My Organization has an administrator that already provide https to my domain name (https://app1.example.com) that pointed to my app1. Public users now already can access https://app1.example.com.
Since I can only manage MyServer, I would like to add caddy to manage my existing docker container.
But I don’t want to interrupt the existing https that my administrator has already provide.
Below image is:
A. Existing topology, currently each docker container exposed directly to public IP.
B. What it will looks like if I add caddy as my own reverse proxy:
Your Caddyfile could work, yes.
But I would highly recommend speaking with your administrator or whatever.
There are almost infinite ways how they might have set up that https proxy for your existing app1.example.com and how it might conflict with your plans
So there is no caddy config to skip and use existing https?
Perhaps just by forwarding any request on app1.example.com (without requesting new https) to any define reverse proxy on caddy?
I see an auto_https in global options. Can this be used? does it mean I don’t request https for app1.example.com but use the existing one?
For example like this full Caddyfile:
{
auto_https off
}
app1.example.com {
reverse_proxy app1:8080
}
But if your administrator’s proxy only forwards app1.example.com to you, then you won’t be able to add app2.example.com just by adding it to your Caddyfile.
Instead, your administrator might have to add that to their proxy as well (and maybe create another dns record).
If you only care about app1.example.com for now, then sure.
Your B. Topology from that image you shared with
will suffice. auto_https off on the other hand, not.
Yes, for now I need only to maintain this sub domain, and manage anything with caddy, including load balancing to any container behind caddy, etc, etc…
What you’re asking for is a TCP proxy, which means not decrypting the connection before passing it on upstream.
Vanilla Caddy doesn’t do that, but you could do it with GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy which is a plugin for Caddy that can proxy TCP/UDP. But this is a lot more complicated to use because it only supports JSON config at the moment, no Caddyfile support (see the GitHub issues for details on that).
Why must you keep the TLS connection unbroken? You could have Caddy terminate TLS using its own certificate issued from an ACME issuer, then proxy upstream over either HTTP (if your upstream has an HTTP port exposed) or HTTPS (i.e. another TLS connection to upstream, if necessary).
Hmm I didn’t expect to use plugin, it’s much more complicated then…
Yes, I actually easily can issue certificate using caddy. But as I told in image A existing topology, Organization Admin already issue the certificate, and I don’t want to broke that.
I’d like to try as Emily suggest, if it doesn’t work, well I have to figure out something else
By using above caddy config, I can successfully browse to https://app1.example.com/v2022-dev and load my login page of PHP app,
But it work only some parts, other parts shows Mixed Content issue which request http, mostly plugins or javascripts.
I have inspect using chrome devtools, and here is one error sample (other issue have more or less similar error) shows on the console:
Mixed Content: The page at 'https://app1.example.com/v2022-dev/?f=1' was loaded over HTTPS, but requested an insecure stylesheet 'http://app1.example.com/v2022-dev/asset/plugins/datatables-bootstrap/dataTables.bootstrap.custom.css'. This request has been blocked; the content must be served over HTTPS
Is it can be handled by caddy or there’s should be some changes in my code?
I also try to issue certificate using caddy. The certificate issued successfully, no error on caddy logs. But the browser end up with too many redirects error. I am using this caddyfile:
Currently, I add header Content-Security-Policy "upgrade-insecure-requests" to caddyfile. So far it resolved the problems, here are my final caddyfile:
Your upstream app needs to be updated to produce URLs with the same scheme as the incoming requests (or just use //app1.example.com, i.e. no scheme, which will let browsers use the appropriate scheme, or use absolute URLs with no hostname in it which would be even better).
After a quick check, might be there’s a mistake on how to automatically detect https/http on our base_url variable.
We use this snippets to detect https/http inside our config PHP app: