Caddy as reverse proxy for docker services

1. Caddy version (caddy version):


v2.5.0

2. How I run Caddy:


Revers Proxy

a. System environment:


caddy runs as docker container on

Sles 15 wiht docker version: 20.10.12-ce

b. Command:


docker-compose up -d

c. Service/unit/compose file:


version: "3"

services:

  caddy:

    container_name: caddy

    build:

     context: .

     dockerfile: Dockerfile

    volumes:

     - ./Caddyfile:/etc/caddy/Caddyfile

     - ./data/caddy:/data

     - ./config:/config

    ports:

     - 80:80

     - 443:443

    network_mode: "host"

Promtail docker-compose file:


version: "3"

services:

  grafana:

    container_name: grafana

    user: "0:0"

    image: /grafana/grafana:latest

    restart: always

    depends_on:

      - prometheus

      - promtail

    volumes:

      - ./conf/grafana/provisioning/datasources:/etc/grafana/provisioning/datasources

      - ./conf/grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards

      - ./data/grafana:/var/lib/grafana

    environment:

     GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}

     GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}

     GF_USERS_VIEWERS_EDIT: "true"

    # GF_SERVER_ROOT_URL: {{ gf_server_root_url }}

     GF_SERVER_DOMAIN: example.com

     GF_SERVER_ROOT_URL: https://example.com/grafana/

     GF_SERVER_SERVE_FROM_SUB_PATH: "true"

    network_mode: "host"

  promtail:

    container_name: promtail

    image: /grafana/promtail:latest

    restart: always

    environment:

      - TZ=Europe/Berlin

    command: -config.file=/etc/promtail-config/promtail.yml

    volumes:

      - ./conf/promtail/promtail.yml:/etc/promtail-config/promtail.yml

      - /var/lib/docker/containers:/var/lib/docker/containers:ro

      - /var/log/:/var/log/:ro

    network_mode: "host"

        

  prometheus:

    container_name: prometheus

    user: "0"

    image: prom/prometheus:latest

    network_mode: "host"

    volumes:

      - ./conf/prometheus:/etc/prometheus

      - ./data/prometheus:/prometheus

      - /etc/timezone:/etc/timezone:ro

      - /etc/localtime:/etc/localtime:ro

    command:

      - '--storage.tsdb.retention.time=1w'            

      - '--storage.tsdb.retention.size=800MB'

      - '--log.level=error'        

      - '--storage.tsdb.wal-compression'          

      - '--config.file=/etc/prometheus/prometheus.yml'

      - '--web.enable-lifecycle'                      

      - '--web.enable-admin-api'                      

      - '--storage.tsdb.path=data/'

     # - '--web.config.file=/etc/prometheus/web.yml'            

d. My complete Caddyfile config:


example.com {

    handle /grafana* {

        reverse_proxy 127.0.0.1:3000

    }

    handle /promtail* {

        reverse_proxy 127.0.0.1:9080

    }

    handle /prometheus* {

        reverse_proxy 127.0.0.1:9000

    }

    }

3. The problem I’m having:


I want to run the containers behind the reverse proxy, and encrypt the connection to individual services via HTTPS. I have a domain e.g. "example.com" and my services should be reached via the domain. e.g.

example.com/grafana

example.com/promtail

example.com/prometheus

With the attached caddyfile I can only reach Grafana, all other services are returned with 404.

4. Error messages and/or full log output:


{"level":"warn","ts":1652266503.1458752,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [example.com]: no OCSP server specified in certificate","identifiers":["example.com"]}

5. What I already tried:


If I configure so denn Caddyfile, then it works.

 example.com

       reverse_proxy /grafana* 127.0.0.1:3000

6. Links to relevant resources:

When in Docker, 127.0.0.1 (a.k.a. localhost) refers to this container, so Caddy is trying to connect to something within the same container. Which won’t work.

You should use the container name of the other containers to connect to them.

Also, I strongly recommend using subdomains for each service, instead of using subpaths:

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.