Caddy conditional tls options

1. The problem I’m having:

I’m having an issue: a Caddy reverse proxy offering H2+ can’t be browsed through a Wireguard tunnel.
However, I have another IPSec VPN that points to the same Caddy and that works just fine.
My idea was to force the downgrade of H2+ to H1 using request matchers; however, I can’t seem to find the right settings.

The relevant sections of my Caddy file are the following:

{
        http_port 80
        https_port 443
        admin off

        email "MyEmail@example.com"

        servers :443 {
                listener_wrappers {
                        http_redirect
                        tls
                }
        }

        servers :80 {
                protocols h1 h2c
        }
}

(ip-whitelist) {
        @privatefilter {
                not remote_ip 192.168.1.0/24 10.0.0.0/24
        }
        abort @privatefilter
}

(common-proxy) {
        header_down -Server
        header_down -X-Powered-By
}

*.example.com {
        @subdomain1 host subdomain1.example.com
        handle @subdomain1 {
                import ip-whitelist
                reverse_proxy MyRealWebServer:Port {
                        import common-proxy
                }
        }

        @subdomain2 host subdomain2.example.com
        handle @subdomain2 {
..... etc. ......
}

As I said, my initial idea was to add some sort of conditional TLS section, but the issue is that I cannot recall remote_ip from inside a reverse_proxy section, or I’m doing something else wrong.
My Wireguard IP range is 10.0.0.0/24; I was thinking of using that as remote_ip and, in that case, adding the relevant section to the reverse_proxy.

Top section added:

(h2check) {
        @h2filter {
                remote_ip 10.0.0.0/24
        }
        transport @h2filter http {
                versions 1.1
        }
}

Modified section:

        handle @subdomain1 {
                import ip-whitelist
                reverse_proxy MyRealWebServer:Port {
                        import h2check
                        import common-proxy
                }
        }

Is there a way to check a request variable and influence the transport section?

2. Error messages and/or full log output:

2023/07/01 15:14:08.729	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': /etc/caddy/Caddyfile:133 - Error during parsing: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:31 - Error during parsing: unrecognized response matcher remote_ip

3. Caddy version:

/srv $ caddy version
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

Docker image:
caddy:latest@sha256:050db1833a9c3bee6699e344442199769ebfd076525de385a1eb47318b900119

4. How I installed and ran Caddy:

a. System environment:

Docker + Portainer

b. Command:

caddy run --config /etc/caddy/Caddyfile --adapter caddyfile

c. Service/unit/compose file:

https://hub.docker.com/_/caddy

The issue I get using Wireguard is the following:

% curl -v https://subdomain1.example.com
*   Trying 192.168.1.74:443...
* Connected to subdomain1.example.com (192.168.1.74) port 443 (#0)
* ALPN: offers h2
* ALPN: offers http/1.1
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Client hello (1):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Server hello (2):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Unknown (8):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Certificate (11):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, CERT verify (15):
* [CONN-0-0][CF-SSL] (304) (IN), TLS handshake, Finished (20):
* [CONN-0-0][CF-SSL] (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.example.com
*  start date: Apr 23 20:14:09 2023 GMT
*  expire date: Jul 22 20:14:08 2023 GMT
*  subjectAltName: host "subdomain1.example.com" matched cert's "*.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: subdomain1.example.com]
* h2h3 [user-agent: curl/7.87.0]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x7f9c5200b800)
> GET / HTTP/2
> Host: subdomain1.example.com
> user-agent: curl/7.87.0
> accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)
* Connection #0 to host subdomain1.example.com left intact
curl: (92) HTTP/2 stream 0 was not closed cleanly: INTERNAL_ERROR (err 2)

Should I provide more context?
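Added example (not from the original post): in a Caddyfile, request matchers such as remote_ip can only be applied to handler directives like reverse_proxy, not to the transport subdirective, which is why the adapter reports "unrecognized response matcher remote_ip". The per-client choice is therefore made by having two reverse_proxy handlers, one matched on the Wireguard range. Note that transport http { versions 1.1 } only changes the Caddy-to-upstream connection; the HTTP/2 that curl negotiates via ALPN is a property of the :443 server itself and is set globally with the servers protocols option (as already done for :80 in the post). MyRealWebServer:Port and the subnet are the placeholders from the post.

```caddyfile
(common-proxy) {
        header_down -Server
        header_down -X-Powered-By
}

*.example.com {
        @subdomain1 host subdomain1.example.com
        handle @subdomain1 {
                import ip-whitelist

                # Requests arriving from the Wireguard range: force HTTP/1.1 upstream.
                @wireguard remote_ip 10.0.0.0/24
                reverse_proxy @wireguard MyRealWebServer:Port {
                        transport http {
                                versions 1.1
                        }
                        import common-proxy
                }

                # Everyone else keeps the default transport.
                reverse_proxy MyRealWebServer:Port {
                        import common-proxy
                }
        }
}
```

If the goal is to stop Caddy offering h2 to clients on 443 at all, that is a per-server setting (servers :443 { protocols h1 }) and cannot be made conditional on remote_ip.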
