Updated to 2.4.5. Still does not work.
Now https://<loadbalancer-url> just hangs (the page loads forever), and Caddy logs nothing at all for the connection.
NLB in front of caddy has PROXY protocol v2 enabled. (Note for reviewers: the `proxy_protocol` listener wrapper in the config below only accepts the PROXY header from 192.168.0.0/16 and 10.0.0.0/8. If the NLB's internal addresses fall outside those ranges, the header presumably reaches the `tls` wrapper as raw bytes and the handshake never completes — which would match the "loads forever, no logs" symptom — so the VPC CIDR is worth confirming against that `allow` list.)
Building in docker:
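ARG GO_VERSION="1.17.2"
FROM golang:${GO_VERSION}-alpine AS builder
ARG CADDY_VERSION="2.4.5"
ARG XCADDY_VERSION="0.2.0"
ARG DYNAMODB_STORAGE_VERSION="2.0.1"
# SHA-256 of the xcaddy release tarball. Pass it with --build-arg so the
# downloaded binary is verified before it is executed as part of the build
# (supply-chain check). When left empty the build still succeeds but warns.
ARG XCADDY_SHA256=""
# `set -e` makes the chain stop at the first failing command; the original
# `;`-separated chain kept running after a failed download.
RUN set -eu; \
    wget -O xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v${XCADDY_VERSION}/xcaddy_${XCADDY_VERSION}_linux_amd64.tar.gz"; \
    if [ -n "${XCADDY_SHA256}" ]; then \
        echo "${XCADDY_SHA256}  xcaddy.tar.gz" | sha256sum -c -; \
    else \
        echo "WARNING: XCADDY_SHA256 not set; xcaddy tarball was not verified" >&2; \
    fi; \
    tar x -z -f xcaddy.tar.gz -C /usr/bin xcaddy; \
    chmod +x /usr/bin/xcaddy; \
    rm -f xcaddy.tar.gz
# NOTE(review): caddy2-proxyprotocol is not pinned, so xcaddy resolves it to
# whatever the latest commit is at build time; pin it with @<tag-or-commit>
# once the wanted revision is known, as is done for the DynamoDB module.
RUN set -eu; /usr/bin/xcaddy build v${CADDY_VERSION} \
    --output /usr/bin/caddy \
    --with github.com/silinternational/certmagic-storage-dynamodb/v2@${DYNAMODB_STORAGE_VERSION} \
    --with github.com/mastercactapus/caddy2-proxyprotocol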
Full Caddy config as adapted JSON (generated from the Caddyfile). A few points a security reviewer would flag in it: the `status-check` server listens on `:8080` (all interfaces) while the on-demand `ask` URL targets 127.0.0.1:8080, so the `/ask` proxy is reachable by anything that can reach port 8080 — if the NLB health check needs that port, at least restrict `/ask` to loopback with a `remote_ip` matcher; the `reverse_proxy` transport sets `insecure_skip_verify: true`, so the upstream's certificate is never validated; the cipher suite list still includes CBC and non-ECDHE `TLS_RSA_*` suites (no forward secrecy), which should be dropped unless a known legacy client requires them; and the HSTS header uses `preload` without `includeSubDomains`, which the preload list requires.
{
"apps":{
"tls":{
"automation":{
"on_demand":{
"ask":"http://127.0.0.1:8080/ask"
},
"policies":[
{
"issuers":[
{
"email":"{env.EMAIL}",
"module":"acme"
}
],
"on_demand":true
}
]
},
"certificates":{
"load_folders":[
"/certs"
]
}
},
"http":{
"servers":{
"secure":{
"listener_wrappers":[
{
"wrapper":"proxy_protocol",
"allow":[
"192.168.0.0/16",
"10.0.0.0/8"
]
},
{
"wrapper":"tls"
}
],
"listen":[
":443"
],
"routes":[
{
"handle":[
{
"handler":"subroute",
"routes":[
{
"handle":[
{
"handler":"headers",
"response":{
"delete":[
"ALB"
],
"set":{
"Referrer-Policy":[
"strict-origin-when-cross-origin"
],
"Strict-Transport-Security":[
"max-age=63072000; preload"
],
"Content-Security-Policy":[
"default-src 'self'; img-src data: *; media-src 'self' *; child-src blob: *; frame-src blob: *; style-src 'self' 'unsafe-inline' bitpub-euc1.s3.amazonaws.com bitpub-euc1.s3.eu-central-1.amazonaws.com bitpub-usw1-live.s3.us-west-1.amazonaws.com bitpub-use1-live.s3.us-east-1.amazonaws.com bitpub-euc1-staging.s3.amazonaws.com bitpub-euc1-staging.s3.eu-central-1.amazonaws.com bitpub-usw1-staging.s3.us-west-1.amazonaws.com bitpub-use1-staging.s3.us-east-1.amazonaws.com blinkit-branding.s3.eu-central-1.amazonaws.com s3-eu-central-1.amazonaws.com fonts.googleapis.com translate.googleapis.com; font-src 'unsafe-inline' data: *; script-src 'self' 'unsafe-inline' beacon-v2.helpscout.net app.satismeter.com; connect-src 'self' blob: *;"
]
}
}
},
{
"handler":"reverse_proxy",
"transport":{
"protocol":"http",
"tls":{
"insecure_skip_verify":true
}
},
"upstreams":[
{
"dial":"{env.ENDPOINT}"
}
],
"handle_response":[
{
"match":{
"status_code":[
5
]
},
"routes":[
{
"handle":[
{
"handler":"file_server",
"root":"/var/www/html",
"index_names":[
"500.html"
]
}
]
}
]
}
]
}
]
}
]
}
],
"terminal":true
}
],
"tls_connection_policies":[
{
"cipher_suites":[
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384",
"TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA"
]
}
]
},
"status-check":{
"listen":[
":8080"
],
"routes":[
{
"match":[
{
"path":[
"{env.STATUS_ROUTE}"
]
}
],
"handle":[
{
"body":"OK!",
"handler":"static_response",
"status_code":200
}
]
},
{
"match":[
{
"path":[
"/ask"
]
}
],
"handle":[
{
"handler":"reverse_proxy",
"headers":{
"request":{
"add":{
"X-Cloud":[
"{env.CLOUD}"
]
}
}
},
"upstreams":[
{
"dial":"{env.TLS_ASK}"
}
]
}
]
}
]
}
}
}
},
"logging":{
"logs":{
"default":{
"level":"{env.LOG_LEVEL}"
}
}
},
"storage":{
"module":"file_system",
"root":"/efs-certs"
}
}