This seems too straightforward, what’s the catch?

Like how secure is it? Should I be turning it off (and disabling the port forwarding) when not using it?

Do I need any additional security? I mainly just want to use it for Jellyfin.

Thanks

1 point

I switched from Traefik to Caddy a few years ago and have no ragrets. The only complaints I have about Caddy:

  • It doesn’t support configuring virtual hosts automatically via docker labels (like Traefik).
  • Many features (like DNS auth for certs) require compiling Caddy. Which is easy but annoying.
1 point

I have not tested it, but someone did auto-discovery for Caddy:

https://github.com/lucaslorentz/caddy-docker-proxy

1 point

You mean using DNS providers like Cloudflare?

It’s very easy, just do this:

caddy add-package github.com/caddy-dns/cloudflare

1 point

It doesn’t support configuring virtual hosts automatically via docker labels (like Traefik).

Here you go: https://github.com/lucaslorentz/caddy-docker-proxy. No more extra Caddy configuration file.

1 point

Whoa, just when I thought I had completed my setup haha

1 point

If you are using Docker, check out this repository for Caddy builds with different plugins https://github.com/serfriz/caddy-custom-builds

1 point

Nice!

1 point

Random question from a noobie…. Why do you use something like Traefik versus something like Cloudflare Zero Access? (Again, sorry if the question is dumb.) I’m just a new guy learning as I go, and after getting Zero Access up with an $8 domain and now being able to securely access everything via subdomains, it seems confusing why apps like Traefik are still so popular. I know I’m missing something there but hoping someone points it out.

1 point

Because this is r/selfhosted. :-)

1 point

I use Caddy and agree with your last point in the context of Crowdsec

1 point

I wrote something that can set up Caddy automatically from docker labels.

It’s not well documented as I mostly wrote it for myself. https://hub.docker.com/r/mheys1/docker-dynamic-caddy https://github.com/mattheys/ddc

It basically acts like a DNS server serving up SRV records that Caddy can use for dynamic configuration. I added an on_demand_tls endpoint as well so that you don’t get spammed for non-existent TLS records.

1 point

Anyone know if Caddy would be a good pick for a reverse proxy on a public subnet to distribute traffic to a bunch of subdomains in low traffic settings? I figure it could be a single source for all HTTPS stuff in my stack.

Or is it really just for like single applications running through Docker? Sorry, I haven’t played with it too much.

1 point

Yes, it excels at that use case. Caddy will automatically set up and manage certificates for each subdomain.

1 point

Don’t hate me, but I use Apache2. Why would I use Caddy?

1 point

I used Apache for many years. It’s great! But Caddy is simpler, easier and lighter weight.

1 point

What is it? Is it an alternative to unraid?

1 point

No, it’s a web server and reverse proxy.

It automatically adds HTTPS using Let’s Encrypt certificates.

1 point

There are some trade-offs, mostly performance.

2 points

I would not directly expose Jellyfin to the Internet (including reverse proxy) because of security issues they’ve had. And no, a reverse proxy (like Caddy) doesn’t usually add much insecurity or security^.

The thing I currently do is use forward_auth w/ Authelia (from anywhere, you could also use basic_auth though the UX sucks) but bypass it for the app in private IP ranges (aka at home or in VPN):

jellyfin.example {
        # Matches every request that is NOT (Jellyfin client AND private source IP):
        # matchers inside "not" are ANDed, then the whole result is negated.
        @notapp {
                not {
                        header User-Agent *Jellyfin*
                        client_ip private_ranges
                }
        }

        # Send those requests through Authelia first; unauthenticated users are
        # redirected (rd=) to the Authelia portal.
        forward_auth @notapp localhost:8080 {
                uri /api/verify?rd=https://authelia.example/
        }
        # Everything else (and everything that passed Authelia) reaches Jellyfin.
        reverse_proxy 192.168.1.44:8080
}

Apps get to continue working, and I can access it from my phone without a VPN setup (because it’s annoying and I only look at metadata on my phone anyway).

You can also do a simpler config (which I used to do) where you just give an HTTP Unauthorized for anything outside of private ranges (this lets you do the HTTP challenge for a certificate while still not exposing Jellyfin to the general internet).

^You can configure more security by doing authentication in the reverse proxy so that anyone trying to attack services behind it must first authenticate with the reverse proxy, but this is not the default. Security-wise this ends up similar to forcing all access through a VPN first, if a little harder to set up.

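A Caddyfile for the simpler variant mentioned in the comment above (answer 401 to anything outside private ranges while the ACME HTTP challenge keeps working). This is an added example, not the commenter's own config; the hostname jellyfin.example.com and the upstream 192.168.1.44:8096 are assumed values.

```caddyfile
# Added example, not from the original post. jellyfin.example.com and the
# upstream 192.168.1.44:8096 are assumed values; replace them with your own.
jellyfin.example.com {
        # Match any request whose client address is NOT in a private range
        # (RFC 1918, loopback, IPv6 ULA), i.e. anything that did not come in
        # from the LAN or the VPN. client_ip needs Caddy 2.7 or newer; on
        # older releases use remote_ip instead.
        @outside {
                not client_ip private_ranges
        }

        # Refuse those requests before they ever reach Jellyfin. Caddy serves
        # ACME HTTP-01 challenges on port 80 itself, ahead of the site's own
        # routes, so the certificate for this host is still issued and renewed.
        respond @outside "Unauthorized" 401

        # Everything else (LAN and VPN clients) is proxied straight through.
        reverse_proxy 192.168.1.44:8096
}
```

One caveat worth knowing: client_ip only honours X-Forwarded-For from addresses you list under trusted_proxies in the server's global options, so an outside attacker cannot spoof a private source address with a forged header; if Caddy sits behind another proxy (Cloudflare, for example), you must list that proxy as trusted or every request will look like it came from it.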
1 point

Been using it for a few years now, and yeah, it’s just that simple.

I have 443 open and pointing at my Caddy instance, it handles everything else.


Self-Hosted Main

!main@selfhosted.forum


A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

For Example

  • Service: Dropbox - Alternative: Nextcloud
  • Service: Google Reader - Alternative: Tiny Tiny RSS
  • Service: Blogger - Alternative: WordPress

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.
