Caddy: Reverse Proxy¶

Submitted by Style Pass, 2024-05-30 03:00:07

Index
- Caddy: Reverse Proxy
  - Features
  - Installation
  - Prepare OPNsense for Caddy After Installation
  - FAQ
- Caddy: Tutorials
  - Creating a Simple Reverse Proxy
  - Restrict Access to Internal IPs
  - Using Dynamic DNS
  - Creating a Wildcard Reverse Proxy
  - Reverse Proxy the OPNsense WebUI
  - Redirect ACME HTTP-01 Challenge
  - Reverse Proxy to a Webserver with Vhosts
  - Integrating Caddy with CrowdSec
  - Caddy and High Availability Setups
  - Keeping Track of Large Configurations
  - Advanced Troubleshooting
  - Using Custom Configuration Files

Features¶

Reverse proxy HTTP, HTTPS, FastCGI (usually PHP), WebSockets, gRPC, and more!

WWW: https://caddyserver.com/

Main features of this plugin:
- Easy to configure and reliable! Reverse proxy any HTTP/HTTPS or WebSocket application in minutes.
- Hard to break! Extensive validation of the configuration on each save and apply.
- Automatic Let’s Encrypt and ZeroSSL certificates with the HTTP-01 and TLS-ALPN-01 challenges
- DNS-01 challenge and Dynamic DNS with supported DNS providers built right in
- Use custom certificates from the OPNsense certificate store
- Wildcard domain and subdomain support
- Access Lists to restrict access based on static networks
- Basic Auth to restrict access by username and password
- Syslog-ng integration and HTTP access log
- NTLM transport
- Header manipulation
- Simple load balancing with passive health checks

Installation¶

Install “os-caddy” from the OPNsense plugins.

Prepare OPNsense for Caddy After Installation¶

Attention: Caddy binds to ports 80 and 443, so the OPNsense WebUI and other plugins can no longer listen on these ports.

- Go to System ‣ Settings ‣ Administration.
- Change the TCP Port to 8443 (example). Do not forget to adjust the firewall rules to allow access to the WebUI: on LAN a hidden anti-lockout rule takes care of this automatically, on other interfaces explicit rules must be added.
- Enable the checkbox HTTP Redirect - Disable web GUI redirect rule.
- Go to Firewall ‣ Rules ‣ WAN and create firewall rules that allow HTTP and HTTPS to destination This Firewall:

  Option                   Value
  Interface                WAN
  TCP/IP Version           IPv4+IPv6
  Protocol                 TCP
  Source                   Any
  Destination              This Firewall
  Destination port range   from: HTTP to: HTTP
  Description              Caddy Reverse Proxy HTTP

  Option                   Value
  Interface                WAN
  TCP/IP Version           IPv4+IPv6
  Protocol                 TCP/UDP (UDP 443 is used by HTTP/3)
  Source                   Any
  Destination              This Firewall
  Destination port range   from: HTTPS to: HTTPS
  Description              Caddy Reverse Proxy HTTPS

- Go to Firewall ‣ Rules ‣ LAN and create the same rules for the LAN interface.

Now external and internal clients can connect to Caddy, and Let’s Encrypt or ZeroSSL certificates will be issued automatically.

FAQ¶

- A DNS provider is not required. With a static WAN IP, just skip the DNS provider configuration and do not check the DNS-01 challenge and Dynamic DNS checkboxes. Let’s Encrypt or ZeroSSL will work with the HTTP-01 (port 80) or TLS-ALPN-01 (port 443) challenge automatically.
- Port forwards, NAT reflection, split-horizon DNS or DNS overrides in Unbound are not required. Only create firewall rules that allow traffic to the default ports of Caddy.
- Firewall rules to allow Caddy to reach upstream destinations are not required. OPNsense has a default rule that allows all traffic originating from the firewall itself.
- ACME clients on reverse proxied upstream destinations will not be able to issue certificates, because Caddy intercepts /.well-known/acme-challenge. This can be solved with the HTTP-01 Challenge Redirection option in the advanced mode of domains. Please check the tutorial section for an example.
- When using Caddy with IPv6, the best choice is to have a GUA (Global Unicast Address) on the WAN interface, since otherwise the TLS-ALPN-01 challenge might fail.
- Let’s Encrypt or ZeroSSL cannot be chosen explicitly. Caddy automatically picks one of them, determined by speed and availability. The issued certificates can be found in /var/db/caddy/data/caddy/certificates.
- When an upstream destination only supports TLS connections but does not offer a valid certificate, enable TLS Insecure Skip Verify in a Handler to mitigate connection problems. Be aware that this disables verification of the upstream certificate entirely: Caddy will accept any certificate, so the hop between Caddy and the upstream is no longer protected against a spoofed upstream. Use it only for upstreams on a network you trust.

Attention: There is no TCP/UDP stream and WAF (Web Application Firewall) support in this plugin. For a business grade reverse proxy with WAF functionality, use os-OPNWAF. For TCP/UDP streaming, use either os-nginx or os-haproxy.

Tip: As an alternative to a WAF, it is simple to integrate Caddy with CrowdSec. Check the tutorial section for guidance.
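The following Caddyfile is an added example; it is not configuration generated by the os-caddy plugin and it is not taken from the OPNsense documentation. It shows, as plain Caddy directives, the plugin features listed under Features (access list, basic auth, header manipulation, load balancing with passive health checks) together with the two FAQ items about the HTTP-01 challenge redirection and TLS Insecure Skip Verify, with the weak upstream TLS setting placed next to its hardened form. All hostnames, upstream addresses, networks and the CA file path are assumptions, and so is the mapping from the plugin's WebUI options onto these directives.

```caddyfile
# Added example, not the plugin's generated Caddyfile. Assumed names:
# app.example.com, acme.example.com, backend.example.com, the 10.0.0.x
# upstreams, the access-list networks and the CA file path.

# Access list, basic auth, header manipulation and load balancing with
# passive health checks in front of two identical upstreams.
app.example.com {
    # Access list: only these (assumed) networks reach the site.
    @internal remote_ip 192.168.1.0/24 10.0.0.0/8

    handle @internal {
        # Basic auth. Replace the placeholder with the bcrypt hash printed
        # by `caddy hash-password`; older Caddy spells the directive `basicauth`.
        basic_auth {
            admin REPLACE_WITH_OUTPUT_OF_caddy_hash-password
        }

        reverse_proxy 10.0.0.10:8080 10.0.0.11:8080 {
            lb_policy round_robin
            # Passive health check: after max_fails failing responses an
            # upstream is taken out of rotation for fail_duration.
            fail_duration 30s
            max_fails 3
            unhealthy_status 5xx

            # Header manipulation: pass the client address to the upstream
            # and strip the upstream's Server banner from the response.
            header_up X-Real-IP {remote_host}
            header_down -Server
        }
    }

    # Everyone outside the access list gets a 403 instead of the upstream.
    handle {
        respond 403
    }
}

# FAQ: an upstream that runs its own ACME client. Sending the challenge
# path somewhere else lets the upstream finish its own HTTP-01 challenge.
# This is the plain-Caddyfile equivalent of the plugin's "HTTP-01 Challenge
# Redirection" option (assumption). The redirect target must be reachable
# by the ACME server on port 80 or 443, here an assumed second public name.
acme.example.com {
    @acme path /.well-known/acme-challenge/*
    redir @acme http://acme-direct.example.com{uri} 302

    reverse_proxy 10.0.0.30:80
}

# FAQ: upstream that only speaks TLS. Weak setting and hardened
# replacement side by side; keep exactly one of the two.
backend.example.com {
    reverse_proxy https://10.0.0.20:8443 {
        transport http {
            # Weak: "TLS Insecure Skip Verify". Caddy accepts any
            # certificate, so a host that can answer for 10.0.0.20 can
            # read and modify the proxied traffic.
            # tls_insecure_skip_verify

            # Hardened: trust only the internal CA that signed the
            # upstream's certificate and check it was issued for the
            # expected name (assumed CA file path).
            tls_trusted_ca_certs /usr/local/etc/caddy/internal-ca.pem
            tls_server_name backend.internal
        }
    }
}
```

Replace the basic_auth placeholder with a real bcrypt hash before loading the file, then check the syntax with `caddy validate --config Caddyfile --adapter caddyfile`. The `remote_ip` access list works because Caddy sits directly on the firewall and sees the real client address; if another proxy were in front of it, the matcher would have to be told which forwarded headers to trust, which this example deliberately does not do.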

