Caddy reverse proxy with Pi-hole local DNS setup
Introduction
I wanted to use Caddy’s reverse proxy functionality to browse my web applications using DNS instead of an IP address with a port number. For my Homer dashboard, I now browse to homer.home.arpa instead of an IP address and port number. Caddy also automatically converts the connection to HTTPS, which is a great feature!
This is why I use the macvlan option with Docker or Podman containers whenever possible, ensuring each container gets its own IP address. Using a macvlan with its own IP address simplifies the configuration of the reverse proxy, allowing each container to be accessed via DNS rather than an IP address with a port number.
Requirements
Ensure Caddy and Pi-hole are running, for example with Docker or Podman.
Setup
Caddyfile configuration
It is very easy to configure a local reverse proxy with Caddy. Add the following to the Caddyfile:
# To edit use your text editor application, for example Nano# {# debug # When things aren't working the way you'd like# }homer.home.arpa { tls internal handle { reverse_proxy <IP address>:<port> flush_interval -1 }}# IMPORTANT: Please read the instructions belowInstructions:
- Required Replace
homerwith your name andhome.arpawith your top level domain - Required Use the setting
tls internalfor locally-trusted certificates. Please see the Caddy docs for more information - Required Replace
<IP address>:<port>with the IP address and port. In this example I use the IP address and port of my Homer NixOS container. Please see the Caddy docs for more information about thehandledirective - Optional The setting
flush_interval -1was needed to solve some problems but I’ll mention it anyway. Please see the Caddy docs for more information
If you are using NixOS, the above Caddyfile is also very easy to add decleratively to configuration.nix. I’ll give you an example with two virtual hosts:
services.caddy = { enable = true; virtualHosts."homer.home.arpa".extraConfig = '' tls internal handle { reverse_proxy 192.168.xx.xx:8080 { flush_interval -1 } } ''; virtualHosts."phpmyadmin.home.arpa".extraConfig = '' tls internal handle { reverse_proxy 192.168.xx.xx:8080 { flush_interval -1 } } '';};Pi-hole Local DNS Configuration
Go to the Pi-hole web interface. You can add domain/IP associations on the Local DNS Records page.
- Select in the navigation
Local DNS>DNS Records - Add the domain, for example:
homer.home.arpawith the IP address of the Caddy server or container.
It will then look like this:
Root Certificate Installation
Now if you go to homer.home.arpa in a browser, it will indicate the connection is not trusted or will not work at all.
I fixed this by having different devices and browsers trust the Caddy root certifcate.
The steps below assume that [[Caddy - NixOS Container Setup|Caddy is running as a container]]:
- Go to the shell inside the container with
sudo podman exec -it caddy /bin/sh. If you use docker replace the commandpodmanwithdocker - View the content of the root certificate with
cat /data/caddy/pki/authorities/local/root.crt - Copy the contents of the root certificate into a
root.crtfile on your desktop, for example. Make sure you copy-----BEGIN CERTIFICATE-----and-----END CERTIFICATE-----along - Exit the container shell with
exit
Firefox (desktop)
- Go to
about:preferences#privacyand scroll down toCertificatesand clickView Certificates... - Within the Certificate Manager go to
Authoritiesand choose to import the Caddy root certificate which you previously saved asroot.crt.
Chrome or Vanadium (Android)
- Make sure you can access the
root.crtfile through the file manager on Android. This can be done, for example, by putting the file on Google Drive, Synology Drive or Proton Drive. - Tap
Security & privacyand thenMore security settingsand thenEncryption & credentialsand then tapInstall a certificateand choose forCA-Certificate. - Then select your Drive in the navigation and install the certificate by tapping
root.crt.
No comments found for this note.
Join the discussion for this note on Github. Comments appear on this page instantly.