riefolo.me/content/posts/how-to-configure-adguard-home-with-caddy2.md

+++
title = 'How to Configure Adguard Home With Caddy2'
date = 2024-09-22T12:57:01+02:00
draft = false
tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
+++

## Preface

Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to
manage my reverse proxies and SSL certificates. It's a great tool, especially
for beginners who do prefer a GUI to configure the reverse proxy service, but
most of my TLS certificates expired suddenly and I did not like the idea to
reload all of them manually. Some time ago I heard about Caddy2, which
automatically renews TLS certificates using ACME, and I wanted to try it, but I
learnt by experience the motto 'If it works don't touch it', so I kept doing
other things rather than configuring Caddy without needing to do that. And I
have to say that configuring it was easier than I thought!

Both Adguard Home and Caddy2 are inside a Docker container, so I will show you
how to configure them with Docker Compose. That said, it could be useful also
for those who have them installed on their system.

## Adguard Home

The following is the Docker Compose configuration for Adguard Home. I used the
official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)
to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager
network, so that I could use the same network for Caddy2. It didn't change until
I switched to Caddy2, after adding the volume for the certificates so that I
could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are
stored within the Caddy2 container, so you'll need to update the certificate
path in the volume.

```yaml
services:
  adguard:
    image: adguard/adguardhome
    container_name: adguard
    restart: unless-stopped
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
      - ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
    ports:
      - 853:853/tcp # DNS-over-TLS
    environment:
      - TZ=Europe/Rome
    networks:
      - reverse-proxy_default

networks:
  reverse-proxy_default:
    external: true
```

## Caddy2

I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)
as a starting point and I modified it to reuse the existing Nginx Proxy Manager
network. I also changed the volumes to a local path because I find it more organized.

```yaml
services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - $PWD/caddy_data:/data
      - $PWD/caddy_config:/config
    networks:
      - reverse-proxy_default

networks:
  reverse-proxy_default:
    external: true
```

Then I had to configure the Caddyfile, which is the configuration file for
Caddy2. I didn't delve into the documentation, but I managed to find a working
solution by searching how to reverse proxy. The only challenge was configuring
Dns-Over-Https with Caddy, but

```caddyfile
domain.tld {
    handle /dns-query {
        reverse_proxy https://adguard {
            transport http {
                tls_insecure_skip_verify
            }
        }
    }
    reverse_proxy http://adguard
}
```

The handle directive is used to match the path /dns-query, which is the path used
by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request
to the Adguard Home container. The tls_insecure_skip_verify directive is used to
skip the tls verification, because I configured Adguard Home to use encryption so
that I could use Dns-Over-Https.

## Conclusion

Now the last things to do were to configure the settings in <https://domain.tld/#encryption>
by setting the certificate file path both for the chain and the private key:

![Adguard Home Settings](/images/adguard-home-settings.png)

And to open the port 443 in the firewall. That's it! Now I have a secure DNS server
and a reverse proxy with automatic TLS certificates renewal. I hope this guide was
useful to you!
feat(post): add Caddy2 and Adguard Home configuration guide 2024-09-22 17:08:26 +00:00			`+++`
			`title = 'How to Configure Adguard Home With Caddy2'`
			`date = 2024-09-22T12:57:01+02:00`
			`draft = false`
			`tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']`
			`+++`

			`## Preface`

			`Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to`
			`manage my reverse proxies and SSL certificates. It's a great tool, especially`
			`for beginners who do prefer a GUI to configure the reverse proxy service, but`
			`most of my TLS certificates expired suddenly and I did not like the idea to`
			`reload all of them manually. Some time ago I heard about Caddy2, which`
			`automatically renews TLS certificates using ACME, and I wanted to try it, but I`
			`learnt by experience the motto 'If it works don't touch it', so I kept doing`
			`other things rather than configuring Caddy without needing to do that. And I`
			`have to say that configuring it was easier than I thought!`

			`Both Adguard Home and Caddy2 are inside a Docker container, so I will show you`
			`how to configure them with Docker Compose. That said, it could be useful also`
			`for those who have them installed on their system.`

			`## Adguard Home`

			`The following is the Docker Compose configuration for Adguard Home. I used the`
			`official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)`
			`to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager`
			`network, so that I could use the same network for Caddy2. It didn't change until`
			`I switched to Caddy2, after adding the volume for the certificates so that I`
			`could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are`
			`stored within the Caddy2 container, so you'll need to update the certificate`
			`path in the volume.`

			```yaml
			`services:`
			`adguard:`
			`image: adguard/adguardhome`
			`container_name: adguard`
			`restart: unless-stopped`
			`volumes:`
			`- ./work:/opt/adguardhome/work`
			`- ./conf:/opt/adguardhome/conf`
			`- ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert`
			`ports:`
			`- 853:853/tcp # DNS-over-TLS`
			`environment:`
			`- TZ=Europe/Rome`
			`networks:`
			`- reverse-proxy_default`

			`networks:`
			`reverse-proxy_default:`
			`external: true`
			```

			`## Caddy2`

			`I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)`
			`as a starting point and I modified it to reuse the existing Nginx Proxy Manager`
			`network. I also changed the volumes to a local path because I find it more organized.`

			```yaml
			`services:`
			`caddy:`
			`image: caddy:latest`
			`restart: unless-stopped`
			`cap_add:`
			`- NET_ADMIN`
			`ports:`
			`- "80:80"`
			`- "443:443"`
			`- "443:443/udp"`
			`volumes:`
			`- $PWD/Caddyfile:/etc/caddy/Caddyfile`
			`- $PWD/site:/srv`
			`- $PWD/caddy_data:/data`
			`- $PWD/caddy_config:/config`
			`networks:`
			`- reverse-proxy_default`

			`networks:`
			`reverse-proxy_default:`
			`external: true`
			```

			`Then I had to configure the Caddyfile, which is the configuration file for`
			`Caddy2. I didn't delve into the documentation, but I managed to find a working`
			`solution by searching how to reverse proxy. The only challenge was configuring`
			`Dns-Over-Https with Caddy, but`

			```caddyfile
			`domain.tld {`
			`handle /dns-query {`
			`reverse_proxy https://adguard {`
			`transport http {`
			`tls_insecure_skip_verify`
			`}`
			`}`
			`}`
			`reverse_proxy http://adguard`
			`}`
			```

			`The handle directive is used to match the path /dns-query, which is the path used`
			`by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request`
			`to the Adguard Home container. The tls_insecure_skip_verify directive is used to`
			`skip the tls verification, because I configured Adguard Home to use encryption so`
			`that I could use Dns-Over-Https.`

			`## Conclusion`

			`Now the last things to do were to configure the settings in <https://domain.tld/#encryption>`
			`by setting the certificate file path both for the chain and the private key:`

			`![Adguard Home Settings](/images/adguard-home-settings.png)`

			`And to open the port 443 in the firewall. That's it! Now I have a secure DNS server`
			`and a reverse proxy with automatic TLS certificates renewal. I hope this guide was`
			`useful to you!`