caddy (running on opnsense as service) as reverse proxy for grommunio

wseifert

In a first step I want to configure caddy (running on opnsense as service) as reverse proxy for grommunio. A second step should caddy configure as proxy for a immich instance inside my private network.
Searching the web I did not find tutorials or how to`s for grommunio behind caddy as HTTP/HTTPS/TLS proxy with acme functionaly by caddy.
Anyone outside there who has done such a configuration or on the way to?

Werner

frxb54

wseifert
I did it this way: First, a reverse proxy for grommunio, and then there's the layer 4 proxy in opnsense. I enabled that as well. Then it works.

Forgot to mention that with the opnsense caddy reverse proxy you can set the grommunio to get the certificate itself

crpb

I know that is something different but maybe you can use the HAPROXY examples to have an overview what needs to be configured.

wseifert

My idea is that certiface handling is done by caddy on opnsense so proxy for grommunio and proxy for immich is secured by same letsencrypt certificate. So for the moment two reverse proxies are needed, in the future more proxies (file sharing, ...) can be added with cert support.

frxb54

klappt alles einwandfrei über opnsense caddy würde ich behaupten (manchmal brauchts ja noch extra Portforwarding auf die Maschine selbst . Damit habe ich auch gleich netbird und tacticalrmm am start.
Die mich so interessieren und vorher irgendwie nicht so liefen. Hab damit erstmal kein VPS.

WalterH

You should read the multiserver setup, as it contains a lot of information about proxies. You can ignore shared storage and backend selection.
https://docs.grommunio.com/admin/architecture.html#multi-server-architecture

wseifert

I had no time to try and test what I wanted to have for a while, but finally I got it to work perfect:

What I needed to do was to reconfigure grommunio to use internal certificate instead of let's encrypt. To archieve this easy I created a new grommunio VM and cloned the system to a new instance with internal certificate. As result beside having the internal certificate now the unread folder on my emClient works.
The configuration of acme client for a wildcard certificate on opnsense needs a dns provider with DNS validation like CloudNS. The rest was very easy to do and most of the time used the mailbox migration.
Now I have a single registred public IP with HTTPS configured for all sub domains (mail, immich, bitwarden, ...) reverse proxied do different internal servers. As additional security I have added CrowdSec Agent to opnsense.

Werner