feat(post): add Caddy2 and Adguard Home configuration guide

This commit is contained in:
Mariano Riefolo 2024-09-22 19:08:26 +02:00
parent fcb6bb33d9
commit 82f55163d0
3 changed files with 122 additions and 0 deletions

View File

@ -0,0 +1,120 @@
+++
title = 'How to Configure Adguard Home With Caddy2'
date = 2024-09-22T12:57:01+02:00
draft = false
tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
+++
## Preface
Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to
manage my reverse proxies and SSL certificates. It's a great tool, especially
for beginners who do prefer a GUI to configure the reverse proxy service, but
most of my TLS certificates expired suddenly and I did not like the idea to
reload all of them manually. Some time ago I heard about Caddy2, which
automatically renews TLS certificates using ACME, and I wanted to try it, but I
learnt by experience the motto 'If it works don't touch it', so I kept doing
other things rather than configuring Caddy without needing to do that. And I
have to say that configuring it was easier than I thought!
Both Adguard Home and Caddy2 are inside a Docker container, so I will show you
how to configure them with Docker Compose. That said, it could be useful also
for those who have them installed on their system.
## Adguard Home
The following is the Docker Compose configuration for Adguard Home. I used the
official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)
to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager
network, so that I could use the same network for Caddy2. It didn't change until
I switched to Caddy2, after adding the volume for the certificates so that I
could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are
stored within the Caddy2 container, so you'll need to update the certificate
path in the volume.
```yaml
services:
adguard:
image: adguard/adguardhome
container_name: adguard
restart: unless-stopped
volumes:
- ./work:/opt/adguardhome/work
- ./conf:/opt/adguardhome/conf
- ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
ports:
- 853:853/tcp # DNS-over-TLS
environment:
- TZ=Europe/Rome
networks:
- reverse-proxy_default
networks:
reverse-proxy_default:
external: true
```
## Caddy2
I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)
as a starting point and I modified it to reuse the existing Nginx Proxy Manager
network. I also changed the volumes to a local path because I find it more organized.
```yaml
services:
caddy:
image: caddy:latest
restart: unless-stopped
cap_add:
- NET_ADMIN
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- $PWD/Caddyfile:/etc/caddy/Caddyfile
- $PWD/site:/srv
- $PWD/caddy_data:/data
- $PWD/caddy_config:/config
networks:
- reverse-proxy_default
networks:
reverse-proxy_default:
external: true
```
Then I had to configure the Caddyfile, which is the configuration file for
Caddy2. I didn't delve into the documentation, but I managed to find a working
solution by searching how to reverse proxy. The only challenge was configuring
Dns-Over-Https with Caddy, but
```caddyfile
domain.tld {
handle /dns-query {
reverse_proxy https://adguard {
transport http {
tls_insecure_skip_verify
}
}
}
reverse_proxy http://adguard
}
```
The handle directive is used to match the path /dns-query, which is the path used
by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request
to the Adguard Home container. The tls_insecure_skip_verify directive is used to
skip the tls verification, because I configured Adguard Home to use encryption so
that I could use Dns-Over-Https.
## Conclusion
Now the last things to do were to configure the settings in <https://domain.tld/#encryption>
by setting the certificate file path both for the chain and the private key:
![Adguard Home Settings](/images/adguard-home-settings.png)
And to open the port 443 in the firewall. That's it! Now I have a secure DNS server
and a reverse proxy with automatic TLS certificates renewal. I hope this guide was
useful to you!

View File

@ -11,6 +11,8 @@ menu = [
{ Name = 'About', URL = '/about/', HasChildren = false }, { Name = 'About', URL = '/about/', HasChildren = false },
{ Name = 'Useful links', URL = '' }, { Name = 'Useful links', URL = '' },
{ Name = 'Repositories', URL = 'https://git.riefolo.me/mariano', External = true }, { Name = 'Repositories', URL = 'https://git.riefolo.me/mariano', External = true },
{ Name = "Posts", URL = "/posts/", Pre = "Recent", HasChildren = true, Limit = 5 },
] ]
email_url = 'mailto:rfmariano@protonmail.com' email_url = 'mailto:rfmariano@protonmail.com'

Binary file not shown.

After

Width:  |  Height:  |  Size: 176 KiB