clobbering Caddy's own automatic behaviour.
You just need to change a bit of configuration in HA to have it trust requests coming from an upstream proxy. See the HA docs for running it behind a reverse proxy.
My config (with IP of trusted proxies changed to new caddy v2 IP):
http:
  base_url: http://192.168.1.39:8123  # Caddy v1 worked with this here. Tried with and without, as the docs show without
  use_x_forwarded_for: true
  trusted_proxies:
    # - 192.168.1.41  # Caddy v1
    - 192.168.1.181  # Caddy v2
    - 172.30.33.0/24  # Tried with and without; was not needed for Caddy v1 anyway
I'm certain you can remove X-Real-IP. Caddy sends X-Forwarded-For which has the same information, and you configured HA to read from that header already.
Probably not, because it's encrypted. Just watch Caddy's logs, I guess.
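One way to act on that advice, as an added example that is not from the thread or from the Caddy project: a small Python script that totals the bytes Caddy sent out per site host and client IP from its JSON access log, so an alert like "30mb to 113.161.194.198" can be matched to the site behind the proxy. It assumes Caddy's default JSON access-log shape (logger "http.log.access", request.host, request.remote_ip or the older request.remote_addr, and size for response bytes); the log lines and the ha.example.invalid host are constructed.

```python
import json
from collections import defaultdict

# Constructed sample lines in the shape of Caddy v2 JSON access logs;
# only the fields this script reads are filled in.
SAMPLE_LOG = """\
{"level":"info","ts":1700000000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"113.161.194.198","method":"GET","host":"bi.gerard.com","uri":"/export.csv"},"bytes_read":0,"size":31457280,"status":200}
{"level":"info","ts":1700000001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.1.20","method":"GET","host":"ha.example.invalid","uri":"/api/states"},"bytes_read":0,"size":4096,"status":200}
{"level":"info","ts":1700000002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"113.161.194.198","method":"POST","host":"bi.gerard.com","uri":"/login"},"bytes_read":512,"size":128,"status":401}
{"level":"info","ts":1700000003.4,"logger":"http.log.access","msg":"handled request","request":{"remote_addr":"10.0.0.5:51234","method":"GET","host":"ha.example.invalid","uri":"/"},"bytes_read":0,"size":2048,"status":200}
{"level":"info","ts":1700000004.5,"logger":"tls","msg":"not an access log line"}
"""

def client_ip(req):
    """Caddy >= 2.5 logs request.remote_ip; older builds log request.remote_addr as ip:port."""
    if "remote_ip" in req:
        return req["remote_ip"]
    addr = req.get("remote_addr", "")
    return addr.rsplit(":", 1)[0].strip("[]")  # drop port, and brackets on IPv6

def bytes_by_host(lines):
    """Sum response bytes (what Caddy sent out, i.e. the 'upload' the firewall sees)
    per (site host, client IP) pair. Non-access-log and malformed lines are skipped."""
    totals = defaultdict(int)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if entry.get("logger") != "http.log.access":
            continue
        req = entry.get("request", {})
        totals[(req.get("host", "?"), client_ip(req))] += int(entry.get("size", 0))
    return dict(totals)

def report(totals, threshold_bytes=10 * 1024 * 1024):
    """Return (host, ip, bytes) rows at or above the threshold, largest first."""
    rows = [(h, ip, n) for (h, ip), n in totals.items() if n >= threshold_bytes]
    return sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for host, ip, n in report(bytes_by_host(SAMPLE_LOG.splitlines())):
        print(f"{host} sent {n / 1024 / 1024:.1f} MiB to {ip}")
```

Feed it the real file with `bytes_by_host(open("/path/to/access.log"))`; the host column is available to Caddy because it terminated the TLS session, which is exactly what the firewall cannot see.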