New Caddy add-on

Hi, I had a working configuration for a year now. Something happened on my router and I could not get access to https://xxx.duckdns.org.

Now I have factory reset my router and all seems to be working well, but I am still unable to access
https://xxx.duckdns.org, neither from outside nor from inside the LAN. I receive


502 Bad Gateway

I can access fine

https://192.168.1.xx:8123

My configuration is

  1. ports 443 to 443 and 80 to 80 are forwarded to 192.168.1.12 (the hassio machine)

  2. Caddy config


{
  "flags": [
    "-agree",
    "-email",
    "[email protected]"
  ],
  "env_vars": [
    "DUCKDNS_TOKEN=xxxxab447"
  ]
}

xxx.duckdns.org {
    tls {
        dns duckdns
    }
    log data/requests.log {
        rotate_size 50  # Rotate after 50 MB
        rotate_age  90  # Keep rotated files for 90 days
        rotate_keep 20  # Keep at most 20 log files
        rotate_compress # Compress rotated log files in gzip format
    }
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        -Server
    }
    proxy / 192.168.1.12:8123 {
        websocket
        transparent
        header_upstream Authorization {>Authorization}
    }
}

xxx-dash.duckdns.org {
    tls {
        dns duckdns
    }
    log data/requests.log {
        rotate_size 50  # Rotate after 50 MB
        rotate_age  90  # Keep rotated files for 90 days
        rotate_keep 20  # Keep at most 20 log files
        rotate_compress # Compress rotated log files in gzip format
    }
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        -Server
    }
    proxy / localhost:5665 {
        websocket
        transparent
        header_upstream Authorization {>Authorization}
    }
}

xxx-me.duckdns.org {
    tls {
        dns duckdns
    }
    log data/requests.log {
        rotate_size 50  # Rotate after 50 MB
        rotate_age  90  # Keep rotated files for 90 days
        rotate_keep 20  # Keep at most 20 log files
        rotate_compress # Compress rotated log files in gzip format
    }
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        -Server
    }
    proxy / 192.168.1.9:8123 {
        websocket
        transparent
        header_upstream Authorization {>Authorization}
    }
}

In my system log


20-01-05 21:12:54 INFO (MainThread) [hassio.store] Load add-ons from store: 95 all - 0 new - 0 remove
20-01-05 21:23:57 INFO (SyncWorker_13) [hassio.docker.interface] Stop addon_fe41fc28_caddy application
20-01-05 21:23:57 INFO (SyncWorker_13) [hassio.docker.interface] Clean addon_fe41fc28_caddy application
20-01-05 21:23:58 INFO (SyncWorker_7) [hassio.docker.addon] Start Docker add-on korylprince/hassio-caddy-amd64 with version 1.6
20-01-05 21:26:15 INFO (SyncWorker_4) [hassio.docker.interface] Stop addon_fe41fc28_caddy application
20-01-05 21:26:16 INFO (SyncWorker_4) [hassio.docker.interface] Clean addon_fe41fc28_caddy application
20-01-05 21:26:16 INFO (SyncWorker_19) [hassio.docker.addon] Start Docker add-on korylprince/hassio-caddy-amd64 with version 1.6
20-01-05 21:31:32 INFO (MainThread) [hassio.homeassistant] Updated Home Assistant API token

That 502 error usually means Caddy isn’t running (for me) and your log seems to show it starting/restarting a couple of times?

You also seem to specify DNS challenge (so no need to forward port 80)

What happens if you go to 192.168.1.12:8123 in your browser? Can you go to addons and check the Caddy log? Can you also check that duckdns has the right IP address - I have had 502 when caddy isn’t started - sometimes when it’s renewing certificates (saw this after I switched to a Namecheap domain… the TTV was causing each certificate to take 30 mins to renew…) Also check your router is still allowing NAT loopback.

https://192.168.1.12:8123 works
http://192.168.1.12:8123 gives an error ERR_EMPTY_RESPONSE

caddy log


Found custom Caddy: Caddy v1.0.3 (h1:i9gRhBgvc5ifchwWtSe7pDpsdS9+Q0Rw9oYQmYUTw1w=)
Running Caddy: DUCKDNS_TOKEN=xxx28ab447 /share/caddy/caddy.bin -conf /share/caddy/Caddyfile -agree -email [email protected]
Activating privacy features... done.
Serving HTTPS on port 443 
https://xxx.duckdns.org
https://xxx-dash.duckdns.org
https://xxx-me.duckdns.org
Serving HTTP on port 80 
http://xxx.duckdns.org
http://xxx-dash.duckdns.org
http://xxx-me.duckdns.org

BTW

https://xxx-me.duckdns.org IS WORKING (it's a second instance of HASSIO on a different address, 192.168.1.9:8123)
with nothing in configuration.yaml


default_config:

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
# http:
#   base_url: example.duckdns.org:8123

https://xxx.duckdns.org IS NOT WORKING (it's my primary instance of HASSIO on address 192.168.1.12:8123)
with this configuration.yaml


http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://xxx.duckdns.org

I can't understand what is happening

so I commented out all of this, and now it is working

I can access

https://xxx.duckdns.org
and I cannot access https://192.168.1.12:8123 anymore (ERR_SSL_PROTOCOL_ERROR)

Strange: the configuration below worked for ages, and it stopped working the other day???


http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://xxx.duckdns.org

Can you try http://192.168.1.12:8123/ and see what happens?

Basically the IP address with http instead of https

Ha! Not sure how that would have ever worked with specifying the ssl_cert and key. I have those commented out.

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: !secret base_http_url

and base URL is https://xxx.yyy.zzz:xxxxx (I use a different port)
BTW - did you see where I said you don’t need port 80 forwarded anymore? You are using DNS validation not http now so unless you need port 80 for something else, remove that.
Caddy doesn’t put certs in /ssl folder which is why you get the error and why I don’t know how it ever worked.
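The mismatch this post pins down (Home Assistant terminating TLS itself via ssl_certificate while Caddy's proxy directive sends plain HTTP to 192.168.1.12:8123) can be caught from the two config files before anything is restarted. This is an added example, not code from the add-on or from anyone in the thread; it assumes Caddy v1 Caddyfile syntax as posted, scans only the flat keys of the http: block, and uses constructed sample inputs.

```python
import re  # sample inputs below are constructed, modelled on the thread's configs, not the poster's exact files
CADDYFILE = """xxx.duckdns.org {
    proxy / 192.168.1.12:8123 {
        websocket
        transparent
    }
}"""
HA_HTTP_BROKEN = """http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem
  base_url: https://xxx.duckdns.org"""
HA_HTTP_FIXED = """http:
  use_x_forwarded_for: true
  base_url: https://xxx.duckdns.org"""

def caddy_upstreams(caddyfile):
    """Map each site label to the target of its Caddy v1 'proxy / <upstream>' directive."""
    sites, site = {}, None
    for line in caddyfile.splitlines():
        m = re.match(r"^(\S+)\s*\{\s*$", line)  # an unindented 'label {' opens a site block
        if m:
            site = m.group(1)
            continue
        m = re.match(r"^\s*proxy\s+\S+\s+(\S+)", line)
        if m and site:
            sites[site] = m.group(1)
    return sites

def ha_http_keys(config):
    """Collect the scalar keys of the top-level 'http:' block (minimal flat-YAML scan)."""
    keys, inside = {}, False
    for line in config.splitlines():
        if re.match(r"^http:\s*$", line):
            inside = True
        elif inside and line and not line.startswith(" "):
            break  # the next top-level key ends the block
        elif inside:
            m = re.match(r"^  (\w+):\s*(.*)$", line)
            if m:
                keys[m.group(1)] = m.group(2).strip()
    return keys

def check(caddyfile, ha_config):
    """Report sites where Caddy proxies plain HTTP to a Home Assistant that only speaks TLS."""
    findings, http = [], ha_http_keys(ha_config)
    for site, upstream in caddy_upstreams(caddyfile).items():
        # Caddy v1 talks plain HTTP to the upstream unless the target carries an https:// scheme
        if not upstream.startswith("https://") and "ssl_certificate" in http:
            findings.append(f"{site}: plain HTTP to {upstream} but HA sets ssl_certificate (expect 502 Bad Gateway)")
    return findings
```

Run check() against the real /share/caddy/Caddyfile and configuration.yaml; an empty list means TLS is terminated in exactly one place, which is the state the thread ends up in.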

Do I need http: and all the rest (I commented it all out)?

Noted, will do tomorrow, thanks

You need http: if you set a base URL, and some stuff won't work correctly if you don't specify a base URL.

So far everything is working taking out ALL http: …

You put base_url: https://xx.duckdns.org:yyy, specifying the port? Even if you forward 443 to 443 of the HASSIO/caddy installation?

Yeah, who knows, probably from an old configuration and trying in the past; something was making it work.

If you use 443 for ssl then you don’t need to specify it in the base_url.

I don't use 443 because, as Tinkerer says, when everyone's front door is in the same place and yours isn't, it's just extra obscurity and you will have far fewer people knocking on it.

If you do decide to do that, forward xxxxx to 443 and in your caddyfile with the url just put :xxxxx at the end. eg xxx.duckdns.org:xxxxx

Strangely, so far everything works without http: entirely!

Does Cast work? Way back I also could not create a token without a base_url.

Just checked, it works

This works too

Thanks so much for sharing the syntax you use for sub-subdomains!!!

It finally worked for me :blush: :smiley:

I've been tearing my hair out for days now with no luck getting this to work. I use my own domain through Loopia and pointed an A record to my public IP address. If I open 8123 -> 8123 I can access HA from outside using my-own.domain.se:8123. So there shouldn't be a problem with the pointing.

My caddyfile looks like this:

my-own.domain.se {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }
    proxy / 192.168.1.70:8123 {
        websocket
        transparent
    }
}

The Caddy add-on seems to work and is running, with the logs saying this:

Using built-in Caddy: Caddy 0.11.1 (unofficial)
Running Caddy:  /usr/sbin/caddy -conf /share/caddy/Caddyfile -agree -email [email protected]
Activating privacy features... done.
https://my-own.domain.se
http://my-own.domain.se

My port forwarding is (192.168.1.70 is my HA address):
80 -> 80 for 192.168.1.70
433 -> 433 for 192.168.1.70

http:
  base_url: https://my-own.domain.se
  ip_ban_enabled: False
  login_attempts_threshold: 3
  use_x_forwarded_for: true
  trusted_proxies: 127.0.0.1

When I try to access it I get 401 Authorization Required, nginx

Can anyone point me in the right direction to get this to work?

/r1kkie