Caddy - Reverse Proxy with Pi-hole Local DNS Setup

Since I create Docker/Podman containers with a macvlan and a reserved IP address, I also wanted to use my local top level domain (home.arpa) for safe and easy browsing to the container software. For example homer.home.arpa refers to the IP address of the Homer container which is running in NixOS and will serve the site over HTTPS.

Home.ARPA has been specifically created to handle “home” or “small business” name queries by shunting it to “black holes” early in the hops.

Caddyfile Configuration

Within Caddy it is very easy to configure a local reverse proxy. Add the following to the Caddyfile:

# uncomment to debug when things aren't working the way you'd like
#{
#       debug
#}

homer.home.arpa {
        tls internal
        handle {
                reverse_proxy 192.168.xx.xx:8080
        }
}

Adjust the following:

homer.home.arpa
Replace homer with your name and home.arpa with your top level domain. We will also need the full domain name within Pi-hole

tls internal
Use locally-trusted certificates. Please see the Caddy docs for more information

192.168.xx.xx:8080
Replace the IP address and port. In this example I use the IP address and port of my Homer container. Please see the Caddy docs for more information about the handle directive

You can then start Caddy and the necessary self-signed certificates will be generated automatically.

Pi-hole Local DNS Configuration

The steps below assume that Pi-hole is already running.
On the Local DNS Records page you can add domain/IP associations.

1. Select in the navigation Local DNS > DNS Records
2. Add the domain, for example: homer.home.arpa with the IP address (without the port) you entered above for the reverse proxy (192.168.xx.xx)

It will then look like this:

Root Certificate Installation

Now if you go to homer.home.arpa in a browser, it will indicate that the connection is not trusted or will not work at all. I fixed this by having different devices and browsers trust the Caddy root certifcate which is generated within the Caddy container.

The steps below assume that Caddy is running as a container:

1. Go to the shell inside the container with sudo podman exec -it caddy /bin/sh. If you use docker replace the command podman with docker
2. View the content of the root certificate with cat /data/caddy/pki/authorities/local/root.crt
3. Copy the contents of the root certificate into a root.crt file on your desktop, for example. Make sure you copy -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- along
4. Exit the container shell with exit

Firefox (desktop)

1. Go to about:preferences#privacy and scroll down to Certificates and click View Certificates...
2. Within the Certificate Manager go to Authorities and choose to import the Caddy root certificate which you previously saved as root.crt

Chrome or Vanadium (android)

1. Make sure you can access the root.crt file through the file manager on Android. This can be done, for example, by putting the file on Google Drive, Synology Drive or Proton Drive.
2. Then go to the Android file manager en select your Drive in the navigation and install the certificate by tapping root.crt

Read other notes