Comment on How do I use HTTPS on a private LAN without self-signed certs?

mouse@midwest.social ⁨1⁩ ⁨week⁩ ago

I use Caddy for this. I’ll leave links to the documentation as well as a few examples.

Here’s the documentation for wildcard certs. caddyserver.com/docs/automatic-https#wildcard-cer…

Here’s how you add DNS providers to Caddy without Docker. caddy.community/t/…/8148

Here’s how you do it with Docker. github.com/docker-library/docs/tree/master/caddy#…

Look for the DNS provider in this repository first. github.com/caddy-dns

Here’s documentation about using environment variables. caddyserver.com/docs/caddyfile/concepts#environme…

Docker

A few examples of Dockerfiles. These will build Caddy with DNS support.

DuckDNS

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/duckdns

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Cloudflare

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/cloudflare

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Porkbun

FROM caddy:2-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/porkbun

FROM caddy:2
COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Configure DNS provider

This is what to add the the Caddyfile, I’ve used these in the examples that follow this section. You can look at the repository for the DNS provider to see how to configure it for example.

DuckDNS

github.com/caddy-dns/cloudflare?tab=readme-ov-fil…

tls {
	dns duckdns {env.DUCKDNS_API_TOKEN}
}

CloudFlare

github.com/caddy-dns/cloudflare?tab=readme-ov-fil… Dual-key

tls {
	dns cloudflare {
		zone_token {env.CF_ZONE_TOKEN}
		api_token {env.CF_API_TOKEN}
	}
}

Single-key

tls {
	dns cloudflare {env.CF_API_TOKEN}
}

PorkBun

github.com/caddy-dns/porkbun?tab=readme-ov-file#c… Global

{
	acme_dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	}
}

or per site

tls {
	dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	}
}

Caddyfile

And finally the Caddyfile examples.

DuckDNS

Here’s how you do it with DuckDNS.

*.example.org {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.example.org
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

Also you can use environment variables like this.

*.{$DOMAIN} {
        tls {
                dns duckdns {$DUCKDNS_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

CloudFlare.

*.{$DOMAIN} {
        tls {
	        dns cloudflare {env.CF_API_TOKEN}
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

Porkbun

*.{$DOMAIN} {
        tls {
	        dns porkbun {
			api_key {env.PORKBUN_API_KEY}
			api_secret_key {env.PORKBUN_API_SECRET_KEY}
	        }
        }

        @hass host home-assistant.{$DOMAIN}
        handle @hass {
                reverse_proxy home-assistant:8123
        }
}

source

Sort:hotnew top

eneff@discuss.tchncs.de ⁨1⁩ ⁨week⁩ ago
thank you for providing such a thorough reply, good shit

source
theparadox@lemmy.world ⁨1⁩ ⁨week⁩ ago
Thanks for being so detailed!

I use caddy for straightforward https, but every time I try to use it for a service that isn’t just a reverse_proxy entry, I really struggle to find resources I understand… and most of the time the “solutions” I find are outdated and don’t seem to work. The most recent example of this for me would be Baikal.

Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?

Thanks!

source
- sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
  
  Baikal
  
  Ah, PHP, there’s your problem. 😀
  
  Honestly, I just proxy to a separate nginx server to handle the PHP bits, it’s not worth cluttering up my nice, clean Caddy setup with that nonsense.
  
  source
- mouse@midwest.social ⁨1⁩ ⁨week⁩ ago
  Unfortunately that’s one area I am bad with, I tend to use reverse_proxy for most such as Baikal running with the ckulka/baikal Docker image (which runs Nginx or Apache), otherwise I only static sites.
  
  I’d start by looking at Baikal’s config for Apache and Nginx, sabre.io/baikal/install/ and comparing to the directives for Caddy, caddyserver.com/docs/caddyfile/directives and
  
  Since it uses PHP, it will need that, caddyserver.com/docs/caddyfile/patterns#php
  
  Upon my searches I came across this, it talks about running Baikal with Caddy specifically. github.com/caddyserver/caddy/issues/497
  
  I hope that this provided some helpful directions.
  
  source
conrad82@lemmy.world ⁨1⁩ ⁨week⁩ ago
I do the same!

I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!

github.com/caddy-dns/duckdns?tab=readme-ov-file#c…

Challenge delegation

To obtain a certificate using ACME DNS challenges, you’d use this module as described above. But, if you have a different domain (say, my.example.com) CNAME’d to your Duck DNS domain, you have two options:

Not use this module: Use a module matching the DNS provider for my.example.com.

Delegate the challenge to Duck DNS.
source
sugar_in_your_tea@sh.itjust.works ⁨1⁩ ⁨week⁩ ago
I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn’t require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.

source
Monument@lemmy.sdf.org ⁨1⁩ ⁨week⁩ ago
The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.

source

Docker

DuckDNS

Cloudflare

Porkbun

Configure DNS provider

DuckDNS

CloudFlare

PorkBun

Caddyfile

DuckDNS

CloudFlare.

Porkbun

Challenge delegation