from Profligate_parasite@lemmy.world to selfhosted@lemmy.world on 01 Nov 13:39
https://lemmy.world/post/38171206
Hello Self Hosters! I am new-ish… got Jellyfin working great with tailscale remote access! I love it! I keep getting deeper into this stuff and geeking out… really excited to add my next service: Self-Hosted Nextcloud.
Would someone kindly walk me through setting up reverse proxy to my stuff with Caddy? I really just want HTTPS support, as my media files are one thing, but hosting all my personal info/docs on NextCloud is quite another thing to potentially expose…I want to make sure I harden properly, and HTTPS is clearly a part of that, even if I’m running a tailscale VPN. I have done my best following the docs/tutorial so far, but I’ve hit the wall with this “start” page… Here’s what I’ve got:
- pointed my domain “A” DNS to my website as a sub-domain… so my address in caddyfile is "sub.mydomain.com"
- I’ve installed caddy directly on my unbuntu server, but I admin my Jellyfin (and eventually Nextcloud) with Docker via CasaOS interface… is this a problem? Do I need to run Caddy in docker too?
- I’ve followed the instructions on this start page and I still only get the startpage at "sub.mydomain.com"
- my tailnet server IP address is what I’m using for the reverse proxy… that’s correct, yes?
- So many things/guides just say “reverse-proxy --to …” but when I do that, I get an error saying port 80 is ‘already in use’ I have combed my configs & devices on my router…nothing is using port 80 that I can see. Ports 80 and 443 ARE forwarded/open, before you ask! -My next big step in this journey is piHole, so if this will interfere/interact with that in some important way, I appreciate the heads-up mightily!
Thank you in advance, I appreciate it!
EDIT! - CasaOS uses 80 as default gateway, turns out! So, switched that… now Caddy is starting properly… STILL can’t get the ‘welcome’ page to go away… still a problem with my caddyfile I suppose.
threaded - newest
Can you give us your config file?
do you want config.php from Caddy or the docker compose?
At least for me it’s
/etc/caddy/CaddyFileIf you visit http://<caddy address> what do you see?
I see the welcome page in the image above
Ha, I completely ignored the picture because it’s a self post. So there is an instance of caddy running on port 80.
When you say you’re trying to reverse proxy, are you starting up another instance of it instead of restarting the already running service with a new config?
I’m no expert on caddy, so we’re rapidly reaching the limits of my ability to offer anything useful.
What does your caddyfile look like? I have a sneaking suspicion that you left the caddyfile as it comes installed, which indeed uses port 80 to deliver the Caddy success test. If you point your browser to the ip of your server, do you see the 'It Worked!" page that Caddy serves up?
sudo nano /etc/caddy/CaddyfileDon’t sweat the complications. I know it’s frustrating. Full disclosure, it took me a while to ‘get’ Caddy. Once I did tho, it really is easy peasy. I actually found Cloudflare Tunnels/ZeroTrust easier to set up. I realize some have ‘concerns’ about Cloudflare, which is understandable.
.
My caddyfile is just
sub.mydomain.com {
}
lol … obviously I annonymized it for this copypaste, but you get the idea… I am probably missing some things.
If you like, I can send you an example of the Caddyfiles, that I’m using (I used the import directive to split every service into its own Caddyfiles, you could just copy and paste everything in the same file). It will take a few hours until I get home, though.
But basically you can just put every subdomain and it’s target in a separate block and the add some things globally (e.g. passing the original IP, switching off the admin API of Caddy,…)
Something like this should work:
admin off servers { client_ip_headers X-Forwarded-For X-Real-IP } app.example.com { reverse_proxy 127.0.0.1:8080 } app2.example.com { reverse_proxy 127.0.0.1:8081 } api.example.com { reverse_proxy 127.0.0.1:8082 header { Access-Control-Allow-Methods "GET, OPTIONS" Access-Control-Allow-Origin "*" } }Thanks very much, this is really helpful… one thing I note is that I don’t know what “api.example.com” is … is that necessary to make this work or is it just an option? I haven’t mucked with API of Caddy at all…do I need to?
No, that’s just another hypothetical app that you’re using a reverse proxy for. I just included it to show how you can also set settings for a single subdomain/reverse proxy entry that isn’t used globally on all domains that get served. I used a hypothetical REST API that needs a CORS Header that other apps don’t need (or maybe serve themselves).
admin offdisables Caddy’s admin interface (which shouldn’t be public and if you’re using config files this usually isn’t needed. So just a bit of gardening)serverssets some general server options.and then I just inserted several blocks that each define a reverse proxy to a different app / backend to show that you can just dump them all in a single Caddyfile. And the last example to show that you can set specific settings only for a specific subdomain instead of globally. As I set headers mostly used by REST APIs, I just called that
api.example.cominstead ofapp3.example.com.I’ve tried this caddyfile version and one above, for both, I get “Problem loading page. Secure connection failed. Internal error.” Oddly, I get the ‘welcome to caddy’ page directly at my IP but at my sub domain I get the error.
It looks like Elvith Ma’for@feddit.org has you headed in the right direction, so I won’t muddle the waters.
I meant to include this in my earlier comment, but Caddy has a built in caddyfile validator:
Comes in very handy.
ooh I broke it as I was trying things and this was solid gold… thank you stranger!
Anytime bro. Did you get it going?
ugh. no. Now caddy wont start… various errors… sometimes it says listening port 80, port 80 in use. This morning after reset and caddy fmt --overwrite, it says: Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: permission denied Error: caddy process exited with error: exit status 1
You need to point your sub-domain in the Caddyfile to your designated local port. So just add an entry like this to your Caddyfile
sub.yourdomain.com { reverse_proxy XXX.XXX.XXX.XXX:PORT { header_up X-Real-IP {remote_host} } encode zstd gzip }``` Replace XXX with your public IP and PORT with the local port in your docker container / compose.unfortunately, it’s still not working. “Problem loading page. Secure connection failed”
Okey, so if you skip the whole DNS and use PUBLICIP:PORT for any of your docker services, does your browser reach them?
You said you have Caddy on bare metal Ubuntu and your services in CasaOS. Sadly I’ve never used that, but is that a VM on your Ubuntu Server and inside that run your docker containers? If so, maybe that’s what’s stopping Caddy from reaching your containers?! Just guessing tbh.
Yeah, had to go touch grass after having this drive me crazy for a second day. The reverse proxy is “working” according to caddy… and the DNS is all pointed in the right spots but it just wont go. The CasaOS is the only think I can think of too. CasaOS is just a frontend GUI for a headless server… easy to manage/move media files, etc. INstalls docker containers with a click. I will have to try doing Caddy as a docker and see what happens.
To answer your question, if I put in the publicip and port, I get my Jellyfin, it’s reaching them, and working just fine. Just can’t get my DNS pointers to be recognized/used by Caddy. I’ve tried two different domains at this point. Whatever. Infuriating, but whatever. My shit still works. Thanks for trying. I tried to use the Caddy forum but they literally make you format/type your whole issue in predesignated HTML and shit… I typed the whole thing out but I don’t know shit about HTML so the ‘issue’ showed up as blank. Fuck this. I can live without.
One last thing. I assume you checked if your DNS changes got propagated? I tend to use DNS Checker. And even if the changes are propagated, it can sometimes still not work because of DNS cache in
So assuming that you checked the DNS propagation and it was propagated enough, I’d also
I recently had the problem that the custom secure DNS I use on Firefox took almost a day to update their cache, while every other provider had my changes in a couple of minutes at most.
Something that might help with using Tailscale and reverse proxying: you don’t have to use the IPs given to you through the tailnet if you don’t want to. Something tailnet nodes can do is serve the local subnet theyre connected to, even if you’re running the self hosted version Headscale, which is what I do. This is how I am able to have my phone and one other pc connected through Headscale/Tailscale, but still access everything on my local network.
Im assuming your Jellyfin is on your local network, and you want to connect to it through Tailscale, but still use HTTPS? If that’s the case, you don’t need to do any kind of port forwarding on your router, as everything is funneled through Tailscale anyway.
Hey thanks for addressing that. So yes, I have my local ip as a subnet… you’re saying that means i don’t necessarily need the tailnet IPv4 as my pointer?
I’ve honestly never tried it, since I have the only node in my home network serve the local subnet. It allowed me to statically assign IPs at home and still use them outside of the house. I suppose there’s nothing stopping you from using the overlay network, especially if you have all devices involved on the Tailscale network, but I didn’t feel like doing that :)
The difference between having caddy or any other reverse proxy in docker alongside other apps/services, is that instead of having to expose ports for every container to the host, and then linking every service/app as,
localhost:<host-port>to caddy, you can have them on the same docker network and use<container-name>:<container-port>and only expose 80 443 to the host, meaning that the only way to access app/services is through caddy, that way if you disable port 80 after configuring SSL certificates, you can only access services with HTTPS.So, it sounds like you’re staying if I want all my services (jellyfin, nextcloud, etc) behind ONE reverse proxy/https then the easier method is to install Caddy as docker and use the containername:containerport method?.. did I understand correctly? Thanks
Yes, if the only exposed port to the host or outside, is 443 from caddy container, then the only way to access any of those services is HTTPS through caddy.