1. Caddy version:
```
$ docker exec caddy caddy version
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
```
2. How I installed, and run Caddy:
Setup using docker compose. I run checkmk as a service and want to use caddy as a reverse proxy to the checkmk web ui in order to handle TLS.
a. System environment:
```
$ uname -a
Linux sentinel 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
$ docker --version
Docker version 20.10.23, build 7155243
$ docker-compose version
docker-compose version 1.29.2, build unknown
docker-py version: <module 'docker.version' from '/usr/local/lib/python3.10/dist-packages/docker/version.py'>
CPython version: 3.10.6
OpenSSL version: OpenSSL 3.0.2 15 Mar 2022
```
b. Command:
Default command of official caddy docker image.
c. Service/unit/compose file:
docker-compose file:

```yaml
services:
  checkmk:
    image: checkmk/check-mk-free:2.1.0p20
    restart: always
    environment:
      - "CMK_SITE_ID=mysite"
      - "CMK_PASSWORD=mypassword"
    volumes:
      - type: bind
        source: /etc/localtime
        target: /etc/localtime
        read_only: true
      - type: volume
        source: checkmk-data
        target: /omd/sites
    tmpfs:
      - /opt/omd/sites/mysite/tmp:uid=1000,gid=1000
    expose:
      - 5000
    ports:
      - 8000:8000
  caddy:
    image: caddy:2.6.2
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - type: volume
        source: caddy-data
        target: /data
      - type: volume
        source: caddy-config
        target: /config
      - type: bind
        source: "/etc/caddy/Caddyfile"
        target: /etc/caddy/Caddyfile
    depends_on:
      - checkmk
volumes:
  caddy-data:
  caddy-config:
  checkmk-data:
```
d. My complete Caddy config:
Caddyfile:

```
{
	email admin@example.com
}

checkmk.example.com {
	reverse_proxy checkmk:5000
}
```
3. The problem I’m having:
The checkmk monitoring service provides a frontend to configure and visualize metrics, alarms, etc. In order to secure the connection to the frontend, I want to use caddy with automatic HTTPS as reverse proxy. Additionally, checkmk communicates with client "agents" on other devices through port 8000. As you can see, I opened it up using `ports:` in the compose file.
With the given caddy config the UI is accessible and gets automatic HTTPS certificates as well as 80->443 redirects.
But when an agent on another device tries to connect to the checkmk server it gets rejected. Probably because caddy blocks this attempt?
4. Error messages and/or full log output:
```
client:~$ sudo cmk-agent-ctl register --hostname client_hostname --server checkmk.example.com --site p8 --user automation --password "ABCDEFGHIJKLMNOPQRSTUVWXYZ" --verbose
INFO [cmk_agent_ctl] starting
INFO [cmk_agent_ctl] Loaded config from '"/var/lib/cmk-agent/cmk-agent-ctl.toml"', legacy pull 'LegacyPullMarker("/var/lib/cmk-agent/allow-legacy-pull")' exists
INFO [cmk_agent_ctl::site_spec] Failed to discover agent receiver port using https, trying http.
INFO [cmk_agent_ctl::site_spec] Failed to discover agent receiver port using http.
ERROR [cmk_agent_ctl] Failed to discover agent receiver port from Checkmk REST API, both with http and https. Run with verbose output to see errors.
```
5. What I already tried:
I tried only listening on ports 80 and 443 for caddy, with

```
{
	email admin@example.com
}

checkmk.example.com:80, checkmk.example.com:443 {
	reverse_proxy checkmk:5000
}
```
Then the agent can connect to port 8000 and can register, but when I now try to access the checkmk web UI, HTTPS does not work anymore.

So, the question is: can I achieve handling traffic on ports 80 and 443 using caddy as reverse proxy, while at the same time letting the checkmk service handle port 8000?
6. Links to relevant resources:
tbd
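As an added example (not part of the original post, and not code from the Caddy or Checkmk projects), here is a small stdlib-only Python diagnostic that tells apart the failure modes that look identical from the agent's side in the log above: the TCP port is closed, the TLS handshake fails, or the proxied service answers with an HTTP error. It assumes the placeholder host name `checkmk.example.com` from the post, with Caddy publishing 80/443 and the checkmk container publishing 8000 itself via the compose `ports:` mapping; `demo_local` is a hypothetical offline check that stands up a throwaway local listener so the probe can be exercised without any network.

```python
"""Reachability diagnostic for a host that publishes several ports.

Added example, not from the original post. It separates three failure
modes that look alike from a client's side: TCP port closed, TLS
handshake failure, and HTTP-level error from the service behind it.
Host names used below are placeholders taken from the post.
"""
import http.client
import socket
import socketserver
import ssl
import threading


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout.

    Answers the narrow question "is anything listening on this port
    from where I stand", independent of what protocol it speaks.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def https_probe(host: str, port: int = 443, path: str = "/",
                timeout: float = 5.0) -> dict:
    """Connect with TLS (certificate verified against the system roots),
    send a GET and report which stage failed, if any.

    A TLS error here means the listener answered but the certificate or
    handshake was rejected; a TCP error means nothing answered at all.
    """
    ctx = ssl.create_default_context()  # verifies chain and host name
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return {"ok": True, "status": resp.status,
                "server": resp.getheader("Server")}
    except ssl.SSLError as exc:          # subclass of OSError, so check first
        return {"ok": False, "stage": "tls", "error": str(exc)}
    except OSError as exc:
        return {"ok": False, "stage": "tcp", "error": str(exc)}
    finally:
        conn.close()


def demo_local() -> tuple:
    """Offline demonstration (hypothetical, constructed for this example):
    a throwaway loopback listener is reachable while it runs and
    unreachable once closed. Returns (reachable_while_up, reachable_after_close).
    """
    class _Quiet(socketserver.BaseRequestHandler):
        def handle(self):
            pass  # accept and drop; we only care that the port answers

    srv = socketserver.TCPServer(("127.0.0.1", 0), _Quiet)  # port 0: pick a free one
    port = srv.server_address[1]
    worker = threading.Thread(target=srv.serve_forever, daemon=True)
    worker.start()
    try:
        up = tcp_reachable("127.0.0.1", port)
    finally:
        srv.shutdown()       # stop serve_forever (called from another thread)
        srv.server_close()   # release the listening socket
    down = tcp_reachable("127.0.0.1", port)
    return up, down


if __name__ == "__main__":
    # Placeholder host from the post; adjust to the host actually being checked.
    for p in (80, 443, 8000):
        print(p, tcp_reachable("checkmk.example.com", p))
    print(https_probe("checkmk.example.com", 443, "/"))
    print(demo_local())
```

Caddy only binds the ports its config asks for, so a connection to 8000 never passes through it; running `tcp_reachable` against 8000 from the agent's machine confirms whether the compose mapping exposes it at all, while `https_probe` against 443 exercises the same path the agent's REST API discovery takes through the proxy, and reports separately whether the TLS handshake or the proxied HTTP response is what fails.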