1. Caddy version (caddy version
):
v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=
2. How I run Caddy:
We use caddy as the TLS terminator for shared hosting that forwards requests to apache via http backend. No TLS configuration exists in apache.
a. System environment:
CloudLinux 8.x, caddy as a systemd service.
b. Command:
Paste command here.
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
{
http_port 80
https_port 443
admin 127.0.0.1:8888
log {
output file /var/log/caddy/caddy.log {
roll_size 250MiB
roll_keep_for 15d
}
level INFO
}
on_demand_tls {
#TODO: Re-enable when script is done
#ask https://web23.swisscenter.com/tools/caddy_dns_check.php
interval 2m
burst 5
}
}
(common) {
bind 127.0.0.1 ::1 94.103.96.188 2a00:a500:0:96::188
reverse_proxy 127.0.0.80:80
}
(manager) {
bind 94.103.96.188 2a00:a500:0:96::188
reverse_proxy 127.0.0.1:9000
}
import /etc/caddy/host.conf
import /etc/caddy/customers/*.conf
host.conf
web23.swisscenter.com {
import common
}
manager.web23.swisscenter.com {
@only_obs {
not remote_ip 192.168.50.0/24
}
route @only_obs {
respond "Access denied" 403 {
close
}
}
import manager
}
127.0.0.1, [::1], 94.103.96.188, [2a00:a500:0:96::188] {
import common
tls internal
}
example customers/*.conf
http://cybermind.ch, https://cybermind.ch, http://www.cybermind.ch, https://www.cybermind.ch, http://276668.web23.swisscenter.com, https://276668.web23.swisscenter.com {
import common
tls {
on_demand
}
}
3. The problem Iâm having:
Everything works fine except when dealing with http->https redirects when they are defined by customers or CMSâes in for example .htaccess files.
It goes into infinite loops.
4. Error messages and/or full log output:
Nothing
5. What I already tried:
The reason is obvious. As caddy is talking to apache through http port the some of different variables to check if the client is connecting with https are reporting http.
I tried many ways to try to let know the scripts we are on https:
For example added this global config:
# Let apache know we're behind a SSL reverse proxy (caddy)
SetEnvIf X-Forwarded-Proto "https" HTTPS=on
<IfModule !mod_remoteip.c>
LoadModule remoteip_module lib64/httpd/modules/mod_remoteip.so
</IfModule>
<IfModule mod_remoteip.c>
RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 127.0.0.1/24
</IfModule>
This helps a bit for some situations but not for every one.
The main problem I would say is the redirections in .htaccess
For example the common:
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !=on [NC]
RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [R=301,L]
</IfModule>
The rewriting of HTTPS doesnât work in this case as it seems this variable canât be overwritten at this point.
It is replaced when forwarded to PHP scripts, but not when checked in .htaccess.
I am looking for some advices about what is the best approach to have apache set all itâs variables like if we were truely connecting with https.
A workaround would be to setup some TLS configs in apache too and have caddy really talk https with apache, but thatâs not the goal.
I know itâs more an apache-side issue, but maybe someone has good advice about this ?
I even looked if there was some kind of apache module that could rewrite these variables when knowing that the reverse proxy serves clients with TLS⊠But found nothing (yet).
Thanks a lot for your good advice.