Caddy behind http caddy

1. My Caddy version (caddy -version):

1.0.4 (Both Public Caddy/Internal Caddy)

2. How I run Caddy:

Public Caddy (Ubuntu 18.0.4, installed via bash) runs on the profile-based default caddy.service, with Cloudflare credentials added, and has been running fine for about a year.

Internal (FreeBSD - Freenas Jail)

a. System environment:

OS, relevant versions, systemd? docker? etc.
Ubuntu 18.0.4 (Public)
Freenas 11.2 U7 (Internal)

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile:

Public

*public domain* {
    tls {
        dns cloudflare
    }
    proxy / 192.168.100.6:1000 {
        websocket
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-For {remote}
        header_upstream X-Forwarded-Proto {scheme}
    }
}


Internal

192.168.100.6:1000 {

	root   /usr/local/www/nextcloud
	log    /var/log/nextcloud_access.log
	errors /var/log/nextcloud_errors.log

	fastcgi / 127.0.0.1:9000 php {
		env PATH /bin
		env modHeadersAvailable true
		env front_controller_active true
		connect_timeout 60s
		read_timeout 3600s
		send_timeout 300s
	}

	header / {
		Strict-Transport-Security		"max-age=15768000;"
		X-Content-Type-Options			"nosniff"
		X-XSS-Protection			"1; mode=block"
		X-Robots-Tag				"none"
		X-Download-Options			"noopen"
		X-Permitted-Cross-Domain-Policies	"none"
		Referrer-Policy				"no-referrer"
	}

	header /core/fonts {
		Cache-Control				"max-age=604800"
	}

	# checks for images
	rewrite {
		ext .png .html .ttf .ico .jpg .jpeg .css .js .woff .woff2 .svg .gif .map
		r ^/index.php/.*$
		to /{1} /index.php?{query}
	}
	
	rewrite {
		r ^/\.well-known/host-meta$
		to /public.php?service=host-meta&{query}
	}
	rewrite {
		r ^/\.well-known/host-meta\.json$
		to /public.php?service=host-meta-json&{query}
	}
	rewrite {
		r ^/\.well-known/webfinger$
		to /public.php?service=webfinger&{query}
	}

	rewrite {
		r ^/index.php/.*$
		to /index.php?{query}
	}

	rewrite / {
		if {path} not_starts_with /remote.php
		if {path} not_starts_with /public.php
		ext .png .html .ttf .ico .jpg .jpeg .css .js .woff .woff2 .svg .gif .map
		r ^/(.*)$
		to /{1} /index.php{uri}
	}

	rewrite / {
		if {path} not /core/img/favicon.ico
		if {path} not /core/img/manifest.json
		if {path} not_starts_with /remote.php
		if {path} not_starts_with /public.php
		if {path} not_starts_with /cron.php
		if {path} not_starts_with /core/ajax/update.php
		if {path} not_starts_with /status.php
		if {path} not_starts_with /ocs/v1.php
		if {path} not_starts_with /ocs/v2.php
		if {path} not /robots.txt
		if {path} not_starts_with /updater/
		if {path} not_starts_with /ocs-provider/
		if {path} not_starts_with /ocm-provider/
		if {path} not_starts_with /.well-known/
		to /index.php{uri}
	}

	# client support (e.g. os x calendar / contacts)
	redir /.well-known/carddav /remote.php/carddav 301
	redir /.well-known/caldav /remote.php/caldav 301

	# remove trailing / as it causes errors with php-fpm
	rewrite {
		r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)(\/?)$
		to /remote.php/{1}
	}

	rewrite {
		r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)(\/?)$
		to /remote.php/{1}/{2}
	}

	rewrite {
		r ^/public.php/(dav|webdav|caldav|carddav)(\/?)(\/?)$
		to /public.php/{1}
	}

	rewrite {
		r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)(\/?)$
		to /public.php/{1}/{2}
	}

	# .htaccess / data / config / ... shouldn't be accessible from outside
	status 404 {
		/.htaccess
		/data
		/config
		/db_structure
		/.xml
		/README
		/3rdparty
		/lib
		/templates
		/occ
		/console.php
	}

}

3. The problem I’m having:

Essentially, Nextcloud was installed via a script that works fine when the instance is public facing, so I was hoping to change to an internal HTTP-only Caddy and use my public instance to proxy to it.

I can access the instance (Nextcloud) completely fine on the local network by local IP address, but when I tried to access the public domain I get the error: “404 Site public domain is not served on this interface”

This seems like the internal Caddy is not allowing access via the domain name. Is there a way to explicitly allow access from a specific domain name? Or have I set up the public instance incorrectly?

The reason for the setup is that the public Caddy instance is also running reverse proxies for other services from different VLANs/devices etc. It also allows me to modify the Nextcloud system without interfering with the other projects that are being proxied and served by the public instance.

Would it be easier to rewrite it using Apache? My previous Nextcloud setup worked flawlessly with Caddy proxying to it.

4. Error messages and/or full log output:

I don’t see any error messages on either the internal or the public instance.

5. What I already tried:

I have tried removing the header_upstream lines, which made the instance unreachable from outside the network; internally it just redirected to the local address.

6. Links to relevant resources:

The script I used to install Nextcloud:

I have fixed the issue:

*public domain* {

	root   /usr/local/www/nextcloud
	log    /var/log/nextcloud_access.log
	errors /var/log/nextcloud_errors.log

	tls off

	fastcgi / 127.0.0.1:9000 php {
		env PATH /bin
		env modHeadersAvailable true
		env front_controller_active true
		connect_timeout 60s
		read_timeout 3600s
		send_timeout 300s
	}

	header / {
		Strict-Transport-Security		"max-age=15768000;"
		X-Content-Type-Options			"nosniff"
		X-XSS-Protection			"1; mode=block"
		X-Robots-Tag				"none"
		X-Download-Options			"noopen"
		X-Permitted-Cross-Domain-Policies	"none"
		Referrer-Policy				"no-referrer"
	}

	header /core/fonts {
		Cache-Control				"max-age=604800"
	}

	# checks for images
	rewrite {
		ext .png .html .ttf .ico .jpg .jpeg .css .js .woff .woff2 .svg .gif .map
		r ^/index.php/.*$
		to /{1} /index.php?{query}
	}
	
	rewrite {
		r ^/\.well-known/host-meta$
		to /public.php?service=host-meta&{query}
	}
	rewrite {
		r ^/\.well-known/host-meta\.json$
		to /public.php?service=host-meta-json&{query}
	}
	rewrite {
		r ^/\.well-known/webfinger$
		to /public.php?service=webfinger&{query}
	}

	rewrite {
		r ^/index.php/.*$
		to /index.php?{query}
	}

	rewrite / {
		if {path} not_starts_with /remote.php
		if {path} not_starts_with /public.php
		ext .png .html .ttf .ico .jpg .jpeg .css .js .woff .woff2 .svg .gif .map
		r ^/(.*)$
		to /{1} /index.php{uri}
	}

	rewrite / {
		if {path} not /core/img/favicon.ico
		if {path} not /core/img/manifest.json
		if {path} not_starts_with /remote.php
		if {path} not_starts_with /public.php
		if {path} not_starts_with /cron.php
		if {path} not_starts_with /core/ajax/update.php
		if {path} not_starts_with /status.php
		if {path} not_starts_with /ocs/v1.php
		if {path} not_starts_with /ocs/v2.php
		if {path} not /robots.txt
		if {path} not_starts_with /updater/
		if {path} not_starts_with /ocs-provider/
		if {path} not_starts_with /ocm-provider/
		if {path} not_starts_with /.well-known/
		to /index.php{uri}
	}

	# client support (e.g. os x calendar / contacts)
	redir /.well-known/carddav /remote.php/carddav 301
	redir /.well-known/caldav /remote.php/caldav 301

	# remove trailing / as it causes errors with php-fpm
	rewrite {
		r ^/remote.php/(webdav|caldav|carddav|dav)(\/?)(\/?)$
		to /remote.php/{1}
	}

	rewrite {
		r ^/remote.php/(webdav|caldav|carddav|dav)/(.+?)(\/?)(\/?)$
		to /remote.php/{1}/{2}
	}

	rewrite {
		r ^/public.php/(dav|webdav|caldav|carddav)(\/?)(\/?)$
		to /public.php/{1}
	}

	rewrite {
		r ^/public.php/(dav|webdav|caldav|carddav)/(.+)(\/?)(\/?)$
		to /public.php/{1}/{2}
	}

	# .htaccess / data / config / ... shouldn't be accessible from outside
	status 404 {
		/.htaccess
		/data
		/config
		/db_structure
		/.xml
		/README
		/3rdparty
		/lib
		/templates
		/occ
		/console.php
	}

}

*public domain* {
    tls {
        dns cloudflare
    }
    proxy / 192.168.100.6:2015 {
        websocket
        transparent
    }
}

So if anyone has similar issues, this fixed them for me.
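Why the original internal Caddyfile answered 404 and the fix works, as an added example that is not from this thread or from Caddy itself: Caddy v1 serves a request only from a site whose label matches the request's Host header (port stripped) on the port the request arrived on, and with tls off a label without a port listens on 2015. The model below assumes exactly those rules and uses public.example in place of the redacted public domain.

```python
# Added example (not from the post or from Caddy): a small model of how
# Caddy v1 chooses a site for a request, using the addresses from this
# thread. "public.example" stands in for the poster's "*public domain*".
# Assumed Caddy v1 rules: a site label with no port listens on 443 when
# TLS is on and on 2015 when "tls off" is set; the Host header (port
# stripped) must match a site label on the port the request arrived on,
# otherwise Caddy answers "404 Site <host> is not served on this interface".
from dataclasses import dataclass
from typing import Optional

DEFAULT_TLS_PORT = 443
DEFAULT_HTTP_PORT = 2015  # Caddy v1 default when TLS is off


@dataclass(frozen=True)
class Site:
    label: str        # Caddyfile site address, e.g. "192.168.100.6:1000"
    tls: bool = True  # False models "tls off"

    def host_and_port(self) -> tuple:
        host, _, port = self.label.partition(":")
        if not port:
            port = DEFAULT_TLS_PORT if self.tls else DEFAULT_HTTP_PORT
        return host.lower(), int(port)


def select_site(sites, host_header: str, listen_port: int) -> Optional[Site]:
    """Return the site that serves a request with this Host header arriving
    on listen_port, or None when Caddy would reply with the 404 above."""
    req_host = host_header.partition(":")[0].lower()
    for site in sites:
        host, port = site.host_and_port()
        if port == listen_port and host == req_host:
            return site
    return None


# The poster's original internal Caddyfile: one site keyed by IP and port.
ORIGINAL_INTERNAL = [Site("192.168.100.6:1000")]
# The fix: the site keyed by the public hostname, served over plain HTTP.
FIXED_INTERNAL = [Site("public.example", tls=False)]

if __name__ == "__main__":
    # header_upstream Host {host} (or "transparent") forwards the browser's
    # Host header unchanged, so the internal server sees the public name.
    print(select_site(ORIGINAL_INTERNAL, "public.example", 1000))      # None -> 404
    print(select_site(ORIGINAL_INTERNAL, "192.168.100.6:1000", 1000))  # LAN access works
    print(select_site(FIXED_INTERNAL, "public.example", 2015))         # matches
```

The same model explains step 5 of the post: if the proxy stops forwarding the browser's Host header, Nextcloud sees the upstream address instead and builds its redirects from that.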

Hi,

Can you please describe in detail how you solved it?

On danb35’s script, which switches have you used?

I suppose everything goes through the Caddy reverse proxy, where you redirect to the other web services you have. Any particular settings on that?

Also, above, I suppose the first one is the Caddyfile from the Nextcloud jail and the second is the one from the Caddy proxy, right?

Many thanks in advance.

From what I can see, he just added tls off on the internal service to make it run on HTTP.