+++
title = 'How to Configure Adguard Home With Caddy2'
date = 2024-09-22T12:57:01+02:00
draft = false
tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
+++
Preface
Until recently I used Nginx Proxy Manager to manage my reverse proxies and SSL certificates. It's a great tool, especially for beginners who prefer a GUI for configuring the reverse proxy service, but most of my TLS certificates expired suddenly and I did not like the idea of reloading all of them manually. Some time ago I heard about Caddy2, which automatically renews TLS certificates using ACME, and I wanted to try it, but I had learnt by experience the motto 'If it works, don't touch it', so I kept doing other things rather than configuring Caddy without needing to. And I have to say that configuring it was easier than I thought!
Both AdGuard Home and Caddy2 run inside Docker containers, so I will show you how to configure them with Docker Compose. That said, it should also be useful for those who have them installed directly on their system.
Adguard Home
The following is the Docker Compose configuration for AdGuard Home. I used the official Docker image from Docker Hub to deploy it. I also reused the existing Nginx Proxy Manager network, so that Caddy2 could later use the same network. The configuration did not change when I switched to Caddy2, apart from adding a volume for the certificates so that I could configure DNS-over-TLS and DNS-over-HTTPS. Note that the certificates are stored inside the Caddy2 data volume, so you'll need to update the certificate path in the volume to match your own domain.
services:
  adguard:
    image: adguard/adguardhome
    container_name: adguard
    restart: unless-stopped
    volumes:
      - ./work:/opt/adguardhome/work
      - ./conf:/opt/adguardhome/conf
      # certificate and key issued by Caddy for the DNS hostname, shared with AdGuard Home
      - ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
    ports:
      - 853:853/tcp # DNS-over-TLS
    environment:
      - TZ=Europe/Rome
    networks:
      - reverse-proxy_default
networks:
  reverse-proxy_default:
    external: true
Caddy2
I took this configuration from the official Caddy2 documentation as a starting point and modified it to reuse the existing Nginx Proxy Manager network. I also changed the volumes to a local path because I find it more organized.
services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile
      - $PWD/site:/srv
      - $PWD/caddy_data:/data   # ACME certificates and keys live here
      - $PWD/caddy_config:/config
    networks:
      - reverse-proxy_default
networks:
  reverse-proxy_default:
    external: true
Then I had to configure the Caddyfile, which is the configuration file for Caddy2. I didn't delve into the documentation, but I managed to find a working solution by searching for how to set up a reverse proxy. The only challenge was configuring DNS-over-HTTPS with Caddy, but
domain.tld {
    # DNS-over-HTTPS endpoint: forward to AdGuard Home over HTTPS
    handle /dns-query {
        reverse_proxy https://adguard {
            transport http {
                tls_insecure_skip_verify
            }
        }
    }
    # everything else: the AdGuard Home web interface over plain HTTP
    reverse_proxy http://adguard
}
The handle directive matches the path /dns-query, which is the path used by DNS-over-HTTPS, and the reverse_proxy inside it forwards those requests to the AdGuard Home container; all other requests are proxied to AdGuard Home's plain HTTP interface. The tls_insecure_skip_verify directive skips TLS verification on that internal hop, because I configured AdGuard Home to use encryption so that I could use DNS-over-HTTPS, and the certificate it presents is issued for the public domain rather than for the container name adguard. The public connection is still terminated by Caddy with its own automatically managed certificate, so the skipped verification only concerns the hop inside the Docker network.
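To see what actually arrives at the /dns-query handler, here is an added example (not from the original post) that builds the RFC 8484 GET form of a DNS-over-HTTPS query: the wire-format DNS message, base64url-encoded into the dns= parameter. It assumes POSIX sh with base64(1) and tr(1), plus curl(1) only for the optional live check; the resolver and query names are placeholders.

```shell
#!/bin/sh
# Added example: construct an RFC 8484 DNS-over-HTTPS GET request for an A record.

# Write a hostname in DNS wire format: each label length-prefixed, then a zero byte.
dns_name_wire() {
    name=${1%.}                       # drop a trailing dot if present
    oldifs=$IFS; IFS=.
    for label in $name; do
        # the format becomes e.g. "\003%s": one length byte, then the label text
        printf "\\$(printf '%03o' "${#label}")%s" "$label"
    done
    IFS=$oldifs
    printf '\000'
}

# Write a complete DNS query message for an A record of $1.
# ID is 0 (RFC 8484 recommends this so HTTP caches can reuse responses),
# flags 0x0100 (recursion desired), QDCOUNT 1, no other records.
dns_query_wire() {
    printf '\000\000\001\000\000\001\000\000\000\000\000\000'
    dns_name_wire "$1"
    printf '\000\001\000\001'         # QTYPE A, QCLASS IN
}

# base64url (RFC 4648 section 5) without padding, as the dns= parameter requires.
doh_query_b64url() {
    dns_query_wire "$1" | base64 | tr -d '\n' | tr '+/' '-_' | tr -d '='
}

# Full GET URL for resolver host $1 and query name $2 (placeholders in the usage below).
doh_get_url() {
    printf 'https://%s/dns-query?dns=%s\n' "$1" "$(doh_query_b64url "$2")"
}

# Optional live check (needs network): fetch the answer and hex-dump it.
# In a working setup the response is a dns-message whose 4th byte has RCODE 0
# in its low nibble; an HTML or error body means the request never reached AdGuard Home.
doh_live_check() {
    curl -sS -H 'accept: application/dns-message' "$(doh_get_url "$1" "$2")" | od -An -tx1
}

# Usage: doh_live_check domain.tld www.example.com
```

The encoded value for www.example.com matches the worked example in RFC 8484 section 4.1.1, so the same URL can be pasted into any DoH client to confirm the handle block routes it correctly.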
Conclusion
The last things to do were to configure the settings in https://domain.tld/#encryption by setting the certificate file path for both the chain and the private key, and to open port 443 in the firewall. That's it! Now I have a secure DNS server and a reverse proxy with automatic TLS certificate renewal. I hope this guide was useful to you!