121 lines
4.2 KiB
Markdown
121 lines
4.2 KiB
Markdown
+++
|
|
title = 'How to Configure Adguard Home With Caddy2'
|
|
date = 2024-09-22T12:57:01+02:00
|
|
draft = false
|
|
tags = ['Caddy2', 'Adguard Home', 'Docker', 'Docker Compose', 'Reverse Proxy', 'SSL/TLS', 'ACME', 'DNS-over-TLS', 'DNS-over-HTTPS', 'Security', 'Networking', 'Server', 'Configuration', 'Guide']
|
|
+++
|
|
|
|
## Preface
|
|
|
|
Until recently I used [Nginx Proxy Manager](https://nginxproxymanager.com/) to
|
|
manage my reverse proxies and SSL certificates. It's a great tool, especially
|
|
for beginners who do prefer a GUI to configure the reverse proxy service, but
|
|
most of my TLS certificates expired suddenly and I did not like the idea to
|
|
reload all of them manually. Some time ago I heard about Caddy2, which
|
|
automatically renews TLS certificates using ACME, and I wanted to try it, but I
|
|
learnt by experience the motto 'If it works don't touch it', so I kept doing
|
|
other things rather than configuring Caddy without needing to do that. And I
|
|
have to say that configuring it was easier than I thought!
|
|
|
|
Both Adguard Home and Caddy2 are inside a Docker container, so I will show you
|
|
how to configure them with Docker Compose. That said, it could be useful also
|
|
for those who have them installed on their system.
|
|
|
|
## Adguard Home
|
|
|
|
The following is the Docker Compose configuration for Adguard Home. I used the
|
|
official Docker image from [Docker Hub](https://hub.Docker.com/r/adguard/adguardhome)
|
|
to deploy Adguard Home. I also utilized the existing Nginx Proxy Manager
|
|
network, so that I could use the same network for Caddy2. It didn't change until
|
|
I switched to Caddy2, after adding the volume for the certificates so that I
|
|
could configure Dns-Over-TLS and Dns-Over-Https. Note that the certificates are
|
|
stored within the Caddy2 container, so you'll need to update the certificate
|
|
path in the volume.
|
|
|
|
```yaml
|
|
services:
|
|
adguard:
|
|
image: adguard/adguardhome
|
|
container_name: adguard
|
|
restart: unless-stopped
|
|
volumes:
|
|
- ./work:/opt/adguardhome/work
|
|
- ./conf:/opt/adguardhome/conf
|
|
- ../caddy/caddy_data/caddy/certificates/acme-v02.api.letsencrypt.org-directory/dns.riefolo.me:/opt/adguardhome/cert
|
|
ports:
|
|
- 853:853/tcp # DNS-over-TLS
|
|
environment:
|
|
- TZ=Europe/Rome
|
|
networks:
|
|
- reverse-proxy_default
|
|
|
|
networks:
|
|
reverse-proxy_default:
|
|
external: true
|
|
```
|
|
|
|
## Caddy2
|
|
|
|
I took this configuration from the official [Caddy2 documentation](https://hub.Docker.com/_/caddy)
|
|
as a starting point and I modified it to reuse the existing Nginx Proxy Manager
|
|
network. I also changed the volumes to a local path because I find it more organized.
|
|
|
|
```yaml
|
|
services:
|
|
caddy:
|
|
image: caddy:latest
|
|
restart: unless-stopped
|
|
cap_add:
|
|
- NET_ADMIN
|
|
ports:
|
|
- "80:80"
|
|
- "443:443"
|
|
- "443:443/udp"
|
|
volumes:
|
|
- $PWD/Caddyfile:/etc/caddy/Caddyfile
|
|
- $PWD/site:/srv
|
|
- $PWD/caddy_data:/data
|
|
- $PWD/caddy_config:/config
|
|
networks:
|
|
- reverse-proxy_default
|
|
|
|
networks:
|
|
reverse-proxy_default:
|
|
external: true
|
|
```
|
|
|
|
Then I had to configure the Caddyfile, which is the configuration file for
|
|
Caddy2. I didn't delve into the documentation, but I managed to find a working
|
|
solution by searching how to reverse proxy. The only challenge was configuring
|
|
Dns-Over-Https with Caddy, but
|
|
|
|
```caddyfile
|
|
domain.tld {
|
|
handle /dns-query {
|
|
reverse_proxy https://adguard {
|
|
transport http {
|
|
tls_insecure_skip_verify
|
|
}
|
|
}
|
|
}
|
|
reverse_proxy http://adguard
|
|
}
|
|
```
|
|
|
|
The handle directive is used to match the path /dns-query, which is the path used
|
|
by Dns-Over-Https. The reverse_proxy directive is used to reverse proxy the request
|
|
to the Adguard Home container. The tls_insecure_skip_verify directive is used to
|
|
skip the tls verification, because I configured Adguard Home to use encryption so
|
|
that I could use Dns-Over-Https.
|
|
|
|
## Conclusion
|
|
|
|
Now the last things to do were to configure the settings in <https://domain.tld/#encryption>
|
|
by setting the certificate file path both for the chain and the private key:
|
|
|
|
![Adguard Home Settings](/images/adguard-home-settings.png)
|
|
|
|
And to open the port 443 in the firewall. That's it! Now I have a secure DNS server
|
|
and a reverse proxy with automatic TLS certificates renewal. I hope this guide was
|
|
useful to you!
|