You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: source/manual/how-tos/caddy.rst
+65-61Lines changed: 65 additions & 61 deletions
Original file line number
Diff line number
Diff line change
@@ -17,7 +17,7 @@ Main features of this plugin:
17
17
18
18
* Easy to configure and reliable! Reverse Proxy any HTTP/HTTPS or WebSocket application in minutes.
19
19
* Hard to break! Extensive validations of the configuration on each save and apply.
20
-
* Automatic Let's Encrypt and ZeroSSL Certificates with HTTP-01 and TLS-ALPN-01 challenge
20
+
* Automatic Let's Encrypt and ZeroSSL certificates with HTTP-01 and TLS-ALPN-01 challenge
21
21
* DNS-01 challenge and Dynamic DNS with supported DNS Providers built right in
22
22
* Use custom certificates from OPNsense certificate store
23
23
* Wildcard Domain and Subdomain support
@@ -42,11 +42,11 @@ Installation
42
42
Prepare OPNsense for Caddy After Installation
43
43
---------------------------------------------
44
44
45
-
.. Attention:: Caddy uses port `80` and `443`. So the OPNsense WebUI or other plugins can't bind to these ports.
45
+
.. Attention:: Caddy uses port `80` and `443`. So the OPNsense WebGUI or other plugins can't bind to these ports.
46
46
47
47
Go to :menuselection:`System --> Settings --> Administration`
48
48
49
-
* Change the `TCP Port` to `8443` (example), do not forget to adjust the firewall rules to allow access to the WebUI. On `LAN` there is a hidden `anti-lockout` rule that takes care of this automatically. On other interfaces, make sure to add explicit rules.
49
+
* Change the `TCP Port` to `8443` (example), do not forget to adjust the firewall rules to allow access to the WebGUI. On `LAN` there is a hidden `anti-lockout` rule that takes care of this automatically. On other interfaces, make sure to add explicit rules.
50
50
* Enable the checkbox for `HTTP Redirect - Disable web GUI redirect rule`.
51
51
52
52
Go to :menuselection:`Firewall --> Rules --> WAN`
@@ -84,19 +84,13 @@ Go to :menuselection:`Firewall --> Rules --> LAN` and create the same rules for
84
84
FAQ
85
85
---
86
86
87
-
* A `DNS Provider` is not required. With a static WAN IP, just skip the `DNS Provider` configuration and do not check the `DNS-01 challenge` and `Dynamic DNS` checkboxes. `Let's Encrypt` or `ZeroSSL` will work with `HTTP-01` (Port 80) or `TLS-ALPN-01` (Port 443) challenge automatically.
88
-
.. spacer::
89
-
* `Port Forwards`, `NAT Reflection`, `Split Horizon DNS` or `DNS Overrides` in Unbound are not required. Only create Firewall rules that allow traffic to the default ports of Caddy.
90
-
.. spacer::
91
-
* Firewall rules to allow Caddy to reach upstream destinations are not required. OPNsense has a default rule that allows all traffic originating from it to be allowed.
92
-
.. spacer::
93
-
* ACME Clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 Challenge Redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
94
-
.. spacer::
95
-
* When using Caddy with IPv6, the best choice is to have a GUA (Global Unicast Address) on the WAN interface, since otherwise the TLS-ALPN-01 challenge might fail.
96
-
.. spacer::
97
-
* `Let's Encrypt` or `ZeroSSL` can not be explicitely chosen. Caddy automatically issues one of these options, determined by speed and availability. These certificates can be found in ``/var/db/caddy/data/caddy/certificates``.
98
-
.. spacer::
99
-
* When an `Upstream Destination` only supports TLS connections, yet does not offer a valid certificate, enable ``TLS Insecure Skip Verify`` in a `Handler` to mitigate connection problems.
87
+
* | A `DNS Provider` is not required. With a static WAN IP, just skip the `DNS Provider` configuration and do not check the `DNS-01 challenge` and `Dynamic DNS` checkboxes. `Let's Encrypt` or `ZeroSSL` will work with `HTTP-01` (Port 80) or `TLS-ALPN-01` (Port 443) challenge automatically.
88
+
* | `Port Forwards`, `NAT Reflection`, `Split Horizon DNS` or `DNS Overrides` in Unbound are not required. Only create Firewall rules that allow traffic to the default ports of Caddy.
89
+
* | Firewall rules to allow Caddy to reach upstream destinations are not required. OPNsense has a default rule that allows all traffic originating from it to be allowed.
90
+
* | ACME Clients on reverse proxied upstream destinations will not be able to issue certificates. Caddy intercepts ``/.well-known/acme-challenge``. This can be solved by using the `HTTP-01 Challenge Redirection` option in the advanced mode of domains. Please check the tutorial section for an example.
91
+
* | When using Caddy with IPv6, the best choice is to have a GUA (Global Unicast Address) on the WAN interface, since otherwise the TLS-ALPN-01 challenge might fail.
92
+
* | `Let's Encrypt` or `ZeroSSL` can not be explicitely chosen. Caddy automatically issues one of these options, determined by speed and availability. These certificates can be found in ``/var/db/caddy/data/caddy/certificates``.
93
+
* | When an `Upstream Destination` only supports TLS connections, yet does not offer a valid certificate, enable ``TLS Insecure Skip Verify`` in a `Handler` to mitigate connection problems.
100
94
101
95
.. Attention:: There is no TCP/UDP stream and WAF (Web Application Firewall) support in this plugin. For a business grade Reverse Proxy with WAF functionality, use ``os-OPNWAF``. For TCP/UDP streaming, use either ``os-nginx`` or ``os-haproxy``.
102
96
@@ -119,36 +113,43 @@ Creating a Simple Reverse Proxy
119
113
120
114
Go to :menuselection:`Services --> Caddy Web Server --> General Settings`
121
115
122
-
* Check **enabled**
123
-
* Input a valid Email address into the `Acme Email` field. This is mandatory to receive automatic `Let's Encrypt` and `ZeroSSL` certificates.
116
+
* Check **enabled** to enable Caddy
117
+
* Input a valid email address into the `Acme Email` field. This is mandatory to receive automatic `Let's Encrypt` and `ZeroSSL` certificates.
124
118
* Press **Save**
125
119
126
120
Go to :menuselection:`Services --> Caddy Web Server --> Reverse Proxy --> Domains`
127
121
128
-
* Press **+** to create a new `Domain`
122
+
* Press **+** to create a new `Domain`, this will be the frontend that receives the traffic for the chosen domain name.
.. Note:: After just a few seconds the automatic certificate will be installed, check the Logfile.
150
+
.. Note:: After just a few seconds the automatic certificate will be installed, check the Logfile. Now the frontend domain ``foo.example.com`` receives all requests on Port 80 and 443, and reverse proxies these requests to the upstream destination ``192.168.10.1:80``
151
+
152
+
.. Tip:: `TLS Insecure Skip Verify` can be used in private networks. If the upstream destination is in an insecure network, like the internet or a dmz, consider using proper :ref:`certificate handling <webgui-opnsense-caddy>`.
152
153
153
154
.. _accesslist-opnsense-caddy:
154
155
@@ -256,22 +257,26 @@ Go to :menuselection:`Services --> Caddy Web Server --> Reverse Proxy --> Handle
256
257
257
258
.. Tip:: If in doubt, do not use subdomains. If there should be ``foo.example.com``, ``bar.example.com`` and ``example.com``, just create them as three base domains. This way, there is the most flexibility, and the most features are supported.
258
259
260
+
.. _webgui-opnsense-caddy:
259
261
260
-
--------------------------------
261
-
Reverse Proxy the OPNsense WebUI
262
-
--------------------------------
263
262
264
-
* Open the OPNsense WebUI in a Browser (e.g. Chrome or Firefox). Inspect the certificate by clicking on the 🔒 in the address bar. Copy the SAN for later use. It can be a hostname, for example ``OPNsense.localdomain``.
265
-
* Save the certificate as ``.pem`` file. Open it up with a text editor, and copy the contents into a new entry in :menuselection:`System --> Trust --> Authorities`. Name the certificate ``opnsense-selfsigned``.
266
-
* Add a new `Domain` in Caddy, for example ``opn.example.com``.
267
-
* Add a new `Handler` with the following options:
263
+
---------------------------------
264
+
Reverse Proxy the OPNsense WebGUI
265
+
---------------------------------
266
+
267
+
.. Tip:: The same approach can be used for any upstream destination using TLS and a self-signed certificate.
268
+
269
+
* | Open the OPNsense WebGUI in a browser (e.g. Chrome or Firefox). Inspect the certificate by clicking on the 🔒 in the address bar. Copy the SAN for later use. It can be a hostname, for example ``OPNsense.localdomain``.
270
+
* | Save the certificate as ``.pem`` file. Open it up with a text editor, and copy the contents into a new entry in :menuselection:`System --> Trust --> Authorities`. Name the certificate ``opnsense-selfsigned``.
271
+
* | Add a new `Domain` in Caddy, for example ``opn.example.com``.
272
+
* | Add a new `Handler` with the following options:
**TLS Trusted CA Certificates:** ``opnsense-selfsigned``
277
282
**TLS Server Name:** ``OPNsense.localdomain``
@@ -284,9 +289,8 @@ Go to :menuselection:`System --> Settings --> Administration`
284
289
* Input ``opn.example.com`` in `Alternate Hostnames` to prevent the error ``The HTTP_REFERER "https://opn.example.com/" does not match the predefined settings``
285
290
* Press **Save**
286
291
287
-
.. Note:: Open ``https://opn.example.com`` and it should serve the reverse proxied OPNsense WebUI. Check the log file for errors if it does not work, most of the time the `TLS Server Name` doesn't match the SAN of the `TLS Trusted CA Certificate`. Caddy does not support certificates with only a CN `Common Name`.
288
-
.. Attention:: Create an :ref:`Access List <accesslist-opnsense-caddy>` to restrict access to the WebUI.
289
-
.. Tip:: The same approach can be used for any upstream destination using TLS and a self-signed certificate.
292
+
.. Note:: Open ``https://opn.example.com`` and it should serve the reverse proxied OPNsense WebGUI. Check the log file for errors if it does not work, most of the time the `TLS Server Name` doesn't match the SAN of the `TLS Trusted CA Certificate`. Caddy does not support certificates with only a CN `Common Name`.
293
+
.. Attention:: Create an :ref:`Access List <accesslist-opnsense-caddy>` to restrict access to the WebGUI.
290
294
291
295
292
296
-------------------------------
@@ -417,7 +421,7 @@ Next, connect to the OPNsense via SSH or console, go into the shell with Option
417
421
labels:
418
422
type: caddy
419
423
420
-
* Go into the OPNsense WebUI and restart CrowdSec.
424
+
* Go into the OPNsense WebGUI and restart CrowdSec.
421
425
422
426
423
427
----------------------------------
@@ -432,16 +436,16 @@ There are three methods that support XMLRPC sync:
432
436
433
437
.. Note:: These methods can be mixed, just make sure to use a coherent configuration. It is best to decide for one method. Only `Domains` need configuration, `Subdomains` do not need any configuration for HA.
434
438
435
-
* Using custom certificates from the OPNsense Trust store for all `Domains`.
436
-
* Using the `DNS-01 Challenge` in the settings of `Domains`.
437
-
* Using the `HTTP-01 Challenge Redirection` option in the advanced settings of `Domains`.
439
+
#. Using custom certificates from the OPNsense Trust store for all `Domains`.
440
+
#. Using the `DNS-01 Challenge` in the settings of `Domains`.
441
+
#. Using the `HTTP-01 Challenge Redirection` option in the advanced settings of `Domains`.
438
442
439
443
Since the `HTTP-01 Challenge Redirection` needs some additional steps to work, it should be set up as followed:
440
444
441
-
* Configure Caddy on the master OPNsense until the whole initial configuration is completed.
442
-
* On the master OPNsense, select each `Domain`, and set the IP Address in `HTTP-01 Challenge Redirection` to the same value as in `Synchronize Config to IP` found in :menuselection:`System --> High Availability --> Settings`.
443
-
* Create a new Firewall rule on the master OPNsense that allows Port ``80`` and ``443`` to ``This Firewall`` on the interface that has the prior selected IP Address (most likely a LAN or VLAN interface).
444
-
* Sync this configuration with XMLRPC sync.
445
+
* | Configure Caddy on the master OPNsense until the whole initial configuration is completed.
446
+
* | On the master OPNsense, select each `Domain`, and set the IP Address in `HTTP-01 Challenge Redirection` to the same value as in `Synchronize Config to IP` found in :menuselection:`System --> High Availability --> Settings`.
447
+
* | Create a new Firewall rule on the master OPNsense that allows Port ``80`` and ``443`` to ``This Firewall`` on the interface that has the prior selected IP Address (most likely a LAN or VLAN interface).
448
+
* | Sync this configuration with XMLRPC sync.
445
449
446
450
.. Note:: Now both Caddy instances will be able to issue ACME certificates at the same time. Caddy on the master OPNsense uses the TLS-ALPN-01 challenge for itself and reverse proxies the HTTP-01 challenge to the Caddy of the backup OPNsense. Please make sure, that the master and backup OPNsense are both listening on their WAN and LAN (or VLAN) interfaces on port ``80`` and ``443``, since both ports are required for these challenges to work.
447
451
@@ -482,23 +486,23 @@ Now the ``reverse_proxy`` debug logs will be visible and can be downloaded.
482
486
483
487
Go to :menuselection:`Services --> Caddy Web Server --> Diagnostics --> Caddyfile`
484
488
485
-
* Press the `Validate Caddyfile` button to make sure the current Caddyfile is valid.
486
-
* Press the `Download` button to get this current Caddyfile.
487
-
* If there are custom imports in ``/usr/local/etc/caddy/caddy.d/``, download the JSON configuration.
489
+
* | Press the `Validate Caddyfile` button to make sure the current Caddyfile is valid.
490
+
* | Press the `Download` button to get this current Caddyfile.
491
+
* | If there are custom imports in ``/usr/local/etc/caddy/caddy.d/``, download the JSON configuration.
488
492
489
493
.. Note:: Rarely, a performance profile might be requested. For this, a special admin endpoint can be activated.
490
494
491
495
.. Attention:: This admin endpoint is deactivated by default. To enable it and access it on the OPNsense, follow these additional steps. Do not forget to deactivate it after use. Anybody with network access to the admin endpoint can use REST API to change the running configuration of Caddy, without authentication.
492
496
493
-
* SSH into the OPNsense shell
494
-
* Stop Caddy with ``configctl caddy stop``
495
-
* Go to ``/usr/local/etc/caddy/caddy.d/``
496
-
* Create a new file called ``admin.global`` and put the following content into it: ``admin :2019``
497
-
* After saving the file, go to ``/usr/local/etc/caddy`` and run ``caddy validate`` to ensure the configuration is valid.
498
-
* Start Caddy with ``configctl caddy start``
499
-
* Use sockstat to see if the admin endpoint has been created. ``sockstat -l | grep -i caddy`` - it should show the endpoint ``*:2019``.
500
-
* Create a firewall rule on ``LAN`` that allows ``TCP`` to destination ``This Firewall`` and destination port ``2019``.
501
-
* Open the admin endpoint: ``http://YOUR_LAN_IP:2019/debug/pprof/``
497
+
* | SSH into the OPNsense shell
498
+
* | Stop Caddy with ``configctl caddy stop``
499
+
* | Go to ``/usr/local/etc/caddy/caddy.d/``
500
+
* | Create a new file called ``admin.global`` and put the following content into it: ``admin :2019``
501
+
* | After saving the file, go to ``/usr/local/etc/caddy`` and run ``caddy validate`` to ensure the configuration is valid.
502
+
* | Start Caddy with ``configctl caddy start``
503
+
* | Use sockstat to see if the admin endpoint has been created. ``sockstat -l | grep -i caddy`` - it should show the endpoint ``*:2019``.
504
+
* | Create a firewall rule on ``LAN`` that allows ``TCP`` to destination ``This Firewall`` and destination port ``2019``.
505
+
* | Open the admin endpoint: ``http://YOUR_LAN_IP:2019/debug/pprof/``
502
506
503
507
.. Note:: Follow the instructions on https://caddyserver.com/docs/profiling how to debug and profile Caddy.
504
508
@@ -507,8 +511,8 @@ Go to :menuselection:`Services --> Caddy Web Server --> Diagnostics --> Caddyfil
507
511
Using Custom Configuration Files
508
512
--------------------------------
509
513
510
-
* The Caddyfile has an additional import from the path ``/usr/local/etc/caddy/caddy.d/``. Place custom configuration files inside that adhere to the Caddyfile syntax.
511
-
* ``*.global`` files will be imported into the global block of the Caddyfile.
512
-
* ``*.conf`` files will be imported at the end of the Caddyfile. Don't forget to test the custom configuration with ``caddy validate --config /usr/local/etc/caddy/Caddyfile``.
514
+
* | The Caddyfile has an additional import from the path ``/usr/local/etc/caddy/caddy.d/``. Place custom configuration files inside that adhere to the Caddyfile syntax.
515
+
* | ``*.global`` files will be imported into the global block of the Caddyfile.
516
+
* | ``*.conf`` files will be imported at the end of the Caddyfile. Don't forget to test the custom configuration with ``caddy validate --config /usr/local/etc/caddy/Caddyfile``.
513
517
514
518
.. Note:: With these imports, the full potential of Caddy can be unlocked. The GUI options will remain focused on the reverse proxy. There is no OPNsense community support for configurations that have not been created with the offered GUI. For customized configurations, the Caddy community is the right place to ask.
0 commit comments