Normalize caddy-home-assistant-liar

romkey · romkey · commit c6a784c52344 · 2026-03-11T09:16:01.000-07:00
docker-compose.yml:
- Rename service caddy -&gt; caddy-home-assistant-liar (matches container_name)
- Use ${IMAGE_VERSION:-latest} for image tag
- Uncomment hass network (required for reverse_proxy home-assistant:8123)
- Rename network alias home-assistant -&gt; hass (project convention)
- Add env_file

config/Caddyfile.default (renamed from Caddyfile.example):
- Renamed so configure_app can auto-copy it to Caddyfile on install

Add .env.example, README.md, .rsync-exclude

Made-with: Cursor
diff --git a/apps/caddy-home-assistant-liar/.env.example b/apps/caddy-home-assistant-liar/.env.example
@@ -0,0 +1,2 @@
+# Image version (optional, defaults to latest)
+#IMAGE_VERSION=latest
diff --git a/apps/caddy-home-assistant-liar/.rsync-exclude b/apps/caddy-home-assistant-liar/.rsync-exclude
diff --git a/apps/caddy-home-assistant-liar/README.md b/apps/caddy-home-assistant-liar/README.md
@@ -0,0 +1,74 @@
+# caddy-home-assistant-liar
+
+A Caddy reverse proxy that spoofs `X-Forwarded-For` and `X-Real-IP` headers to
+make Home Assistant believe incoming requests originate from a trusted local IP
+address. This bypasses Home Assistant's IP-based authentication check when
+requests arrive via nginx-proxy-manager from a non-RFC1918 source.
+
+## How it works
+
+nginx-proxy-manager → **caddy-home-assistant-liar** → home-assistant
+
+Caddy rewrites the forwarded IP headers to `192.168.0.0` before passing
+requests upstream to `home-assistant:8123`. Home Assistant sees a local IP
+and grants access without requiring authentication.
+
+## Configuration
+
+### Caddyfile
+
+Copy the default config and edit as needed:
+
+```bash
+cp config/Caddyfile.default config/Caddyfile
+```
+
+Key settings in `config/Caddyfile`:
+
+| Setting | Description |
+|---------|-------------|
+| `trusted_proxies static <IP>` | IP of the nginx-proxy-manager container on the caddy network — check with `docker inspect` if it changes |
+| `X-Forwarded-For` / `X-Real-IP` | Spoofed local IP sent to Home Assistant |
+| `reverse_proxy home-assistant:8123` | Upstream Home Assistant container (resolved via hass-net) |
+
+### Environment Variables
+
+No required environment variables. Optionally set `IMAGE_VERSION` in `.env`
+to pin the Caddy image tag.
+
+## Network dependencies
+
+| Network | Provided by | Purpose |
+|---------|-------------|---------|
+| `nginx-proxy-net` | nginx-proxy-manager | Receives inbound requests from the reverse proxy |
+| `hass-net` | home-assistant | Reaches `home-assistant:8123` by container name |
+| `caddy-home-assistant-liar-net` | this service | Internal network created by this service |
+
+## Usage
+
+### Starting the service
+
+```bash
+# Configure Caddyfile first
+cp config/Caddyfile.default config/Caddyfile
+# Edit config/Caddyfile if needed, then:
+docker compose up -d
+```
+
+### Stopping the service
+
+```bash
+docker compose down
+```
+
+### Viewing logs
+
+```bash
+docker compose logs -f
+```
+
+### Reloading Caddy config without restart
+
+```bash
+docker compose exec caddy-home-assistant-liar caddy reload --config /etc/caddy/Caddyfile
+```
diff --git a/apps/caddy-home-assistant-liar/config/Caddyfile.default b/apps/caddy-home-assistant-liar/config/Caddyfile.default
@@ -0,0 +1,29 @@
+{
+	servers {
+		trusted_proxies static 172.18.0.17 # The IP nc showed as the source
+	}
+}
+
+http://ctrlh:8888, :8888 {
+	request_header X-Forwarded-For "192.168.0.0"
+	request_header X-Real-IP "192.168.0.0"
+
+	reverse_proxy home-assistant:8123 {
+# for debugging - to see headers run:  nc -v -l -p 8089
+#	reverse_proxy 192.168.13.2:8089 {
+		# Force removal of existing headers
+		# (don't actually do this, this removes the headers we add as well)
+		#        header_up -X-Forwarded-For
+		#        header_up -X-Real-IP
+
+		# 2. Use the '+' prefix to FORCE add these headers
+		header_up X-Forwarded-For "192.168.0.0"
+		header_up X-Real-IP "192.168.0.0"
+
+
+		# 3. Add a canary header to prove Caddy is reading this block
+		header_up +X-Spoof-Active "True"
+
+		header_up X-Forwarded-Proto {scheme}
+	}
+}
diff --git a/apps/caddy-home-assistant-liar/docker-compose.yml b/apps/caddy-home-assistant-liar/docker-compose.yml
@@ -0,0 +1,28 @@
+services:
+  caddy-home-assistant-liar:
+    image: caddy:${IMAGE_VERSION:-latest}
+    container_name: caddy-home-assistant-liar
+    hostname: caddy-home-assistant-liar
+    restart: unless-stopped
+#    ports:
+#      - 80:80
+    volumes:
+      - ./config:/etc/caddy
+      - ../../lib/caddy-home-assistant-liar/data:/data
+      - ../../lib/caddy-home-assistant-liar/config:/config
+    env_file:
+      - .env
+    networks:
+      - proxy
+      - hass
+      - caddy
+
+networks:
+  proxy:
+    external: true
+    name: nginx-proxy-net
+  hass:
+    external: true
+    name: hass-net
+  caddy:
+    name: caddy-home-assistant-liar-net

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+# Image version (optional, defaults to latest)`
	`2`	`+#IMAGE_VERSION=latest`