7 simple-ish steps to green HTTPS on LAN with custom domain, Caddy, LetsEncrypt and Cloudflare. And a bonus tip!
Ever felt envious of those pretty green locks on sites like Github.com or Google.com? Ever wished you had one of those for the services on your homelab? Well, wish no more, because I have a guide for you!
This guide is written for an Ubuntu 16.04 server, with a domain registered on NameSilo and nameservers hosted by Cloudflare. However, it will work on any OS that Caddy supports (that includes Linux, Windows, macOS and many others, on several architectures) and with any other DNS provider whose API Caddy supports.
- A domain ($$)
- A Cloudflare account, or an account with another DNS provider whose API is listed in https://caddyserver.com/docs/automatic-https#enabling-the-dns-challenge
- Basic understanding of DNS, server management and the ability to RTFM
- Add your domain to your Cloudflare account
- Change the nameservers of your domain to point to Cloudflare's NS: https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare
- Set up your DNS records to point to your services via `A` or `CNAME` records. Make sure to UNCHECK "Traffic to this hostname will go through Cloudflare". For example, here I have `fireant.pw` as my domain, `diskstation` as my server and `netdata`/`webmin` as services on `diskstation`:
  - Type: `A`, Name: `diskstation`, Value: `172.24.0.1`
  - Type: `CNAME`, Name: `netdata`, Value: `diskstation.fireant.pw`
  - Type: `CNAME`, Name: `webmin`, Value: `diskstation.fireant.pw`
- Download and install Caddy with the `tls.dns.cloudflare` plugin selected: https://caddyserver.com/download (on a *nix box: `curl https://getcaddy.com | bash -s personal tls.dns.cloudflare`)
- Add the `CLOUDFLARE_EMAIL` and `CLOUDFLARE_API_KEY` ENV variables to your Caddy startup script (in Ubuntu 16.04, this is `/etc/systemd/system/caddy.service`)
  - on systemd boxes (like Ubuntu 16.04) do not forget to run `systemctl daemon-reload` so systemd picks up the changed unit file
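A note on where those credentials end up: `/etc/systemd/system/caddy.service` is readable by every local user, and the `CLOUDFLARE_API_KEY` the Cloudflare plugin takes is Cloudflare's Global API Key, which has full access to the account. The script below, added here as an example and not part of the original guide, writes the two variables into a root-only file and points systemd at it with an `EnvironmentFile=` drop-in instead of putting them inline in the unit. It assumes the unit is named `caddy.service` and takes a prefix argument (`/etc` on a real box) so it can be exercised somewhere else first.

```shell
#!/bin/sh
# Added example, not from the original post: keep the Cloudflare credentials in a
# root-only file that systemd reads, rather than inline in the world-readable unit.
# Assumes a unit named caddy.service; PREFIX is /etc on a real system.
set -eu

# write_caddy_env PREFIX EMAIL API_KEY
# Creates PREFIX/caddy/cloudflare.env (mode 0600) and the drop-in
# PREFIX/systemd/system/caddy.service.d/cloudflare.conf that references it.
# Prints the path of the env file.
write_caddy_env() {
  prefix=$1; email=$2; key=$3
  envfile="$prefix/caddy/cloudflare.env"
  dropin_dir="$prefix/systemd/system/caddy.service.d"
  mkdir -p "$prefix/caddy" "$dropin_dir"
  # Set the umask before the file exists so it is never briefly world-readable.
  ( umask 077; printf 'CLOUDFLARE_EMAIL=%s\nCLOUDFLARE_API_KEY=%s\n' \
      "$email" "$key" > "$envfile" )
  chmod 0600 "$envfile"
  # systemd reads EnvironmentFile= as root before switching to the unit's User=,
  # so the key never has to be readable by the service account or anyone else.
  printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dropin_dir/cloudflare.conf"
  echo "$envfile"
}

# env_file_is_private FILE -> 0 if FILE is mode 0600 exactly, 1 otherwise
env_file_is_private() {
  [ -n "$(find "$1" -prune -perm 600 -print 2>/dev/null)" ]
}

# Usage: sh caddy-env.sh /etc you@example.com YOUR_GLOBAL_API_KEY
if [ $# -eq 3 ]; then
  f=$(write_caddy_env "$1" "$2" "$3")
  echo "wrote $f; now run: systemctl daemon-reload && systemctl restart caddy"
fi
```

After running it with `/etc` as the prefix, do the `systemctl daemon-reload` and restart from the steps above; `systemctl cat caddy` will then show the drop-in but not the key itself.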
- Set up your `Caddyfile` (in Ubuntu 16.04, this is `/etc/caddy/Caddyfile`). Example configuration:

  ```
  netdata.fireant.pw {
      proxy / localhost:19999
      tls {
          dns cloudflare
      }
  }
  webmin.fireant.pw {
      proxy / localhost:10000
      tls {
          dns cloudflare
      }
  }
  ```
- Start Caddy (in Ubuntu 16.04, `service caddy restart`), wait for it to set up the certs with LetsEncrypt, then check out your websites with their pretty green badges
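Once Caddy is up, a quick way to confirm both halves of the setup: the DNS half (the record is not proxied, so the name resolves to your LAN address rather than a Cloudflare edge) and the TLS half (the certificate Caddy serves verifies against the system trust store and matches the hostname). This is an added example, not from the original post; it uses the guide's own hostnames and a constructed LAN address, and assumes `getent`, `awk` and OpenSSL 1.1.0 or newer (for `-verify_hostname`) are installed.

```shell
#!/bin/sh
# Added example, not from the original post: verify the LAN HTTPS setup.
# For each hostname: (1) it must resolve to an RFC1918 address, which is what an
# unproxied Cloudflare record gives you; (2) the served certificate must verify
# and match the name. Assumes getent/awk and OpenSSL >= 1.1.0.
set -u

# is_rfc1918 IPV4 -> 0 if the address is in 10/8, 172.16/12 or 192.168/16
is_rfc1918() {
  case $1 in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=${1#172.}; second=${second%%.*}
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0 ;;
  esac
  return 1
}

# resolve_a NAME -> first IPv4 address (follows CNAMEs like netdata -> diskstation)
resolve_a() {
  getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# check_tls NAME [PORT] -> 0 if the chain verifies and the name matches the cert
check_tls() {
  printf '' | openssl s_client -connect "$1:${2:-443}" -servername "$1" \
    -verify_hostname "$1" -verify_return_error >/dev/null 2>&1
}

# check_host NAME -> 0 on success, 1 with a reason on stdout otherwise
check_host() {
  ip=$(resolve_a "$1")
  if [ -z "$ip" ]; then echo "$1: does not resolve"; return 1; fi
  if ! is_rfc1918 "$ip"; then
    echo "$1 -> $ip is not a LAN address (is the Cloudflare record proxied?)"
    return 1
  fi
  if ! check_tls "$1"; then echo "$1 -> $ip: TLS verification failed"; return 1; fi
  echo "$1 -> $ip: OK"
}

# Usage: sh check-lan-https.sh netdata.fireant.pw webmin.fireant.pw
if [ $# -gt 0 ]; then
  rc=0
  for h in "$@"; do check_host "$h" || rc=1; done
  exit $rc
fi
```

If a name comes back with a public address, the proxy toggle on that Cloudflare record is still on; if resolution is fine but the TLS check fails, look at Caddy's log for the DNS challenge result before anything else.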
If you want to access your services on your home LAN even when you are mobile, at school or at work, you can use a VPN like ZeroTier (https://www.zerotier.com/) to connect to them. They have Linux, Windows and phone apps.