
I run a lot of services at home.

This includes, but isn't limited to

and a lot more.

Pretty much anything served over HTTP is nicer, if not outright necessary, to have behind TLS.

Let's Encrypt brought free certificates to the masses long ago, and there are plenty of tools for automating issuance and renewal nowadays.

My preferred approach for getting all the unnecessary nonsense I self-host at home behind TLS is Caddy.

I have a super straightforward setup, generally:

  • Run Caddy in a Docker container
  • Create a wildcard A record in my DNS pointing at my home's (effectively) static IP (an A record rather than a CNAME, since a CNAME can only point at another hostname, not an IP)
  • Add an entry in my Caddyfile for each service I'm running at home, each on its own subdomain
  • If it's a service then I add it with a reverse_proxy block
  • If it's a static site (like this) then there's a block for
  • If it's something I want only accessible on my home network then I put a named matcher like
  @local_network {
    path *
    remote_ip <home subnet here>
  }

in the directive. And voilà.

Then tell Caddy to reload the config and I'm done.
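Here is what that setup looks like as one Caddyfile, as an added example rather than the author's own config. It assumes the zone example.com has a wildcard A record pointing at the home IP, that the home LAN is 192.168.1.0/24, and that the upstreams are other containers on the same Docker network reachable by service name (gitea, grafana); all of those are placeholders. It also makes the local-only deny explicit, which the matcher on its own does not do:

```caddyfile
# Added example, not the author's Caddyfile. Assumed placeholders: the
# example.com zone, the 192.168.1.0/24 home subnet, and the upstream
# container names gitea and grafana.

# A publicly reachable service. Caddy obtains and renews the Let's Encrypt
# certificate for this hostname automatically (the wildcard A record is what
# lets the ACME challenge reach this box) and proxies to the container.
gitea.example.com {
    reverse_proxy gitea:3000
}

# A static site served straight from a directory bind-mounted into the
# container.
blog.example.com {
    root * /srv/blog
    file_server
}

# A service that should only answer to the home LAN. The matcher names
# clients that are NOT on the home subnet, and they get an explicit 403
# before any proxying happens. Caddy orders respond before reverse_proxy
# regardless of where it appears in the block. Without an explicit deny, a
# request that matches no handler falls through to an empty 200 response,
# which is not the same thing as being refused.
grafana.example.com {
    @not_local {
        not remote_ip 192.168.1.0/24
    }
    respond @not_local 403
    reverse_proxy grafana:3000

    # Access log so the IP the matcher actually sees can be checked.
    log
}
```

Two checks before trusting the remote_ip matcher. First, look at the access log for a request from a LAN machine and confirm the logged remote address is the machine's LAN IP and not the Docker bridge gateway; if the container only ever sees the bridge address, the matcher is either matching everyone or no one. Second, remote_ip is the address of the TCP peer, so if Caddy sits behind another proxy it will see that proxy's address; in that case configure trusted_proxies and use the client_ip matcher (Caddy 2.7 and later) instead. Note also that every per-subdomain certificate is published to Certificate Transparency logs, so the hostnames of "local only" services are still discoverable even though their content is not reachable.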