yak shaving moments of earlier in the day:
I have an Asustor NAS () that comes with a self-signed TLS cert for enabling TLS connections. Self-signed means that every browser will complain due to root cert not trusted. Decided to use Lets encrypt.sathyabh.at/nas/
I have an Asustor NAS () that comes with a self-signed TLS cert for enabling TLS connections. Self-signed means that every browser will complain due to root cert not trusted. Decided to use Lets encrypt.sathyabh.at/nas/
to get the cert. but I don't want to use nginx or certbot to manage the cert plus needed a simple reverse proxy, to installed @caddyserver because of it's automatic TLS support.
But wait, automatic TLS required publicly accessible connections. I don't want to do that for my NAS
But wait, automatic TLS required publicly accessible connections. I don't want to do that for my NAS
So, decided to use dns-01 for domain verification. But wait, caddy doesnt come with support for DNS provided out of box - need to recompile with that addon. But wait, I don't need that since I run caddy as a container, so try to find a way to get the DNS provider module.
But wait, this is also not supported and left as community contributed stuff. Look around, see there are bunch of different options (like xcaddy, build a new image based on the rebuilt caddy with dns provide module added on. Don't want to do that.
Remember on the back of my mind that @mrkaran_ had done something similar. Go find his work on his repo.
So go steal his image. But wait, need to setup Cloudflare API token. Fumble around how to do that & then give up and search for "cloudflare api token"github.com/mr-karan/caddy…
So go steal his image. But wait, need to setup Cloudflare API token. Fumble around how to do that & then give up and search for "cloudflare api token"github.com/mr-karan/caddy…
But wait, API token need to be setup with the least privileges. See that CF already provides some templates for API token permissions, take a few mins to read the wordy descriptions of each. Pick the right one. Have a token. Stick token into Caddyfile. Setup DNS record for NAS
Restart caddy container. See the logs and verify that API auth is working as expected. But wait, don't want plain text secrets in Caddy file. Go hunting ways to correct this. Find out can pass env variables to Caddy and can use these variable references in Caddyfile.
Modify Caddyfile to remove plain text token. Caddy runs. Still no TLS. Go back to logs. Realize caddy runs as container, while Asustor's portal isn't running as container. Figure out ways to get connection working from container to host.
Can cheat by adding the external IP. But don't want to do that. Want to do it right (lol). Can't use host.docker.internal because not running docker desktop. Finally got tired of yak shaving and stick in the docker network's gateway IP as reverse proxy.
Everything works. All because I want a nice TLS connection for my NAS portal that I use seldom, no one else uses, and is not publicly accessible.
and that is how I spent couple of hours on Saturday night. Send help.
and that is how I spent couple of hours on Saturday night. Send help.
@threadreaderapp unroll
• • •
Missing some Tweet in this thread? You can try to
force a refresh
