Bitwarden - Caddy - Tailscale

TL;DR

I believe I am very close to getting this all working. As this is my first use of Caddy, I would like some help with my settings/Caddyfile please.

I am using a VPN for my Docker containers, e.g. Home Assistant. Everything works great. I'd rather not open a port on my router. The only container I have that requires an HTTPS connection is Bitwarden.

Tailscale has HTTPS and MagicDNS. I have created the tail cert and that seems ok. But when I put in the MagicDNS URL it takes me to the Unraid server, not the Bitwarden URL. Here is my simple Caddyfile:

NB: 100.28.311.152 is the Tailscale URL

apple.uptom.ts.net

reverse_proxy 100.28.311.152:4743

I have also tried with the internal URL.

apple.uptom.ts.net

reverse_proxy 192.168.1.478:4743

If I put “apple.uptom.ts.net” in my browser it takes me to a non-secure front page from Unraid, not Bitwarden.

If I use HTTPS I get:
“This site can’t be reached”

Any help would be appreciated.

1. Caddy version (caddy version):

Cannot run, latest Alpine version

2. How I run Caddy:

Unraid Docker

a. System environment:

Unraid 6.9.2 Docker

b. Command:

N/A

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

apple.uptom.ts.net

reverse_proxy 100.28.311.152:4743

3. The problem I’m having:

On install I get this error:

4. Error messages and/or full log output:

This site can’t be reached

apple.uptom.ts.net refused to connect.

Try:

ERR_CONNECTION_REFUSED

5. What I already tried:

Changing my Caddyfile.

6. Links to relevant resources:

My log

{"level":"info","ts":1651908234.5958538,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1651908234.5969832,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1651908234.5970902,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1651908234.5971065,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1651908234.597194,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00030e4d0"}
{"level":"info","ts":1651908234.5974722,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1651908234.597706,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1651908234.597715,"msg":"serving initial configuration"}
{"level":"info","ts":1651908234.5996919,"logger":"tls","msg":"finished cleaning storage units"}

I think you probably have Unraid listening on ports 80/443, and not Caddy. So when you make a request to apple.uptom.ts.net without specifying a port, it uses the default HTTP or HTTPS port (80 and 443 respectively), which hits Unraid.

From your other post, I think you’re binding Caddy to port 2080 and 2443.

Unfortunately, only one program can listen on a port at a time. I’d typically recommend configuring Unraid to change its default port to something else, then having Caddy bind to 80/443, then make Caddy reverse_proxy to Unraid, with a domain like unraid.uptom.ts.net I guess.

Thank you for the quick reply.

I have changed the Ports for both 80 and 443 on Unraid to 8180 and 4443 respectively.

I have pointed Caddy to 80 and 443 in the docker settings.

Certs are still unchanged.

But if I point to apple.uptom.ts.net it does not resolve.

How would I make Caddy reverse_proxy to Unraid, with a domain like unraid.uptom.ts.net?

A small issue is that Tailscale's tunnel address no longer works. I have to put :8180 at the end to have it resolve.

My logs again

{"level":"info","ts":1651912711.89546,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1651912711.8964903,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"info","ts":1651912711.8966317,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1651912711.8966403,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1651912711.8971055,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1651912711.8974762,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1651912711.8975077,"msg":"serving initial configuration"}
{"level":"info","ts":1651912711.8975532,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000467f80"}
{"level":"info","ts":1651912711.9017496,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1651912716.6354978,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1651912716.635517,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1651912716.6378062,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000467f80"}
{"level":"info","ts":1651912716.6400025,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1651912716.6400146,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1651912717.257324,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1651912717.259935,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1651912717.2621439,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000f4ee0"}
{"level":"info","ts":1651912717.2620902,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1651912717.2654002,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1651912717.2701452,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1651912717.277159,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1651912717.2771833,"msg":"serving initial configuration"}
{"level":"info","ts":1651912717.2988515,"logger":"tls","msg":"finished cleaning storage units"}

I am also trying to set up HTTPS with Caddy and Tailscale; I couldn’t make it work with Docker either. Currently trying with just a plain Ubuntu VM on my Proxmox.

Installed Caddy 2.5.1 and did the tailscale cert command. But I am still not able to communicate over https://HOSTNAME.xx.ts.net; it gives me a cert error.

I also want to set this up for Bitwarden (and to be able to cast with Jellyfin to Chromecast, which needs HTTPS).

Caddy will try to communicate with the Tailscale unix socket to fetch the certificate. So you probably need to mount the tailscale socket from your host machine as a volume on the Caddy container.

The default location that it looks for the socket file is /var/run/tailscale/tailscaled.sock, so try to set up that mount.

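Putting the two replies together, here is an added example Caddyfile (not from the original thread or the Caddy project) for the setup the poster described: Unraid's HTTP UI moved to 8180, Caddy holding host ports 80/443, and the host's tailscaled socket mounted into the Caddy container so Caddy can fetch the *.ts.net certificate. The hostnames, backend address and ports are the thread's own values; the second site block is an assumption that only works if a tailnet node is actually named unraid.

```caddyfile
# Added example, not from the thread. Assumes:
#   - Caddy is bound to host ports 80 and 443 (Unraid moved to 8180/4443)
#   - /var/run/tailscale/tailscaled.sock from the host is mounted into the
#     container at the same path, so Caddy can ask tailscaled for the cert
#   - 192.168.1.478 is the Unraid host address used in the thread

# Bitwarden on the node's own MagicDNS name (this is the name Tailscale
# will issue a certificate for). Backend is plain HTTP inside the LAN.
apple.uptom.ts.net {
    reverse_proxy 192.168.1.478:4743
}

# Unraid web UI, now on 8180 so it no longer collides with Caddy on 80/443.
# Caveat: Tailscale issues certificates per node name, so "unraid" must be
# a real node on the tailnet; a made-up label under uptom.ts.net will not
# get a certificate and the HTTPS handshake will fail.
unraid.uptom.ts.net {
    reverse_proxy 192.168.1.478:8180
}
```

On the Docker side the container needs the ports and the socket, e.g. `-p 80:80 -p 443:443 -v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock`. If the socket is missing or not readable by the Caddy process, the "This site can't be reached" / cert error symptoms from the thread are what you will see.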