source/manual/how-tos/caddy.rst: 15 additions & 10 deletions
@@ -35,6 +35,8 @@ Installation
35
35
36
36
* Install "os-caddy" from the OPNsense Plugins.
37
37
38
+
.. _prepare-opnsense-caddy:
39
+
38
40
39
41
---------------------------------------------
40
42
Prepare OPNsense for Caddy After Installation
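Review bot: The new `.. _prepare-opnsense-caddy:` label is placed correctly: a blank line separates it from the section overline, so Sphinx attaches it to the "Prepare OPNsense for Caddy After Installation" heading. One style point: this commit introduces a `-opnsense-caddy` suffix convention for labels; noting that convention once in the file (an rst comment near the first label is enough) would keep later labels consistent.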
@@ -88,7 +90,7 @@ FAQ
88
90
.. spacer::
89
91
* Firewall rules to allow Caddy to reach upstream destinations are not required. OPNsense has a default rule that allows all traffic originating from it to be allowed.
90
92
.. spacer::
91
-
* ACME Clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 challenge redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
93
+
* ACME Clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 Challenge Redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
92
94
.. spacer::
93
95
* When using Caddy with IPv6, the best choice is to have a GUA (Global Unicast Address) on the WAN interface, since otherwise the TLS-ALPN-01 challenge might fail.
94
96
.. spacer::
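Review bot: The trailing sentence on the new line 93, "Please check the tutorial section for an example", still sends the reader off without a link, although the rest of this commit converts such references to :ref: targets. Suggest adding a label to the HTTP-01 Challenge Redirection tutorial section and writing ``:ref:`tutorial section <label>``` here, matching the Prepare and Access List references introduced elsewhere in this change.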
@@ -105,7 +107,7 @@ FAQ
105
107
Caddy: Tutorials
106
108
================
107
109
108
-
.. Attention:: The tutorial section implies that `Prepare OPNsense for Caddy after installation` has been followed.
110
+
.. Attention:: The tutorial section implies that :ref:`Prepare OPNsense for Caddy after installation <prepare-opnsense-caddy>` has been followed.
109
111
.. Note:: Filling out `Description` fields is mandatory because they are used to display and reference items in forms and error messages.
110
112
111
113
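Review bot: The explicit link text on the new line 110, "Prepare OPNsense for Caddy after installation", does not match the casing of the section title it points to, "Prepare OPNsense for Caddy After Installation". Either drop the explicit text (``:ref:`prepare-opnsense-caddy``` renders the heading as-is) or copy the title verbatim, so the link and the heading read the same.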
@@ -148,6 +150,8 @@ Options Values
148
150
149
151
.. Note:: After just a few seconds the automatic certificate will be installed, check the Logfile.
150
152
153
+
.. _accesslist-opnsense-caddy:
154
+
151
155
152
156
-------------------------------
153
157
Restrict Access to Internal IPs
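Review bot: Label placement is fine (blank line before the overline). Since this is the section the WebUI tutorial later refers to for locking down access, a name that describes the section, for example `restrict-access-opnsense-caddy`, would be clearer in the source than `accesslist-opnsense-caddy`; not blocking.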
@@ -181,7 +185,7 @@ Options Values
181
185
182
186
* Press **Save** and **Apply**
183
187
184
-
Now, all connections not having a private IPv4 address will be served an empty page for the chosen domain. To outright refuse the connection, the option ``Abort Connections`` in `Services: Caddy Web Server: General Settings` should be additionally enabled.
188
+
Now, all connections not having a private IPv4 address will be served an empty page for the chosen domain. To outright refuse the connection, the option ``Abort Connections`` in :menuselection:`Services-->Caddy Web Server--> General Settings` should be additionally enabled.
185
189
186
190
.. Note:: Some applications might demand a HTTP Error code instead of having their connection aborted, an example could be monitoring systems. For these a custom ``HTTP Response Code`` can be enabled.
187
191
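Review bot: The new :menuselection: on line 188 has inconsistent spacing, `Services-->Caddy Web Server--> General Settings` (no spaces before the arrows, one stray space after the last arrow), whereas every other :menuselection: in this file uses ` --> ` with spaces on both sides (see the hunk headers further down). Suggest ``:menuselection:`Services --> Caddy Web Server --> General Settings``` so the source and the rendered separator match the rest of the document.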
@@ -202,7 +206,7 @@ Go to :menuselection:`Services --> Caddy Web Server --> General Settings --> Dyn
202
206
* Choose if `DynDns IP Version` should include IPv4 and/or IPv6.
203
207
* Press **Save**
204
208
205
-
Go to :menuselection:`Services --> Caddy Web Server --> Reverse Proxy –-> Domains`
209
+
Go to :menuselection:`Services --> Caddy Web Server --> Reverse Proxy --> Domains`
206
210
207
211
* Press **+** to create a new `Domain`. ``mydomain.duckdns.org`` is an example if `duckdns` is used as DNS Provider.
208
212
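Review bot: Good catch on line 205: the old text used an en dash (`–->`) in place of the hyphen, which Sphinx would not render as the :menuselection: arrow. Worth grepping the other how-tos for the same `–->` pattern, since editors that auto-convert dashes introduce it easily.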
@@ -226,7 +230,8 @@ Options Values
226
230
227
231
* Press **Save** and **Apply**
228
232
229
-
.. Tip:: Check the Logfile for the dynamic dns updates.
233
+
.. Tip:: Check the Logfile for the dynamic dns updates. Filter for the chosen domain.
234
+
.. Tip:: In addition to `Dynamic DNS`, the `DNS-01 Challenge` can also be selected.
230
235
231
236
232
237
---------------------------------
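Review bot: Casing is inconsistent between the two new tips: line 233 writes "dynamic dns" while line 234 writes `Dynamic DNS`, and the rest of this commit standardises on GUI label casing such as `DNS-01 Challenge`. The second tip also does not say what selecting the `DNS-01 Challenge` gives the reader in this Dynamic DNS context; a short clause on why one would enable it alongside Dynamic DNS would make the tip actionable.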
@@ -280,7 +285,7 @@ Go to :menuselection:`System --> Settings --> Administration`
280
285
* Press **Save**
281
286
282
287
.. Note:: Open ``https://opn.example.com`` and it should serve the reverse proxied OPNsense WebUI. Check the log file for errors if it does not work, most of the time the `TLS Server Name` doesn't match the SAN of the `TLS Trusted CA Certificate`. Caddy does not support certificates with only a CN `Common Name`.
283
-
.. Attention:: Create an `Access List` to restrict access to the WebUI.
288
+
.. Attention:: Create an :ref:`Access List <accesslist-opnsense-caddy>` to restrict access to the WebUI.
284
289
.. Tip:: The same approach can be used for any upstream destination using TLS and a self-signed certificate.
285
290
286
291
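Review bot: Ordering issue: the Note on line 287 tells the reader to open the domain and confirm that the OPNsense WebUI is served, and only the following Attention on line 288 says to create an Access List. Read in sequence, the WebUI is reachable from wherever the domain resolves until the access list is applied. Suggest moving the Attention (now a :ref:, which is good) above the Note, or stating that the access list should be in place before the domain is saved and applied.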
@@ -294,7 +299,7 @@ Sometimes an application behind Caddy uses its own ACME Client to get certificat
294
299
295
300
.. Attention:: It is mandatory that the domain in Caddy uses an ``empty port`` or ``443`` in the GUI, otherwise it can not use the TLS-ALPN-01 challenge for itself. The upstream destination has to listen on Port ``80`` and serve ``/.well-known/acme-challenge/``, for the same domain that is configured in Caddy.
296
301
297
-
Go to :menuselection:``Services - Caddy Web Server - Reverse Proxy - Domains``
302
+
Go to :menuselection:`Services --> Caddy Web Server --> Reverse Proxy --> Domains`
298
303
299
304
* Press **+** to create a new `Domain`
300
305
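Review bot: Correct fix on line 302: the old line wrapped the role content in double backticks (``:menuselection:``...`````), which does not parse as a role, and used single hyphens instead of `-->`. No further change needed here; a quick search of the file for other double-backtick role usages would be worthwhile.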
@@ -428,8 +433,8 @@ There are three methods that support XMLRPC sync:
428
433
.. Note:: These methods can be mixed, just make sure to use a coherent configuration. It is best to decide for one method. Only `Domains` need configuration, `Subdomains` do not need any configuration for HA.
429
434
430
435
* Using custom certificates from the OPNsense Trust store for all `Domains`.
431
-
* Using the `DNS-01 challenge` in the settings of `Domains`.
432
-
* Using the `HTTP-01 challenge redirection` option in the advanced settings of `Domains`.
436
+
* Using the `DNS-01 Challenge` in the settings of `Domains`.
437
+
* Using the `HTTP-01 Challenge Redirection` option in the advanced settings of `Domains`.
433
438
434
439
Since the `HTTP-01 Challenge Redirection` needs some additional steps to work, it should be set up as followed:
435
440
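Review bot: The context line 439, "it should be set up as followed", should read "as follows"; since this hunk already touches the surrounding list for casing, it is a cheap fix to include. The casing change itself (`DNS-01 Challenge`, `HTTP-01 Challenge Redirection`) is consistent with the FAQ hunk above.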
@@ -506,4 +511,4 @@ Using Custom Configuration Files
506
511
* ``*.global`` files will be imported into the global block of the Caddyfile.
507
512
* ``*.conf`` files will be imported at the end of the Caddyfile. Don't forget to test the custom configuration with ``caddy validate --config /usr/local/etc/caddy/Caddyfile``.
508
513
509
-
.. Note:: With these imports, the full potential of Caddy can be unlocked. The GUI options will remain focused on the reverse proxy. There is no community support for configurations that have not been created with the offered GUI.
514
+
.. Note:: With these imports, the full potential of Caddy can be unlocked. The GUI options will remain focused on the reverse proxy. There is no OPNsense community support for configurations that have not been created with the offered GUI. For customized configurations, the Caddy community is the right place to ask.
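Review bot: The new sentence on line 514, "For customized configurations, the Caddy community is the right place to ask", would be more useful with a link to where that community lives, otherwise the reader still has to search for it. Minor wording: since the preceding bullets describe the `*.global` and `*.conf` imports, "for custom import files" is more direct than "configurations that have not been created with the offered GUI".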
Go to :menuselection:`Firewall --> Settings --> Advanced`
165
-
Enable *Reflection for port forwards* to create automatic rules for all entries :menuselection:`Firewall --> NAT --> Port Forward` that have ``WAN`` as interface.
165
+
Enable *Reflection for port forwards* to create automatic rules for all entries :menuselection:`Firewall --> NAT --> Port Forward` that have ``WAN`` as interface.
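Review bot: The removed and added line 165 render identically ("Enable *Reflection for port forwards* ..."), so this appears to be a whitespace-only change. If that is intended (for example trailing whitespace), say so in the commit message; otherwise drop it so the diff is limited to the documented changes.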