Using a single FQDN for Teslamate and Grafana under Caddy w/ SSL & Basic Auth

[SemoTech]

*** SOLVED, SEE BELOW ***

Hello,
I am looking to move my teslamate to another host, and taking the opportunity to explore the possibility of having just one FQDN, instead of the current teslamate.example.com and grafana.example.com. Basically just teslamate.example.com and teslamate.example.com/grafana

The plan is to do a fresh install of teslamate in Docker behind a Caddy V2 proxy, which will handle HTTPS through auto-retrieved valid SSL certificates and Basic Auth, and then restore the backup database, but unsure what the ideal docker-compose.yml contents/configuration will be.

[tobiasehlert]

Yes that is possible and you should be able to take a look here:
https://docs.teslamate.org/docs/guides/traefik

I have at least a setup close to this, except that I've added some additional auth on top :)

[SemoTech]

Thanks @tobiasehlert I knew I saw this somewhere :-)

After a lot of work and support from https://caddy.community/u/francislavoie on the Caddy forums I managed to get this installed from scratch and working, as follows:

1 - Secure setup using Caddy proxy (pulls SSL cert automatically from Let's Encrypt) - needs un-proxied DNS record, and a firewall forward rule for ports 80 and 443 but only into Caddy.
2 - Deployment in Portainer for "teslamate" Stack containing the services: teslamate:, grafana:, postgres database: and mosquitto:. Note that mosquitto: is OPTIONAL should you NOT need to export data to another system like Home Asssitant.
3 - Caddy v2 running as another Docker container instance (another Stack) on same Docker server, & using the caddy-net: network
4 - Single FQDN in the form of 'https://teslamate.example.com' with Grafana accessible as 'https://teslamate.example.com/grafana'
5 - Modal basic authentication by Caddy (further improved with LAN bypass in my subsequent post.
6 - Port security - No exposed ports outside of Docker stack, since Caddy will process/access everything internally and communication is all done through Caddy, even for LAN.
7 - Watchtower configuration flag (needs Watchtower Stack installed separately) in order to automatically update teslamate:, grafana: and mosquitto: services, but NOT the postgres: service, as that can break the DB. Postgres DB upgrades can be done as per the manual HERE. Use Watchtower this at your own risk.

Here are the config files:

Portainer Config for "teslamate" Stack (i.e. docker-compose.yml) - note the ${} variables used, you'll need a .env file with all of them!

services:
  teslamate:
    image: teslamate/teslamate:latest
    restart: always
    depends_on:
      - database
    environment:
      - ENCRYPTION_KEY=${TM_ENCRYPTION_KEY}
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=${TM_DB_HOST}
      - MQTT_HOST=mosquitto
      - VIRTUAL_HOST=${FQDN_TM}
      - CHECK_ORIGIN=true
      - NTP_SERVERS=${TM_NTP}
      - TZ=${TM_TZ}
    labels:
      - "com.centurylinklabs.watchtower.enable=true"  
    networks:
      tm-net:
      caddy-net:      
    volumes:
      - /root/docker/teslamate/import:/opt/app/import
    cap_drop:
      - all

  database:
    image: postgres:16
    restart: always
    environment:
      - POSTGRES_USER=${TM_DB_USER}
      - POSTGRES_PASSWORD=${TM_DB_PASS}
      - POSTGRES_DB=${TM_DB_NAME}   
    networks:
      tm-net:
    volumes:
      - /root/docker/teslamate/teslamate-db:/var/lib/postgresql/data

  grafana:
    image: teslamate/grafana:latest
    restart: always
    environment:
      - DATABASE_USER=${TM_DB_USER}
      - DATABASE_PASS=${TM_DB_PASS}
      - DATABASE_NAME=${TM_DB_NAME}
      - DATABASE_HOST=${TM_DB_HOST}
      - GRAFANA_PASSWD=${GRAFANA_PW}
      - GF_SECURITY_ADMIN_USER=${GRAFANA_USER}
      - GF_SECURITY_ADMIN_PASSWORD=${GRAFANA_PW}
      - GF_AUTH_BASIC_ENABLED=true
      - GF_AUTH_ANONYMOUS_ENABLED=false
      - GF_SERVER_DOMAIN=${FQDN_TM}
      - GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana
      - GF_SERVER_SERVE_FROM_SUB_PATH=true
      - GF_SMTP_ENABLED=true
      - GF_SMTP_FROM_NAME=${GF_SMTPNAME}
      - GF_SMTP_FROM_ADDRESS=${GF_SMTPSENDER}
      - GF_SMTP_HOST=${GF_SMTPHOST}                      
      - GF_SMTP_USER=${GF_SMTPUSER}                   
      - GF_SMTP_PASSWORD=${GF_SMTPPASS}
      - GF_SMTP_SKIP_VERIFY=false
    user: "root:root"
    networks:
      tm-net:
      caddy-net:     
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
    volumes:
      - /root/docker/teslamate/teslamate-grafana-data:/var/lib/grafana

  mosquitto:
    image: eclipse-mosquitto:2
    restart: always
    command: mosquitto -c /mosquitto-no-auth.conf    
    networks:
      tm-net:
    labels:
      - "com.centurylinklabs.watchtower.enable=true"        
    volumes:
      - /root/docker/teslamate/mosquitto-conf:/mosquitto/config
      - /root/docker/teslamate/mosquitto-data:/mosquitto/data

volumes:
  teslamate-db:
  teslamate-grafana-data:
  mosquitto-conf:
  mosquitto-data:

networks:
  tm-net:
  caddy-net:
    external: true
    name: caddy-net  

Note that Grafana was configured in the "teslamate" Portainer Stack / docker-compose.yml to use the teslamate FQDN and the /grafana path using:

      - GF_SERVER_DOMAIN=${FQDN_TM}
      - GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s/grafana
      - GF_SERVER_SERVE_FROM_SUB_PATH=true

Therefore the Caddy config needs to access "teslamate" as teslamate.example.com on port 4000 and "grafana" as teslamate.example.com/grafana on port 3000

Caddy config that accomplishes this (use the "caddy hash-password" command to get the hash):

 teslamate.example.com {
  handle /grafana* {
        encode gzip
              basic_auth {
                     # username is gf-admin and password is a hash obtained using the caddy hash-password command
                     gf-admin $23ihnqbeocbqebfihbadfvnbsrgbsfb
           }
    reverse_proxy grafana:3000
  }

  handle {
        encode gzip
              basic_auth {
                     # username is tm-admin and password is a hash obtained using the caddy hash-password command
                      tm-admin $vweonqvbqvuabworhuqfvjanefjn
              }
    reverse_proxy teslamate:4000
  }
}

Hope this helps someone else as well.

[SemoTech]

I made some improvements to the Caddy config I am happy to share. This is so Caddy does NOT prompt for Basic Auth credentials when accessing the protected resource from a trusted IP range (the LAN).

Note that Grafana will still ask for login to itself via the username and password you setup in the main .env file for the Teslamare Stack.

Here is the same Caddy Caddyfile config but with the IP/LAN exclusion, in case anyone is interested:

teslamate.example.com {
  handle /grafana* {
        encode gzip
              @not-local not remote_ip 192.168.1.0/24  # Exclude LAN IP's
                basic_auth @not-local {
                     # username is gf-admin and password is a hash obtained using the caddy hash-password command
                     gf-admin $23ihnqbeocbqebfihbadfvnbsrgbsfb
           }
    reverse_proxy grafana:3000
  }

  handle {
        encode gzip
              @not-local not remote_ip 192.168.1.0/24  # Exclude LAN IP's
                basic_auth @not-local {
                     # username is tm-admin and password is a hash obtained using the caddy hash-password command
                      tm-admin $vweonqvbqvuabworhuqfvjanefjn
              }
    reverse_proxy teslamate:4000
  }
}