@jkelin
Last active January 3, 2024 08:55
7 simple-ish steps to green HTTPS on LAN with custom domain, Caddy, LetsEncrypt and Cloudflare. And a bonus tip!


Ever felt envious of those pretty green locks on sites like Github.com or Google.com? Ever wished to have one of those for the services on your homelab? Well, wish no more, because I have a guide for you!

This guide is written for an Ubuntu 16.04 server with a domain registered on NameSilo and nameservers hosted at Cloudflare. However, it will work for any OS that Caddy supports (this includes Linux, Windows, macOS and many others on several architectures) and for any other DNS provider with an API that Caddy supports.

What you will need:

  1. A registered domain ($$)
  2. A Cloudflare account, or an account with another DNS provider whose API is listed in https://caddyserver.com/docs/automatic-https#enabling-the-dns-challenge
  3. Basic understanding of DNS, server management and the ability to RTFM

Set up your domains

  1. Register your domain on Cloudflare
  2. Change the nameservers of your domain to point to Cloudflare's NS https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare
  3. Set up your DNS records to point to your services via A or CNAME records. Make sure to UNCHECK "Traffic to this hostname will go through Cloudflare" (the proxy cannot reach a LAN address, and the certificate must be served by your own Caddy instance). For example, here I have fireant.pw as my domain, diskstation as my server and netdata/webmin as services on diskstation:
  • Type: A, Name: diskstation, Value: 172.24.0.1
  • Type: CNAME, Name: netdata, Value: diskstation.fireant.pw
  • Type: CNAME, Name: webmin, Value: diskstation.fireant.pw

Configure Caddy

  1. Download and install Caddy with the tls.dns.cloudflare plugin selected https://caddyserver.com/download (on a *nix box: curl https://getcaddy.com | bash -s personal tls.dns.cloudflare)
  2. Add the CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY environment variables to your Caddy startup script (in Ubuntu 16.04, this is in /etc/systemd/system/caddy.service)
  • on systemd boxes (like Ubuntu 16.04) do not forget to run systemctl daemon-reload to reload the systemd configuration
  3. Set up the Caddyfile (in Ubuntu 16.04, this is in /etc/caddy/Caddyfile). Example configuration:
netdata.fireant.pw {
  proxy / localhost:19999

  tls {
    dns cloudflare
  }
}

webmin.fireant.pw {
  proxy / localhost:10000

  tls {
    dns cloudflare
  }
}
  4. Start Caddy (in Ubuntu 16.04, service caddy restart), wait for it to set up the certificates with LetsEncrypt, then check out your websites with their pretty green badges
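The steps above put the Cloudflare API key straight into the unit file, which on Ubuntu is readable by every local user. The script below is an added example (it is not part of the gist, and the file names and the PREFIX variable are my own choices, not anything Caddy or systemd prescribe): it stores CLOUDFLARE_EMAIL and CLOUDFLARE_API_KEY in a root-only EnvironmentFile, points the caddy unit at it through a drop-in, reloads systemd as step 2 requires, and offers a function to confirm that a host really serves a chain that openssl trusts. PREFIX is only there so the file-writing functions can be exercised in a scratch directory; leave it empty on the real server.

```shell
#!/bin/sh
# Added example, not from the gist. Keeps the Cloudflare credentials out of the
# world-readable /etc/systemd/system/caddy.service by using an EnvironmentFile.
# PREFIX is a hypothetical knob: empty on a real box, a temp dir when testing.
set -eu
PREFIX="${PREFIX:-}"

# write_cloudflare_env EMAIL API_KEY
# Creates the env file with mode 0600 *before* the secret is written, so no
# other local user can read the key even during the brief moment of creation.
write_cloudflare_env() {
    dir="$PREFIX/etc/caddy"
    file="$dir/cloudflare.env"
    mkdir -p "$dir"
    ( umask 077 && : > "$file" )          # create empty, owner-only
    chmod 0600 "$file"
    # printf is a shell builtin, so the key never shows up in `ps` output
    printf 'CLOUDFLARE_EMAIL=%s\nCLOUDFLARE_API_KEY=%s\n' "$1" "$2" > "$file"
}

# write_systemd_dropin
# Drop-in for the caddy unit; it holds no secret itself, only the file path
# (always the real /etc path, since systemd on the server reads it).
write_systemd_dropin() {
    dir="$PREFIX/etc/systemd/system/caddy.service.d"
    mkdir -p "$dir"
    printf '[Service]\nEnvironmentFile=/etc/caddy/cloudflare.env\n' \
        > "$dir/cloudflare.conf"
}

# check_env_file_mode
# Returns 0 only if the env file exists and is exactly 0600 (GNU stat, as on Ubuntu).
check_env_file_mode() {
    file="$PREFIX/etc/caddy/cloudflare.env"
    [ -f "$file" ] && [ "$(stat -c '%a' "$file")" = "600" ]
}

# verify_tls HOST
# Connects with SNI and fails unless the presented chain verifies against the
# system trust store; this is the "green badge" check done from the shell.
verify_tls() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" \
        -verify_return_error >/dev/null 2>&1
}

# Usage on the server (as root):  ./caddy-cloudflare-env.sh you@example.com <api key>
# then: verify_tls netdata.fireant.pw
if [ "$#" -ge 2 ]; then
    write_cloudflare_env "$1" "$2"
    write_systemd_dropin
    check_env_file_mode
    if [ -z "$PREFIX" ]; then
        systemctl daemon-reload
        systemctl restart caddy
    fi
fi
```

Passing the key as a command-line argument still exposes it in the shell history of the invoking user, so on the real box prefer to read it from a prompt or a pipe; the functions themselves never hand it to an external process.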

Bonus tip

If you want to access your services on your home LAN even when you are on the move, at school or at work, you can use a VPN like ZeroTier https://www.zerotier.com/ to connect to your services. They have Linux, Windows and phone apps.
