netbirdio / netbird

Connect your devices into a single secure private WireGuard®-based mesh network with SSO/MFA and simple access controls.
https://netbird.io
BSD 3-Clause "New" or "Revised" License

Caddy Reverse Proxy Config #1953

Open pomology opened 2 months ago

pomology commented 2 months ago

Is there a Caddy reverse-proxy template available? It would be extremely helpful to have one. Thank you!

CrimsonFez commented 1 month ago

There isn't. However, you can look in infrastructure_files/getting-started-with-zitadel.sh for an example.

I've modified it for my own usage:

netbird.example.net {
    reverse_proxy /* netbird-dash:80
    reverse_proxy /signalexchange.SignalExchange/* h2c://netbird-signal
    reverse_proxy /api/* netbird-mgmt
    reverse_proxy /management.ManagementService/* h2c://netbird-mgmt
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}
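
An added check (not code from the thread, NetBird or Caddy) that lints the `header` block above, which is reused later in the thread as the `security_headers` snippet: it parses the directives and reports HSTS settings that browsers' preload lists will not accept, with the block text embedded as constructed sample input.

```python
import re
# Constructed sample: the `header` block posted in this thread.
CADDYFILE = """\
(security_headers) {
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}
"""
PRELOAD_MIN_AGE = 31536000  # hstspreload.org requires max-age of at least one year

def parse_header_block(text):
    """Return (headers set, header names removed) from the first `header` block."""
    m = re.search(r"header\s+\S+\s*\{(.*?)\n\s*\}", text, re.S)
    if not m:
        raise ValueError("no header block found")
    headers, removed = {}, set()
    for line in filter(None, map(str.strip, m.group(1).splitlines())):
        if line.startswith("-"):  # `-Name` deletes a response header
            removed.add(line[1:])
        else:
            name, _, value = line.partition(" ")
            headers[name] = value.strip().strip('"')
    return headers, removed

def hsts_problems(value):
    """Reasons a Strict-Transport-Security value would be rejected for preloading."""
    directives = dict(t.strip().lower().partition("=")[::2]
                      for t in value.split(";") if t.strip())
    if "preload" not in directives:
        return []
    problems = []
    max_age = int(directives.get("max-age") or 0)
    if max_age < PRELOAD_MIN_AGE:
        problems.append(f"preload requires max-age>={PRELOAD_MIN_AGE}, got {max_age}")
    if "includesubdomains" not in directives:
        problems.append("preload requires includeSubDomains")
    return problems

def lint(text):
    headers, removed = parse_header_block(text)
    findings = hsts_problems(headers.get("Strict-Transport-Security", ""))
    if "Server" not in removed:
        findings.append("Server header is not removed (-Server)")
    return findings
```

On this block it reports that `preload` is combined with `max-age=3600`, far below the one-year minimum the preload list requires.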

pomology commented 1 month ago

Thank you so much for pointing out that helpful source!

So then, the docker-compose.yml file would need this section added under "services":

  caddy:
    image: caddy
    restart: unless-stopped
    networks: [ netbird ]
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile

And under "volumes" add:

netbird_caddy_data:

Besides that, are there any other config changes you made for caddy to work?

Thank you so much for your help! I really appreciate your input.

sfnemis commented 1 month ago

Is this conf working with Caddy?

pomology commented 1 month ago

@sfnemis As far as the Compose file goes, yes, that works with Caddy. I've pasted my sanitized Compose file below. I also pasted the Caddyfile config I'm using. Everything is working with this setup, except that all my peers are getting an identical private IP set as their "Public IP" (like 10.89.1.53). I'm not sure why, and I have an open bug submission here on it. Anyway, here's what I've got so far! I'll post again when we get the IP issue figured out.

Here is my Caddyfile, from NetBird's default configs:

{
  debug
  servers :80,:443 {
    protocols h1 h2c
  }
}

(security_headers) {
    header * {
        Strict-Transport-Security "max-age=3600; includeSubDomains; preload"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        X-XSS-Protection "1; mode=block"
        -Server
        Referrer-Policy strict-origin-when-cross-origin
    }
}

:80, REDACTED.REDACTED.com:443 {
    import security_headers
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
    reverse_proxy /api/* management:80
    reverse_proxy /management.ManagementService/* h2c://management:80
    reverse_proxy /* dashboard:80
}

And here's my compose.yml, again just built on NetBird's default:

version: "3"
services:
  # Caddy reverse proxy
  caddy:
    image: caddy:latest
    restart: unless-stopped
    networks:
      - netbird
    ports:
      - '443:443'
      - '80:80'
    volumes:
      - netbird_caddy_data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile

  # UI dashboard
  dashboard:
    image: netbirdio/dashboard:latest
    restart: unless-stopped
    networks:
      - netbird
    environment:
      # Endpoints
      - NETBIRD_MGMT_API_ENDPOINT=https://REDACTED.REDACTED.com:443
      - NETBIRD_MGMT_GRPC_API_ENDPOINT=https://REDACTED.REDACTED.com:443
      # OIDC
      - AUTH_AUDIENCE=REDACTED
      - AUTH_CLIENT_ID=REDACTED
      - AUTH_CLIENT_SECRET=
      - AUTH_AUTHORITY=https://REDACTED.okta.com
      - USE_AUTH0=false
      - AUTH_SUPPORTED_SCOPES=openid profile email
      - AUTH_REDIRECT_URI=/auth
      - AUTH_SILENT_REDIRECT_URI=/silent-auth
      - NETBIRD_TOKEN_SOURCE=idToken

  # Signal
  signal:
    image: netbirdio/signal:latest
    restart: unless-stopped
    networks:
      - netbird

  # Management
  management:
    image: netbirdio/management:latest
    restart: unless-stopped
    networks:
      - netbird
    depends_on:
      - dashboard
    volumes:
      - netbird-mgmt:/var/lib/netbird
      - ./management.json:/etc/netbird/management.json
    command: [
      "--port", "80",
      "--log-file", "console",
      "--log-level", "info",
      "--disable-anonymous-metrics=false",
      "--single-account-mode-domain=REDACTED.REDACTED.com",
      "--dns-domain=netbird.selfhosted",
      "--idp-sign-key-refresh-enabled"
    ]

  # Coturn
  coturn:
    image: coturn/coturn:latest
    restart: unless-stopped
    domainname: REDACTED.REDACTED.com
    volumes:
      - ./turnserver.conf:/etc/turnserver.conf:ro
    network_mode: host
    command:
      - -c /etc/turnserver.conf

volumes:
  netbird-mgmt:
  netbird_caddy_data:

networks:
  netbird:

ndziuba commented 1 month ago

Maybe it helps somebody: using Azure AD as IdP and the Safari browser, I got the error AADSTS50011: The reply url specified in the request does not match the reply, because Safari calls /auth using http. I added a rule catching all http requests and redirecting /auth to https manually, and also needed to do the same for the dashboard, otherwise the screen would just be blank.

http://<YOUR_DOMAIN> {
    @http protocol http

    handle_path /auth {
        redir @http https://{host}{uri} html
    }

    handle_path / {
        redir @http https://{host}{uri}
    }
}

:80, :443 {
    import security_headers
    reverse_proxy /signalexchange.SignalExchange/* h2c://signal:10000
    reverse_proxy /api/* management:80
    reverse_proxy /management.ManagementService/* h2c://management:80
    reverse_proxy /* dashboard:80
}