
@AdroitAdorKhan
Forked from jkelin/howto.md
Last active July 6, 2023 20:47
HTTPS on Local Network. 7 simple-ish steps to green HTTPS on LAN with custom domain, Caddy, LetsEncrypt and Cloudflare.

7 simple-ish steps to green HTTPS on LAN with custom domain, Caddy, LetsEncrypt and Cloudflare. And a bonus tip!

Ever felt envious of those pretty green locks on sites like Github.com or Google.com? Ever wished to have one for the services in your homelab? Well, wish no more, because I have a guide for you!

This guide is written for an Ubuntu 16.04 server with a domain registered on NameSilo and nameservers hosted by Cloudflare. However, it will work on any OS that Caddy supports (Linux, Windows, macOS and many others, on several architectures) and with any other DNS provider whose API Caddy supports.

What you will need:

  1. A domain ($$)
  2. A Cloudflare account, or an account with another DNS provider whose API is listed in https://caddyserver.com/docs/automatic-https#enabling-the-dns-challenge
  3. A basic understanding of DNS and server management, and the ability to RTFM

Set up your domains

  1. Register (add) your domain on Cloudflare.
  2. Change the nameservers of your domain to point to Cloudflare's NS: https://support.cloudflare.com/hc/en-us/articles/205195708-Step-3-Change-your-domain-name-servers-to-Cloudflare
  3. Set up your DNS records to point to your services via A or CNAME records. Make sure to UNCHECK "Traffic to this hostname will go through Cloudflare" (the DNS-only, grey-cloud setting): the value is a private LAN address that Cloudflare's proxy cannot reach, and a proxied record would hand clients a Cloudflare IP instead of your server's. Note that these records, private address included, are visible to anyone who queries public DNS. For example, here I have fireant.pw as my domain, diskstation as my server and netdata/webmin as services on diskstation:
  • Type: A, Name: diskstation, Value: 172.24.0.1
  • Type: CNAME, Name: netdata, Value: diskstation.fireant.pw
  • Type: CNAME, Name: webmin, Value: diskstation.fireant.pw

Configure Caddy

  1. Download and install Caddy (https://gist.github.com/AdroitAdorKhan/5cc1eb30e48a13d3dee19209365acc50). First install xcaddy from its Cloudsmith repository:

```shell
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-xcaddy-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/xcaddy/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-xcaddy.list
sudo apt update
sudo apt install xcaddy
```

  • Build Caddy with the Cloudflare DNS module (xcaddy drives the Go toolchain, so Go must be installed on the build machine):

```shell
xcaddy build --with github.com/caddy-dns/cloudflare
```

  • Now install the binary:

```shell
sudo mv caddy /usr/bin
```

  • Create a group and a system user named caddy with a writeable home directory:

```shell
sudo groupadd --system caddy
sudo useradd --system \
  --gid caddy \
  --create-home \
  --home-dir /var/lib/caddy \
  --shell /usr/sbin/nologin \
  --comment "Caddy web server" \
  caddy
```

  • Set config: install the systemd unit file from the Caddy dist repository and run sudo systemctl daemon-reload. Use one of the two: caddy.service runs Caddy from the Caddyfile (what this guide uses), caddy-api.service runs it purely through the admin API.

/etc/systemd/system/caddy.service https://github.com/caddyserver/dist/blob/master/init/caddy.service

/etc/systemd/system/caddy-api.service https://github.com/caddyserver/dist/blob/master/init/caddy-api.service

  2. Put the Cloudflare credentials at the top of the Caddyfile. The caddy-dns/cloudflare module built in above is a Caddy v2 plugin: it takes a scoped API token (Zone:Read and DNS:Edit on the zone), not the global API key, and the setting belongs inside a tls block. Defining it once as a snippet avoids repeating the token per site; {env.CF_API_TOKEN} reads it from an environment variable (the variable name is my choice) so the secret does not have to live in the config file:

```
(cloudflare) {
    tls {
        # either paste the token here in place of the placeholder, or export CF_API_TOKEN for the caddy service
        dns cloudflare {env.CF_API_TOKEN}
    }
}
```

  3. Set up the site blocks in the Caddyfile (in Ubuntu 16.04, this is /etc/caddy/Caddyfile). Caddy v2 uses reverse_proxy, not the v1 proxy directive. Example configuration:

```
netdata.fireant.pw {
    import cloudflare
    reverse_proxy localhost:19999
}

webmin.fireant.pw {
    import cloudflare
    reverse_proxy localhost:10000
}
```
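How I would hand the token to the service instead of writing it into the world-readable Caddyfile, as an added example that is not part of the gist or of the Caddy project's own files: a root-only environment file plus a systemd drop-in on the stock caddy.service. It assumes the {env.CF_API_TOKEN} placeholder (my variable name); the ROOT argument is only there so the functions can be exercised in a scratch directory before touching a real system.

```shell
#!/bin/sh
# Added example (not from the gist): give the caddy service its Cloudflare API
# token through a root-only environment file instead of writing it into the
# world-readable /etc/caddy/Caddyfile. The variable name CF_API_TOKEN is an
# assumption and must match the {env.CF_API_TOKEN} placeholder in the Caddyfile.
# ROOT is a prefix ("/" for a real system) so the functions can be tried in a
# scratch directory first.
set -eu

# write_caddy_env ROOT TOKEN
# Creates ROOT/etc/caddy/caddy.env with mode 0600. systemd reads EnvironmentFile=
# as root before dropping to the caddy user, so the caddy user itself never
# needs read access to the file.
write_caddy_env() {
    prefix=${1%/}
    token=$2
    dir="$prefix/etc/caddy"
    envfile="$dir/caddy.env"
    mkdir -p "$dir"
    # umask 077 in a subshell: the file is created private, never briefly 0644
    ( umask 077; printf 'CF_API_TOKEN=%s\n' "$token" > "$envfile" )
    chmod 600 "$envfile"
    printf '%s\n' "$envfile"
}

# write_caddy_dropin ROOT
# Adds a drop-in so the stock caddy.service from caddyserver/dist stays
# unmodified and the change survives the unit being replaced on upgrade.
write_caddy_dropin() {
    prefix=${1%/}
    dir="$prefix/etc/systemd/system/caddy.service.d"
    conf="$dir/override.conf"
    mkdir -p "$dir"
    cat > "$conf" <<'EOF'
[Service]
EnvironmentFile=/etc/caddy/caddy.env
EOF
    printf '%s\n' "$conf"
}

# env_file_is_private FILE
# Succeeds only if FILE's mode is exactly 0600 (no group/other bits).
# find(1) with -perm is POSIX and behaves the same on GNU and BSD userlands.
env_file_is_private() {
    [ -n "$(find "$1" -perm 600 -print 2>/dev/null)" ]
}

# Real deployment (as root), then reload systemd and restart the service:
#   write_caddy_env / "$CF_API_TOKEN" && write_caddy_dropin / \
#     && systemctl daemon-reload && systemctl restart caddy
```

After the drop-in is in place, `systemctl show caddy -p EnvironmentFiles` confirms the file is picked up, and the Caddyfile itself can stay at its default permissions because it no longer contains a secret.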
  4. Enable and start the service with sudo systemctl enable --now caddy (Caddy v2 has no caddy restart subcommand; after later Caddyfile edits, sudo systemctl reload caddy applies them). Wait for it to obtain certificates from Let's Encrypt, watching sudo journalctl -u caddy -f for ACME or DNS errors, then check out your websites with their pretty green badges.
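The checks I would run once the service is up, as an added example that is not code from the gist: the first confirms that the DNS records from the "Set up your domains" section really are DNS-only and point at a LAN address, the second confirms that the certificate Caddy is serving was issued by Let's Encrypt. It assumes dig(1) and openssl(1) are on the PATH and takes hostnames from the command line; the two classification functions are pure string checks, so they can be tried without any network.

```shell
#!/bin/sh
# Added example (not from the gist): post-setup checks for a LAN host served
# over HTTPS with a Let's Encrypt certificate obtained via the DNS challenge.
# Assumes dig(1) and openssl(1) are installed; hostnames come from argv.
set -eu

# is_rfc1918 IP
# True for a dotted-quad address in 10/8, 172.16/12 or 192.168/16. A hostname
# that still has the Cloudflare proxy (orange cloud) enabled resolves to a
# public Cloudflare address instead, so LAN clients would never reach the
# homelab box directly.
is_rfc1918() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $1            # split on dots; only digits and dots remain
    IFS=$oldifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
    esac
    return 1
}

# issuer_is_letsencrypt ISSUER_LINE
# Takes the output of `openssl x509 -noout -issuer`, which looks like
# "issuer=C = US, O = Let's Encrypt, CN = R3" on OpenSSL 1.1/3.x and uses
# "O=Let's Encrypt" without spaces on older builds.
issuer_is_letsencrypt() {
    case "$1" in
        *"O = Let's Encrypt"*|*"O=Let's Encrypt"*) return 0 ;;
    esac
    return 1
}

# check_site HOSTNAME
# Resolves the name (dig follows a CNAME to the final A records) and fetches
# the issuer of the certificate served on port 443.
check_site() {
    name=$1
    ips=$(dig +short A "$name" | grep -E '^[0-9.]+$') || ips=""
    [ -n "$ips" ] || echo "WARN: $name has no A record"
    for ip in $ips; do
        if is_rfc1918 "$ip"; then
            echo "ok:   $name -> $ip (DNS-only record, LAN address)"
        else
            echo "WARN: $name -> $ip is not a LAN address; is the Cloudflare proxy still on?"
        fi
    done
    issuer=$(printf '' | openssl s_client -servername "$name" -connect "$name:443" 2>/dev/null \
             | openssl x509 -noout -issuer) || issuer="(no certificate fetched)"
    if issuer_is_letsencrypt "$issuer"; then
        echo "ok:   $name serves a Let's Encrypt certificate ($issuer)"
    else
        echo "WARN: $name certificate issuer is not Let's Encrypt: $issuer"
    fi
}

for host in "$@"; do
    check_site "$host"
done
```

Run it as `sh check.sh netdata.fireant.pw webmin.fireant.pw` from a machine on the LAN. A WARN on the address check is the usual symptom of the orange cloud having been left on; a WARN on the issuer usually means Caddy is still serving its locally-signed fallback because the DNS challenge has not completed, and journalctl -u caddy shows why.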