+++
title = 'How to Configure Adguard Home With Caddy2'
date = 2024-09-22T12:57:01+02:00
draft = false
tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
+++

## Preface

Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to manage my reverse proxies and SSL certificates. It's a great tool, especially for beginners who prefer a GUI to configure the reverse proxy service, but most of my TLS certificates expired suddenly and I did not like the idea of reloading all of them manually.

Some time ago I heard about Caddy2, which automatically renews TLS certificates using ACME, and I wanted to try it, but I learnt by experience the motto 'If it works, don't touch it', so I kept doing other things rather than configuring Caddy without needing to.

And I have to say that configuring it was easier than I thought!

Both Adguard Home and Caddy2 run inside Docker containers, so I will show you how to configure them with Docker Compose. That said, it could also be useful for those who have them installed on their system.

## Adguard Home

The following is the Docker Compose configuration for Adguard Home. I used the official Docker image from [Docker Hub](https://hub.docker.com/r/adguard/adguardhome) to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager network, so that I could use the same network for Caddy2. It didn't change until I switched to Caddy2, when I added the volume for the certificates so that I could configure DNS-over-TLS and DNS-over-HTTPS.

Note that the certificates are stored in the Caddy2 container's data directory (`caddy_data` on the host), so you'll need to update the certificate path in the volume.

```yaml
services:
  adguard:
    image: adguard/adguardhome
    container_name: adguard
    restart: unless-stopped
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
      - ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
    ports:
      - 853:853/tcp # DNS-over-TLS
    environment:
      - TZ=Europe/Rome
    networks:
      - reverse-proxy_default

networks:
  reverse-proxy_default:
    external: true
```

## Caddy2

I took this configuration from the official [Caddy2 documentation](https://hub.docker.com/_/caddy) as a starting point and I modified it to reuse the existing Nginx Proxy Manager network. I also changed the volumes to a local path because I find it more organized.

```yaml
services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - $PWD/caddy_data:/data
      - $PWD/caddy_config:/config
    networks:
      - reverse-proxy_default

networks:
  reverse-proxy_default:
    external: true
```

Then I had to configure the Caddyfile, which is the configuration file for Caddy2. I didn't delve into the documentation, but I managed to find a working solution by searching how to reverse proxy. The only challenge was configuring DNS-over-HTTPS with Caddy, but

```caddyfile
domain.tld {
	handle /dns-query {
		reverse_proxy https://adguard {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	reverse_proxy http://adguard
}
```

The `handle` directive matches the path `/dns-query`, which is the path used by DNS-over-HTTPS. The `reverse_proxy` directive proxies the request to the Adguard Home container. The `tls_insecure_skip_verify` directive skips TLS verification of the upstream certificate, because I configured Adguard Home to use encryption so that I could use DNS-over-HTTPS.

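A variant of the site block above that keeps certificate verification enabled for the DNS-over-HTTPS hop, added here as an example (not the author's configuration). It assumes Adguard Home presents the certificate Caddy obtained for `domain.tld`, so Caddy can verify it by name with `tls_server_name` instead of skipping verification.

```caddyfile
# Added example, not part of the original post.
# Assumption: Adguard Home serves the certificate issued for domain.tld
# (the files mounted into the container at /opt/adguardhome/cert).
domain.tld {
	handle /dns-query {
		reverse_proxy https://adguard {
			transport http {
				# Caddy connects to the Docker hostname "adguard", which is not
				# in the certificate. Verify against the public name instead
				# of turning verification off.
				tls_server_name domain.tld
			}
		}
	}

	# Everything else (the admin UI) still goes to the plain HTTP listener.
	reverse_proxy http://adguard
}
```

With this setting, a certificate on the Adguard Home side that is expired or issued for another name makes the proxied request fail instead of being silently accepted.
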
## Conclusion

Now the last things to do were to configure the settings in Adguard Home by setting the certificate file path both for the chain and the private key:

![Adguard Home Settings](/images/adguard-home-settings.png)

And to open port 443 in the firewall.

That's it! Now I have a secure DNS server and a reverse proxy with automatic TLS certificate renewal. I hope this guide was useful to you!