Caddy tutorial needed please

I hear a lot of good things about Caddy. That being said, I see very little here or on the web on how to install it on a Raspberry Pi.

I assume that with this setup, I could still use Alexa and other cloud-hosted devices such as Automatic and Eight Sleep … correct?

If so, I wonder if someone could spend time on a detailed writeup on how to successfully install Caddy for use with Home Assistant.

Install instructions for folks using AIO, and what user to install it under (pi or homeassistant). I would also prefer to use DynDNS instead of DuckDNS. Finally, what port to open up on the router, not only to access from the outside, but also to assist with cert renewal.

I am finally at a point where my setup is working well and would hate to mess it up by hacking around. Lastly, if someone could chime in on how secure this is; I would mostly be concerned about someone getting to my secret.yaml file to get user accounts and passwords. Thanks

See this thread for a lot of pointers:

Or if you’re running hass.io then there is a caddy plugin in this repo:

@hijinx Thanks for your reply. Yes, I did use that thread as a guide, along with steps from this script https://gist.github.com/Jamesits/2a1e2677ddba31fae62d022ef8aa54dc which was pretty useful. I think that I am on the home stretch, but still couldn’t make the connection last night. I am still not 100% sure that my certificates are readable by Home Assistant, and not sure how I can validate that. I am also not 100% sure how my port forwarding should be set up. This (below) is the post that I have at the bottom of the thread that you pointed to. Any comments would be appreciated.

In your configuration.yaml file, did you use base URL?

Ex.: base_url: your.site.org:8123
Also does your cert setup look like this?

ssl_certificate: /etc/ssl/caddy/acme/acme-v01.api.letsencrypt.org/sites/your.site.org/your.site.org.crt

ssl_key: /etc/ssl/caddy/acme/acme-v01.api.letsencrypt.org/sites/your.site.org/your.site.org.key
Lastly for port forwarding do you forward 80 --> 80 and 443 --> 8123?

HA does not have to read the certs. Caddy “wraps” the HTTP with HTTPS (SSL/TLS).
As far as HA is concerned it is not using SSL/TLS.

Ports should be 80 –> 80 and 443 –> 443 only. Both are required for Let’s Encrypt to interact with the proxy and provide the certificates.
The reverse proxy will be responsible for mapping HA port 8123 to a subdomain of your domain.

Yes. I have homeassistant.mydomain.com

I use docker so caddy is running in a container.
This means that Caddyfile and cert locations are flexible because they are mapped into the container.
I am using the caddy image from here: Docker

My caddyfile looks something like this:

homeassistant.mydomain.com {
    proxy / <internalhassipaddress>:8123 {
        websocket
        transparent
    }
}

Notes:

  1. You need to update your DNS so that there is an A record for homeassistant.mydomain.com pointing to your IP.
    This may not be a problem if you’re using a dynamic DNS provider such as the ever popular duckdns…
  2. Your router must support DNS hairpinning to be able to access the external URL internally.

@hijinx Thanks for your help, I made great strides, I think that it was an issue with formatting of my Caddyfile.

I am almost there … as a matter of fact, I had it working for a short time and was able to access the site from my phone (since I don’t think that my router is capable of NAT hairpin). But the issue was that it let me in straight through without a password. So I came home and removed the “trusted_networks:” entry from my configuration.yaml, then I started getting 403: Forbidden error messages. Even when I reversed the changes, I am still getting a 403: Forbidden error. So now I have to troubleshoot this some more.

Found my issue for the 403: Forbidden error and wanted to document it here in case someone else runs into the same issue.

For some reason, the IP address of my Raspberry Pi (the box that houses Home Assistant) listed itself in the ip_bans.yaml file. So the server was blocking itself. Removing the entry from this file fixed the issue.

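The self-ban reported in the post above is worth pairing with a general point about reverse proxies: with Caddy in front of it, Home Assistant sees every request arriving from the proxy’s own address (the Docker host or the Pi itself) unless it is told to trust that proxy and read X-Forwarded-For, so an IP-ban threshold can end up counting every failed login from the Internet against that one local address. Trusting the header from any peer is the opposite mistake, because a host that bypasses the proxy could then forge its address. The following is an added example (not code from Home Assistant, Caddy or the poster) showing both failure modes; the addresses, header values, trusted-proxy list and login records are constructed for illustration:

```python
"""Attribute requests to the real client behind a reverse proxy.

Added example, not code from Home Assistant or Caddy. The proxy address,
the header values and the login records below are constructed.
"""
import ipaddress
from collections import Counter


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def client_ip(peer_ip, headers, trusted_proxies):
    """Return the address the backend should treat as the client.

    peer_ip          address of the TCP peer that delivered the request
    headers          request headers; X-Forwarded-For is matched case-insensitively
    trusted_proxies  CIDRs whose X-Forwarded-For we believe, e.g. ["172.17.0.1/32"]

    Headers from an untrusted peer are ignored, so a client that bypasses
    the proxy cannot forge its address. Otherwise X-Forwarded-For is walked
    right to left, skipping trusted hops; the first untrusted, well-formed
    address is the client. A malformed hop falls back to the peer address.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr):
        return _is_ip(addr) and any(ipaddress.ip_address(addr) in n for n in nets)

    if not trusted(peer_ip):
        return peer_ip
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        if trusted(hop):
            continue
        return hop if _is_ip(hop) else peer_ip
    return peer_ip


def failed_login_sources(records, trusted_proxies):
    """Count failed logins per attributed client, as an IP-ban policy would."""
    counts = Counter()
    for peer, headers, succeeded in records:
        if not succeeded:
            counts[client_ip(peer, headers, trusted_proxies)] += 1
    return dict(counts)


PROXY = "172.17.0.1"  # assumed: Docker host address the proxy connects from

# Constructed login records: (peer address, headers, login succeeded?)
SAMPLE_LOGINS = [
    (PROXY, {"X-Forwarded-For": "203.0.113.7"}, False),
    (PROXY, {"X-Forwarded-For": "198.51.100.9"}, False),
    (PROXY, {"X-Forwarded-For": "203.0.113.7"}, True),
    # A LAN host that bypasses the proxy and forges the header.
    ("192.168.0.50", {"X-Forwarded-For": "203.0.113.7"}, False),
]

if __name__ == "__main__":
    print("no trusted proxy:", failed_login_sources(SAMPLE_LOGINS, []))
    print("proxy trusted   :", failed_login_sources(SAMPLE_LOGINS, [PROXY + "/32"]))
```

With no trusted proxy, both Internet failures are attributed to 172.17.0.1, which is exactly the address an automatic ban would then block; with the proxy trusted, each remote client is counted separately and the LAN host that forged the header is still attributed to its real address. Home Assistant’s http component has a use_x_forwarded_for setting for this; check the documentation for the version you run before enabling it, and never enable it when port 8123 is reachable by anything other than the proxy.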

Can anyone share a sample config for the Caddy Proxy Hassio Addon.

I am having difficulty getting the Hassio add-on to accept the most basic of configurations, with only minor changes made to the default settings.

With my changes below, I get an error message: Missing option vhosts in root for dictionary value @ data['options'].

{
  "homeassistant": "homeassistant.mydomain.com",
  "email": "[email protected]"
}

Eventually I would like to proxy various sites as vhosts, but I’m stumbling at the first block.

@phildapunk

I got the hassio caddy plugin by @bestlibre working as follows:

{
	"homeassistant": "mydomain.duckdns.org",
	"vhosts": [{
			"vhost": "www.mydomain.com",
			"port": "8123"
		}, {
			"vhost": "mysubdomain.mydomain.com",
			"port": "8123"
		}, {
			"vhost": "someotherwebserver.mydomain.com",
			"remote": "192.168.0.100",
			"port": "80"
		}
	],
	"email": "[email protected]"
}

I use duckdns as my dynamic DNS provider, so I put it in the homeassistant property. I have my duckdns domain CNAME’d so I can use my own custom domain. I added those as vhosts. If you have another HTTP server running somewhere in your network you can point caddy to that remote server as well by specifying the remote. If the remote is empty (like with the Home Assistant ones) it will point to the docker host (172.17.0.1) by default.

Check out the official documentation here: https://github.com/bestlibre/hassio-addons/tree/master/caddy_proxy

In your case you should put the vhosts array back but just leave it empty:

{
	"homeassistant": "homeassistant.mydomain.com",
	"vhosts": [],
	"email": "[email protected]"
}

Hi

When I try to configure like this it doesn’t let me save as it is missing parameters (raw_config, disable_http_chalenge)

I put in this:

"raw_config": "caddy_config",
"disable_http_chalenge": true

But not really sure what the raw_config does.

But even if I put these in and manage to start the plugin I think I might not understand correctly what it does.

Lets assume I have the following:

  • a.duckdns.org pointed at my public ip
  • I have redirected in my router 443 to 192.168.0.44 (rpi local ip) port 8123.
  • I have the grafana addon installed on port 3000 (192.168.0.44:3000)

How would I do a setup to reach grafana?

I am also struggling to run caddy and the dashboard (AppDaemon) at the same time, as they are both on port 80, and AppDaemon only works on 80 (it cannot be modified according to the manual), so I cannot run Caddy and AppDaemon at the same time.

I am keen to understand how it all works but could not find a good place to see the whole picture. :frowning:
I think it would be good if someone would explain to a dummy like me how the ports work in the containers, as I get really confused and cannot really work out how to make it all work.

Hi @newcmr ,

I believe it’s currently not supported to configure subdirectories with this hassio implementation of caddy. So to get grafana working you should get another domain name with duckdns.

So let’s say you have a.duckdns.org for home assistant and b.duckdns.org for grafana.

You would need the following config:

{
	"homeassistant": "a.duckdns.org",
	"vhosts": [{
			"vhost": "b.duckdns.org",
			"port": "3000"
		}
	],
	"email": "[email protected]"
}

You can resolve the conflicting ports with AppDaemon by changing the port of the caddy container from 80 to something else. You can do this in the panel below the caddy configuration json. Then just forward port 80 on your router to port 81 on your raspberry pi.

Then it will route as follows: internet -> router:80 -> rpi:81 -> caddy:80 -> homeassistant:8123 / grafana:3000. Just use a.duckdns.org for home assistant and b.duckdns.org for grafana.

I’m trying to get Caddy setup to work with Node RED and Configurator and while I’m able to access the Hassio frontend I cannot access Node RED or Configurator, they both give me a “502 bad gateway” error. This is how I have the options in Caddy set up. Wondering if someone can point me in the right direction?

{
  "homeassistant": "a.duckdns.org",
  "vhosts": [
    {
      "vhost": "b.duckdns.org",
      "port": "3218"
    },
    {
      "vhost": "c.duckdns.org",
      "port": "1880"
    }
  ],
  "email": "[email protected]"
}

Are you running node red on top of hassio as an add-on or is it running elsewhere in the network? If running elsewhere you need to specify the host in your configuration. If not, can you share the port configuration in the add-on configuration?

It’s running as an add-on. Sorry, I’m pretty green to all of this, but I don’t see any port configurations in the node red add on, this is what I have set for the options

{
  "ssl": false,
  "certfile": "fullchain.pem",
  "keyfile": "privkey.pem",
  "users": [
    {
      "username": "blahblahblah",
      "password": "blahblahblah",
      "permissions": "*"
    }
  ],
  "http_node_user": [
    {
      "username": "blahblahblah",
      "password": "blahblahblah"
    }
  ]
}

Well I seem to have gotten it to work by clearing my browsers cache.


Trying to setup the following configuration, could you please help?

(internet) -------- (router) ------ (pi3 with hassio+caddy; hassio is not used, it is just easier to have caddy this way)

On the same LAN:

  1. (nuc with hassio; zoneminder; appdaemon+hadashboard)
  2. (other pi3 with various services)
  3. (qnap)

What have you tried? What is working and what isn’t?

Oh, I tried so many combination that now I don’t know how to answer. Everything I did was not working, SO I guess I need a (also simple) tutorial, or sort of

Can you at least share a (redacted) version of your caddy configuration?

Sorry I was not clear. I tried my settings with Nginx and didn’t succeed, that’s why I was looking to install Caddy

{
  "homeassistant": "xxx3.duckdns.org",
  "vhosts": [],
  "email": "[email protected]"
}

I do not understand vhosts, or how/what to put in them.

Email is the email associated with my duckdns.org account