1. The problem I’m having:
Hi, I’m having difficulty setting up an application service under Docker Compose which makes use of caddy-docker-proxy and Cloudflare Argo Tunnels. Specifically, I am trying to add basic_auth to the root of a Gerrit service container and am encountering 2 different failure modes:
- Cloudflare returns a Bad Gateway (502) when I try to access my server, and `docker compose logs` on the Caddy container gives the diagnostic in [1].
- The basic auth dialog is never presented and Gerrit redirects me to a login page notifying me that there is no Authentication header, and nothing seems to have worked.
There doesn’t seem to be any rhyme or reason as to why either failure mode occurs. Restarting any combination of services can enter a different one.
2. Error messages and/or full log output:
[1]

```
caddy | {"level":"error","ts":1705774799.259001,"logger":"docker-proxy","msg":"Error response from server","server":"localhost","status code":400,"body":"{\"error\":\"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: account 0: username and password are required\"}\n"}
```
This error almost suggests to me that Cloudflare is trying to do some kind of liveness check on the connector and can’t get through because it’s failing auth? Do I need to add some exception for accesses from Cloudflare? How would I do that?
3. Caddy version:
v2.7.6 as built using:

```dockerfile
ARG CADDY_VERSION=2.7.6
FROM caddy:${CADDY_VERSION}-builder AS builder
RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/greenpau/caddy-security
FROM caddy:${CADDY_VERSION}-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
CMD ["caddy", "docker-proxy"]
```
4. How I installed and ran Caddy:
a. System environment:
Fedora Linux 39 (Workstation Edition) x86_64 with docker-ce 25.0.0
b. Command:
```
docker compose up -d
```
c. Service/unit/compose file:
Compose file for cloudflared:

```yaml
version: '3.4'
services:
  cloudflared:
    image: msnelling/cloudflared
    container_name: cloudflared
    volumes:
      - ./config:/etc/cloudflared
    command: [sh, -c, ( echo "cat <<EOF" ; cat /etc/cloudflared/config.yml.template ; echo EOF ) | sh > /etc/cloudflared/config.yml && /usr/local/bin/cloudflared tunnel cleanup $TUNNEL_UUID && /usr/local/bin/cloudflared tunnel --no-autoupdate run]
    env_file:
      - .env
    restart: always
    extra_hosts:
      - "host.docker.internal:host-gateway"
    networks:
      - cloudflared
networks:
  cloudflared:
    name: cloudflared
```
Compose file for Caddy:

```yaml
version: "3.9"
services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    image: caddy:v2.7.6
    container_name: caddy
    labels:
      caddy:
      caddy.debug:
      caddy.email: "{env.EMAIL}"
      # Caddy runtime placeholders use the {env.NAME} form; {env:NAME} is not expanded
      caddy.acme_dns: "cloudflare {env.CF_API_TOKEN}"
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    env_file:
      - .env
    networks:
      - caddy
      - cloudflared
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/benjaminmordaunt/phorge/caddy/data:/data
      - /home/benjaminmordaunt/phorge/caddy/config:/config
    restart: unless-stopped
networks:
  caddy:
    external: true
    name: caddy
  cloudflared:
    external: true
    name: cloudflared
```
Compose file for Gerrit:

```yaml
version: '3.7'
services:
  gerrit:
    image: gerritcodereview/gerrit:3.9.1
    networks:
      - caddy
    volumes:
      - ./gerrit_etc:/var/gerrit/etc/
    labels:
      caddy: neocake.me
      caddy.basicauth: /*
      caddy.basicauth.neocake: "{env.HASHED_PASSWORD}"
      caddy.reverse_proxy: "{{upstreams 80}}"
networks:
  caddy:
    external: true
```
d. My complete Caddy config:
This is entirely handled by docker-proxy labels above.
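The error in [1] is raised by Caddy when it loads the config that caddy-docker-proxy generated from the Gerrit labels, so it can only be seen after deployment. As an added example (not from the post, caddy-docker-proxy or Caddy), the Python below approximates the label-to-Caddyfile flattening for a single service and lints the labels before `docker compose up`: it flags `{env.NAME}` placeholders that are unset in the Caddy container (which is where they resolve, not in the Gerrit container) and the malformed `{env:NAME}` spelling. The label dictionary and environment are constructed from the compose files above.

```python
import re

# Constructed from the Gerrit service's caddy-docker-proxy labels in the post.
GERRIT_LABELS = {
    "caddy": "neocake.me",
    "caddy.basicauth": "/*",
    "caddy.basicauth.neocake": "{env.HASHED_PASSWORD}",
    "caddy.reverse_proxy": "{{upstreams 80}}",
}

ENV_PLACEHOLDER = re.compile(r"\{env\.([A-Za-z_][A-Za-z0-9_]*)\}")
BAD_PLACEHOLDER = re.compile(r"\{env:[^}]*\}")  # colon form is not a Caddy placeholder


def labels_to_caddyfile(labels):
    """Approximate caddy-docker-proxy's flattening: 'caddy' is the site address,
    'caddy.x' a directive with args, 'caddy.x.y' a nested line inside x's block."""
    site = labels.get("caddy", "")
    children = {}
    for key, value in labels.items():
        parts = key.split(".")
        if len(parts) < 2:
            continue
        node = children.setdefault(parts[1], {"args": "", "sub": []})
        if len(parts) == 2:
            node["args"] = value
        else:
            node["sub"].append(f"{'.'.join(parts[2:])} {value}")
    lines = [f"{site} {{"]
    for name, node in children.items():
        head = f"\t{name} {node['args']}".rstrip()
        if node["sub"]:
            lines.append(head + " {")
            lines.extend(f"\t\t{s}" for s in node["sub"])
            lines.append("\t}")
        else:
            lines.append(head)
    lines.append("}")
    return "\n".join(lines)


def lint_labels(labels, caddy_env):
    """Return problems that would otherwise surface only when Caddy loads the config."""
    problems = []
    for key, value in labels.items():
        if BAD_PLACEHOLDER.search(value):
            problems.append(f"{key}: '{value}' uses {{env:NAME}}; Caddy expects {{env.NAME}}")
        for var in ENV_PLACEHOLDER.findall(value):
            if not caddy_env.get(var):  # resolves to "" -> e.g. basic_auth account with no password
                problems.append(f"{key}: {{env.{var}}} is unset or empty in the Caddy container")
    return problems
```

Run `lint_labels(GERRIT_LABELS, os.environ)` from inside the Caddy container (or with the `.env` the Caddy service loads) to reproduce the "username and password are required" condition without restarting the stack.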