@cogneato
Created December 18, 2018 20:36

Caddy setup

Steps for configuring Caddy reverse proxy for Hassio

Install the addon

Add this repo to the addon store:

https://github.com/korylprince/hassio-caddy

Using the icon in the upper right, reload the page.

Scroll down and install the Caddy addon.

Remove previous SSL configuration (if needed).

Comment out your ssl/ lines in the http: section of your configuration.yaml. Restart Home Assistant.

Connect to http://local-ip:8123 for the rest of this setup until Caddy is completely configured.

If you were using DuckDNS for ssl, go to your DuckDNS addon configuration page and change "accept terms" to "false". Save the config. Restart the addon. If you were using some other method or addon, simply stop that addon and set it to not run at startup, or uninstall it altogether.

Set up port forwarding in your router

Once Caddy is running, everything will come through port 443. You will also need port 80 forwarded for the automatic certificate retrieval and renewal.

So forward external 443 to internal 443, and external 80 to internal 80 for your Hassio's local IP address. If you would like to change the external ports for extra security, you can, but I won't go into detail about that here.

Configure the Caddy addon options

Enter the content below into the config options for the addon, using your own email address.

{
  "flags": [
    "-agree",
    "-email",
    "your-email-here@gmail.com"
  ]
}

Save, but DO NOT START. There's one more step...

Create a Caddyfile

Create a new file in a text editor. At minimum, this file will contain:

your_sub.duckdns.org {

    proxy / localhost:8123 {
        websocket
        transparent
    }
}

You can stop there, and be done. You then save this file as Caddyfile (case sensitive and no extension) inside /share/caddy.

At this point, you can start the addon and check the logs below on the same page.

You should see:

starting version 3.2.4
Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email youremail@gmail.com
Activating privacy features... done.

followed by your domain listed as both http and https.

If everything is working, you can now reach your domain using https://your.domain.name and internally with http://your.local.ip:8123

Now, you can continue tweaking your Caddyfile!

Here is an example of a Caddyfile with additional security headers and some subdomains which are all reverse proxied. Caddy handles the ports, so none of them need to be open on your router.

Don't forget to restart the Caddy addon whenever you make changes to the Caddyfile.

Note that in this example, some services are on the Pi running Hass.io (those using 'localhost') and some services are running on another machine with a different IP on the same network:

my-domain.com {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        -Server
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

node.my-domain.com {
    proxy / localhost:1880 {
        websocket
        transparent
    }
}

term.my-domain.com {
    proxy / localhost:7681 {
        websocket
        transparent
    }
}

config.my-domain.com {
    proxy / localhost:3218 {
        websocket
        transparent
    }
}

sonarr.my-domain.com {
    proxy / 192.168.1.213:8989 {
        websocket
        transparent
    }
}

ombi.my-domain.com {
    proxy / 192.168.1.213:3579 {
        websocket
        transparent
    }
}

cloud.my-domain.com {
    proxy / 192.168.1.152 {
        websocket
        transparent
    }
}
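
In the Caddyfile above, only the my-domain.com block carries the header directive; each site block is configured on its own, so the subdomain sites are proxied without those response headers unless the block is repeated in each of them. The following is an added example, not part of the original gist, that audits a Caddyfile in this (Caddy v1) syntax and lists which site blocks lack which headers. The names `audit`, `REQUIRED` and `SAMPLE` are illustrative, and the sample Caddyfile is constructed from the one above.

```python
# Headers taken from the example Caddyfile above; adjust to your own policy.
REQUIRED = {"Strict-Transport-Security", "X-XSS-Protection", "X-Content-Type-Options",
            "X-Frame-Options", "Referrer-Policy"}

# Constructed sample in the same shape as the Caddyfile above.
SAMPLE = """\
my-domain.com {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubDomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        -Server
    }
    proxy / localhost:8123 {
        websocket
    }
}
term.my-domain.com {
    proxy / localhost:7681 {
        websocket
    }
}
"""

def audit(caddyfile):
    """Return {site: sorted REQUIRED headers that the site block never sets}."""
    missing, site, depth, in_header = {}, None, 0, False
    for raw in caddyfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if depth == 0 and line.endswith("{"):
            site = tokens[0]                        # site address opens a new block
            missing[site] = set(REQUIRED)
        elif depth == 1 and tokens[0] == "header":
            in_header = line.endswith("{")
            if not in_header and len(tokens) >= 3:  # one-line form: header / Name value
                missing[site].discard(tokens[2])
        elif depth == 2 and in_header and line != "}":
            missing[site].discard(tokens[0])        # "-Server" is a removal, never REQUIRED
        depth += line.count("{") - line.count("}")
        in_header = in_header and depth >= 2
    return {s: sorted(m) for s, m in missing.items()}

if __name__ == "__main__":
    for site, absent in audit(SAMPLE).items():
        print(site, "OK" if not absent else "missing: " + ", ".join(absent))
```

Run it against the contents of /share/caddy/Caddyfile after each change; any site reported as missing headers needs its own header block.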