New Caddy add-on

yeah I’m back in on my ssl duckdns… thank heavens I have IP address access as well!

I love this addon… makes using a reverse proxy so easy compared to the alternatives…

Thanks!

Glad to hear it! Sorry for the trouble… I haven’t had these issues with the builder before. I’ll be more careful to check that the images upload next time.

Not a problem! I recommend your addon to everyone all the time. Thanks again.

Thanks a bunch, works great. Peace!

Do you think you can add support for this in Caddy add-on?

You could use this with a custom Caddy build.

If you want that feature right now, you’d probably need to build it from source. Once the next version is released, you could download it from the builder.

That’s above my comfort level/paygrade for now… lol.

Hi, I now have Caddy running on a dedicated Pi. However, I’m migrating my HASS to a dedicated NUC. Is there an advantage to using Caddy on the NUC vs keeping it separate? I have fiber to the home, so maybe the 100mb throughput of the Pi might cause a bottleneck?

If I were you, I’d move it to the NUC. There’s less chance of failure that way, and you’d be running on a more performant (for network, CPU, and disk speed) device. I don’t see any advantages to keeping it running on the Pi.

@korylprince hoping you can help here. My ISP blocks port 80, so when I run your add-on I get the error below:

Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
Using built-in Caddy: Caddy 0.10.14 (unofficial)
2019/01/09 17:42:43 [xxx.duckdns.org] failed to get certificate: [xxx.duckdns.org] error presenting token: presenting with standard HTTP provider server: Could not start HTTP server for challenge -> listen tcp :80: bind: address already in use
Activating privacy features...

Can you advise if I’m able to do either of the following using your add-on?

  1. have the HTTP challenge use another port instead of 80?
  2. use Caddy’s “-disable-http-challenge” command so I can pass this step?

UPDATE: still not working for me (failed to get the certificate), but I figured out how to get -disable-http-challenge working… I’ve read somewhere that one must pass the challenge for the certificate to be issued, not sure if that’s true or not…

Not sure if it works for you now or not, but if it’s not you could use the DuckDNS add-on as a workaround and let that create the certs for you. That does not need ports 80 & 443 to work…

You could then use tls /ssl/fullchain.pem /ssl/privkey.pem in your CaddyFile to use the files created by the DuckDNS add-on.

@sebdoan,

@Florian’s suggestion is the much easier path. The only Let’s Encrypt method that works without port 80 is the DNS challenge, and the DuckDNS add-on handles this nicely.

If you really want to do this with Caddy, it’s possible but you’ll need to build a custom binary with a DNS plugin and a shim script at /share/caddy/caddy.bin to set Caddy DNS environment variables and call your custom Caddy binary.

I’m making some progress. Apologies as I’m very new to Caddy. I’m using the below in the Hassio Addon config:

{
  "flags": [
    "-agree",
    "-email",
    "[email protected]"
  ]
}

and the below in my Caddyfile:

xxx.duckdns.org {
    tls /ssl/fullchain.pem /ssl/privkey.pem
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

Here’s the log when I run it now. Looks as though I don’t have the TLS syntax right for the Caddyfile:

Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
Using built-in Caddy: Caddy 0.10.14 (unofficial)
Activating privacy features... done.
https://xxx.duckdns.org:2015

I’m keeping things basic to just SSL Home Assistant for now. The logs look promising, but it doesn’t seem to load my Home Assistant. I’m following @DavidFW1960’s guide here: Setting Home Assistant up for Secure access over the Internet | DEW IT & Web Services

The logs look promising, but it doesn’t seem to be working. I’ll have to test to see what I’m doing wrong.

UPDATE: Looks like it’s working yay!!! I can access my site using https://xxx.duckdns.org:2015

Now to figure out how to make it use port 443 and getting sub-subdomains working.

Just specify the port you want to use; it’s currently listening on 2015, as the log you’ve posted says (btw: you should redact your mail and domain from there).

And you don’t need the flags when using the DuckDNS add-on, but if you start using sub-subdomains as mentioned in David’s post, using the add-on may introduce some problems when generating the certs.

@DavidFW1960 Is there a reason not to mention use_x_forwarded_for and trusted_proxies in step 3? If this is your current configuration, how are you able to access your instance after someone banned the proxy’s IP?

Oh on my blog post you mean?
Well I only discovered that recently.
Before that I was getting banned every few days and had to SSH in to remove the bans file and restart.
Since I added those to config yaml I have never been banned. I’m also using the authenticated sensor now and can see every IP connecting. I might review my blog post…
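Added here as an illustration of the change David describes (this is an added example, not from the blog post or the add-on): the Home Assistant http: section that makes the IP ban key on the real client address instead of Caddy’s. The proxy addresses are placeholders.

```yaml
# Home Assistant configuration.yaml, http: section (added example).
# Caddy's "transparent" preset forwards the real client address in
# X-Forwarded-For. Without the two keys below HA ignores that header,
# sees every request as coming from the proxy, and the first ban from
# ip_ban_enabled locks out the proxy itself, and with it every remote user.
http:
  # Trust X-Forwarded-For, but only when the request arrives from a listed proxy.
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1        # Caddy add-on on the same host (placeholder)
    - 192.168.1.10     # Caddy on a separate Pi (placeholder, use your proxy's address)
  # Bans are now applied to the real client address, so they stay useful
  # instead of cutting off the proxy.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Keep the trusted_proxies list to the proxy addresses only; a request from an untrusted source that carries a forged X-Forwarded-For header is then still attributed to its real source address.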

Since you’ve got people using your post as a reference, I would be happy if you’d consider that. Thanks!

Yeah I will fix that shortly… Thanks for pointing this out.
EDIT: fixed.

You’re right, I’m having problems with sub-subdomains. The same certificate can’t be used and I can’t seem to get the DuckDNS addon to add the additional sub-subdomains to my certificates either…

Looks like the DNS challenge method may be needed for me…

I’m going to attempt this, however it may be beyond my abilities…

I’d like to ask for some help with the caddyfile setup.

I set this up a few weeks ago and for my purpose it works beautifully!! But today I discovered that Hass doesn’t get the HTML5 events from push notifications back anymore.

This was discovered when my mother-in-law triggered the home alarm and I wasn’t able to easily shut it down!

Anyway, I was looking at the bottom of the article for push notifications, and there are some instructions on how to set NGINX up to allow the events to come through to the API. But can I? And if so, how do I add a rule that does the same to my Caddyfile?

location /api/notify.html5/callback {
    if ($http_authorization = "") { return 403; }
    allow all;
    proxy_pass http://localhost:8123;
    proxy_set_header Host $host;
    proxy_redirect http:// https://;
}

This is what it’s supposed to be for NGINX.

And this is my Caddyfile:

xxx.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / 192.168.xxx.xxx:xxxx {
        websocket
        transparent
    }
}

xxx.xxx.duckdns.org {
    proxy / 192.168.xxx.xxx:xxxx {
        websocket
        transparent
    }
}

xxx.xxx.duckdns.org {
    proxy / 192.168.xxx.xxx:xxxx {
        websocket
        transparent
    }
}

xxx.xxx.duckdns.org {
    proxy / 192.168.xxx.xxx:xxxx {
        websocket
        transparent
    }
}

xxx.xxx.duckdns.org {
    proxy / 192.168.xxx.xxx:xxxx {
        websocket
        transparent
    }
}