The advice I needed and have not been able to find. I could kiss you. Or at least give you a fond nod.
Comment on How do I use HTTPS on a private LAN without self-signed certs?
mouse@midwest.social 11 months ago
I use Caddy for this. I’ll leave links to the documentation as well as a few examples.
Here’s the documentation for wildcard certs. caddyserver.com/docs/automatic-https#wildcard-cer…
Here’s how you add DNS providers to Caddy without Docker. caddy.community/t/…/8148
Here’s how you do it with Docker. github.com/docker-library/docs/tree/master/caddy#…
Look for the DNS provider in this repository first. github.com/caddy-dns
Here’s documentation about using environment variables. caddyserver.com/docs/caddyfile/concepts#environme…
Docker
A few examples of Dockerfiles. These will build Caddy with DNS support.
DuckDNS
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/duckdns FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Cloudflare
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/cloudflare FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Porkbun
FROM caddy:2-builder AS builder RUN xcaddy build --with github.com/caddy-dns/porkbun FROM caddy:2 COPY --from=builder /usr/bin/caddy /usr/bin/caddy
Configure DNS provider
This is what to add the the Caddyfile, I’ve used these in the examples that follow this section. You can look at the repository for the DNS provider to see how to configure it for example.
DuckDNS
github.com/caddy-dns/cloudflare?tab=readme-ov-fil…
tls { dns duckdns {env.DUCKDNS_API_TOKEN} }
CloudFlare
github.com/caddy-dns/cloudflare?tab=readme-ov-fil… Dual-key
tls { dns cloudflare { zone_token {env.CF_ZONE_TOKEN} api_token {env.CF_API_TOKEN} } }
Single-key
tls { dns cloudflare {env.CF_API_TOKEN} }
PorkBun
github.com/caddy-dns/porkbun?tab=readme-ov-file#c… Global
{ acme_dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }
or per site
tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } }
Caddyfile
And finally the Caddyfile examples.
DuckDNS
Here’s how you do it with DuckDNS.
*.example.org { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.example.org handle @hass { reverse_proxy home-assistant:8123 } }
Also you can use environment variables like this.
*.{$DOMAIN} { tls { dns duckdns {$DUCKDNS_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }
CloudFlare.
*.{$DOMAIN} { tls { dns cloudflare {env.CF_API_TOKEN} } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }
Porkbun
*.{$DOMAIN} { tls { dns porkbun { api_key {env.PORKBUN_API_KEY} api_secret_key {env.PORKBUN_API_SECRET_KEY} } } @hass host home-assistant.{$DOMAIN} handle @hass { reverse_proxy home-assistant:8123 } }
Monument@lemmy.sdf.org 11 months ago
conrad82@lemmy.world 11 months ago
I do the same!
I have a provider that is not supported by caddy, but I can still use it via duckdns delegation!
github.com/caddy-dns/duckdns?tab=readme-ov-file#c…
Challenge delegation
To obtain a certificate using ACME DNS challenges, you’d use this module as described above. But, if you have a different domain (say,
my.example.com) CNAME’d to your Duck DNS domain, you have two options:- Not use this module: Use a module matching the DNS provider for
my.example.com. - Delegate the challenge to Duck DNS.
- Not use this module: Use a module matching the DNS provider for
theparadox@lemmy.world 11 months ago
Thanks for being so detailed!
I use caddy for straightforward https, but every time I try to use it for a service that isn’t just a reverse_proxy entry, I really struggle to find resources I understand… and most of the time the “solutions” I find are outdated and don’t seem to work. The most recent example of this for me would be Baikal.
Do you have any recommendations for where I might get good examples and learn more about how do troubleshoot and improve my Caddyfile entries?
Thanks!
sugar_in_your_tea@sh.itjust.works 11 months ago
Baikal
Ah, PHP, there’s your problem. 😀
Honestly, I just proxy to a separate nginx server to handle the PHP bits, it’s not worth cluttering up my nice, clean Caddy setup with that nonsense.
mouse@midwest.social 11 months ago
Unfortunately that’s one area I am bad with, I tend to use reverse_proxy for most such as Baikal running with the ckulka/baikal Docker image (which runs Nginx or Apache), otherwise I only static sites.
I’d start by looking at Baikal’s config for Apache and Nginx, sabre.io/baikal/install/ and comparing to the directives for Caddy, caddyserver.com/docs/caddyfile/directives and
Since it uses PHP, it will need that, caddyserver.com/docs/caddyfile/patterns#php
Upon my searches I came across this, it talks about running Baikal with Caddy specifically. github.com/caddyserver/caddy/issues/497
I hope that this provided some helpful directions.
eneff@discuss.tchncs.de 11 months ago
thank you for providing such a thorough reply, good shit
sugar_in_your_tea@sh.itjust.works 11 months ago
I did basically this w/ Cloudflare, and it worked perfectly. I used to do ACME requests, but this is simpler and doesn’t require me to route traffic into my LAN. I now expose a handful of services, but I used to have to expose all services for TLS cert renewal to work.