I’m trying to deploy rootless Caddy to my Homelab, and the way I have it set up, I have each service I wish to reverse proxy to on a dedicated user account.

Pre-post EDIT: Ya, I put the Docker Management flair, but I didn’t see any about Podman and this really is a very Podman issue.

This is a cross-post from an off-Reddit Caddy community:

https://caddy.community/t/networking-caddy-in-a-podman-container-to-other-users/21462/3

## 1. The problem I’m having:

I am rebuilding my homelab server, ButtonMash (Rocky 8.8), to use Caddy as a reverse proxy instead of binding each service to a port on the host.

I am trying to reverse proxy three already-existent services: Vaultwarden, Pi-Hole, and Nextcloud. Each is in a rootless Podman container (Nextcloud has a pod with MariaDB) and has its own user account. At present, I am working with a Caddy container running off Pi-Hole’s account. Pi-Hole is serving a DNS record for buttonmash.lan, and I have already worked out the inbound traffic with firewalld and Podman.

Caddy port forwarding:

```
(Host_port->Host_port):container_port
(80->8000):80
(443->44300):443
2019:2019
```

Curling buttonmash.lan:2019 returns Hello World! when Caddy is running.
Both TCP and UDP are forwarded on ports 80 and 443.

My present goal is to reach vaultwarden.buttonmash.lan with a Bitwarden client and/or Firefox, but I’m having trouble finding the best practice way to reach it in terms of security. I have started up Caddy, Pi-Hole, and Vaultwarden with the flag `--network podman`, but was only able to curl :2019 from Pi-Hole, the container Caddy is sharing a user with for now.

My present problem is getting traffic back out of Caddy’s Podman container and on to containers run by other users.

- I’d prefer running Caddy rootless.
- I’d prefer using a Podman container.
- I am aware of using a host-mode network, but I have security concerns.
- I’d prefer to maintain user-account separation for various services, but am open to the idea as a backup plan before going rootful.
- My ideal solution would be to use a rootful method to either make a Podman network rootless containers can connect to, or somehow use slirp4netns (I know little beyond the name) or netavark (with Podman 4.0+ it works with rootless, and I’m on Podman 4.4.1).

## 2. Error messages and/or full log output:

```
Problem does not produce error logs.
```

## 3. Caddy version:

Caddy v2.7.5
docker.io/library/caddy:latest

## 4. How I installed and ran Caddy:

Caddy is installed from docker.io/library/caddy:latest

I use a script to reset it (available below).

### a. System environment:

Rocky Linux 8.8

CPU architecture: x86_64 (Intel Core i5-3470 CPU @ 3.20GHz)

Podman 4.4.1

systemd

```
$ systemctl --version
systemd 239 (239-74.el8_8.5)
+PAM +AUDIT +SELINUX +IMA -APPARMOR +SMACK +SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=legacy
```

### b. Command:

```
podman stop Caddy
podman rm Caddy
podman run -d \
--name Caddy \
--network podman \
-p 2019:2019 \
-p 8000:80 \
-p 44300:443 \
-v $PWD/Caddyfile:/etc/caddy/Caddyfile:z \
-v caddy-config:/config \
-v caddy-data:/data \
caddy
```

### c. Service/unit/compose file:

### d. My complete Caddy config:

```
vaultwarden.buttonmash.lan {
    tls internal
    reverse_proxy localhost:8002
}

piholeadmin.buttonmash.lan {
    tls internal
    reverse_proxy 10.88.0.3:8001
}

:2019 {
    respond "Hello World!"
}
```

## 5. Links to relevant resources:

Too many to know which ones are relevant and which are trash.
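One way to wire up the setup described in the post while keeping every service under its own user and Caddy rootless, as an added example rather than the poster's or the Caddy project's own configuration: each service publishes its port on the host loopback only, and Caddy reaches the host loopback through slirp4netns's `allow_host_loopback` gateway (10.0.2.2) instead of `localhost`, which inside Caddy's network namespace is Caddy itself. It assumes Vaultwarden and Pi-hole listen on port 80 inside their containers, that the host ports 8002 and 8001 from the post are free, and that each `run_*` function is executed as that service's own user; the Vaultwarden image name and volume names are assumptions.

```sh
#!/bin/sh
# Added example (not from the post). Each service is started by its own user and
# binds only to the host loopback, so nothing but Caddy is reachable from the LAN.
set -eu

VAULTWARDEN_PORT=8002   # host loopback port for Vaultwarden (from the post)
PIHOLE_PORT=8001        # host loopback port for Pi-hole's web UI (from the post)
# With --network slirp4netns:allow_host_loopback=true, a rootless container
# reaches the host's 127.0.0.1 at this address (slirp4netns default gateway).
HOST_LOOPBACK=10.0.2.2

# Run as the vaultwarden user: publish on 127.0.0.1 only, never on 0.0.0.0.
# Pi-hole is published the same way on ${PIHOLE_PORT} by its own user.
run_vaultwarden() {
  podman run -d --name vaultwarden \
    -p "127.0.0.1:${VAULTWARDEN_PORT}:80" \
    -v vw-data:/data:Z \
    docker.io/vaultwarden/server:latest
}

# Run as the Caddy user: slirp4netns with host loopback access replaces
# "--network podman"; the published ports stay the same as in the post.
run_caddy() {
  podman run -d --name Caddy \
    --network slirp4netns:allow_host_loopback=true \
    -p 8000:80 -p 44300:443 \
    -v "$PWD/Caddyfile:/etc/caddy/Caddyfile:z" \
    -v caddy-config:/config -v caddy-data:/data \
    docker.io/library/caddy:latest
}

# Caddyfile: upstreams point at the host loopback gateway, not at "localhost".
render_caddyfile() {
  cat <<EOF
vaultwarden.buttonmash.lan {
    tls internal
    reverse_proxy ${HOST_LOOPBACK}:${VAULTWARDEN_PORT}
}

piholeadmin.buttonmash.lan {
    tls internal
    reverse_proxy ${HOST_LOOPBACK}:${PIHOLE_PORT}
}
EOF
}

# Reachability check in the same network mode Caddy uses (throwaway alpine, busybox wget).
check_upstream() {
  podman run --rm --network slirp4netns:allow_host_loopback=true \
    docker.io/library/alpine:latest \
    wget -qO- "http://${HOST_LOOPBACK}:$1/" >/dev/null && echo reachable || echo unreachable
}
```

Run `render_caddyfile > Caddyfile` in Caddy's user account before `run_caddy`, and `check_upstream 8002` to confirm the Vaultwarden port is visible from a slirp4netns namespace before blaming Caddy.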

  • ElevenNotes@alien.top · 1 year ago

    Containers in the same network namespace can communicate with each other, but only if run by the same user. Why do you feel the need to run pods with different users? Podman is by default rootless, and that rootless gives you the best in security when it comes to container isolation from the host. If you want to isolate containers from each other, simply use different pods or network namespaces, whatever you prefer. Any reason to prefer Caddy over the likes of Traefik or Nginx?