Caddy behind Cloudflare SSL

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:

Package manager for Ubuntu (APT)

a. System environment:

Ubuntu 22.04.1 LTS

b. Command:

sudo systemctl reload caddy

c. Service/unit/compose file:

Not using Docker

d. My complete Caddy config:

{
    on_demand_tls {
        ask https://webhook.site/275424e6-4864-4743-b8c6-c9328aa2cfbf
    }
}

:443
tls {
    on_demand
}

.example.app {
    file_server
    reverse_proxy 127.0.0.1:3000
    tls /etc/ssl/certs/cfcertificate.pem /etc/ssl/private/cfprivate.pem
}

3. The problem I’m having:

I’m trying to run Caddy behind Cloudflare Proxy using Cloudflare SSL for SaaS. I’m unable to serve the app via Caddy with SSL via Cloudflare, since the SSL handshake fails. This happens when a custom domain is mapped to cname.example.app and I try to access that domain.

The origin domain (example.app) certificate was provisioned using Cloudflare Origin Certificate and Caddy is configured to use that.

4. Error messages and/or full log output:

5. What I already tried:

  1. Removing the Orange Cloud icon to pass requests directly to Caddy.

6. Links to relevant resources:
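The `ask` directive in the posted config points at a webhook.site URL, which answers 200 for anything and so lets Caddy issue a certificate for any hostname pointed at the server. As an added example that is not from this thread or the Caddy project, here is a minimal allowlist endpoint for that directive; the customer domain set and the listen port are assumptions.

```python
# Added example: an `ask` endpoint for Caddy's on_demand_tls global option.
# Caddy sends GET <ask-url>?domain=<name> before issuing a certificate and
# proceeds only on a 200 response, so this endpoint is the control that keeps
# arbitrary hostnames from consuming issuance quota or rate limits.
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: custom domains customers have CNAMEd to cname.example.app.
CUSTOMER_DOMAINS = {"shop.customer-one.com", "app.customer-two.org"}


def normalize(domain: str) -> Optional[str]:
    """Lower-case, strip a trailing dot, and reject anything that is not a
    plain hostname (wildcards, ports, empty or over-long labels)."""
    d = domain.strip().lower().rstrip(".")
    if not d or len(d) > 253 or "*" in d or ":" in d:
        return None
    labels = d.split(".")
    if any(not lbl or len(lbl) > 63 or not lbl.replace("-", "").isalnum()
           for lbl in labels):
        return None
    return d


def domain_allowed(domain: str, registry=CUSTOMER_DOMAINS) -> bool:
    """Exact-match policy: only a domain a customer registered may get a cert."""
    d = normalize(domain)
    return d is not None and d in registry


class AskHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query)
        domain = query.get("domain", [""])[0]
        # 200 tells Caddy to issue; any other status denies issuance.
        self.send_response(200 if domain_allowed(domain) else 403)
        self.end_headers()


if __name__ == "__main__":
    # Assumed port; point `ask http://127.0.0.1:9000/` at it in the Caddyfile.
    HTTPServer(("127.0.0.1", 9000), AskHandler).serve_forever()
```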

The wildcard matcher is actually *.example.com

And caddy can be configured to issue its own certificate using Cloudflare DNS. Then the “Full (Strict)” mode proxy should work.

You should not need an origin certificate. If caddy has its own cert, and Cloudflare Edge has its own, then Full (Strict) mode works on its own for me.

Thanks for the suggestion @victor. Appreciate it. I’m going to try this now. Do you think this is the way my customers can configure custom domains as well?

It’s hard for me to say. I don’t have any experience with this. I know caddy can do that, but I don’t know if cloudflare can do wildcard domains.

EDIT: Wildcard DNS records · Cloudflare DNS docs

It looks like it is supported.

Your Caddyfile is invalid.
Caddy shouldn’t even be able to start.
Are you sure the posted Caddyfile is the one you are running?

You can use caddy validate to check it before running systemctl reload caddy.

Also note, that Caddy won’t load your invalid config with systemctl reload caddy.
It will keep using the previous version.
Check your logs.
You can also enable debug logging with the debug global option.
