feat(post): add Caddy2 and Adguard Home configuration guide

2024-09-22 19:08:26 +02:00 · 2024-09-22 19:08:26 +02:00 · 82f55163d0
commit 82f55163d0
parent fcb6bb33d9
3 changed files with 122 additions and 0 deletions
--- a/content/posts/how-to-configure-adguard-home-with-caddy2.md
+++ b/content/posts/how-to-configure-adguard-home-with-caddy2.md
@ -0,0 +1,120 @@
 +++
 title = 'How to Configure Adguard Home With Caddy2'
 date = 2024-09-22T12:57:01+02:00
 draft = false
 tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
 +++
 ## Preface
 Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to
 manage my reverse proxies and SSL certificates. It's a great tool, especially
 for beginners who do prefer a GUI to configure the reverse proxy service, but
 most of my TLS certificates expired suddenly and I did not like the idea to
 reload all of them manually. Some time ago I heard about Caddy2, which
 automatically renews TLS certificates using ACME, and I wanted to try it, but I
 learnt by experience the motto 'If it works don't touch it', so I kept doing
 other things rather than configuring Caddy without needing to do that. And I
 have to say that configuring it was easier than I thought!
 Both Adguard Home and Caddy2 are inside a Docker container, so I will show you
 how to configure them with Docker Compose. That said, it could be useful also
 for those who have them installed on their system.
 ## Adguard Home
 The following is the Docker Compose configuration for Adguard Home. I used the
 official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)
 to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager
 network, so that I could use the same network for Caddy2. It didn't change until
 I switched to Caddy2, after adding the volume for the certificates so that I
 could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are
 stored within the Caddy2 container, so you'll need to update the certificate
 path in the volume.
 ```yaml
 services:
  adguard:
    image: adguard/adguardhome
    container_name: adguard
    restart: unless-stopped
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
      - ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
    ports:
      - 853:853/tcp # DNS-over-TLS
    environment:
      - TZ=Europe/Rome
    networks:
      - reverse-proxy_default
 networks:
  reverse-proxy_default:
    external: true
 ```
 ## Caddy2
 I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)
 as a starting point and I modified it to reuse the existing Nginx Proxy Manager
 network. I also changed the volumes to a local path because I find it more organized.
 ```yaml
 services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - $PWD/caddy_data:/data
      - $PWD/caddy_config:/config
    networks:
      - reverse-proxy_default
 networks:
  reverse-proxy_default:
    external: true
 ```
 Then I had to configure the Caddyfile, which is the configuration file for
 Caddy2. I didn't delve into the documentation, but I managed to find a working
 solution by searching how to reverse proxy. The only challenge was configuring
 Dns-Over-Https with Caddy, but
 ```caddyfile
 domain.tld {
    handle /dns-query {
        reverse_proxy https://adguard {
            transport http {
                tls_insecure_skip_verify
            }
        }
    }
    reverse_proxy http://adguard
 }
 ```
 The handle directive is used to match the path /dns-query, which is the path used
 by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request
 to the Adguard Home container. The tls_insecure_skip_verify directive is used to
 skip the tls verification, because I configured Adguard Home to use encryption so
 that I could use Dns-Over-Https.
 ## Conclusion
 Now the last things to do were to configure the settings in <https://domain.tld/#encryption>
 by setting the certificate file path both for the chain and the private key:
 ![Adguard Home Settings](/images/adguard-home-settings.png)
 And to open the port 443 in the firewall. That's it! Now I have a secure DNS server
 and a reverse proxy with automatic TLS certificates renewal. I hope this guide was
 useful to you!
--- a/hugo.toml
+++ b/hugo.toml
@ -11,6 +11,8 @@ menu = [
  { Name = 'About', URL = '/about/', HasChildren = false },
  { Name = 'Useful links', URL = '' },
  { Name = 'Repositories', URL = 'https://git.riefolo.me/mariano', External = true },
  { Name = "Posts", URL = "/posts/", Pre = "Recent", HasChildren = true, Limit = 5 },
 ]
 email_url = 'mailto:rfmariano@protonmail.com'
--- a/static/images/adguard-home-settings.png
+++ b/static/images/adguard-home-settings.png