I’m a web/networking noob, so forgive me in advance for any murdering of terms or standards I do; most of my expertise is in servers and endpoints, etc.
I host a ton of homelab stuff that I make internet accessible to learn as much as I can about the end-to-end of it all. I have just enabled and configured IPv6 addressing at home so I have some more public addresses, but to access my lab stuff from work (IPv4-only) I need to dual stack (I think I’m using the term right), which means keeping the reverse proxy active to proxy the v4 requests through the v4 interfaces.
I have an RDS farm which, long story short, I need to use my proper cert for. It all works on v6, but via Caddy functionality breaks because it’s using the Let's Encrypt cert and it’s expecting my signed cert.
Is there a way to tell Caddy to just forward requests for a subdomain without attaching a Let's Encrypt cert to it? I’ve tried the tls tag, but that only works for port 80; when the RDS servers redirect to 443 the client gets a 404 back (because according to Caddy it doesn’t exist).
I’m assuming I could get Caddy to use my signed cert for that one subdomain, but I still don’t know how the double encryption etc. affects it.
If you can pull the cert and key from your RDS farm and supply it to Caddy, it can present that to your clients. The double encryption shouldn’t be a problem; you’ll just have to make sure that Caddy trusts the RDS farm’s certificate for valid HTTPS all the way through. Caddy effectively acts as an (authorized) man-in-the-middle between the RDS farm and the client.
You’ll want to use the syntax tls cert key for this subdomain.
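The setup the reply above describes, written out as an added example that is not part of the thread and not taken from the Caddy project's docs. It uses Caddy v1 Caddyfile syntax, which is what this 2019 thread is using. The hostname rds.example.com, the Windows certificate paths and the hosts-file entry are assumptions; the upstream IP 172.30.250.66 is the one in the thread's log lines.

```caddyfile
# Added example (not from the thread). Assumed names: rds.example.com, C:\caddy\certs\*.
# Assumed hosts-file entry on the Caddy box only:  172.30.250.66  rds.example.com
# That makes Caddy dial the internal RDS IP while still sending the public name as SNI,
# matching it against the wildcard cert, and forwarding the same name as the Host header.

rds.example.com {
    # Present the purchased wildcard cert instead of a Let's Encrypt one, so clients see
    # the same cert the RDS farm is already using. Giving tls a cert and key disables ACME
    # for this site, so no Let's Encrypt cert is attached to it.
    tls C:\caddy\certs\wildcard.example.com.crt C:\caddy\certs\wildcard.example.com.key

    # Re-encrypt to the upstream over HTTPS. Because the upstream is named, not an IP,
    # Caddy (Go's TLS client) verifies the upstream's wildcard cert against that name.
    proxy / https://rds.example.com {
        transparent   # forward Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto to RDWeb
        websocket     # the RD Web Client under /RDWeb/webclient upgrades connections
    }
}

# Weaker variant, shown for comparison and deliberately left commented out.
# Proxying to the bare IP means Go's TLS client sends no SNI (it omits SNI for IP literals)
# and a wildcard cert for *.example.com can never validate against 172.30.250.66, so the
# only way to make it work is to switch upstream verification off entirely.
#
# rds.example.com {
#     tls C:\caddy\certs\wildcard.example.com.crt C:\caddy\certs\wildcard.example.com.key
#     proxy / https://172.30.250.66 {
#         transparent
#         insecure_skip_verify   # disables upstream cert checking: troubleshooting only
#     }
# }
```

The hosts-file entry goes on the Caddy box alone; it only changes where that machine resolves rds.example.com for its outbound connection, and Caddy does not need to resolve its own site name to serve it. Keep `insecure_skip_verify` out of the running config once the named-upstream form works, since with it Caddy would accept any certificate, or none of the protections of the "HTTPS all the way through" the reply asks for.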
The RDS Farm is using the wildcard cert I bought, so no internal CA there.
I put the subdomain in as below. The root is displaying the IIS standard page but with the Let's Encrypt cert (probably because the root isn’t encrypted on the server??); trying to navigate to the RDS login page /RDWeb/ gives me an ERR_TOO_MANY_REDIRECTS error.
Should that be https://IP or IP:443? Does it matter?
I tried both and now still get the IIS root page OK with the Let's Encrypt cert, but trying to access /RDWeb redirects to /RDWeb/Pages as expected and then throws a 502.
28/Mar/2019:14:50:45 +1100 [ERROR 502 /] read tcp 172.30.250.253:64895->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.
28/Mar/2019:14:50:45 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64896->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.
28/Mar/2019:14:50:51 +1100 [ERROR 502 /rdweb/webclient/] read tcp 172.30.250.253:64897->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.
28/Mar/2019:14:50:51 +1100 [ERROR 502 /favicon.ico] read tcp 172.30.250.253:64898->172.30.250.66:443: wsarecv: An existing connection was forcibly closed by the remote host.
Oof, 2/3 possibilities guessed and got ’em both wrong. Classic.
So that’s Caddy connecting to your RDS server and trying to read its response in order to pass it back to the client. The RDS server is closing the connection on Caddy.
Does the RDS server work if you point your client directly at its IP address?
Yep, that was the first thing I tried when I got the 502.
The caveat is, Caddy is running on a Server Core install, so I can’t check whether the page loads on the Caddy box specifically. However, a Test-NetConnection succeeds, and a connection from another machine in the same subnet (to rule out the firewall) to that IP works.
Edit: Given the client (work PC) gets the redirect, it (Caddy) must be connecting, at least to start, which made the Test-NetConnection useless, but /shrug