From f2f339038870d35c3c6693765f20a05ddb9005bd Mon Sep 17 00:00:00 2001 From: Monviech <79600909+Monviech@users.noreply.github.com> Date: Wed, 17 Apr 2024 18:14:12 +0200 Subject: [PATCH] Update caddy.rst - Typo corrections --- source/manual/how-tos/caddy.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/source/manual/how-tos/caddy.rst b/source/manual/how-tos/caddy.rst index 31378b99..f7fbf8dc 100644 --- a/source/manual/how-tos/caddy.rst +++ b/source/manual/how-tos/caddy.rst @@ -551,7 +551,7 @@ Next, connect to the OPNsense via SSH or console, go into the shell with Option Caddy and High Availability Setups ---------------------------------- -There are a few possible configurations to run Caddy successfully in a High Availability Setup with two OPNsense Firewalls. +There are a few possible configurations to run Caddy successfully in a High Availability Setup with two OPNsense firewalls. .. Tip:: The main issue to think about is the certificate handling. 
@@ -561,11 +561,11 @@ There are three methods that support XMLRPC sync: * Using the DNS-01 challenge for all domains. * A mix of custom certificates and DNS-01 challenge for all domains. -.. Note:: Using one of these three methods is recommended if there are a lot of changes to the Caddy configuration, since they reduce the administrative overhead. Only these methods are confirmed to work in a HA production setup. +.. Note:: Using one of these three methods is recommended, since they are confirmed to work in a HA production setup. -Additionally, there is one advanced method that has to be configured manually on both firewalls. The XMLRPC sync has to be disabled for the Caddy section to use it. +Additionally, there is one advanced method that has to be configured manually on both OPNsense firewalls. -.. Attention:: This method shouldn't be used in production. It's an interesting workaround for home or lab setups that is explained for completion. Both port ``80`` and ``443`` have to be allowed on ``WAN`` to reach Caddy. +.. Attention:: This method should not be used in production. It's an interesting workaround for home or lab setups that is explained for completion. * Configure Caddy on the master OPNsense firewall until the whole initial configuration is completed. * Sync this configuration once with XMLRPC sync. 
@@ -573,9 +573,9 @@ Additionally, there is one advanced method that has to be configured manually on * On the master OPNsense, select each domain, and set the IP Address in `HTTP-01 challenge redirection` to the same value as in `Synchronize Config to IP` found in `System - High Availability - Settings`. * Create a new Firewall rule that allows Port ``80`` to ``This Firewall`` on the interface that has the prior selected IP Address. * Once this is done, do another XMLRPC sync and then apply the new configuration. -* Check Caddy on the Backup OPNsense. There shouldn't be any IP Addresses in `HTTP-01 challenge redirection`. If there are, delete them and check that the XMLRPC sync for the Caddy section is really disabled. Only Caddy on the master OPNsense should ever have an IP Address in `HTTP-01 challenge redirection`. +* Check Caddy on the backup OPNsense. There shouldn't be any IP Addresses in `HTTP-01 challenge redirection`. If there are, delete them and check that the XMLRPC sync for the Caddy section is really disabled. Only Caddy on the master OPNsense should ever have an IP Address in `HTTP-01 challenge redirection`. -.. Note:: Now both Caddy instances will be able to issue ACME certificates at the same time. The master OPNsense uses the TLS-ALPN-01 challenge for itself and reverse proxies the HTTP-01 challenge to the backup OPNsense. +.. Note:: Now both Caddy instances will be able to issue ACME certificates at the same time. Caddy on the master OPNsense uses the TLS-ALPN-01 challenge for itself and reverse proxies the HTTP-01 challenge to the Caddy of the backup OPNsense. --------------------------------
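Review bot: In the second hunk, dropping "The XMLRPC sync has to be disabled for the Caddy section to use it." removes the only statement in this region that the advanced method requires the Caddy section to be excluded from XMLRPC sync, yet the third hunk still tells the reader to "check that the XMLRPC sync for the Caddy section is really disabled", and the bullets "Sync this configuration once with XMLRPC sync." and "do another XMLRPC sync" only make sense if that section-level disable happens somewhere in between. Unless an explicit "disable XMLRPC sync for Caddy" step exists in the unchanged lines between the hunks, consider keeping that sentence in the "Additionally, there is one advanced method ..." paragraph. The same hunk also drops "Both port ``80`` and ``443`` have to be allowed on ``WAN`` to reach Caddy." from the Attention block; the remaining steps only add a rule for port ``80`` to ``This Firewall`` on the internal sync interface, so the reader loses the reminder that the public-facing ports must be reachable for the ACME challenges the Note describes (TLS-ALPN-01 on 443, HTTP-01 on 80). If the intent was to move that requirement elsewhere, the commit message ("Typo corrections") should say so.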
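Review bot: Style inconsistency between hunks: the second hunk changes "This method shouldn't be used in production." to "This method should not be used in production.", but the rewritten bullet in the third hunk keeps "There shouldn't be any IP Addresses in `HTTP-01 challenge redirection`." Since this bullet is already being touched (Backup -> backup), it would be a good moment to apply the same contraction choice, e.g. "There should not be any IP addresses ...". Also, "in a HA production setup" in the second hunk's Note reads better as "in an HA production setup".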