Reverse Proxy with Caddy

:warning: This guide has been migrated from our website and might be outdated. Feel free to edit this guide to update it, and to remove this message after that.

Caddy Server is a powerful HTTP/2 server, that enables HTTPS by default with automatically generated Let’s Encrypt certificates, which allows a simple configuration procces.

Using Caddy as a proxy for Home Assistant allows you to serve Home Assistant securely over standard ports. This configuration file and instructions will walk you through setting up Home Assistant over a secure connection.

1. Get a domain name forwarded to your IP

Chances are, you have a dynamic IP address (your ISP changes your address periodically). If this is true, you can use a Dynamic DNS service to obtain a domain and set it up to update with you IP. If you purchase your own domain name, you will be able to easily get a trusted SSL certificate later.

2. Install Caddy on your server

This will vary depending on your OS. Caddy has a nice utillity that generates an installer script.

:information_source: Make sure you include the hook.service plugin if you want to run Caddy as a service

3. Port forwarding

Forward ports 443 and 80 to your server on your router. Do not forward port 8123.

4. Create Caddyfile

Use this as your Caddyfile, change the domain name to match yours.

example.com {
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

5. Configure Home Assistant

Home Assistant is still available without using the Caddy proxy. Restricting it to only listen to 127.0.0.1 will forbid direct accesses. Also, Home Assistant should be told to trust headers coming from Caddy proxy only. Otherwise, incoming requests will always come from 127.0.0.1 and not the real IP address.

On your configuration.yaml file, edit the http component.

http:
  # For extra security set this to only accept connections on localhost if Caddy is on the same machine
  # server_host: 127.0.0.1
  # Update this line to be your domain
  base_url: https://example.com
  use_x_forwarded_for: true
  # You must set the trusted proxy IP address so that Home Assistant will properly accept connections
  # Set this to your Caddy machine IP, or localhost if hosted on the same machine.
  trusted_proxies: <Caddy IP address here, or 127.0.0.1 if hosted on the same machine>

6. Start Caddy

You can either start Caddy or install it as a service, pass the Caddyfile path as a conf parameter.
Home Assistant will be listening on port 443 (HTTPS) and all insecure traffic on port 80 will be redirected.

1 Like

== Note ==

This is a Caddy V1 guide and replaced with Caddy V2.

The equivalent to “proxy” in caddy v2 is" reverse_proxy"

example.com {
    reverse_proxy localhost:8123
}

transparent and websocket are both default and aren’t needed.

4 Likes

Hello, I have duckdns and caddy installed working but my router can’t forward 443 and 80 ports… how can I solve?

If ports 80 and 443 are blocked, you gotta figure out if they’re blocked on the machine (like by a firewall) or if they’re blocked by your internet service provider (ISP). If it’s the firewall, you can modify that (instructions vary by machine). If the ISP blocks them then you’re kinda out of luck =\