Use Caddy for external and internal access

1. The problem I’m having:

I would like to use Caddy for external and internal access.

From outside my network, all DNS names point to a single IP (Caddy) that receives requests and reverse proxies the internal services.

From inside my network, each service is a container with its own IP address and its respective DNS name.

When accessing from outside my network, I will use the URL adguard.home.arpa and Caddy will automatically use HTTPS and reverse proxy to the service on port 3000.

But when accessing from inside my network, if I use the URL adguard.home.arpa the browser will go directly to the container IP, without using HTTPS and the certificate provided by Caddy, besides the fact that I must then add port 3000 to the URL.

Can I use another DNS name to reach Caddy internally? For example, using the URL caddy.home.arpa/adguard to reach the internal AdGuard through Caddy instead of adguard.home.arpa:3000 (directly).

If yes, what should the respective Caddyfile block look like?

2. Error messages and/or full log output:

No errors, just blank pages or 403 errors on some attempts.

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.2.16-5-pve

b. Command:

apt clean && apt update && apt -y upgrade && apt -y install caddy
wget -q -O caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare"
cp caddy /usr/bin/caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        debug
        acme_ca https://acme-v02.api.letsencrypt.org/directory
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(cloudflare) {
        tls username@domain {
                dns cloudflare <secret>
        }
}

(vips_only) {
        # Source-IP allowlist gate. "respond" is ordered before "reverse_proxy"
        # in Caddy's directive order, so this works for the plain reverse_proxy
        # sites below. "handle" blocks, however, are ordered before "respond",
        # so this snippet would not gate anything placed inside a handle block
        # (such as the commented-out blocks under caddy.home.arpa).
        @fuck_off_world {
                not remote_ip 10.111.111.0/24 201.100.100.100/32 201.101.101.101/32 186.102.102.102/32
        }
        respond @fuck_off_world 403
}

pve.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy https://pve.home.arpa:8006 {
                transport http {
                        # Proxmox ships a self-signed certificate; this disables
                        # verification of the upstream certificate entirely.
                        # Trusting the Proxmox CA via tls_trusted_ca_certs keeps
                        # the hop to the upstream verified instead.
                        tls_insecure_skip_verify
                }
        }
}

adguard.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy http://adguard.home.arpa:3000
}

graylog.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy http://graylog.home.arpa:9000
}

caddy.home.arpa {
        import cloudflare
        import vips_only

        #handle /adguard/* {
        #       # The path still retains "/adguard"
        #       reverse_proxy http://adguard.home.arpa:3000
        #}

        #handle_path /adguard/* {
        #        # The path has the "/adguard" prefix stripped
        #        reverse_proxy http://adguard.home.arpa:3000
        #}

}

5. Links to relevant resources:

I suggest doing something like adguard.caddy.home.arpa or something like that. Always easier to use subdomains for each app than subpaths. You can definitely configure Caddy to serve those sites.

Thanks @francislavoie, I got what I wanted and I think it is even better organized and more accessible!

New Caddyfile (wip):

{
        debug
        acme_ca https://acme-v02.api.letsencrypt.org/directory
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(cloudflare) {
        tls username@domain {
                dns cloudflare <secret>
        }
}

(vips_only) {
        # Source-IP allowlist gate, expressed as a handle block. Caddy sorts
        # directives by a fixed order in which "handle" runs before "respond",
        # so a bare "respond @matcher 403" would be sorted after the handle
        # blocks in *.caddy.home.arpa and never be reached: the matching
        # handle block (or the abort fallback) would answer first. handle
        # blocks keep their file order relative to each other and only the
        # first matching one runs, and this snippet is imported first.
        @fuck_off_world {
                not remote_ip 10.111.111.0/24 201.100.100.100/32 201.101.101.101/32 186.102.102.102/32
        }
        handle @fuck_off_world {
                respond 403
        }
}

caddy.home.arpa {
        import cloudflare
        import vips_only
        respond "Caddy!"
}

*.caddy.home.arpa {
        import cloudflare
        import vips_only

        @adguard host adguard.caddy.home.arpa
        handle @adguard {
                #respond "AdGuard!"
                reverse_proxy http://adguard.home.arpa:3000
        }

        @graylog host graylog.caddy.home.arpa
        handle @graylog {
                #respond "Graylog!"
                reverse_proxy http://graylog.home.arpa:9000
        }

        @pve host pve.caddy.home.arpa
        handle @pve {
                reverse_proxy https://pve.home.arpa:8006 {
                        transport http {
                                tls_insecure_skip_verify
                        }
                }
        }

        # Fallback for otherwise unhandled domains
        handle {
                abort
        }
}

adguard.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy http://adguard.home.arpa:3000
}

graylog.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy http://graylog.home.arpa:9000
}

pve.home.arpa {
        import cloudflare
        import vips_only
        reverse_proxy https://pve.home.arpa:8006 {
                transport http {
                        # Disables verification of the Proxmox self-signed
                        # certificate; trusting its CA via tls_trusted_ca_certs
                        # keeps the upstream hop verified instead.
                        tls_insecure_skip_verify
                }
        }
}
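The reason the allowlist has to be a handle block rather than a bare `respond @matcher 403` is Caddy's directive ordering: `handle` is sorted before `respond`, and a `handle` block that matches (or the catch-all `handle { abort }`) answers the request before the 403 is ever considered. The real way to check this on a live config is `caddy adapt --config /etc/caddy/Caddyfile --pretty` and reading the order of the adapted routes. The script below is an added example, not part of the thread and not Caddy's own code: it hand-builds abbreviated route lists in the shape `caddy adapt` emits for the `*.caddy.home.arpa` block, once as it sorts when the gate is a bare `respond` and once with the gate as its own handle block, and walks a request from an outside address through each. Assumptions: only the `host`, `remote_ip` and `not` matchers and the `subroute`, `static_response` and `reverse_proxy` handlers are modelled; the client addresses 203.0.113.9 and 10.111.111.5 are made up; the allowlist keeps two of the thread's ranges.

```python
"""Simulate Caddy's route walk over abbreviated adapted JSON to see whether a
source-IP allowlist gate is reached before a proxying handler.

Constructed example: the route structures are hand-written to mirror the shape
`caddy adapt` emits; this is not Caddy code.
"""
import ipaddress


def host_matches(pattern, host):
    """Caddy host matcher semantics: '*' stands in for exactly one DNS label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def matcher_set_matches(mset, req):
    """A matcher set matches when every matcher in it matches (AND)."""
    for kind, spec in mset.items():
        if kind == "host":
            if not any(host_matches(p, req["host"]) for p in spec):
                return False
        elif kind == "remote_ip":
            ip = ipaddress.ip_address(req["remote_ip"])
            if not any(ip in ipaddress.ip_network(r, strict=False) for r in spec["ranges"]):
                return False
        elif kind == "not":
            # `not` wraps nested matcher sets and matches when none of them match.
            if any(matcher_set_matches(m, req) for m in spec):
                return False
        else:
            raise ValueError(f"matcher {kind!r} not modelled here")
    return True


def run_routes(routes, req):
    """Walk a route list in order and return the first terminal outcome.

    Returns None when the request falls through every route. Routes sharing a
    `group` are mutually exclusive (only the first matching one runs), which is
    how `handle` blocks are adapted. Nested subroutes get their own groups.
    """
    fired_groups = set()
    for route in routes:
        group = route.get("group")
        if group in fired_groups:
            continue
        sets = route.get("match")
        if sets and not any(matcher_set_matches(m, req) for m in sets):
            continue
        if group:
            fired_groups.add(group)
        for handler in route.get("handle", []):
            kind = handler["handler"]
            if kind == "subroute":
                outcome = run_routes(handler["routes"], req)
                if outcome is not None:
                    return outcome
            elif kind == "static_response":
                return "abort" if handler.get("abort") else f"status {handler.get('status_code', 200)}"
            elif kind == "reverse_proxy":
                return "proxied to " + handler["upstreams"][0]["dial"]
            else:
                raise ValueError(f"handler {kind!r} not modelled here")
    return None


# Allowlist taken from the thread (the public /32 is the poster's placeholder).
ALLOWED = ["10.111.111.0/24", "201.100.100.100/32"]
GATE_MATCH = [{"not": [{"remote_ip": {"ranges": ALLOWED}}]}]
FORBID = {"handler": "static_response", "status_code": 403}
ABORT = {"handler": "static_response", "abort": True}
PROXY_ADGUARD = {"handler": "reverse_proxy", "upstreams": [{"dial": "adguard.home.arpa:3000"}]}


def handle_block(match, handlers):
    """Shape of an adapted `handle` block: a grouped route wrapping a subroute."""
    route = {"group": "group0", "handle": [{"handler": "subroute", "routes": [{"handle": handlers}]}]}
    if match:
        route["match"] = match
    return route


# Gate as a bare `respond`: after directive sorting it lands after every handle block.
SORTED_RESPOND_ROUTES = [
    handle_block([{"host": ["adguard.caddy.home.arpa"]}], [PROXY_ADGUARD]),
    handle_block(None, [ABORT]),
    {"match": GATE_MATCH, "handle": [FORBID]},
]
# Gate as its own `handle` block: handle blocks keep file order, so it runs first.
HANDLE_GATE_ROUTES = [
    handle_block(GATE_MATCH, [FORBID]),
    handle_block([{"host": ["adguard.caddy.home.arpa"]}], [PROXY_ADGUARD]),
    handle_block(None, [ABORT]),
]


def outcome(block_routes, host, remote_ip):
    """Wrap the block's routes in the `*.caddy.home.arpa` site route and walk them."""
    site = [{"match": [{"host": ["*.caddy.home.arpa"]}],
             "handle": [{"handler": "subroute", "routes": block_routes}]}]
    return run_routes(site, {"host": host, "remote_ip": remote_ip})


if __name__ == "__main__":
    for label, routes in (("respond gate", SORTED_RESPOND_ROUTES), ("handle gate", HANDLE_GATE_ROUTES)):
        for ip in ("203.0.113.9", "10.111.111.5"):  # made-up outside and inside clients
            print(f"{label:13} {ip:13} -> {outcome(routes, 'adguard.caddy.home.arpa', ip)}")
```

With the bare `respond` gate the outside client is proxied straight to AdGuard, because the `handle @adguard` route fires first and `reverse_proxy` never calls the next handler; with the gate as a handle block the same client gets the 403 and an allowlisted client is proxied. The fallback `handle { abort }` behaves the same way in both layouts: an unknown subdomain is aborted before any later route is looked at.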
