There has to be an option to set a certificate on handles, since Caddy doesn't allow "ignore certificate checks" anymore. If the backend server has a self-signed certificate, that certificate has to be imported into the OPNsense Trust store and must then be selectable in the handle.
Right now this is possible (SSL Termination):
Internet <--HTTPS--> Caddy <--HTTP--> Backend Server
But this isn't possible:
Internet <--HTTPS--> Caddy <--HTTPS--> Backend Server
Example:
```caddyfile
# Example domain with backend HTTPS:
foo.bar.example.com {
	handle {
		reverse_proxy 192.168.1.1 {
			transport http {
				tls
				tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/32423423.pem
			}
		}
	}
}

## Example subdomain with backend HTTPS:
*.example.com:443 {
	tls {
		dns cloudflare 1484053787dJQB8vP1q0yc5ZEBnH6JGS4d3mBmvIeMrnnxFi3WtJdF
	}
	# Catch-all handle for every subdomain not matched below
	handle {
		reverse_proxy 192.168.1.1:443 {
			transport http {
				tls
				tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/32423423.pem
			}
		}
	}
	# Named matcher for one specific subdomain, with a path-specific and a fallback handle
	@4c087454-ee7e-462d-a603-e58eee82a2b7 host foo.example.com
	handle @4c087454-ee7e-462d-a603-e58eee82a2b7 {
		handle /owa/* {
			reverse_proxy 192.168.1.1:8443 {
				transport http {
					tls
					tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/32423423.pem
				}
			}
		}
		handle {
			reverse_proxy 192.168.1.1:443 {
				transport http {
					tls
					tls_trusted_ca_certs /usr/local/etc/caddy/certificates/temp/32423423.pem
				}
			}
		}
	}
}
```
[x] These self-signed certificates or CA certificates have to be imported into "System: Trust: Authorities".
[x] The caddy_certificates.sh script has to write them into a temp folder, named by their caref.
[x] The handle needs a certificate field where a CA certificate can be chosen.
[x] The handle needs a boolean field where TLS can be enabled or disabled.
[x] The Caddyfile template has to implement this option as an additional nesting inside the normal domains and the subdomains.
Originally posted by @Monviech in https://github.com/Monviech/os-caddy-plugin/issues/36#issuecomment-1860190723