Take back control: secure and private self-hosting on Debian with SSH keys, an ufw firewall and a robust fail2ban configuration. Use Docker and Caddy as a reverse proxy to securely provide your self-hosted services.
Step-by-step, minimal, and practical.
https://lukasrotermund.de/posts/simple-private-self-hosting/
@gewt move to #CaddyServer and there won't be a need for #certbot anymore, since it comes with built-in #ACME support and all tools and knobs one could wish for.
It comes with many sane defaults and thereby allows to run quite complex setups - yet only requiring very minimal configs.
I have again tried and failed to get my #Nextcloud server to be happy with #caddyserver. It seems others have gotten pretty URLs with a subdomain to work and I got it sort of half-working, in that it's showing a nextcloud page, but with no CSS and an otherwise page not found.
My current ISP blocks port 80, so I have to use dns-01 with apache, which is one of those things that isn't great if I were to abruptly kick the bucket and my wife would eventually lose access to our server.
Want to leverage #MCP (Model Context Protocol) without the hassle? Learn how to set up a powerful #n8n server on #hostinger for #AI #automation with @tailscale and #caddyserver
Save $200+ over 2 years with this method 
https://youtu.be/OmWJPJ1CR7M
@simsus für den Fall finde ich ja den Webserver #Caddyserver genial, der automatisch verlängert und auch automatisch beantragt:
Caddy Web Server 2.10 released with encrypted ClientHello (ECH) support, post-quantum key exchange, ACME profiles, libdns 1.0 APIs, global DNS config
Hi all. Hoping someone in the #SelfHosting community can help. I'm trying to set up #Linkwarden in #Docker behind #Caddy. The service is running, but I'm unable to create a user account. This is what I see in my browser console when I try:
register:1 [Intervention] Images loaded lazily and replaced with placeholders. Load events are deferred. See https://go.microsoft.com/fwlink/?linkid=2048113
register:1 [DOM] Input elements should have autocomplete attributes (suggested: "new-password"): (More info: https://www.chromium.org/developers/design-documents/create-amazing-password-forms)
<input data-testid="password-input" type="password" placeholder="••••••••••••••" class="w-full rounded-md p-2 border-neutral-content border-solid border outline-none focus:border-primary duration-100 bg-base-100" value="tyq5ghp!QVH-mva1agc">
register:1 [DOM] Input elements should have autocomplete attributes (suggested: "new-password"): (More info: https://www.chromium.org/developers/design-documents/create-amazing-password-forms)
<input data-testid="password-confirm-input" type="password" placeholder="••••••••••••••" class="w-full rounded-md p-2 border-neutral-content border-solid border outline-none focus:border-primary duration-100 bg-base-100" value="tyq5ghp!QVH-mva1agc">
Error
api/v1/users:1 Request unavailable in the network panel, try reloading the inspected page Failed to load resource: the server responded with a status of 400 () Failed to load resource: the server responded with a status of 400 ()
compose file:
services:
postgres:
image: postgres:16-alpine
container_name: linkwarden_postgres
env_file: .env
restart: always
volumes:
- ./pgdata:/var/lib/postgresql/data
networks:
- linkwarden_net
linkwarden:
env_file: .env
environment:
- DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@linkwarden_postgres:5432/postgres
restart: always
# build: . # uncomment this line to build from source
image: ghcr.io/linkwarden/linkwarden:latest # comment this line to build from source
container_name: linkwarden
ports:
- 3009:3000
volumes:
- ./data:/data/data
networks:
- linkwarden_net
depends_on:
- postgres
networks:
linkwarden_net:
driver: bridge
Relevant part of .env file:
NEXTAUTH_URL=https://bookmarks.laniecarmelo.tech/api/v1/auth
NEXTAUTH_SECRET=x8az9q9w8ofAxnrVcer2vsPHeMmKSPbf
# Manual installation database settings
# Example: DATABASE_URL=postgresql://user:password@localhost:5432/linkwarden
DATABASE_URL=
# Docker installation database settings
POSTGRES_PASSWORD=redacted
# Additional Optional Settings
PAGINATION_TAKE_COUNT=
STORAGE_FOLDER=
AUTOSCROLL_TIMEOUT=
NEXT_PUBLIC_DISABLE_REGISTRATION=false
NEXT_PUBLIC_CREDENTIALS_ENABLED=true
Caddyfile snippet
*.laniecarmelo.tech {
tls redacted {
dns cloudflare redacted
}
header {
Content-Security-Policy "default-src 'self' https: 'unsafe-inline' 'unsafe-eval';
img-src https: data:;
font-src 'self' https: data:;
frame-src 'self' https:;
object-src 'none'"
Referrer-Policy "strict-origin-when-cross-origin"
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Content-Type-Options "nosniff"
X-Xss-Protection "1; mode=block"
}
encode br gzip
# Bookmarks
@bookmarks host bookmarks.laniecarmelo.tech
handle @bookmarks {
reverse_proxy 127.0.0.1:3009
}
}
Can anyone help? I have no idea how to fix this.
#SelfHosted #CaddyServer #Linux #Tech #Technology
@selfhost @selfhosted @selfhosting
Hi everyone,
I'm encountering an issue with my self-hosted setup using Caddy 2.9.1 and Authelia 4.38.19. All domains except auth.laniecarmelo.tech return a 401 Unauthorized error. Journald logs suggest issues with insecure schemes ('') instead of https or wss.
Details:
Feb 24 21:01:47 stormux authelia[2932]: level=error msg="Target URL '/' has an insecure scheme '', only 'https' and 'wss' are supported"Caddy:Feb 24 21:19:41 stormux caddy[48845]: {"msg":"handled request","method":"GET","host":"adguard.laniecarmelo.tech","status":200}Configurations:
Curl Output:
HTTP Request:
$ curl home.laniecarmelo.tech -v
< HTTP/1.1 308 Permanent Redirect
< Location: https://home.laniecarmelo.tech/
HTTPS Request:
$ curl https://home.laniecarmelo.tech -v
< HTTP/2 401
< content-type: text/plain; charset=utf-8
< server: Caddy
401 Unauthorized
Does anyone know what might be causing this? I suspect it could be related to forward_auth or trusted proxies.
Thanks in advance! 
#SelfHosting #CaddyServer #Authelia #ReverseProxy #TechHelp #Linux #HomeLab
@selfhost @selfhosting @selfhosted
Help Needed: #CORS and #Cloudflare Access Issues with #Nextflux + #MiniFlux Setup
Hi everyone! I’m struggling with a #SelfHosted setup and could really use some advice from the self-hosting community. Lol I've been trying to figure this out for hours with no luck. Here’s my situation:
Setup
What’s Working
The Problem
Nextflux cannot connect to MiniFlux due to persistent CORS errors and authentication issues with Cloudflare Access. Here are the errors I’m seeing in the browser console:
Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' from origin 'https://nextflux.laniecarmelo.tech' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.Cloudflare Access Redirection:
Request redirected to 'https://lifeofararebird.cloudflareaccess.com/cdn-cgi/access/login/rss.laniecarmelo.tech'.
Failed to Fetch:
Failed to fetch: TypeError: Failed to fetch.
What I’ve Tried
Service Token Authentication:
CF-Access-Client-Id and CF-Access-Client-Secret headers in Caddy for rss.laniecarmelo.tech.CORS Configuration:
Access-Control-Allow-Origin: *) in both Caddy and MiniFlux.Policy Adjustments:
Debugging Logs:
AccessJWTValidator errors).Current State
Despite these efforts:
Goals
My Environment
CLOUDFLARE_SERVICE_AUTH_ENABLED=trueCLOUDFLARE_CLIENT_ID=<client-id>CLOUDFLARE_CLIENT_SECRET=<client-secret>Relevant Logs
From cloudflared:
ERR error="request filtered by middleware handler (AccessJWTValidator) due to: no access token in request"
From the browser console:
Access to fetch at 'https://rss.laniecarmelo.tech/v1/me' has been blocked by CORS policy.
Questions
Any help or advice would be greatly appreciated!
http://www.myproject.localhost:8080/
http://app.myproject.localhost:8080/
http://api.myproject.localhost:8080/
TIL you can add subdomains to localhost & it will just work!
Great for throwing a #CaddyServer in between you and your development containers, let it route to all the different services by domain.
Today I switched my web server from Apache httpd to Caddy on FreeBSD 14. I've never seen a simpler web server. All you need is one Caddyfile to manage Caddy itself and all websites.
For anyone wanting to add custom plugins/modules to #caddyserver on #NixOS: @vbernat released a flake to do this via xcaddy in a fixed-output derivation. Switched to it on my server today and works perfectly! More details in his blog post:
https://caddy.community/t/set-cookie-manipulation-in-reverse-proxy/7666/15
#CaddyServer is able to alter cookies that are passed between a reverse proxy, removing pesky browser restriction
"I recreated the server, now with encrypted disks, and restored the application. Can you check why it is not running?"
Spent considerable time checking the #Symfony, #caddyserver and #phpfpm configs: nothing could explain such errors, including not respecting any config change.
It was the usual suspect: #selinux, which was non properly configured
Bonus point: took the time to quickly upgrade to PHP 8.3 and Symfony 6.4; not bad for an application last deployed on December 2022 
On December 5 and 6, I'll be in Vienna for SymfonyCon! I'll be explaining how HTTP compression works and how to use the latest developments in the field (Brotli, Zstandard...) to make your @symfony applications even faster.
Of course, we'll also talk about how #CaddyServer and #FrankenPHP can help (as always)!
@alios I don't know whether there's a module for a fully declarative self-contained CA in #nixpkgs, but you could run your own CA using "services.step-ca" and retrieve certs via #ACME (either through the corresponding applications' support or using "security.acme").
If you're using #CaddyServer, you also might want to simply use its built-in support to run an ACME CA (also based on smallstep) or utilize its ACME support to automatically retrieve certs at runtime for all defined hosts.
Because the excellent (and beloved for a decade or so) #reeder by @rizzi does not support #TLSClientAuth for feeds* I spent a few hours on Yak-Shaving and on learning about #caddyserver #systemd-#resolved and - in the end - about #iCloudPrivateRelay.
If a local request is handled like an external request it may be because ... it's coming in as an external request.
___
* I’m sure I’m the only one left on the planet who has rss feeds with Client Certificates, so this is fine!
Time to try #Caddy as the main reverse proxy 
The first few things will be my blog (because the root domain is a bit of a mess with Matrix and the RSS feed redirection)
After a lot of trial and error, I finally got object storage configured for this instance. I had originally planned to use Backblaze, but ended up going with Linode Object Storage. Unfortunately, the guides I found online didn't work for me, and I also had to make the switch from Caddy to Nginx. I'm thinking about writing a blog post to share my experience.
I'm using Caddy and couldn't find a guide to set up object cache proxying. Can someone please provide a Caddyfile for this? I'm using Backblaze for storage.
