Steps for configuring Caddy reverse proxy for Hassio
Add this repo to the addon store:
https://github.com/korylprince/hassio-caddy
Using the icon in the upper right, reload the page.
Scroll down and install the Caddy addon.
Comment out the ssl lines in the http: section of your configuration.yaml, then restart Home Assistant.
Connect to http://local-ip:8123 for the rest of this setup until Caddy is completely configured.
If you were using DuckDNS for ssl, go to your DuckDNS addon configuration page and change "accept terms" to "false". Save the config. Restart the addon. If you were using some other method or addon, simply stop that addon and set it to not run at startup, or uninstall it altogether.
Once Caddy is running, everything will come through port 443. You will also need port 80 forwarded for certificate retrieval and renewal (both automatic).
So forward external 443 to internal 443, and external 80 to internal 80, for your Hassio's local IP address. If you would like to change the external ports for extra security you can, but I won't go into detail about that here.
Enter the content below into the config options for the addon, using your own email address.
{
  "flags": [
    "-agree",
    "-email",
    "[email protected]"
  ]
}
Save, but DO NOT START. There's one more step...
Create a new file in a text editor. At minimum, this file will contain:
your_sub.duckdns.org {
  proxy / localhost:8123 {
    websocket
    transparent
  }
}
You can stop there and be done. Save this file as Caddyfile (case sensitive, no extension) inside /share/caddy.
At this point, you can start the addon and check the logs below on the same page.
You should see:
starting version 3.2.4
Running Caddy with arguments: -conf /share/caddy/Caddyfile -agree -email [email protected]
Activating privacy features... done.
followed by your domain listed as both http and https.
If everything is working, you can now reach your domain using https://your.domain.name and, internally, http://your.local.ip:8123. Port 8123 is still plain HTTP, so it stays LAN-only: only 80 and 443 are forwarded from outside.
Here is an example of a Caddyfile with additional security headers and some subdomains which are all reverse proxied. Caddy handles the routing to the backend ports, so none of them need to be opened on your router.
Don't forget to restart the Caddy addon whenever you make changes to the Caddyfile.
Note that in this example, some services are on the Pi running Hass.io (those using 'localhost') and some services are running on another machine with a different IP on the same network:
my-domain.com {
  header / {
    Strict-Transport-Security "max-age=31536000; includeSubDomains"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Referrer-Policy "same-origin"
    - Server
  }
  proxy / localhost:8123 {
    websocket
    transparent
  }
}
node.my-domain.com {
  proxy / localhost:1880 {
    websocket
    transparent
  }
}
term.my-domain.com {
  proxy / localhost:7681 {
    websocket
    transparent
  }
}
config.my-domain.com {
  proxy / localhost:3218 {
    websocket
    transparent
  }
}
sonarr.my-domain.com {
  proxy / 192.168.1.213:8989 {
    websocket
    transparent
  }
}
ombi.my-domain.com {
  proxy / 192.168.1.213:3579 {
    websocket
    transparent
  }
}
cloud.my-domain.com {
  proxy / 192.168.1.152 {
    websocket
    transparent
  }
}
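A quick way to confirm that the header block above actually reaches browsers after a restart is to fetch the public site and diff its response headers against the Caddyfile. This is an added example, not code from the guide or the Caddy addon; it assumes you pass your own hostname to fetch_headers, and the sample response is constructed inline so the check can run offline.

```python
import http.client
import ssl

# Mirrors the header / block of the example Caddyfile (values as written there).
EXPECTED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "same-origin",
}
# "- Server" in the Caddyfile strips the Server header, so it must not appear.
FORBIDDEN_HEADERS = ("Server",)

def audit_headers(headers):
    """Compare a response's headers with the Caddyfile; an empty list means all good."""
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        got = lower.get(name.lower())
        if got is None:
            findings.append(f"missing {name}")
        elif got.strip() != want:
            findings.append(f"{name}: expected {want!r}, got {got!r}")
    for name in FORBIDDEN_HEADERS:
        if name.lower() in lower:
            findings.append(f"{name} header still exposed: {lower[name.lower()]!r}")
    return findings

def fetch_headers(host, path="/"):
    """GET the public hostname over TLS (hostname supplied by the caller) and return its headers."""
    conn = http.client.HTTPSConnection(host, 443, context=ssl.create_default_context(), timeout=10)
    conn.request("GET", path)
    return dict(conn.getresponse().getheaders())

# Constructed sample response: HSTS was lost and the Server header leaked through.
SAMPLE_RESPONSE = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "same-origin",
    "Server": "Caddy",
}

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_headers("my-domain.com") to audit the live site.
    for finding in audit_headers(SAMPLE_RESPONSE):
        print(finding)
```

Run it against each subdomain too: the header block in the example is only attached to my-domain.com, so the proxied subdomains will report every header as missing unless you copy the block into their sites.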