Caddy behind an Apache reverse proxy


(Marius) #1

Hello!!!

- explain what you are trying to do

I'm trying to use the Caddy web server and reverse proxy behind an Apache reverse proxy.
Caddy and GitLab are both running in Docker.

GitLab is the container I want to proxy to.

The reason it is behind an Apache reverse proxy is that I don't own the network, just one server on it, and the sysadmin already has another web server running on Apache, so for him it was a lot easier to just use that as the reverse proxy to my reverse proxy server.

- show what you have already tried,

My caddy file looks like this

git.exempel.org {
        proxy / 172.20.1.10:8080 {
              transparent
        }
}

and the Apache config looks like this at the moment

        ServerName git.exemple.org

        ProxyRequests Off
        RewriteEngine On
        <Proxy *>
                Order deny,allow
                Allow from all
        </Proxy>
        ProxyErrorOverride On
        ProxyPass / http://172.16.1.20/
        ProxyPassReverse / http://172.16.1.20/
        <Location />
                Order allow,deny
                Allow from all
        </Location>

- include error messages and log output,

The log only logs this:

Activating privacy features... 2018/06/10 21:12:32 [INFO][git.exemple.org] acme: Obtaining bundled SAN certificate
2018/06/10 21:12:33 [INFO][git.exemple.org] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/
2018/06/10 21:12:33 [INFO][git.exemple.org] acme: Could not find solver for: dns-01
2018/06/10 21:12:33 [INFO][git.exemple.org] acme: Trying to solve HTTP-01
2018/06/10 21:12:33 [WARN] Received request for domain 172.16.1.20 with method GET but the domain did not match any challenge. Please ensure your are passing the HOST header properly.
2018/06/10 21:12:38 [git.exemple.org] failed to get certificate: acme: Error 403 - urn:ietf:params:acme:error:unauthorized - The key authorization file from the server did not match this challenge [] != [TEST]
exit status 1

(Matthew Fay) #2

Hi @xaner4,

Thanks for the comprehensive explanation of your issue. Luckily, the logs make it pretty clear what’s going wrong at the moment and what you’ll need to do to fix it.

In a normal setup, when Caddy requests an ACME certificate, Let's Encrypt checks DNS and issues a challenge to Caddy. When Caddy gives the correct response, the certificate is issued.

With Apache in the middle, Let's Encrypt has to talk to Apache first, which then passes the request back to Caddy. By default, though, Apache doesn't preserve the original client's Host header. This creates a problem when Caddy gets the proxied request, because Caddy can't determine which website Let's Encrypt's challenge is for, and so can't respond correctly.

To tell Apache to preserve the original Host header, you’ll need to use ProxyPreserveHost On in your Apache configuration for the reverse proxy.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html#ProxyPreserveHost

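To make the mechanism in the reply above concrete, here is an added example that is not code from the original thread, from Caddy or from Apache: a stand-alone model of an ACME HTTP-01 validation passing through a reverse proxy. The key authorization is computed as RFC 8555 section 8.1 specifies (token, a dot, then the RFC 7638 JWK thumbprint of the account key), the solver keys pending challenges by the domain it sees in the Host header, and the `apache_proxy` function models mod_proxy rewriting Host to the ProxyPass target unless `ProxyPreserveHost` is on. The JWK, token and the `Http01Solver`/`apache_proxy`/`ca_validates` names are constructed for illustration; the addresses are the ones from the thread's Apache config.

```python
# Added example (not code from the original thread, Caddy or Apache): model of
# an ACME HTTP-01 validation that crosses a reverse proxy, showing why the
# Host header decides whether the backend can answer the challenge.
#
# Key authorization per RFC 8555 s8.1: token "." thumbprint, where the
# thumbprint is the RFC 7638 JWK thumbprint of the ACME account key.
# The JWK, token, domain and addresses below are constructed for illustration.
from __future__ import annotations

import base64
import hashlib
import json

ACME_PATH_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Body the challenge URL must return: token.thumbprint (RFC 8555 s8.1)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class Http01Solver:
    """Backend (Caddy-side) solver. Pending challenges are keyed by domain, and
    the Host header of the incoming request is what selects the domain."""

    def __init__(self, account_jwk: dict):
        self.account_jwk = account_jwk
        self.pending: dict[str, str] = {}   # domain -> token
        self.log: list[str] = []

    def present(self, domain: str, token: str) -> None:
        self.pending[domain] = token

    def handle(self, host: str, path: str) -> tuple[int, str]:
        """Serve GET <path> for Host <host>; 404 unless a pending challenge matches."""
        if not path.startswith(ACME_PATH_PREFIX):
            return 404, ""
        token = path[len(ACME_PATH_PREFIX):]
        if self.pending.get(host) != token:
            # Same situation as the [WARN] line in the thread: the Host value
            # (here the backend IP) matches no pending challenge.
            self.log.append(f"[WARN] Received request for domain {host} with "
                            f"method GET but the domain did not match any challenge.")
            return 404, ""
        return 200, key_authorization(token, self.account_jwk)


def apache_proxy(solver: Http01Solver, backend: str, host: str, path: str,
                 preserve_host: bool) -> tuple[int, str]:
    """Model of mod_proxy: with ProxyPreserveHost Off (the default) the Host
    header sent upstream is rewritten to the ProxyPass target."""
    upstream_host = host if preserve_host else backend
    return solver.handle(upstream_host, path)


def ca_validates(solver: Http01Solver, backend: str, domain: str, token: str,
                 preserve_host: bool) -> bool:
    """CA side: fetch the challenge URL for <domain> through the proxy and
    compare the body with the expected key authorization."""
    status, body = apache_proxy(solver, backend, domain,
                                ACME_PATH_PREFIX + token, preserve_host)
    return status == 200 and body == key_authorization(token, solver.account_jwk)


# Constructed inputs: a dummy RSA JWK (not a real key), the token from the
# thread's log, and the backend address from the thread's ProxyPass line.
ACCOUNT_JWK = {"kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbW", "e": "AQAB"}
DOMAIN = "git.exemple.org"
BACKEND = "172.16.1.20"
TOKEN = "TEST"


def run_both_cases() -> dict[str, bool]:
    """Validate once with ProxyPreserveHost Off and once with it On."""
    results: dict[str, bool] = {}
    for preserve in (False, True):
        solver = Http01Solver(ACCOUNT_JWK)
        solver.present(DOMAIN, TOKEN)
        label = "ProxyPreserveHost On" if preserve else "ProxyPreserveHost Off"
        results[label] = ca_validates(solver, BACKEND, DOMAIN, TOKEN, preserve)
    return results


if __name__ == "__main__":
    for setting, ok in run_both_cases().items():
        print(f"{setting}: {'certificate issued' if ok else 'validation failed'}")
```

With `preserve_host=False` the solver receives Host `172.16.1.20`, logs the same warning the thread shows, and the CA gets an empty body, which is exactly the `[] != [TEST]` mismatch in the log; with `preserve_host=True` the Host `git.exemple.org` selects the pending challenge and validation succeeds. One related caveat on the posted Apache config: `ProxyErrorOverride On` makes Apache replace any backend error response with its own ErrorDocument, so a generic Apache "Internal Server Error" page tells you only that the upstream returned an error status, and the real cause has to be read from Caddy's and the application's logs.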

(Marius) #3

Thanks, that worked for the SSL, so now I have SSL. :smiley:
But I still can't get to GitLab :frowning:
But I think that is GitLab's fault.

Internal Server Error

The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at hjelp@exempel.org to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

(Matthew Fay) #4

Yep, you’ll need to have a peek in the app’s own logs for clues on that one, unfortunately.