7 simple-ish steps to green HTTPS on LAN with custom domain, Caddy, LetsEncrypt and Cloudflare. And a bonus tip!
Ever felt envious of those pretty green locks on sites like Github.com or Google.com? Ever wished you had one of those for the services on your homelab? Well, wish no more, because I have a guide for you!
This guide is written for Ubuntu 16.04 Server with a domain registered at NameSilo and nameservers on Cloudflare. However, it will work for any OS that Caddy supports (this includes Linux, Windows, macOS and many others, on several architectures) and with any other DNS provider that has an API Caddy supports.
- A domain (this one costs money)
- A Cloudflare account, or an account with another DNS provider whose API is listed in https://caddyserver.com/docs/automatic-https#enabling-the-dns-challenge
- A basic understanding of DNS and server management, and the ability to RTFM
- Add your domain to your Cloudflare account
- Change your domain's nameservers to point to Cloudflare's: https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare
- Set up your DNS records to point to your services via `A` or `CNAME` records. Make sure to UNCHECK "Traffic to this hostname will go through Cloudflare" (DNS only): the records point at a private LAN address that Cloudflare's proxy cannot reach, and the DNS challenge used below does not need the proxy. For example, here I have `fireant.pw` as my domain, `diskstation` as my server and `netdata`/`webmin` as services on `diskstation`:
  - Type: `A`, Name: `diskstation`, Value: `172.24.0.1`
  - Type: `CNAME`, Name: `netdata`, Value: `diskstation.fireant.pw`
  - Type: `CNAME`, Name: `webmin`, Value: `diskstation.fireant.pw`
- Download and install Caddy (see https://gist.github.com/AdroitAdorKhan/5cc1eb30e48a13d3dee19209365acc50):
  - Install Go: https://go.dev/doc/install
  - For Debian, Ubuntu and Raspbian, an `xcaddy` package is available from Caddy's Cloudsmith repo:
    ```sh
    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list
    sudo apt update
    sudo apt install xcaddy
    ```
  - Build Caddy with the Cloudflare DNS module (this writes a `caddy` binary into the current directory):
    ```sh
    xcaddy build --with github.com/caddy-dns/cloudflare
    ```
  - Now install the binary:
    ```sh
    sudo mv caddy /usr/bin
    ```
- Create a `caddy` group and system user with a writable home directory:
  ```sh
  sudo groupadd --system caddy
  sudo useradd --system \
    --gid caddy \
    --create-home \
    --home-dir /var/lib/caddy \
    --shell /usr/sbin/nologin \
    --comment "Caddy web server" \
    caddy
  ```
- Install the systemd unit files from Caddy's dist repo:
  - `/etc/systemd/system/caddy.service` from https://github.com/caddyserver/dist/blob/master/init/caddy.service
  - `/etc/systemd/system/caddy-api.service` from https://github.com/caddyserver/dist/blob/master/init/caddy-api.service
- Add your Cloudflare API token (the guide's `CLOUDFLARE_API_KEY`) to the top of the Caddyfile. The xcaddy build above produces Caddy v2, whose cloudflare module takes a scoped API token (Zone:Read and DNS:Edit on this zone only) rather than the Global API Key, and whose `tls` directive must sit inside a site block, so define it once as a snippet that every site imports:
  ```
  (cloudflare) {
  	tls {
  		# Replace the value below with your own scoped Cloudflare API token.
  		dns cloudflare 1okkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkJdF
  	}
  }
  ```
- Set up the `Caddyfile` (in Ubuntu 16.04, this is in `/etc/caddy/Caddyfile`). Example configuration (Caddy v2 syntax, so `reverse_proxy` replaces the v1 `proxy /` directive):
  ```
  netdata.fireant.pw {
  	import cloudflare
  	reverse_proxy localhost:19999
  }
  webmin.fireant.pw {
  	import cloudflare
  	reverse_proxy localhost:10000
  }
  ```
- Start Caddy with `sudo service caddy restart`, wait for it to obtain certificates from Let's Encrypt via the DNS challenge, then check out your websites with their pretty green badges.
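A post-install check for the setup above, added here as an example and not part of the original guide: it resolves each hostname, confirms it maps to a private LAN address (i.e. the Cloudflare proxy really is off), connects with full certificate validation, and reports issuer, SAN coverage and days until expiry. The hostnames are the guide's example records; `HOSTS` and the helper function names are this example's own.

```python
import ipaddress
import socket
import ssl
import time

# Hostnames from the guide's example zone; replace with your own records.
HOSTS = ["diskstation.fireant.pw", "netdata.fireant.pw", "webmin.fireant.pw"]

def is_private(ip: str) -> bool:
    # A LAN host must resolve to an RFC 1918 address; a public one means the record
    # was left proxied (orange cloud), so clients reach Cloudflare, not your server.
    return ipaddress.ip_address(ip).is_private

def cert_covers(san, hostname: str) -> bool:
    # True if a dNSName SAN matches exactly or as a single-label wildcard.
    host = hostname.lower().rstrip(".")
    for kind, name in san:
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host or (name.startswith("*.") and host.endswith(name[1:])
                            and host.count(".") == name.count(".")):
            return True
    return False

def days_until_expiry(not_after: str, now_ts=None) -> int:
    # not_after is the 'notAfter' string from getpeercert(), e.g. 'Jun  5 12:00:00 2024 GMT'.
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(not_after) - now_ts) // 86400)

def summarize(hostname: str, ip: str, cert: dict, now_ts=None) -> dict:
    # Pure function over the getpeercert() dict, so it can be exercised offline.
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {"host": hostname, "ip": ip, "dns_only": is_private(ip),
            "issuer": issuer.get("organizationName"),
            "san_ok": cert_covers(cert.get("subjectAltName", ()), hostname),
            "days_left": days_until_expiry(cert["notAfter"], now_ts)}

def check_host(hostname: str, port: int = 443) -> dict:
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context()  # validates the chain against system roots
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return summarize(hostname, ip, tls.getpeercert())

if __name__ == "__main__":
    for h in HOSTS:
        r = check_host(h)
        ok = r["dns_only"] and r["san_ok"] and r["days_left"] > 14
        print("OK  " if ok else "FAIL", r)
```

Run it from a machine on the LAN once Caddy has finished issuing; a FAIL with a public `ip` means the record is still proxied, and a `days_left` that keeps shrinking means Caddy's renewal is not working.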