Install the simplest webserver for static html

Hi dan, yes caddy is running on .1.40

Now I could make the local HTML web page show when I go to 192.168.1.40:40 (just to try). I can access TrueNAS HTML files and the Caddyfile to edit it more easily, via FileZilla (took me a good hour to understand paths, logins, SSH etc.). I have port :40 forwarded to 192.168.1.40 and it works with weather.domain.com now, thank you very much! I’m not sure I understand everything I did but hey, it works lol.

I’m fiddling with ports and subdomains and am surprised that trying the address main.domain.com/weather with

*:40 {
	root * /usr/local/www/html
	file_server
	reverse_proxy /weather* 192.168.1.40:40
}

it goes back to my Nextcloud,
and also after #commenting the block, weather.domain.com:40 still shows the HTML page… I’m confused. Also it keeps wanting to add https:// instead of http://

Now with the TLS, I have what you wrote in the GitHub guide. Is it possible to use other ports than :80 and :443? They’re already used for my Nextcloud encryption and I’m wondering if I can use any other random port(s) for this webserver?

but it doesn’t seem to do anything, even when I comment the first directive of the block #acme_ca … no sign of https

You’re slightly missing the point here.

If Caddy is running on that IP, then there is no need to reverse proxy to it. It will serve files out of the specified root when you visit the IP on port 80.

Hi Victor, oh, okay I get it :slight_smile:
Actually now that I’m thinking about it, I already have a Caddy instance on the Nextcloud jail that I installed through dan’s script.
So maybe I could leave the ports 80 and 443 forwarded to that Nextcloud jail where Caddy is, and change the Caddyfile there on 192.168.1.36?
Or is it cleaner to get rid of the Caddy from the Nextcloud jail, and put everything in this new Caddy instance on 192.168.1.40?
If it’s better to merge to only one Caddy, could I get some guidance on how to do so so it doesn’t mess up the Nextcloud jail/access please?

The Caddyfile inside the Nextcloud server is what is serving your nextcloud files. Don’t touch that one.

I would have a separate caddy jail (like you have) and use that for my reverse proxying. You can just proxy to Nextcloud from there.

Personally, if it’s static pages and only a couple of pages, run it on the free tier of AWS and call it a day. No need to deal with all this setting up servers and stuff. (If it’s for learning, fine, but at the end of the day… you just need to get it done quickly.)

Caddy offers functionality far beyond just static files.
Namely reverse proxying to other services in your network.

But I see we have strayed from the main point of the thread. Perhaps we should start a new thread.

Hi everyone, I’ve been fiddling with the settings and am getting somewhere with Caddy. I read the documentation and researched the internet but still need a bit of help please. I’m going with the subdomain-for-each-service option, as recommended by Victor.

So to recap, I’ve got a Nextcloud jail installed with danb35’s script (which includes its own Caddy within the jail), and I’ve got a separate jail for Caddy, with the following Caddyfile:

{
# Global options block for certificates
email golfox2@email.com
# acme_ca https://acme-staging-v02...
acme_ca https://acme-v02...
}

# Nextcloud subdomain
nextcloud.domain.com {
reverse_proxy 192.168.1.36:443
}

# Plex subdomain
plex.domain.com {
reverse_proxy 192.168.1.35:32400
}

# Home Assistant subdomain
hass.domain.com {
reverse_proxy 192.168.1.71:8123
}

# Websites (for static HTML)

# weather subdomain
weather.domain.com {
root * /usr/local/www/weather
rewrite * /index.html
file_server

}

# Resume subdomain
resume.domain.com {
root * /usr/local/www/resume
rewrite * /resume.html
file_server

}

Now my problems:

- Weather and Resume webpages work and look secure, and they show the index.html straight away, but the CSS doesn’t load (the file is in the same folder; it works when I open it locally in my browser)

- Plex jail works perfectly fine, yay

- Nextcloud jail shows “Client sent an HTTP request to an HTTPS server.” on a black screen, and nothing moves (same result with the domain or 192.168.1.36:443)

- Home Assistant virtual machine (running on the TrueNAS) shows “400: Bad Request” on a black screen and nothing moves

Here is the port forwarding I’ve done, and my subdomain names are/should be working because Plex and the webpages work (tested from 4G on my phone too, works).


Which means I deleted the previous :80 and :443 forwarding to the Nextcloud jail (as I had done according to danb35’s install script indications).
Could that be a reason why the Nextcloud doesn’t work?

Things I tried:

  • I tried to add “tls” under the reverse_proxy parameter but it makes everything crash
  • I flushed DNS on my Windows computer
  • I restarted the Caddy jail every time I made a change to test, and cleared my browser’s cache every time
  • ssllabs.com gave positive results for certificate tests
  • root@caddy:/usr/local/www # sockstat -l | grep 443 gives: root caddy 49362 7 tcp46 *:443 and root caddy 49362 8 udp46 *:443
  • I verified the Caddyfile with root@caddy:/usr/local/www # caddy validate Caddyfile; it gives a valid configuration but with this:
caddy validation output

INFO using adjacent Caddyfile
INFO using config from file {"file": "Caddyfile"}
INFO adapted config to JSON {"adapter": "caddyfile"}
INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00050b480"}
INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc00050b480"}

Sooo, I don’t really know what else I can do to make the Nextcloud and Home Assistant jails work…
Thank you in advance for the help!

PS: should I start a new thread?

Why the rewrite? You should only need the root block.

You should be doing port 80 instead of port 443 here.

Home Assistant requires you to add a ‘trusted_proxies’ block in the Home Assistant config file to trust the reverse proxy.

This won’t resolve your question, just for others reading with nextcloud, you typically want to add these to caddy as well:

redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301

At least if you are using CardDAV and/or CalDAV. I use them for my iOS calendar, address book, reminders, some apps, etc.

If Nextcloud was installed using my script, those are already in the Caddyfile:


Thank you for taking the time to reply to me.

The rewrite is because I would like to type only resume.domain.com and land directly on the resume.html page, not having to write the whole thing (easier to share with people).
Same for the weather. When I use just the root block for resume.domain.com it shows nothing if I don’t have the rewrite.

Okay, I have changed my Nextcloud port to 80 like this, but it still doesn’t work (now it says “This page isn’t working, redirected you too many times.”):

# Nextcloud subdomain
nextcloud.domain.com {
reverse_proxy 192.168.1.36:80
}

Then for the Home Assistant trusted proxies thingy, if I understand, the immediate upstream proxy is the local IP address of my Caddy jail? Do I need to append /24 at the end?
So in the Home Assistant YAML file:

  trusted_proxies:
    - 192.168.1.40/24

thank you

Sfatula & Dan:
Yes, I installed Nextcloud in a jail using dan’s script, and haven’t touched that Caddyfile.
So if I understand, I am not supposed to add these to this Caddy jail that I am now fiddling with, right?

Thank you for your help !

You should not need to add those lines anywhere; they’re already in Nextcloud’s Caddyfile.

Ok noted thanks :slight_smile:

Now I still face the Nextcloud access issue, even after changing to port :80 in the Caddyfile (the one from the Caddy jail, not Nextcloud’s Caddyfile, I didn’t touch that one).

Can you post your nextcloud caddyfile and also your nextcloud config.php file?

Remove anything sensitive.
Also, what CERT option did you choose when installing nextcloud?

Sure, here’s the Nextcloud Caddyfile on Pastebin; it’s also here for convenience:

Nextcloud Caddyfile
{
	# debug
	#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	email @email.com
	# default_sni nextcloud domain com
}

nextcloud.domain {
	root * /usr/local/www/nextcloud
	file_server
	log {
		output file /var/log/nextcloud.domain.log
	}

	php_fastcgi 127.0.0.1:9000 {
		env front_controller_active true
	}

	header {
		# enable HSTS
		# Strict-Transport-Security max-age=31536000;
	}

	# client support (e.g. os x calendar / contacts)
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	redir /.well-known/webfinger /index.php/.well-known/webfinger 301
	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

	# Required for legacy
	@notlegacy {
		path *.php
		not path /index*
		not path /remote*
		not path /public*
		not path /cron*
		not path /core/ajax/update*
		not path /status*
		not path /ocs/v1*
		not path /ocs/v2*
		not path /updater/*
		not path /ocs-provider/*
		not path */richdocumentscode/proxy*
	}
	rewrite @notlegacy /index.php{uri}

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}

	respond @forbidden 404
}

And there’s the Nextcloud config.php file on Pastebin too,
and here for convenience if needed:

nextcloud config.php
<?php
$CONFIG = array (
  'passwordsalt' => 'xx',
  'secret' => 'xx',
  'trusted_domains' => 
  array (
    0 => 'localhost',
    1 => 'nextcloud.domain.click',
    2 => '192.168.1.36',
  ),
  'datadirectory' => '/mnt/files',
  'dbtype' => 'mysql',
  'version' => '29.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.domain.click/',
  'dbname' => 'nextcloud',
  'dbhost' => 'localhost:/var/run/mysql/mysql.sock',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'MBRFvoQ52W7FSigMlnFnEA==',
  'installed' => true,
  'instanceid' => 'ocf0wn0s19o6',
  'logtimezone' => 'Europe/xx',
  'default_phone_region' => 'US',
  'log_type' => 'file',
  'logfile' => '/var/log/nextcloud/nextcloud.log',
  'loglevel' => '2',
  'logrotate_size' => '104847600',
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'redis' => 
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
  ),
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'overwritehost' => 'nextcloud.domain.click',
  'overwriteprotocol' => 'https',
  'htaccess.RewriteBase' => '/',
  'trusted_proxies' => 
  array (
    1 => '127.0.0.1',
  ),
  'maintenance_window_start' => 5,
  'mail_from_address' => 'xx',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'xxx',
  'maintenance' => false,
  'theme' => '',
);

I used Let’s Encrypt, first with the staging certificate, then with the normal one (which was working on my previous setup without the dedicated Caddy jail):

# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
acme_ca https://acme-v02.api.letsencrypt.org/directory

So I own my domain name (here: nextcloud.domain.com for this example), the DNS is set up and works (it was working on the previous setup too, and works on Plex and the static HTML pages), and I have ports 80 and 443 open. And I did that config before running danb35’s script, according to his guide on GitHub, § Usage - Let’s Encrypt and Usage - Installation.

When I ran the script, I used exactly these parameters :

JAIL_IP="192.168.1.36"
DEFAULT_GW_IP="192.168.1.1"
POOL_PATH="/mnt/Nextcloud"
TIME_ZONE="Europe/..."
HOST_NAME="nextcloud.domain.com"
STANDALONE_CERT=1
CERT_EMAIL="myemail@..."

I hope that helps, and I am really grateful for your help :slight_smile: good night

Oh, I just saw something, could it be that I have to add the Caddy jail local IP (192.168.1.40) to the trusted domains in the config.php?

array (
    0 => 'localhost',
    1 => 'nextcloud.domain.click',
    2 => '192.168.1.36',
  ),

or maybe here ?

  'trusted_proxies' => 
  array (
    1 => '127.0.0.1',
  ),

?

You need to add the Caddy jail IP to the “trusted_proxies” field of the config.php, and you will need to change the Nextcloud Caddyfile to use port 80 instead of your domain, like this:


{
	# debug
	#acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	email @email.com
	# default_sni nextcloud domain com
}

:80 {
	root * /usr/local/www/nextcloud
	file_server
	log {
		output file /var/log/nextcloud.domain.log
	}

	php_fastcgi 127.0.0.1:9000 {
		env front_controller_active true
	}

	header {
		# enable HSTS
		# Strict-Transport-Security max-age=31536000;
	}

	# client support (e.g. os x calendar / contacts)
	redir /.well-known/carddav /remote.php/dav 301
	redir /.well-known/caldav /remote.php/dav 301
	redir /.well-known/webfinger /index.php/.well-known/webfinger 301
	redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301

	# Required for legacy
	@notlegacy {
		path *.php
		not path /index*
		not path /remote*
		not path /public*
		not path /cron*
		not path /core/ajax/update*
		not path /status*
		not path /ocs/v1*
		not path /ocs/v2*
		not path /updater/*
		not path /ocs-provider/*
		not path */richdocumentscode/proxy*
	}
	rewrite @notlegacy /index.php{uri}

	# .htaccess / data / config / ... shouldn't be accessible from outside
	@forbidden {
		path /.htaccess
		path /data/*
		path /config/*
		path /db_structure
		path /.xml
		path /README
		path /3rdparty/*
		path /lib/*
		path /templates/*
		path /occ
		path /console.php
	}

	respond @forbidden 404
}

The reason for this is because you are connecting via a reverse proxy. When you installed Nextcloud with a STANDALONE_CERT it filled in the domain for you, but since you’re using a reverse proxy now, you’ll want Caddy to just listen on port 80.
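The two answers above (Home Assistant’s trusted_proxies block and the trusted_proxies entry in Nextcloud’s config.php) rest on the same rule, and the earlier question about appending /24 is really a question about how wide that trust is. The Python script below is an added example for this thread, not code from Nextcloud, Home Assistant or Caddy: it models an application that only believes the X-Forwarded-For / X-Forwarded-Proto headers Caddy’s reverse_proxy adds when the TCP peer is a listed proxy. The function names (parse_trusted, is_trusted, resolve_client, demo), the sample addresses (the 192.168.1.40 caddy jail from this thread, a constructed 192.168.1.99 LAN host and a constructed 203.0.113.5 internet client) and the "ignore"/"reject" policies are all illustrative assumptions, not a statement of how either application is implemented.

```python
"""Added example: why 'trusted_proxies' exists and why its CIDR width matters.

Caddy's reverse_proxy adds X-Forwarded-For and X-Forwarded-Proto to every
request it forwards. Any client can send those same headers directly, so an
application must only believe them when the TCP peer that delivered the
request is a proxy it explicitly trusts. resolve_client() models that rule;
the "ignore"/"reject" policies are illustrative, not how a specific app works.
"""
import ipaddress

# Constructed sample addresses, matching this thread's layout:
# the caddy jail is 192.168.1.40; 192.168.1.99 is some other LAN host.
CADDY_JAIL = "192.168.1.40"
OTHER_LAN_HOST = "192.168.1.99"


def parse_trusted(entries):
    """Turn trusted_proxies entries (plain IPs or CIDRs) into networks.

    strict=False lets '192.168.1.40/24' parse, but it widens to
    192.168.1.0/24, i.e. every host on the LAN becomes a trusted proxy.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(peer_ip, trusted):
    """True if the connecting peer falls inside any trusted network."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in trusted)


def resolve_client(peer_ip, headers, trusted, policy="ignore"):
    """Return (client_ip, scheme, http_status) for one request.

    peer_ip : address on the other end of the TCP connection
    headers : request headers (any case)
    trusted : result of parse_trusted()
    policy  : what to do with forwarding headers from an untrusted peer:
              "ignore" -> drop them and use the peer address (status 200)
              "reject" -> refuse the request (status 400)
    """
    h = {k.lower(): v for k, v in headers.items()}
    xff = h.get("x-forwarded-for")
    xfp = h.get("x-forwarded-proto")

    if is_trusted(peer_ip, trusted):
        # The left-most X-Forwarded-For entry is the client as seen by the
        # trusted proxy; anything after it is a further proxy hop.
        client = xff.split(",")[0].strip() if xff else peer_ip
        scheme = xfp.strip().lower() if xfp else "http"
        return client, scheme, 200

    if (xff or xfp) and policy == "reject":
        return peer_ip, "http", 400
    # Untrusted peer: the headers are attacker-controllable, so ignore them.
    return peer_ip, "http", 200


def demo():
    """Run the cases a practitioner would want to see; returns a dict."""
    only_caddy = parse_trusted(["127.0.0.1", CADDY_JAIL])
    whole_lan = parse_trusted([CADDY_JAIL + "/24"])
    forwarded = {"X-Forwarded-For": "203.0.113.5",
                 "X-Forwarded-Proto": "https"}   # what Caddy would add
    spoofed = {"X-Forwarded-For": "127.0.0.1"}   # sent directly by a LAN host
    return {
        # /24 trusts every LAN host; a single IP trusts only the caddy jail
        "lan_host_trusted_with_24": is_trusted(OTHER_LAN_HOST, whole_lan),
        "lan_host_trusted_with_ip": is_trusted(OTHER_LAN_HOST, only_caddy),
        # via the caddy jail: real client address and scheme are recovered
        "via_caddy": resolve_client(CADDY_JAIL, forwarded, only_caddy),
        # direct from another host: the spoofed header is ignored or rejected
        "spoof_ignored": resolve_client(OTHER_LAN_HOST, spoofed, only_caddy),
        "spoof_rejected": resolve_client(OTHER_LAN_HOST, spoofed, only_caddy,
                                         policy="reject"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the practical difference between listing 192.168.1.40 and listing 192.168.1.40/24: with the CIDR, a request from any other machine on the LAN is treated as if it came through the proxy, so listing only the proxy's own address keeps the trust as narrow as the setup needs.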

Hey! Thanks for the update, so I added my Caddy jail’s IP, 192.168.1.40, in the config.php trusted proxies:

  'trusted_proxies' => 
  array (
    1 => '127.0.0.1',
    2 => '192.168.1.40',
  ),

and I added the :80 instead of the existing nextcloud.domain.com { }

aaaand… IT WORKS !
thank you so much for the help ! I really truly appreciate :smiling_face_with_three_hearts: :smiling_face_with_three_hearts: :smiling_face_with_three_hearts:


You got it all sorted now?

Almost, I need to take care of the configuration.yaml of Home Assistant and add the 192.168.1.40 Caddy jail IP:

1. Is it in this location from the user interface? Because I don’t see any trusted_proxies block.

2. Add a username/password on one of the HTML pages in the weather.domain.com site with basic auth (I’m not sure how to deal with the encryption key generation?). The structure should be:

weather.html
weather.css
auth/ (folder which contains:)
    home.html (this is accessed by a simple a href link on weather.html, but I’d like to require authentication to show the page)
    home.css

3. The rewrite for the resume static page doesn’t work properly: only the HTML is shown, the CSS doesn’t load. It works if I remove the rewrite, but then I need to write the full resume.domain.com/resume.html
    (which in itself is not a big deal, but I would like to print visiting cards with a QR code that points to just resume.domain.com ideally).