Home Assistant Add-on: Caddy 2

@berichta did you see this?

Hi Berichta and David,

I made the adjustments as you both pointed out and have evolved my config and Caddyfile, as below:
http:

http:
  # Uncomment this to add a password (recommended!)
  # api_password: !secret http_password
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: True
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: <my-domain>.duckdns.org

Caddyfile:

{
	email <my-email>@email.com
}

(common) {
	tls {
		dns duckdns {env.DUCKDNS_TOKEN}
		on_demand
	}
	header {
		Strict-Transport-Security "max-age=31536000; includeSubdomains"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		Referrer-Policy "same-origin"
		X-Frame-Options "ALLOW-FROM <my-domain>.duckdns.org"
		-Server
		Content-Security-Policy "frame-ancestors domain.com *.domain.com"
		Permissions-Policy "geolocation=(self domain.com *.domain.com), microphone=()"
	}
}

<my-domain(without the https://)>.duckdns.org {
	import common
	reverse_proxy localhost:8123 {
	}
}
<subdomain>.<my-domain>.duckdns.org {
	import common
	reverse_proxy localhost:8581 {
	}
}
<subdomain>.<my-domain>.duckdns.org {
	import common
	reverse_proxy <IP_Address>:443 {
	}
}

I can now access the door-knock on HA with the splash screen and the retry, but a retry goes to:

Safari cannot open the page.
The error was: "FETCHEVENT.respondWith received an error: no-response: no-response :: [{"url":"<my-domain>.duckdns.org/lovelace","error":{}}]".

Oh, so close!!

I also started to build out multiple subdomains and have those listed above, specifically the Caddyfile - I'm not so sure about my most recent updates in line with your discussions from earlier in this thread?

Thank you for looking at these.
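The `use_x_forwarded_for` / `trusted_proxies` pair in the http section above is what makes `ip_ban_enabled` and `login_attempts_threshold` meaningful behind Caddy: the X-Forwarded-For header must only be believed when the TCP peer is the proxy itself, otherwise anyone can spoof the address that bans are keyed on. The following is an added example (not Home Assistant's or the add-on's own code) that models that rule with constructed requests; the `LoginAttemptTracker` is a simplified stand-in for the ban logic, not HA's implementation.

```python
"""Model of trusted-proxy handling for X-Forwarded-For (added example).

Assumptions: TRUSTED_PROXIES mirrors the trusted_proxies list in the
post; LoginAttemptTracker is a constructed stand-in for ip_ban_enabled +
login_attempts_threshold, not Home Assistant's real implementation.
"""
import ipaddress
from typing import Dict, Iterable, Set

# Constructed to mirror the `trusted_proxies` list in the configuration above.
TRUSTED_PROXIES = ["127.0.0.1", "::1"]


def is_trusted(addr: str, trusted: Iterable[str] = TRUSTED_PROXIES) -> bool:
    """True when addr falls inside one of the trusted proxy networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def client_ip(peer: str, headers: Dict[str, str],
              use_x_forwarded_for: bool = True,
              trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address that bans and login throttling should key on.

    Only a trusted peer may supply X-Forwarded-For, and only the rightmost
    address that is itself not a trusted proxy is used: that is the client
    as seen by the outermost proxy we control.
    """
    if not use_x_forwarded_for:
        return peer
    xff = headers.get("X-Forwarded-For")
    if not xff or not is_trusted(peer, trusted):
        # No header, or the header came from an untrusted peer: it is
        # attacker-controlled input, so fall back to the socket address.
        return peer
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            # Malformed entry: refuse to trust anything to its left.
            break
    return peer


class LoginAttemptTracker:
    """Counts failed logins per resolved client IP (constructed model)."""

    def __init__(self, threshold: int = 5) -> None:
        self.threshold = threshold
        self.failures: Dict[str, int] = {}
        self.banned: Set[str] = set()

    def record_failure(self, peer: str, headers: Dict[str, str]) -> str:
        ip = client_ip(peer, headers)
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return ip


if __name__ == "__main__":
    # Direct connection claiming to be someone else: header is ignored.
    print(client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"}))
    # Same claim relayed by the local Caddy instance: header is honoured.
    print(client_ip("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}))
```

With this rule in place, a client that bypasses the proxy and rotates a fake X-Forwarded-For on every attempt still accumulates failures under its own socket address, which is the property the ban threshold depends on.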

Ok so first you don't need the X-Frame-Options… The Content-Security-Policy covers that off. Also see the post directly above yours. That permissions policy doesn't work for me - I get console errors in chrome so I changed it to

Permissions-Policy "geolocation=(self) , microphone=()"

With the base_url, I use the setting in Configuration>General like this:
[screenshot of the Configuration > General setting]
and in configuration.yaml only this for http

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5

Yes you are really close!

Misses that bit but I'm sure you can't proxy to 443 when you are connecting on 443 as well (same as the 8123 issue from yesterday.) I could be wrong about that of course lol.
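The two header points made in the replies (X-Frame-Options is redundant once the Content-Security-Policy carries frame-ancestors, and the Permissions-Policy allowlist only accepts `*`, `self` or quoted origins, so bare hostnames produce browser console errors) can be checked offline against a captured response. The following is an added example, not code from the add-on or from either poster; the response text is constructed to match the `(common)` snippet earlier in the thread, and the severity labels are my own.

```python
"""Offline audit of the headers a Caddy `header {}` block emits (added example).

SAMPLE_RESPONSE is constructed to reproduce the (common) snippet from the
thread; nothing here is fetched from a live server.
"""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, code, message)

# Constructed sample of what `curl -I https://<my-domain>.duckdns.org` might show.
SAMPLE_RESPONSE = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubdomains
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: same-origin
x-frame-options: ALLOW-FROM <my-domain>.duckdns.org
content-security-policy: frame-ancestors domain.com *.domain.com
permissions-policy: geolocation=(self domain.com *.domain.com), microphone=()
content-type: text/html; charset=utf-8
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Lower-cased header map; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


# Valid allowlist items: *, self, or a quoted origin such as "https://domain.com".
_ALLOWLIST_ITEM = re.compile(r'^(\*|self|"https?://[^"\s]+")$')


def check_permissions_policy(value: str) -> List[Finding]:
    """Flag directives the browser cannot parse or allowlist items it ignores."""
    findings: List[Finding] = []
    for directive in value.split(","):
        directive = directive.strip()
        if not directive:
            continue
        m = re.fullmatch(r"([a-z-]+)=(?:\*|\((.*)\))", directive)
        if not m:
            findings.append(("error", "PP_SYNTAX", f"cannot parse {directive!r}"))
            continue
        feature, items = m.group(1), (m.group(2) or "").split()
        for item in items:
            if not _ALLOWLIST_ITEM.match(item):
                findings.append(("error", "PP_BAD_ITEM",
                                 f"{feature}: {item!r} must be *, self or a quoted origin"))
    return findings


def audit_headers(raw: str) -> List[Finding]:
    h = parse_headers(raw)
    findings: List[Finding] = []
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not age or int(age.group(1)) < 31536000:
        findings.append(("warn", "HSTS_WEAK", "HSTS missing or max-age below one year"))
    if "server" in h:
        findings.append(("info", "SERVER_LEAK", "Server header present; the -Server line removes it"))
    has_frame_ancestors = "frame-ancestors" in h.get("content-security-policy", "")
    if not has_frame_ancestors:
        findings.append(("warn", "NO_FRAME_ANCESTORS",
                         "no CSP frame-ancestors; framing control relies on X-Frame-Options"))
    xfo = h.get("x-frame-options")
    if xfo is not None:
        if xfo.upper().startswith("ALLOW-FROM"):
            findings.append(("warn", "XFO_ALLOW_FROM", "ALLOW-FROM is obsolete; current browsers ignore it"))
        if has_frame_ancestors:
            findings.append(("info", "XFO_REDUNDANT", "X-Frame-Options is redundant next to frame-ancestors"))
    if "permissions-policy" in h:
        findings.extend(check_permissions_policy(h["permissions-policy"]))
    if h.get("x-xss-protection", "0")[:1] != "0":
        findings.append(("info", "XSS_FILTER_DEPRECATED", "X-XSS-Protection is deprecated and ignored by modern browsers"))
    return findings


def finding_codes(findings: List[Finding]) -> List[str]:
    return sorted({code for _, code, _ in findings})


if __name__ == "__main__":
    for severity, code, message in audit_headers(SAMPLE_RESPONSE):
        print(f"{severity:5} {code:22} {message}")
```

Run against the sample it reports the obsolete `ALLOW-FROM`, the redundant X-Frame-Options and the two unquoted hostnames in the geolocation allowlist; the corrected `geolocation=(self) , microphone=()` from the reply above passes cleanly, as does `geolocation=(self "https://domain.com")` if a second origin really is wanted.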

How would I point to a nextcloud instance that communicates on port 443 (requires a ssl/https connection)? is it simply IP address and drop the port?

I don't know however there is a Caddyfile here for nextcloud. Does that help?

Well wow that's some Caddyfile! I completely wiped my Nextcloud instance to start over there, much quicker and it was completely interfering with HA (multi-use of domain is not suggested)! I'm going to wipe my cache for safari, but now instead of retry it comes up with initializing? Don't know if I'm getting closer, but feels like progress!


All HA stuff is working now though? I couldn't get a proxmox install to work either. It was on a different IP address as well so I don't know if that's related or not. At the end of the day I didn't care enough to try and hunt it down.

Finally up and running! Started resetting everything and after router it's going perfect!

Couple follow ups:

  1. Webpage card config - have a cert on a local port that's working from cell network in browser but not populating the card, any thoughts?
  2. I had seen the iframes need an ssl reference, if you don't mind what is that additional config? Added to config.yaml for iframes section? Added to config lines in addons (if so, under what reference)?

Thank you, this is cool getting this working!

Also, my naivety, but when the site is being accessed through a secure connection, why do the local items on the same network not get passed into the HA server? Local ports or IPs on the local network that are in the Lovelace cards or views, I thought for some reason, would be pulled in locally and then served out to the web interface; is that not the processing path?

Huh? I have no idea what you are asking. Your router will need to support NAT loop back otherwise you can use the ip-address:port when on your LAN.

IFrames… if you are using SSL for the HA frontend (which is why you use Caddy) then the iFrame must also be SSL. I think I posted my iFrame configs… if you then access the frontend via IP-address:port then the iFrames won't connect… just the way it is. Check my example above and/or the docs for iFrames. (Needs an iFrames: section).

Again no idea what you are asking. Can you show an example. It may again be mixing http and https

Hi David and Berichta, a big thank you to both of you!

The ssl tags that I see are from the caddy1 thread, but are these for addons?

{
  "ssl": true,
  "certfile": "acme/acme-v02.api.letsencrypt.org/sites/domain.se/sites/domain.se.crt",
  "keyfile": "acme/acme-v02.api.letsencrypt.org/sites/domain.se/sites/domain.se.key",
  "log_level": "info"
}

Even though I have a https sub domain set for Homebridge this does not load on external interface:

If you want addons to use ssl you could set the certificates in the addon configuration.
For the webpage card looks like you might need to use the domain and https. Did you try that?

Hi David, Yes I tried the https + domain for the webpage card and it was not working in there (although works directly). I'll have to fumble around this one for a little longer.

I've got plex working correctly & I'm also working on getting tautulli to work - where does the cert and key file get stored when using Caddy2? It seems like many add-ons refer back to these locations to pull their config.

Thank you

To complicate things I have the existing cert from a failed attempt with either nginx or dnsmasq that is confounding the addons certs, I think that I need to tease out the way to provide the cert file and key while having it pick up the right https reference. What do you think?

Hi David,

I've found cert location (not super hard to find), but one of my subdomains is being tricky and not actually generating a cert folder - I have main domain + 4 other subdomains but no joy for a single additional one - no matter what I name it. Is there a theoretical max certs? or am I just doing something wrong (header issue maybe)?

Thank you in advance.

Don't know. There's no max I'm aware of. If @berichta doesn't respond you can try the caddy server forum.

I think I'm facing a similar issue to these configs - Iframe issue (panel_iframe, Webpage Card), but funny thing is I'm accessing https through https and still getting nothing - I'll clear cache to confirm.

Hey David, I just saw that this was your post: https://dew-itwebservices.com.au/setting-home-assistant-up-for-secure-access-over-the-internet/, really liked it and I'm going to add the port number to the end of my https references for iframe and give that a try.

I have been meaning to do a post for caddy2 as well. Non standard port is a good idea.