Caddy and DNS Redirect

1. The problem I’m having:

I would like to be able to run my Caddy reverse proxy on a linode. All of my services are hosted on premises. I have my local server connected to the linode via tailscale. When I am on my LAN or my tailscale network, I do not want all my traffic to proxy through my linode.

When I was using traefik (locally) I simply set a DNS Redirect rule in AdGuard. Now that I have moved my reverse proxy to linode (and switched to Caddy), I can’t quite figure out how to do this. If I only have Caddy on the linode, then all my local traffic is proxied through the linode.

What I’ve shown below is my best attempt to get this to work. The idea is the front end transparently passes everything to the backend Caddyfile, which does all the proxying to services. However, when I do this I get an infinite redirect loop or SSL issues depending on how I set it up.

Sorry if this is an obvious question, still learning the vocabulary.

2. Error messages and/or full log output:

*   Trying 139.144.172.113:443...
* Connected to netdata.cyborgman.me (139.144.172.113) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04
Caddy installed with apt and started with systemd.

b. Command:

sudo systemctl restart caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

Frontend Caddyfile (on linode)

testvm is the hostname as defined in tailscale

{
        debug
}

*.cyborgman.me {
        reverse_proxy testvm
        log {
                output file /var/log/caddy/access.log
        }
}

Backend Caddyfile (on prem)

{
        debug
}

netdata.cyborgman.me {
        reverse_proxy http://localhost:19999
        log {
                output file /var/log/caddy/access.log
        }
}

5. Links to relevant resources:

The situation with Caddy isn’t any different. Caddy doesn’t care what IP address the request comes from (unless you use the bind directive to bind it to a particular listener address).

Using a DNS server in your LAN to change what IP address a domain resolves to is the right way to make devices in your LAN directly reach the server in your LAN.

I’m actually making two changes. Change 1 is switching from traefik to nextcloud. Change 2 is trying to put the reverse proxy in linode.

I think change #2 is where my problem is coming from.

I got it working but am not entirely happy with my solution so hoping something cleaner exists. What I ended up doing was basically mirroring my Caddyfile to both servers. Ideally the internet facing proxy could just forward everything to avoid duplicating effort but I cannot get that working.

Also have a DNS rewrite rule that rewrites cyborgman.me to the local IP address of “testvm”.

Internet Facing Caddyfile

netdata.cyborgman.me {
        reverse_proxy testvm:19999
}

Local Caddyfile

netdata.cyborgman.me {
        reverse_proxy http://localhost:19999
}
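One way to get the forwarding-only frontend the last post says it could not get working, as an added example rather than the poster's own config: the first frontend Caddyfile above proxies to testvm over plain HTTP on port 80, so the backend Caddy answers with its automatic HTTP-to-HTTPS redirect back to the public name, which is the loop described. Proxying over HTTPS with the SNI pinned to the site name avoids that; it assumes "testvm" resolves over tailscale and that the backend holds a certificate for netdata.cyborgman.me that the linode's CA store trusts (for example a public ACME certificate).

```caddyfile
# Internet-facing Caddyfile (linode). Added example, not the poster's config.
# Assumes: "testvm" resolves over tailscale, and the backend Caddy serves a
# certificate for netdata.cyborgman.me that this host's CA store trusts.
netdata.cyborgman.me {
        # Dial the backend over HTTPS so it never answers with its
        # automatic HTTP->HTTPS redirect (the cause of the redirect loop).
        # Caddy passes the incoming Host header through unchanged.
        reverse_proxy https://testvm {
                transport http {
                        # The dial address is "testvm", so pin the SNI to
                        # the site name the backend actually has a cert for.
                        tls_server_name netdata.cyborgman.me
                }
        }
        log {
                output file /var/log/caddy/access.log
        }
}

# On-prem Caddyfile (testvm): same as the poster's backend config.
# LAN and tailscale clients reach it directly via the AdGuard DNS rewrite,
# so only traffic from the internet traverses the linode.
netdata.cyborgman.me {
        reverse_proxy http://localhost:19999
}
```

If the backend ever switches to a locally issued certificate, the frontend's transport block would additionally need `tls_trusted_ca_certs` pointing at that CA rather than `tls_insecure_skip_verify`, which would remove the hop's server authentication.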
