Home Assistant Add-on: Caddy 2

Hello all
Wondering if any of you media enthusiasts might be able to help me with my stack. Remote access to Plex seems a little flaky. Can I optimize my caddy file to make it more reliable? The plex web interface shows plex as intermittently not remotely accessible.
In plex under remote connections I have this:
Private_internal_plexserver_ip:32400 <-- Public_external_ip:443 <-- Internet
In Caddy 1 adding “transparent” to the caddy file for plex sorted this but I think this is the default for caddy 2.
Any feedback would be appreciated

OK, crickets around here. Anybody have experience reverse proxying a Unifi controller (not the Home Assistant add-on) on the same machine?

Just an FYI, Caddy has its own forum here. For specific Caddy configuration and how-to questions I’d recommend looking and asking there, since that’s dedicated to Caddy and where the Caddy experts hang out.

I was aware of the forum as it came up in my searches however any excerpts from that forum in my Caddyfile have not resulted in success. The configuration might have been encountered by other users here so I had hoped to hear from someone.

Thanks for the feedback. I will keep trying

I have recently started getting deceptive site warnings from Chrome, and when loading pages through my domain name they appear incomplete. I am using DuckDNS for my domain. I have also noted that my Google Assistant integration, which I have had for a number of years, has been not available, with the statement "yourappname" testing is not available intermittently (as in, works this time but not next time). I don't believe I made any changes to my setup.
I'm definitely not up on my networking, but it seems domain related maybe, so I thought I would try a new domain. What changes do I have to make to my Caddy file to use my new domain, as I can see some DuckDNS entry near the top of that file?

I got crowdsec homeassistant addon to integrate with this addon. Posted a community guide, if it helps:

1 Like

@berichta I have an issue and I am not sure if it’s Home Assistant or this add-on. The add-on appears to be working but it shows as not started in Home Assistant. The logs don’t show anything as far as I can tell. Hitting the start button doesn’t really do anything and doesn’t seem to evoke an error in the log. Any help with what’s going on?

edit: I do see some errors now, not sure if it’s pertinent:
{"level":"error","ts":16686.370,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"http2: stream closed"}
{"level":"error","ts":16686.472,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"http2: stream closed"}

Hi @dasbooter,
From what you describe I take that the UI isn’t matching the state of the add-on.
This can happen, or at least happened to me in a similar fashion. In such cases, I usually reloaded the webpage with cleared cache. For me (on Mac) it would be cmd + shift + r.

For the listed errors I have no clue yet. :slightly_frowning_face:

Thanks for replying. The behavior also made me think it was just a cache issue, but I have cleared the cache and even tried a different browser, and it still shows as not started with the red dot in the upper right corner.
How would I completely scrub all parts of the add-on so I can start from scratch with it? Would all the folders in the base SSL directory be purged also? I have tried reverting to a previous configuration but that didn’t fix the problem, and I didn’t realize that a back and forth with backups can be a little problematic with other things.

This is the error showing now:
{"level":"error","ts":1668770179.934891,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"http2: stream closed"}

I have tried to use services to stop/start/restart the add-on, but they all give a "failed to start service undefined" error.

final edit: Deleted anything I thought was Caddy related, including all folders in SSL (backed up, but still probably shouldn’t have done that). Removed the add-on, restarted HA, then also restarted the actual virtual machine. Reinstalled the add-on and put back my Caddyfile. Now finally HA recognizes the add-on as started. Problem with the shotgun approach is I don’t know what the problem was.

Can somebody help me with simple markdown? I can’t get it right, and I would like to incorporate the security back into my simple Caddy file. I’ve had to temporarily move away from DuckDNS for Home Assistant specifically, as I am having problems with the Google Assistant integration. I am still using DuckDNS, as you can see, for some things. I can’t seem to get the security part back into my Caddy file without causing an error.
This part defined as common:

}
(common) {
	tls {
		dns duckdns redacted
		on_demand
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Content-Security-Policy "frame-ancestors redacted.duckdns.org *.redacted.duckdns.org"
		-Server
		Permissions-Policy "geolocation=(self), microphone=()"
	}
}
redacted.twilightparadox.com {
	reverse_proxy redacted:8123
}
ombi.redacted.duckdns.org {
	reverse_proxy redacted:3579
}
tautalli.redacted.duckdns.org {
	reverse_proxy redacted:8181
}
portainer.redacted.duckdns.org {
	reverse_proxy redacted:9000
}
plex.redacted.duckdns.org {
	reverse_proxy redacted:32400
}
redacted.redacted.duckdns.org {
	reverse_proxy redacted:redacted
}
redacted.redacted.duckdns.org {
	reverse_proxy redacted:redacted {
		transport http {
			tls
			tls_insecure_skip_verify
		}
	}
}
prowlarr.redacted.duckdns.org {
	reverse_proxy redacted:9696
}
sonarr.redacted.duckdns.org {
	reverse_proxy redacted:8989
}
radarr.redacted.duckdns.org {
	reverse_proxy redacted:7878
}
organizr.redacted.duckdns.org {
	reverse_proxy redacted:8006
}

OK? I tried to go back to my old Caddy file, which uses DuckDNS with the DNS challenge, and I am getting “Error during parsing: getting module named ‘dns.providers.duckdns’: module not registered: dns.providers.duckdns.” I thought this add-on was compiled with the DuckDNS DNS module? Never mind, it was not; I had to download one from the Caddy website with the add-on (Linux amd64) and name it caddy, not Caddy, in /share/caddy/.

1 Like
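The `(common)` snippet in the post above is defined but never applied: in Caddy 2 a snippet only takes effect where a site block contains `import common`, and nothing else in the file refers to it. The following is an added example, not the poster's configuration, showing the snippet wired into two sites. Hostnames, upstream addresses, the `DUCKDNS_TOKEN` environment variable and the contents of the global options block (which was cut off in the post) are placeholders:

```caddyfile
{
	# Global options (assumed; the original global block was truncated).
	email admin@example.com
}

(common) {
	tls {
		# DNS challenge via DuckDNS; requires a Caddy binary built with the
		# duckdns DNS module, as noted later in the thread.
		dns duckdns {env.DUCKDNS_TOKEN}
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Content-Security-Policy "frame-ancestors example.duckdns.org *.example.duckdns.org"
		Permissions-Policy "geolocation=(self), microphone=()"
		# Remove the Server header so the proxy does not advertise itself.
		-Server
	}
}

# Each site that should get the TLS settings and headers imports the snippet.
ha.example.duckdns.org {
	import common
	reverse_proxy 192.168.1.10:8123
}

plex.example.duckdns.org {
	import common
	reverse_proxy 192.168.1.11:32400
}
```

Two caveats on the snippet as posted: `X-XSS-Protection` is a legacy header that current browsers ignore, so it was dropped here, and `on_demand` was left out. If on-demand TLS is kept, Caddy's documentation recommends gating it with an `on_demand_tls { ask <url> }` block in the global options so that only hostnames your own service approves can trigger certificate issuance; otherwise any name pointed at the server can cause issuance attempts against the CA's rate limits.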

Curious if anyone is getting a deceptive site warning using Caddy 2 in Home Assistant? Mine started yesterday and all of my sites behind my router are showing deceptive, not just Home Assistant.

Caddyfile:

# Synology
https://liquidxpe.somename.com {
        reverse_proxy https://XX.XX.XX.48:5001 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Unifi
https://liquiduni.somename.com {
        reverse_proxy https://XX.XX.XX.240:8443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Edgerouter
https://liquidrt.somename.com {
        reverse_proxy https://XX.XX.XX.1:8440 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# DSM Portainer
https://dsmportainer.somename.com {
        reverse_proxy https://XX.XX.XX.48:9443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# HA Portainer
https://haportainer.somename.com {
        reverse_proxy http://XX.XX.XX.240:9000 {
                transport http
        }
}
# Radarr
https://radarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:7878 {
                transport http
        }
}
# Sonarr
https://sonarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:8989 {
                transport http
        }
}
# Readarr
https://read.somename.com {
        reverse_proxy http://XX.XX.XX.48:8787 {
                transport http
        }
}
# Lidarr
https://music.somename.com {
        reverse_proxy http://XX.XX.XX.48:8686 {
                transport http
        }
}
# SabNZBD
https://sab.somename.com {
        reverse_proxy http://XX.XX.XX.48:8080 {
                transport http
        }
}
# automate-myhome
https://automate-myhome.com {
        reverse_proxy http://XX.XX.XX.240:49153 {
                transport http
        }
}
# HomeAssist
https://homeaccess.somename.com {
        reverse_proxy https://XX.XX.XX.220:8123 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
#Frigate
https://frigate.somename.com {
        reverse_proxy http://XX.XX.XX.75:5000 {
                transport http
        }
}
#Search
https://search.somename.com {
        reverse_proxy http://XX.XX.XX.48:5055 {
                transport http
        }
}
#Transcode
https://transcode.somename.com {
        reverse_proxy http://XX.XX.XX.75:8265 {
                transport http
        }
}
#Plex
https://watch.somename.com {
        reverse_proxy http://XX.XX.XX.75:32400 {
                transport http
        }
}
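Several of the HTTPS upstreams in the configuration above use `tls_insecure_skip_verify`, which turns off certificate validation between Caddy and the backend, so a device on the LAN that answers on that address is accepted whatever certificate it presents. As an added example (not from the post), this is the same Synology site with the backend's certificate verified against a CA file instead, plus a plain-HTTP upstream written without the redundant `transport http` line. The file path, IPs, hostnames and the expected server name are placeholders:

```caddyfile
# Synology DSM behind Caddy, verifying the backend certificate.
https://nas.example.com {
	reverse_proxy https://192.168.1.48:5001 {
		transport http {
			# PEM file holding the CA (or the self-signed certificate itself)
			# that signed DSM's certificate, exported from the device and
			# placed under the add-on's /share directory.
			tls_trusted_ca_certs /share/caddy/certs/nas-ca.pem
			# Name to expect in the certificate when dialing by IP address.
			tls_server_name nas.lan
		}
	}
}

# Plain-HTTP upstream on the LAN. The HTTP transport is the default,
# so an empty `transport http` block adds nothing.
https://radarr.example.com {
	reverse_proxy 192.168.1.48:7878
}
```

`tls_trusted_ca_certs` and `tls_server_name` are standard subdirectives of Caddy 2's `transport http`. Where a backend only has a self-signed certificate, pinning that single certificate this way is still preferable to skipping verification, because a replaced or impersonated backend then fails the handshake instead of silently receiving the proxied traffic.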

link dead now?

Strange, I can’t even add your repository.

Never mind. Seems it works on the Edge browser only…

Can someone please show me their config for very basic HTTPS access to my HA machine?
What to put in here?

I only need local https://192.168.1.229:8123
As of now, I access my HA OS’s GUI via http://192.168.1.229:8123
I won’t need to access the GUI remotely or anything fancy like that.

I did try, but this does not work when I try to open tung.ha (tung.ha is not a real site).
image
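For a LAN-only name such as tung.ha, no public CA can issue a certificate, so Caddy's built-in CA is the usual route. The following is an added example, not the poster's configuration or a reply from the thread; it assumes Home Assistant listens on plain HTTP at 192.168.1.229:8123 as stated above and that `tung.ha` is a name the poster chooses:

```caddyfile
# Local-only HTTPS for Home Assistant using Caddy's internal CA.
# Prerequisites (assumed):
#   - "tung.ha" must resolve to the Caddy host on the LAN (hosts file entry
#     or a record in the local DNS resolver); Caddy does not provide DNS.
#   - Caddy's locally generated root certificate (root.crt under
#     pki/authorities/local in Caddy's data directory) must be installed as
#     trusted in each browser, or the browser will warn about the site.
tung.ha {
	tls internal
	reverse_proxy 192.168.1.229:8123
}
```

Home Assistant also has to be told it sits behind a proxy: its `http:` section needs `use_x_forwarded_for: true` and a `trusted_proxies:` list containing the Caddy host's address (the configuration.yaml posted later in this thread shows that shape), otherwise Home Assistant rejects the proxied requests with a 400 response.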

When using the Home Assistant add-on, how do I use cloudflare for the DNS challenge? I’m getting the following error, which I assume means it isn’t included in the add-on.

Error during parsing: getting module named ‘dns.providers.cloudflare’: module not registered: dns.providers.cloudflare

I just launched Caddy2 a few hours ago and have hit this error also…

INFO: Run Caddy...
{"level":"info","ts":1680053243.2530215,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /share/caddy/Caddyfile:20 - Error during parsing: getting module named 'dns.providers.cloudflare': module not registered: dns.providers.cloudflare
INFO: Service caddy exited with code 1 (by signal 0)
                tls {
                        dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
                }

                reverse_proxy localhost:<port>

Probably need to make a custom Caddy binary with that module built in. Go to the Caddy website https://caddyserver.com/download, select the computer architecture you are running, add the Cloudflare DNS module, save the file as /share/caddy/caddy, and the add-on should use that binary instead next time you restart.

1 Like

Thank you! That worked!

image

I figured this out a while after my post. What I can’t figure out is no matter what I do to add the cloudflare IPs to my trusted_proxies section when I proxy via cloudflare, the sites will not load. They work just fine if I set the site to DNS Only in cloudflare.

EDIT: My problem is the non-standard port that I am using. It isn’t compatible with Cloudflare’s list of cached ports. I either need to use one of theirs or just disable the caching for that subdomain.
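When Cloudflare proxies traffic to Caddy, every connection Caddy sees comes from a Cloudflare edge address, and since Caddy 2.6.3 `reverse_proxy` only passes through an incoming `X-Forwarded-For` when the connecting peer is listed as a trusted proxy; otherwise the forwarded address Home Assistant receives is the edge IP, and features such as `ip_ban_enabled` act on Cloudflare rather than on the real client. As an added example (not from the thread), the Cloudflare ranges belong in Caddy's own `trusted_proxies` list; the two ranges below are documentation placeholders to be replaced with Cloudflare's published lists, and the site block assumes a Caddy binary built with the cloudflare DNS module as described above:

```caddyfile
{
	servers {
		# Honour X-Forwarded-* headers only from these sources (placeholder
		# ranges; substitute Cloudflare's published IPv4 and IPv6 lists).
		# Requests from any other address are treated as the client itself
		# and their forwarded headers are discarded.
		trusted_proxies static 203.0.113.0/24 2001:db8::/32
	}
}

ha.example.com {
	tls {
		dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
	}
	reverse_proxy 127.0.0.1:8123
}
```

With this split, Home Assistant's `trusted_proxies` only needs Caddy's address (127.0.0.1 when both run on the same host, as in the configuration.yaml posted later), not Cloudflare's ranges: Home Assistant never sees Cloudflare directly, and listing the edge ranges there would let any request reaching Home Assistant through those ranges supply its own client address.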

I’m using Cloudflared tunnels and I can’t get HA to work via them and Caddy 2, only Vaultwarden is working. With NPM, the reverse was true: HA worked fine but not Vaultwarden.

Just got it all working…

HA configuration.yaml:

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24
        - fd12:3456:7890:1::fc
      trusted_users:
        192.168.1.100: 7c824b771254da39c719cddefae9008
        192.168.1.130: 30fd5dd9c3878e0a3c4fb48016b6197
      allow_bypass_login: true

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1              # IPv6 localhost
    - 127.0.0.1        # IPv4 localhost - Caddy 2 reverse proxy
    - 172.30.32.0/23   # Docker subnets - Cloudflared tunnel(s)

Cloudflared:

external_hostname: ""
additional_hosts:
  - hostname: <ha>.<my_domain.com>
    service: http://192.168.1.104:8123
    disableChunkedEncoding: true
  - hostname: <vaultwarden>.<my_domain.com>
    service: https://192.168.1.104:<custom_port>
    disableChunkedEncoding: true
nginx_proxy_manager: false

Caddy 2:

args: []
env_vars:
  - name: CLOUDFLARE_AUTH_TOKEN
    value: <my_api_token>
log_level: info
non_caddyfile_config:
  destination: localhost
  domain: <ha>.<my_domain.com>
  email: <my_email@my_domain.com>
  port: 8123

Caddyfile:

{
        email <my_email@my_domain.com>
}

(common) {
        tls {
                dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
        }

        header / {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                Permissions-Policy "geolocation=(self), microphone=()"
                Content-Security-Policy "frame-ancestors <my_domain.com>:XXXXX *.<my_domain.com>:XXXXX"
                -Server
        }
}

<ha>.<my_domain.com> {
        import common
        reverse_proxy localhost:8123 {
        }
}
<vaultwarden>.<my_domain.com> {
        import common
        reverse_proxy localhost:<my_custom_port> {
        }
}

I should add that I also utilized Cloudflare’s SSL/TLS encryption in Flexible mode, as well as creating an API token in Cloudflare (My Profile, API Tokens) with Zone.Zone:Read and Zone.DNS:Write permissions for Caddy 2’s use.

1 Like