Skip to content

Instantly share code, notes, and snippets.

@josephbolus
Forked from crazy-max/Caddy.env
Created July 23, 2022 06:44
Show Gist options
  • Save josephbolus/65e1fb9b7a65e0703ec63ff90fa27c5a to your computer and use it in GitHub Desktop.
Save josephbolus/65e1fb9b7a65e0703ec63ff90fa27c5a to your computer and use it in GitHub Desktop.
Proxmox web interface through Caddy as reverse proxy with Let's Encrypt

Install

On Proxmox as root:

curl -o /usr/bin/caddy --silent --show-error --fail --location --header "Accept: application/octet-stream" \
  "https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Flego-deprecated&p=github.com%2Fcaddy-dns%2Froute53&idempotency=46848955563362"
chmod 0755 /usr/bin/caddy

Test that it worked:

caddy version

Create a user to run Caddy:

groupadd --system caddy
useradd --system --gid caddy \
  --create-home \
  --home-dir /var/lib/caddy \
  --shell /usr/sbin/nologin \
  --comment "Caddy web server" \
  caddy

Create required directory structure:

mkdir /etc/caddy
chmod 775 /etc/caddy
chown -R caddy:caddy /etc/caddy

Copy the Caddyfile and Caddy.env files with your modifications and set required permissions:

chmod 600 /etc/caddy/Caddyfile /etc/caddy/Caddy.env
chown -R caddy:caddy /etc/caddy

Service

Create a systemd unit in /etc/systemd/system/caddy.service:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
AssertFileIsExecutable=/usr/bin/caddy
AssertPathExists=/etc/caddy/Caddyfile

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --envfile /etc/caddy/Caddy.env --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

After saving your service file, you can start the service for the first time with the usual systemctl dance:

systemctl daemon-reload
systemctl enable caddy
systemctl start caddy

Verify that it is running:

systemctl status caddy

Proxmox should be accessible via https://proxmox.home.example.com

Now you can restrict pveproxy to localhost by creating the /etc/default/pveproxy file:

ALLOW_FROM="127.0.0.1"
DENY_FROM="all"
POLICY="allow"

Create a supersede unit for pveproxy service:

mkdir -p /etc/systemd/system/pveproxy.service.d
printf "[Unit]\nBefore=caddy.service\n" > /etc/systemd/system/pveproxy.service.d/10-before-caddy.conf
systemctl daemon-reload

And restart pveproxy:

systemctl restart pveproxy

Done!

AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
AWS_HOSTED_ZONE_ID=
(acme) {
tls email@example.com {
dns lego_deprecated route53
}
}
proxmox.home.example.com {
import acme
@storage host proxmox.home.example.com
handle @storage {
reverse_proxy https://127.0.0.1:8006 {
transport http {
tls_insecure_skip_verify
}
}
}
log
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment