Home Assistant Add-on: Caddy 2

Installation Home Assistant OS
222

I just launched Caddy2 a few hours ago and have hit this error also…

INFO: Run Caddy...
{"level":"info","ts":1680053243.2530215,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'tls': /share/caddy/Caddyfile:20 - Error during parsing: getting module named 'dns.providers.cloudflare': module not registered: dns.providers.cloudflare
INFO: Service caddy exited with code 1 (by signal 0)

                tls {
                        dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
                }

                reverse_proxy localhost:<port>
223

Probably need to make a custom caddy binary with that module built in. Go to caddy website https://caddyserver.com/download select the computer architecture you are running, add the cloudfare dns, save the file as /share/caddy/caddy and the addon should use that binary instead next time you restart.

1 Like
224

Thak you! That worked!

image
image1344×712 69 KB

image

225

I figured this out a while after my post. What I can’t figure out is no matter what I do to add the cloudflare IPs to my trusted_proxies section when I proxy via cloudflare, the sites will not load. They work just fine if I set the site to DNS Only in cloudflare.

EDIT: My problem is the non-standard port that I am using. It isn’t compatible with Cloudflare’s list of cached ports. I either need to use one of theirs or just disable the caching for that subdomain.

226

I’m using Cloudflared tunnels and I can’t get HA to work via them and Caddy 2, only Vaultwarden is working. With NPM, the reverse was true: HA worked fine but not Vaultwarden.

227

Just got it all working…

HA configuration.yaml:

homeassistant:
  auth_providers:
    - type: homeassistant
    - type: trusted_networks
      trusted_networks:
        - 192.168.1.0/24
        - fd12:3456:7890:1::fc
      trusted_users:
        192.168.1.100: 7c824b771254da39c719cddefae9008
        192.168.1.130: 30fd5dd9c3878e0a3c4fb48016b6197
      allow_bypass_login: true

http:
  ip_ban_enabled: true
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies:
    - ::1              # IPv6 localhost
    - 127.0.0.1        # IPv4 localhost - Caddy 2 reverse proxy
    - 172.30.32.0/23   # Docker subnets - Cloudflared tunnel(s)

Cloudflared:

external_hostname: ""
additional_hosts:
  - hostname: <ha>.<my_domain.com>
    service: http://192.168.1.104:8123
    disableChunkedEncoding: true
  - hostname: <vaultwarden>.<my_domain.com>
    service: https://192.168.1.104:<custom_port>
    disableChunkedEncoding: true
nginx_proxy_manager: false

Caddy 2:

args: []
env_vars:
  - name: CLOUDFLARE_AUTH_TOKEN
    value: <my_api_token>
log_level: info
non_caddyfile_config:
  destination: localhost
  domain: <ha>.<my_domain.com>
  email: <my_email@my_domain.com>
  port: 8123

Caddyfile:

{
        email <my_email@my_domain.com>
}

(common) {
        tls {
                dns cloudflare {env.CLOUDFLARE_AUTH_TOKEN}
        }

        header / {
                Strict-Transport-Security "max-age=31536000; includeSubdomains"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
                Referrer-Policy "same-origin"
                Permissions-Policy "geolocation=(self), microphone=()"
                Content-Security-Policy "frame-ancestors <my_domain.com>:XXXXX *.my_domain.com:XXXXX>
                -Server
        }
}

<ha>.<my_domain.com> {
        import common
        reverse_proxy localhost:8123 {
        }
}
<vaultwarden>.<my_domain.com> {
        import common
        reverse_proxy localhost:<my_custom_port> {
        }
}

I should add that I also utilized Cloudflare’s SSL/TLS encryption in Flexible mode as well as created an API Token in Cloudflare, My Profile, API Tokens with Zone.Zone:Read & Zone.DNS:Write permissions for Caddy 2’s use

1 Like
228

does it work behind a CGNAT?

229

We do a reverse proxy on Caddy 2 for a Unify controller:

unifi.my.domain {
  reverse_proxy https://192.168.7.4 {
    transport http {
      tls_insecure_skip_verify
    }
    header_up -Authorization
    header_up Host {host}
  }
}
1 Like
230

Just came across this and got it working. I found it very confusing so leaving a couple of notes for anyone else who wants to try this.

I have the ssl certificate and key files stored in a folder so the tls line is different to above:

tls /path_to_sslcertificate.pem /path_to_sslkey.pem

I have also changed the Content-Security-Policy to allow http to serve https iframes:

Content-Security-Policy "frame-ancestors default-src 'self' https://mydomain.org:port  *mydomain.org:port http://localhomeassistantname:port http://homeassistantIPaddress:port"

It still gets the A+ rating from https://securityheaders.com/.

The whole file is:

(common) {
   tls /path_to_sslcertificate.pem /path_to_sslkey.pem
   header {
       Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
       X-XSS-Protection "1; mode=block"
       X-Content-Type-Options "nosniff"
       Referrer-Policy "same-origin"
       -Server
       Content-Security-Policy "frame-ancestors default-src 'self' https://mydomain.org:port  *mydomain.org:port http://localhomeassistantname:port http://homeassistantIPaddress:port"
       Permissions-Policy "geolocation=(self mydomain.org *.mydomain.org), microphone=()"
    }
}

mydomain.org:port {
      import common
      reverse_proxy homeassistantIPaddress:port
}
231

Did anyone insert robots.txt in root? I want to host some services in public and wants to know how.

232

Hello everyone, im trying to configure Caddy2 in order to provide https for Vaultwarden (port 7277) instance (only LAN, no internet) but im stuck with these errors:

a. System environment:

HassOs:

  • Core 2024.1.0
  • Supervisor 2023.12.0
  • Operating System 11.2
  • Frontend 20240103.3
    Vaultwarden Add-on:
    “Vaultwarden (Bitwarden) Current version: 0.20.1”
    DuckDNS Integration:1.15.0
    Integration with domain linked to my Public IP. Domain: smartzucchero.duckdns.org

All components are on the same machine (192.168.0.2)

VW Config:

ssl: true
certfile: fullchain.pem
keyfile: privkey.pem
log_level: debug

3. Caddy version:

Caddy 2, Current version: 1.5.4e.

I used the custom binary for arm54 platform with the duckdns module built-in (retrieved from the official caddy website) and made it executable through chmod but still receiving error:

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service base-addon-banner: starting

-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.5.4
 You are running the latest version of this add-on.
 System: Home Assistant OS 11.2  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2024.1.0
 Home Assistant Supervisor: 2023.12.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
s6-rc: info: service base-addon-banner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service base-addon-log-level: starting
s6-rc: info: service fix-attrs successfully started
Log level is set to DEBUG
s6-rc: info: service base-addon-log-level successfully started
s6-rc: info: service legacy-cont-init: starting
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service caddy: starting
s6-rc: info: service caddy successfully started
s6-rc: info: service legacy-services: starting
s6-rc: info: service legacy-services successfully started
INFO: Prepare Caddy...
INFO: Found custom Caddy at /share/caddy/caddy
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
INFO: Prepare Caddyfile...
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
DEBUG: '/share/caddy/caddy' run --config '/share/caddy/Caddyfile' ''
{"level":"info","ts":1704471555.2387967,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"info","ts":1704471555.2464736,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1704471555.2471159,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x40002d2b00"}
{"level":"info","ts":1704471555.2474158,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1704471555.2474706,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1704471555.248698,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x40002d2b00"}
Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use
INFO: Service caddy exited with code 1 (by signal 0)
s6-rc: info: service legacy-services: stopping
s6-rc: info: service legacy-services successfully stopped
s6-rc: info: service caddy: stopping
s6-rc: info: service caddy successfully stopped
s6-rc: info: service legacy-cont-init: stopping
s6-rc: info: service legacy-cont-init successfully stopped
s6-rc: info: service fix-attrs: stopping
s6-rc: info: service base-addon-log-level: stopping
s6-rc: info: service fix-attrs successfully stopped
s6-rc: info: service base-addon-log-level successfully stopped
s6-rc: info: service base-addon-banner: stopping
s6-rc: info: service base-addon-banner successfully stopped
s6-rc: info: service s6rc-oneshot-runner: stopping
s6-rc: info: service s6rc-oneshot-runner successfully stopped

This is the accutally Caddyfile config:

{
	email [email protected]
}

smartzucchero.duckdns.org {
	tls {
		dns duckdns TOKEN
	}
	reverse_proxy https://localhost:7277
}

This is my “http” Configuration.yaml file:

http:
    server_port: 8123
    ssl_certificate: /ssl/fullchain.pem
    ssl_key: /ssl/privkey.pem
    base_url: https://smartzucchero.duckdns.org
    use_x_forwarded_for: true
    trusted_proxies:
        - 172.18.0.0/24
        - 192.168.50.2

Im also trying to investigate what could be running on 443 but i cant figure it out:
Cattura

@berichta i believe in you <3

233

you can also ask on the caddy forum. This is generic to caddy not specific to the addon…

234

Hi @alebald1,
It looks like you are trying to use the same URL for different routes.
smartzucchero.duckdns.org → localhost:8123
smartzucchero.duckdns.org → localhost:7277

The first one is bound by home assistant, the second one by caddy.
Both together can not work. That is also what caddy states:

Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use

My suggestion would be to create another domain, using it purely for vaultwarden.

For example you could create a new domain like smartzucchero2.duckdns.org, then changing your caddyfile:


smartzucchero2.duckdns.org {
	tls {
		dns duckdns TOKEN
	}
	reverse_proxy https://localhost:7277
}
235

I made a very poorly written Home Assistant addon that builds a custom caddy binary for use with berichta’s addon. Available from my repo: https://github.com/jdeath/homeassistant-addons/

With google domains going away and the replacement not supporting dynamic dns, I switched to cloudfare. The caddy download page kept hanging to include cloudfare plugin, so I made this addon so I could run xcaddy. It is not the greatest interface. You have to edit a script to include your desired xcaddy command. Hopefully it will help someone in a bind.

ps. Did you know that caddy will also update your dynamic dns IP addresses? This saves me from running inadyn. The default build on my addon includes all the plugins to make this happen (plus others I use). There is no log output when it updates them, but it does do it!

236

Has anybody set up meshcentral remote desk top software https://github.com/Ylianst/MeshCentral/pkgs/container/meshcentral behind Caddy 2.
It can be set up behind a reverse proxy. MeshCentral can offload the TLS work to the the reverse proxy and pull a certificate from it. I can piece together that other people have done it with a caddy container but I’m not sure how to configure the JSON. Config file for the mesh central container with the add on. My docker compose file for mesh central seems to be working and I can get to the gui but I have an error in the mesh central log that states cannot get web certificate. The GUI shows as SSL encrypted, caddy did pull certs for the domain when I put the entry in the Caddyfile. In the caddy log I can see it’s refusing a connection from mesh central. The JSON config for mesh central has an entry for the address for caddy which I guess normally is the docker network address typically a 172 address. I’ve just entered the IP of the system that is running home assistant with the Caddy add-on? I realize the use case is obscure but thought maybe someone had experience or an :bulb:

237

Was there a breaking change in Home Assistant (or HaOS) this week?

I had to update the TLS section of my Caddyfile by changing “trusted_roots /share/config/MyCA.crt” to “trusted_roots /config/MyCA.crt” in order to get Home Assistant working again.

238

I tried to setup the addon on my instance but I can’t get it to work.

First, my HASS instance is not running HTTPS. It’s running only on port 8123. Second, the Caddy addon doesn’t seem to be binding to port 443. I installed the Terminal & SSH addon, ran netstat -tulpn, and all I see is:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8099            0.0.0.0:*               LISTEN      163/ttyd
tcp        0      0 127.0.0.11:43003        0.0.0.0:*               LISTEN      -
udp        0      0 127.0.0.11:48200        0.0.0.0:*                           -

My configuration.yaml file:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 192.168.68.20
    - 127.0.0.1
    - ::1
  base_url: https://mydomain.duckdns.org

and my Caddyfile:

{
	email [email protected]
}

https://mydomain.duckdns.org {
	tls {
		dns duckdns {env.DUCKDNS_TOKEN}
	}

	reverse_proxy 172.30.33.255:8123
}

I tried changing the reverse_proxy IP to localhost or even the local IP where HASS is accessible, but no success. I believe the main issue here is that Caddy is not binding to port 443 on the host.

239

Have moved from Caddy 2 a while back after I left duckdns hosting to cloudflare and started using the cloudflared addon…running into some issues where the sites are not using tls/ssl and wanted to reference the sites again using caddy to direct https to the local servers.

Would it make sense to have Caddy build on top of the cloudlfared sites to move from the http://example.com to https://example.com, or should I redirect the caddyfile back to the local host ip on the network and skirt the cloudflared addon - how much trouble am I asking for?!?