mimugmail / opn-repo

OPNsense repo by mimugmail

Caddy Plugin - Some basic guidelines, basic usage help/instruction #189

Closed gspannu closed 4 months ago

gspannu commented 7 months ago

I have just installed Caddy Plugin on OPNsense (version 23.7.9-amd64)

I am struggling to get the basic setup working, as in the ability to define the basic Caddy file.

Could anyone assist in providing the contents of the Caddyfile that would do the following?

1) Use Cloudflare DNS challenge for certs (as I own my own domain name)
2) Reverse proxy my subdomain to a local address.

I am trying something like this... but no luck.

(wildcard_cert) {
    tls {
    dns cloudflare xyzabcxyzabc123456789xyzabcabczyx123 #(api_token_value)
    }
}

mysub1.mydomain.com {
    import wildcard_cert
    proxy / 192.168.1.110:8000 {
        websocket
        transparent
    }
}

mysub2.mydomain.com {
    import wildcard_cert
    proxy / 192.168.1.63:8000 {
        websocket
        transparent
    }
}

Could someone correct my file above?

In addition, is there a way to not use the plugin GUI to paste the Caddyfile, or is that the only way to create the Caddyfile? Any method, where the GUI contents can be ignored, and the Caddyfile (/usr/local/etc/caddy/Caddyfile) be edited directly (and does not get overwritten)?

mihakralj commented 7 months ago

Your config is for Caddy 1.0 and you are probably using Caddy 2.0. Try this config instead of yours, it should do what you are asking for:

{
    acme_dns cloudflare <CLOUDFLARE_API_TOKEN>
}

mysub1.mydomain.com {
    reverse_proxy 192.168.1.110:8000 {
        header_up Host {http.reverse_proxy.upstream.hostport}
        header_up X-Real-IP {http.request.remote}
        header_up X-Forwarded-For {http.request.remote}
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Forwarded-Proto {http.request.scheme}
    }
    tls {
        dns cloudflare <CLOUDFLARE_API_TOKEN>
    }
}

mysub2.mydomain.com {
    reverse_proxy 192.168.1.63:8000 {
        header_up Host {http.reverse_proxy.upstream.hostport}
        header_up X-Real-IP {http.request.remote}
        header_up X-Forwarded-For {http.request.remote}
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Forwarded-Proto {http.request.scheme}
    }
    tls {
        dns cloudflare <CLOUDFLARE_API_TOKEN>
    }
}

acme_dns cloudflare configures Caddy to use Cloudflare's API to automatically obtain and renew TLS certificates from Let's Encrypt.

mysub1.mydomain.com defines a server block for that subdomain:

gspannu commented 7 months ago

I managed to find a solution that works with wild card certs too...

*.mydomain.com {
    tls {
        dns cloudflare <CLOUDFLARE_API_TOKEN>
    }

  # ----------------------------------------- #  

    @sub1 host mysub1.mydomain.com
    handle @sub1 {
        reverse_proxy 192.168.1.110:8000 {
            header_up Host {http.reverse_proxy.upstream.hostport}
            header_up X-Real-IP {http.request.remote}
            header_up X-Forwarded-For {http.request.remote}
            header_up X-Forwarded-Port {http.request.port}
            header_up X-Forwarded-Proto {http.request.scheme}    
        }
    }

  # ----------------------------------------- #  

    @sub2 host mysub2.mydomain.com
    handle @sub2 {
        reverse_proxy 192.168.1.63:8000 {
            transport http {
                tls
                tls_insecure_skip_verify
            }
        }
    }

    @sub3 host mysub3.mydomain.com
    handle @sub3 {
        reverse_proxy localhost:8444
    }

  # ----------------------------------------- #   

    # Fallback for unhandled domains
    handle {
        respond "      - - - This subdomain is undefined - - -      "
    }
}

I also had to fix another issue.... as the caddy binary included in the plugin is not compiled with the Cloudflare module. So I had to get a FreeBSD (amd64) version and replace the binary installed by the plugin.

.... Got it working .... 👍

mihakralj commented 7 months ago

Which version of caddy is required for Cloudflare? I see 2.7.5 in FreeBSD repo, mimugmail repo and in my repo - all the same build. Where do you get a flavor for Cloudflare?

gspannu commented 7 months ago

Go to the Caddy server website to download your appropriate version.

For mine, I selected (Platform: FreeBSD amd64 and Plugin: Cloudflare) .... see screenshot below. Then click 'Download' to obtain your binary.

[Screenshot 2023-11-25 at 11 10 56 am: Caddy download page]

You may then execute the command caddy list-modules on your original and downloaded executable to compare the modules included in the 2 versions.

1) I then simply overwrote the plugin version (/usr/local/bin/caddy) with my downloaded version.
2) Gave it proper ownership (root using chown) and made it executable (chmod a+x)
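The binary swap described in the last two comments, written out as an added example (not code from the thread or from the opn-repo project): it automates the `caddy list-modules` comparison, refuses to install a binary that does not actually contain the Cloudflare DNS module, and keeps the plugin's packaged binary as a backup so the swap can be reverted. The paths are the ones named in the thread; the module ID `dns.providers.cloudflare` is what the caddy-dns/cloudflare plugin registers as, and `/tmp/caddy-cloudflare` as the name of the downloaded file is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): install a downloaded Caddy binary in
# place of the plugin's /usr/local/bin/caddy only after confirming that it
# carries the Cloudflare DNS module, and keep a backup of the packaged one.
set -eu

# Module ID that `caddy list-modules` prints for the caddy-dns/cloudflare plugin.
CF_MODULE="dns.providers.cloudflare"

# has_module BIN MODULE: succeeds if `BIN list-modules` lists MODULE.
# list-modules prints one module ID per line, followed by indented summary
# lines, so the match is on the first field only.
has_module() {
    "$1" list-modules 2>/dev/null |
        awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# module_diff OLD NEW: print module IDs present in NEW but missing from OLD,
# i.e. the comparison of the two binaries described above. Indented summary
# lines ("  Standard modules: N") are dropped before comparing.
module_diff() {
    old_list=$(mktemp); new_list=$(mktemp)
    "$1" list-modules 2>/dev/null | awk '/^[^[:space:]]/ { print $1 }' | sort -u >"$old_list"
    "$2" list-modules 2>/dev/null | awk '/^[^[:space:]]/ { print $1 }' | sort -u >"$new_list"
    comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# install_caddy NEW DEST: refuse unless NEW has the Cloudflare module, copy
# the current DEST to DEST.orig, then install NEW as DEST with mode 0755.
# Run as root on the firewall so the installed file is owned by root.
install_caddy() {
    new="$1"; dest="$2"
    if ! has_module "$new" "$CF_MODULE"; then
        echo "refusing to install $new: $CF_MODULE is not built in" >&2
        return 1
    fi
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.orig"      # backup so the swap can be reverted
    fi
    install -m 0755 "$new" "$dest"
    # Before restarting the service, check the Caddyfile against the new binary:
    #   "$dest" validate --config /usr/local/etc/caddy/Caddyfile
}

# Typical use on OPNsense (the downloaded file name is an assumption):
#   module_diff /usr/local/bin/caddy /tmp/caddy-cloudflare
#   install_caddy /tmp/caddy-cloudflare /usr/local/bin/caddy
```

Because the plugin's package manager does not know about the replaced file, a later plugin update will reinstall the stock binary; re-running `install_caddy` after an update restores the Cloudflare-capable build, and `module_diff` makes it obvious when that has happened.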