New app catalogue request: Caddy (reverse proxy)

Caddy is a reverse proxy that natively integrates with ACME and can use Tailscale certificates.

Docker Hub: https://hub.docker.com/_/caddy/

It is very simple to configure and deploy. It also has a native integration with Docker where it can be configured entirely using Docker labels with no configuration file required and automatically maintains itself with no in-service outage for changes (although the container will need to be reloaded when new app networks are deployed, based on a separate network for each app, and for upgrades). It needs access to /var/run/docker.sock and TrueNAS has made an effort to prevent that (cannot add users to group ‘docker’) so I did not try, but am willing to For Science.

Some apps also don’t work with the ECDSA certs issued by Tailscale, and most won’t support QUIC, which the reverse proxy can do. Jellyfin does not work with Tailscale certs, and has announced plans to remove HTTPS support, so a reverse proxy will be required. It is getting harder to avoid https and harder to avoid certificate automation, with CA/Browser Forum agreeing to reduce max cert lifetime from 1 year now to 47 days in 2029.

There would be an opportunity for a very elegant integration between TrueNAS, the Apps catalogue, Docker, and Tailscale/Acme. For example, TrueNAS App catalogue sets labels on the containers that Caddy uses to publish with the certificate auto-managed from Tailscale, with no config file to manage. TrueNAS could even use it for presenting the Web UI, protected with a real cert.

In the apps catalogue today there is Nginx, but it doesn’t have the native integrations with ACME, Tailscale and Docker. Caddy’s features significantly differentiate it.


Caddy is so nice but you should have posted this under feature requests? Maybe? Not sure if new apps should go there.

Caddy runs fine on Eel including docker.sock.

I believe you have to build in labels, but they could do this easily enough. I am using labels and had to build them in; I didn’t see an image with label support.

Another thing to consider is building in other DNS providers. That could also be done in an image. I, for example, use Porkbun with Caddy.

Thanks – I moved to Feature Requests.

/var/run/docker.sock on 25.04 is root:docker 660. I suppose one could run caddy as root but it is not good practice. TrueNAS should allow you to change the membership of group docker.

Summary:
The TrueNAS App Catalog currently offers Nginx as a reverse proxy option but lacks native support for modern, container-friendly reverse proxies like Caddy and Traefik. Both of these tools provide significant advantages in ease of use, automatic certificate management, and dynamic configuration, which could improve the overall user experience when deploying applications on TrueNAS.


Caddy for TrueNAS

Caddy is an easy-to-use reverse proxy that natively integrates with ACME for automatic SSL certificate management. It supports Tailscale certificates and QUIC, making it an excellent choice for simple, secure web application deployments. Caddy automatically maintains certificates and updates the reverse proxy without requiring in-service outages or manual configuration changes.

Key Features of Caddy:

  • Automatic HTTPS: No manual certificate management; SSL certs are automatically issued and renewed via ACME and Tailscale.
  • Docker Integration: Native integration with Docker allows for simple container-based deployments using labels to configure services without requiring a configuration file.
  • QUIC Support: Supports the modern QUIC protocol, improving performance for secure HTTP/3 connections.
  • Simplicity: Very easy to configure with minimal setup. The Caddyfile is simple to read and write, making it ideal for users who need quick and easy configuration.
  • Use Case: Ideal for home labs or smaller setups that prioritize simplicity and automated HTTPS.

Challenges:

  • TrueNAS Docker Integration: TrueNAS has restrictions around Docker container management, specifically around /var/run/docker.sock access. This could limit the ability to fully leverage Docker-based features with Caddy on TrueNAS unless further integrations are added to allow this access.

Traefik for TrueNAS

Traefik is a powerful reverse proxy and load balancer that is optimized for containerized environments. It supports dynamic service discovery and automatic configuration updates, making it highly scalable and adaptable for more complex infrastructure. Traefik integrates seamlessly with Docker and Kubernetes, providing advanced routing features and traffic management options.

Key Features of Traefik:

  • Dynamic Service Discovery: Automatically discovers services running in containers and adjusts its routes without needing manual configuration changes.
  • Advanced Routing: Supports advanced routing options, such as path-based routing, load balancing, and middleware configurations.
  • Docker and Kubernetes Integration: Excellent support for Docker and Kubernetes environments, using labels to configure routing and proxy rules.
  • Automatic SSL: Like Caddy, Traefik supports ACME for automatic certificate management.
  • Scalability: Best suited for larger, more complex infrastructures, especially when dealing with multiple services and high traffic.

Challenges:

  • Complexity: Traefik offers more features and flexibility but requires more setup and a deeper understanding of configuration files (JSON or TOML).
  • Integration with TrueNAS: While Traefik could be highly beneficial for containerized environments, integration with TrueNAS would require ensuring proper support for Docker networks and dynamic updates for service discovery.

Request:

We propose adding Caddy and Traefik as reverse proxy options to the TrueNAS App Catalog. Both tools offer unique advantages that could enhance the flexibility, security, and ease of use for users deploying containers and services on TrueNAS.

  • Caddy: A simple, out-of-the-box solution for managing SSL certificates and reverse proxy configuration with minimal setup. Ideal for users who want a lightweight, automated solution for home labs and small-to-medium setups.
  • Traefik: A more advanced, feature-rich reverse proxy that excels in dynamic service discovery, load balancing, and support for complex containerized environments. A great choice for larger, more complex setups that need scalability and customization.

Conclusion:
Adding Caddy and Traefik to the TrueNAS App Catalog would provide users with more flexibility and improve reverse proxy options for diverse use cases, from simple home labs to larger, containerized infrastructures. These tools would complement the existing Nginx option and allow TrueNAS users to more easily secure and manage their web services.

Wonderful, thank you!

At the same time the Tailscale app needs to be updated to allow /var/run/tailscale to be stored on a host dataset. This is required for certificate automation, so that it can be shared with other containers that will request certificates over /var/run/tailscale/tailscaled.sock.

Feature request: Tailscale TrueNAS app: make /var/run/tailscale volume configurable

All (web) apps also need the ability to add the web server to the network that the proxy is running in so that the proxy can reach the web server. For example:

services:
  caddy:
    networks:
      - caddy
  ...
...
  jellyfin:
    networks:
      - ix-jellyfin_default
      - caddy
  ...
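The label-driven setup described in the opening post and the shared-network requirement above, combined into one compose file. This is an added example, not configuration from the thread or from TrueNAS; it assumes the lucaslorentz/caddy-docker-proxy image is what provides the "configure entirely from Docker labels" behaviour, and the hostname, dataset path and network names are placeholders.

```yaml
# Added example (not from the thread). Caddy is configured purely from labels via
# the caddy-docker-proxy image (assumption); hostnames and host paths are placeholders.
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine   # assumption: label-aware Caddy build
    ports:
      - "443:443"
      - "443:443/udp"                 # HTTP/3 (QUIC) alongside TCP
    environment:
      - CADDY_INGRESS_NETWORKS=caddy  # only inspect containers attached to this network
    volumes:
      # The container user must be able to open this socket (root:docker 660 on 25.04,
      # per the thread); a read-only mount is enough for label discovery.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # tailscaled.sock lets Caddy obtain Tailscale-issued certs for *.ts.net names.
      - /var/run/tailscale:/var/run/tailscale:ro
      - /mnt/tank/apps/caddy/data:/data   # placeholder host dataset for cert storage
    networks:
      - caddy
    restart: unless-stopped

  jellyfin:
    image: jellyfin/jellyfin
    # These labels are the entire proxy configuration; no Caddyfile is needed.
    labels:
      caddy: nas.example-tailnet.ts.net          # placeholder MagicDNS name
      caddy.reverse_proxy: "{{upstreams 8096}}"  # resolved to this container's IP on the shared network
    networks:
      - ix-jellyfin_default   # the app's own network, named as TrueNAS does
      - caddy                 # shared with the proxy so Caddy can reach port 8096

networks:
  caddy:
    name: caddy               # fixed name so other app stacks can join it
  ix-jellyfin_default:
    external: true            # assumption: created by the TrueNAS app deployment
```

Because Caddy only publishes containers on the `caddy` network, an app that is not attached to it stays unreachable through the proxy even if it carries labels.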