Home Assistant Add-on: Caddy 2

Thanks for replying. The behavior also made me think it was just a cache issue but I have cleared the cache and even tried a different browser but it still shows as not started with the red dot in the upper right corner
How would I completely scrub all parts of the addon so I can start from scratch with it. Would all the folders in the base ssl directory be purged also? I have tried reverting to previous configuration but that didnt fix the problem and I didnt realize that a back and forth with backups can be a little problematic with other things

this is the error showing now {"level":"error","ts":1668770179.934891,"logger":"http.handlers.reverse_proxy","msg":"aborting with incomplete response","error":"http2: stream closed"}

I have tried to use services to stop start restart the addon but they all give a failed to start service undefined error

final edit: Deleted anything I thought was caddy related including all folders in SSL(backed up but still probably shouldn’t have done that). Removed the addon restarted HA then also restarted the actual Virtual Machine. Reinstalled the addon and put back my Caddyfile. Now finally HA recognizes the addon as started. Problem with the shotgun approach is I dont know what the problem was.

Can somebody help me with simple mark down I cant get it right and I would like to incorporate the security back into my simple caddy file. Ive had to temporarily move away from duckdns for home assistant specifically as I am having problems with google assistant integration. I am still using duckdns as you can see for somethings. I cant seem to get the security part back into my caddy file without causing an error.
This part defined as common:

}
(common) {
	tls {
		dns duckdns redacted
		on_demand
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		Content-Security-Policy "frame-ancestors redacted.duckdns.org *.redacted.duckdns.org"
		-Server
		Permissions-Policy "geolocation=(self), microphone=()"
	}
}

redacted.twilightparadox.com {
	reverse_proxy redacted:8123
}
ombi.redacted.duckdns.org {
	reverse_proxy redacted:3579
}
tautalli.redacted.duckdns.org {
	reverse_proxy redacted:8181
}
portainer.redacted.duckdns.org {
	reverse_proxy redacted:9000
}
plex.redacted.duckdns.org {
	reverse_proxy redacted:32400
}
redacted.redacted.duckdns.org {
	reverse_proxy redacted:redacted
}
redacted.redacted.duckdns.org {
	reverse_proxy redacted:redacted {
		transport http {
			tls
			tls_insecure_skip_verify
		}
	}
}
prowlarr.redacted.duckdns.org {
	reverse_proxy redacted:9696
}
sonarr.redacted.duckdns.org {
	reverse_proxy redacted:8989
}
radarr.redacted.duckdns.org {
	reverse_proxy redacted:7878
}
organizr.redacted.duckdns.org {
	reverse_proxy redacted:8006
}

OK? I tried to go back to my old caddy file which uses on duckdns with dns challenge and I am getting “Error during parsing: getting module named ‘dns.providers.duckdns’: module not registered: dns.providers.duckdns.” I thought this addon was compiled with the duckdns dns module? Nevermind it was not I had to download one from the caddywebisite with the addon (linux amd64 and name it caddy not Caddy in /share/caddy/

Curious if anyone is getting a deceptive site warning using caddy2 in home assistant? mine started yesterday and all of my sites behind my router are showing deceptive, not just home assistant.

caddyfile

# Synology
https://liquidxpe.somename.com {
        reverse_proxy https://XX.XX.XX.48:5001 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Unifi
https://liquiduni.somename.com {
        reverse_proxy https://XX.XX.XX.240:8443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Edgerouter
https://liquidrt.somename.com {
        reverse_proxy https://XX.XX.XX.1:8440 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# DSM Portainer
https://dsmportainer.somename.com {
        reverse_proxy https://XX.XX.XX.48:9443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# HA Portainer
https://haportainer.somename.com {
        reverse_proxy http://XX.XX.XX.240:9000 {
                transport http
        }
}
# Radarr
https://radarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:7878 {
                transport http
        }
}
# Sonarr
https://sonarr.somename.com {
        reverse_proxy http://XX.XX.XX.48:8989 {
                transport http
        }
}
# Readarr
https://read.somename.com {
        reverse_proxy http://XX.XX.XX.48:8787 {
                transport http
        }
}
# Lidarr
https://music.somename.com {
        reverse_proxy http://XX.XX.XX.48:8686 {
                transport http
        }
}
# SabNZBD
https://sab.somename.com {
        reverse_proxy http://XX.XX.XX.48:8080 {
                transport http
        }
}
# automate-myhome
https://automate-myhome.com {
        reverse_proxy http://XX.XX.XX.240:49153 {
                transport http
        }
}
# HomeAssist
https://homeaccess.somename.com {
        reverse_proxy https://XX.XX.XX.220:8123 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
#Frigate
https://frigate.somename.com {
        reverse_proxy http://XX.XX.XX.75:5000 {
                transport http
        }
}
#Search
https://search.somename.com {
        reverse_proxy http://XX.XX.XX.48:5055 {
                transport http
        }
}
#Transcode
https://transcode.somename.com {
        reverse_proxy http://XX.XX.XX.75:8265 {
                transport http
        }
}
#Plex
https://watch.somename.com {
        reverse_proxy http://XX.XX.XX.75:32400 {
                transport http
        }
}

link dead now?

image866×183 5.95 KB

strange i cant even add your repository

image907×285 27.3 KB

nevermind. seems it works on Edge browser only…

can someone please show me their config for very basic https access to my HA machine?
what to put in here?

image998×828 81.3 KB

i only need local https://192.168.1.229:8123
as of now, i access my HA OS’s GUI via http://192.168.1.229:8123
i wont need to access the gui remotely or anything fancy like that

i did try but this does not work when i try to open tung.ha (tung.ha is not a real site)

When using the Home Assistant add-on, how do I use cloudflare for the DNS challenge? I’m getting the following error, which I assume means it isn’t included in the add-on.

Error during parsing: getting module named ‘dns.providers.cloudflare’: module not registered: dns.providers.cloudflare

I just launched Caddy2 a few hours ago and have hit this error also…

INFO: Run Caddy...
{"level":"info","ts":1680053243.2530215,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /share/caddy/Caddyfile:20 - Error during parsing: getting module named 'dns.providers.cloudflare': module not registered: dns.providers.cloudflare
INFO: Service caddy exited with code 1 (by signal 0)

                tls {
                        dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
                }

                reverse_proxy localhost:<port>

Probably need to make a custom caddy binary with that module built in. Go to caddy website https://caddyserver.com/download select the computer architecture you are running, add the cloudfare dns, save the file as /share/caddy/caddy and the addon should use that binary instead next time you restart.

Thak you! That worked!

image1344×712 69 KB

I figured this out a while after my post. What I can’t figure out is no matter what I do to add the cloudflare IPs to my trusted_proxies section when I proxy via cloudflare, the sites will not load. They work just fine if I set the site to DNS Only in cloudflare.

EDIT: My problem is the non-standard port that I am using. It isn’t compatible with Cloudflare’s list of cached ports. I either need to use one of theirs or just disable the caching for that subdomain.

I’m using Cloudflared tunnels and I can’t get HA to work via them and Caddy 2, only Vaultwarden is working. With NPM, the reverse was true: HA worked fine but not Vaultwarden.

Just got it all working…

HA configuration.yaml:

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24
        - fd12:3456:7890:1::fc
      trusted_users:
        192.168.1.100: 7c824b771254da39c719cddefae9008
        192.168.1.130: 30fd5dd9c3878e0a3c4fb48016b6197
      allow_bypass_login: true

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1              # IPv6 localhost
    - 127.0.0.1        # IPv4 localhost - Caddy 2 reverse proxy
    - 172.30.32.0/23   # Docker subnets - Cloudflared tunnel(s)

Cloudflared:

external_hostname: ""
additional_hosts:
  - hostname: <ha>.<my_domain.com>
    service: http://192.168.1.104:8123
    disableChunkedEncoding: true
  - hostname: <vaultwarden>.<my_domain.com>
    service: https://192.168.1.104:<custom_port>
    disableChunkedEncoding: true
nginx_proxy_manager: false

Caddy 2:

args: []
env_vars:
  - name: CLOUDFLARE_AUTH_TOKEN
    value: <my_api_token>
log_level: info
non_caddyfile_config:
  destination: localhost
  domain: <ha>.<my_domain.com>
  email: <my_email@my_domain.com>
  port: 8123

Caddyfile:

{
        email <my_email@my_domain.com>
}

(common) {
        tls {
                dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
        }

        header / {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                Permissions-Policy "geolocation=(self), microphone=()"
                Content-Security-Policy "frame-ancestors <my_domain.com>:XXXXX *.my_domain.com:XXXXX>
                -Server
        }
}

<ha>.<my_domain.com> {
        import common
        reverse_proxy localhost:8123 {
        }
}
<vaultwarden>.<my_domain.com> {
        import common
        reverse_proxy localhost:<my_custom_port> {
        }
}

I should add that I also utilized Cloudflare’s SSL/TLS encryption in Flexible mode as well as created an API Token in Cloudflare, My Profile, API Tokens with Zone.Zone:Read & Zone.DNS:Write permissions for Caddy 2’s use

does it work behind a CGNAT?

We do a reverse proxy on Caddy 2 for a Unify controller:

unifi.my.domain {
  reverse_proxy https://192.168.7.4 {
    transport http {
      tls_insecure_skip_verify
    }
    header_up -Authorization
    header_up Host {host}
  }
}

Just came across this and got it working. I found it very confusing so leaving a couple of notes for anyone else who wants to try this.

I have the ssl certificate and key files stored in a folder so the tls line is different to above:

tls /path_to_sslcertificate.pem /path_to_sslkey.pem

I have also changed the Content-Security-Policy to allow http to serve https iframes:

Content-Security-Policy "frame-ancestors default-src 'self' https://mydomain.org:port  *mydomain.org:port http://localhomeassistantname:port http://homeassistantIPaddress:port"

It still gets the A+ rating from https://securityheaders.com/.

The whole file is:

(common) {
   tls /path_to_sslcertificate.pem /path_to_sslkey.pem
   header {
       Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
       X-XSS-Protection "1; mode=block"
       X-Content-Type-Options "nosniff"
       Referrer-Policy "same-origin"
       -Server
       Content-Security-Policy "frame-ancestors default-src 'self' https://mydomain.org:port  *mydomain.org:port http://localhomeassistantname:port http://homeassistantIPaddress:port"
       Permissions-Policy "geolocation=(self mydomain.org *.mydomain.org), microphone=()"
    }
}

mydomain.org:port {
      import common
      reverse_proxy homeassistantIPaddress:port
}

Did anyone insert robots.txt in root? I want to host some services in public and wants to know how.

Hello everyone, im trying to configure Caddy2 in order to provide https for Vaultwarden (port 7277) instance (only LAN, no internet) but im stuck with these errors:

a. System environment:

HassOs:

• Core 2024.1.0
• Supervisor 2023.12.0
• Operating System 11.2
• Frontend 20240103.3
  Vaultwarden Add-on:
  “Vaultwarden (Bitwarden) Current version: 0.20.1”
  DuckDNS Integration:1.15.0
  Integration with domain linked to my Public IP. Domain: smartzucchero.duckdns.org

All components are on the same machine (192.168.0.2)

VW Config:

ssl: true
certfile: fullchain.pem
keyfile: privkey.pem
log_level: debug

3. Caddy version:

Caddy 2, Current version: 1.5.4e.

I used the custom binary for arm54 platform with the duckdns module built-in (retrieved from the official caddy website) and made it executable through chmod but still receiving error:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting

-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.5.4
 You are running the latest version of this add-on.
 System: Home Assistant OS 11.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2024.1.0
 Home Assistant Supervisor: 2023.12.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service caddy: starting
s6-rc: info: service caddy successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
INFO: Prepare Caddy...
INFO: Found custom Caddy at /share/caddy/caddy
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
INFO: Prepare Caddyfile...
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
DEBUG: '/share/caddy/caddy' run --config '/share/caddy/Caddyfile' ''
{"level":"info","ts":1704471555.2387967,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"info","ts":1704471555.2464736,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1704471555.2471159,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40002d2b00"}
{"level":"info","ts":1704471555.2474158,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1704471555.2474706,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1704471555.248698,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x40002d2b00"}
Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use
INFO: Service caddy exited with code 1 (by signal 0)
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service caddy: stopping
s6-rc: info: service caddy successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service base-addon-log-level: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service base-addon-log-level successfully stopped
s6-rc: info: service base-addon-banner: stopping
s6-rc: info: service base-addon-banner successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

This is the accutally Caddyfile config:

{
	email [email protected]
}

smartzucchero.duckdns.org {
	tls {
		dns duckdns TOKEN
	}
	reverse_proxy https://localhost:7277
}

This is my “http” Configuration.yaml file:

http:
    server_port: 8123
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
    base_url: https://smartzucchero.duckdns.org
    use_x_forwarded_for: true
    trusted_proxies:
        - 172.18.0.0/24
        - 192.168.50.2

Im also trying to investigate what could be running on 443 but i cant figure it out:

@berichta i believe in you <3

you can also ask on the caddy forum. This is generic to caddy not specific to the addon…

Hi @alebald1,
It looks like you are trying to use the same URL for different routes.
smartzucchero.duckdns.org → localhost:8123
smartzucchero.duckdns.org → localhost:7277

The first one is bound by home assistant, the second one by caddy.
Both together can not work. That is also what caddy states:

Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use

My suggestion would be to create another domain, using it purely for vaultwarden.

For example you could create a new domain like smartzucchero2.duckdns.org, then changing your caddyfile:

smartzucchero2.duckdns.org {
	tls {
		dns duckdns TOKEN
	}
	reverse_proxy https://localhost:7277
}

I made a very poorly written Home Assistant addon that builds a custom caddy binary for use with berichta’s addon. Available from my repo: https://github.com/jdeath/homeassistant-addons/

With google domains going away and the replacement not supporting dynamic dns, I switched to cloudfare. The caddy download page kept hanging to include cloudfare plugin, so I made this addon so I could run xcaddy. It is not the greatest interface. You have to edit a script to include your desired xcaddy command. Hopefully it will help someone in a bind.

ps. Did you know that caddy will also update your dynamic dns IP addresses? This saves me from running inadyn. The default build on my addon includes all the plugins to make this happen (plus others I use). There is no log output when it updates them, but it does do it!