1. Output of caddy version
:
2.6.1
2. How I run Caddy:
docker container with docker compose
a. System environment:
Ubuntu Server w/ Docker 20.10.18
b. Command:
docker compose up -d
c. Service/unit/compose file:
services:
caddy:
container_name: caddy
build:
context: ./
dockerfile: Dockerfile
networks:
- caddy-net
ports:
- 80:80
- 443:443
environment:
LOG_FILE: ~/server/logs/caddy/access.log
DOMAIN: jlr.lol
EMAIL: emailredacted@zoho.com
DUCKDNS_API_TOKEN: ${DUCKDNS_TOKEN}
BOUNCER_CADDY_TOKEN: 0740e7d77e70f43e8ce143e27dd2718b
PORT_HTPC_HTTP: ${PORT_HTPC_HTTP}
PORT_HTPC_REQUESTS: ${PORT_HTPC_REQUESTS}
PORT_UPKUMA: ${PORT_UPKUMA}
labels:
- "diun.enable=true"
volumes:
- ./Caddyfile:/etc/caddy/Caddyfile:ro # Required. Needs to be an extension-less file NOT a directory
- ~/server/config/caddy:/data # Optional, house for certs. Caddy adds its own /caddy/ directory
- ~/server/config/caddy:/config # Optional, JSON Config files. Caddy adds its own /caddy/ directory
- ~/server/logs/caddy:/server/logs/caddy
- ~/docker/caddy/users.json:/etc/caddy/auth/local/users.json #auth db
healthcheck:
test: ["CMD", "caddy", "version"]
restart: unless-stopped
networks:
caddy-net:
name: caddy-net
external: true
d. My complete Caddy config:
{ # Global options block. Entirely optional, https is on by default
email redactedemail@zoho.com # Optional email key for lets encrypt
debug # this is optional; makes Caddy log more details
acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
order crowdsec first # this ensures that the CrowdSec module is executed before any other HTTP handlers
crowdsec {
api_url http://crowdsec:8080/ # the URL where your CrowdSec LAPI can be reached. Caddy connects directly, so use the default port 8080
api_key 0740e7d77e70f43e8ce143e27dd2718b # the secret API key for the bouncer to authenticate against LAPI
}
auth.jlr.lol {
header {
server #anonymizes Caddy
# disable FLoC tracking
Permissions-Policy interest-cohort=()
# enable HSTS
Strict-Transport-Security max-age=31536000;
# disable clients from sniffing the media type
X-Content-Type-Options nosniff
# clickjacking protection
X-Frame-Options DENY
# keep referrer data off of HTTP connections
Referrer-Policy no-referrer-when-downgrade
}
encode zstd gzip
crowdsec
reverse_proxy https://authentik_server_1:9443
log {
level ERROR
output file {$LOG_FILE} {
roll_size 3MiB
roll_keep 5
roll_keep_for 24h
format json }
}
www.jlr.lol {
redir jlr.lol
}
3. The problem I’m having:
4. Error messages and/or full log output:
Curl Output:
curl: (60) SSL certificate problem: self-signed certificate More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
Logs:
{"level":"error","ts":1665548013.0090258,"logger":"http.log.error.log3","msg":"x509: certificate signed by unknown authority","request":{"remote_ip":"73.254.98.51","remote_port":"10113","proto":"HTTP/2.0","method":"GET","host":"auth.jlr.lol","uri":"/","headers":{"Sec-Ch-Ua-Platform":["\"Windows\""],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36 Edg/106.0.1370.37"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua":["\"Chromium\";v=\"106\", \"Microsoft Edge\";v=\"106\", \"Not;A=Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Cache-Control":["max-age=0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"auth.jlr.lol"}},"duration":0.043758474,"status":502,"err_id":"qibtyttsz","err_trace":"reverseproxy.statusError (reverseproxy.go:1271)"}
5. What I already tried:
No one seems to use Caddy and Authentik for examples online so I couldn’t find many examples linking the two.