1. Caddy version (`caddy version`):
v2.5.1
2. How I run Caddy:
a. System environment:
Ubuntu 20.04 - 5.4.0-113-generic; I use it as a systemctl service.
d. My complete Caddyfile or JSON config:
```
{
	auto_https disable_redirects
	default_bind someIP
	admin off
	debug
	https_port 443
	default_sni app1.domain0.fr
}

app1.domain0.fr {
	reverse_proxy localhost:someport
	tls {
		dns cloudflare CLOUDFLAREAPIKEY
	}
	log {
		output file /var/log/caddy/app1.domain0.fr_access.log
	}
}

app2.localdom.local:20443 {
	reverse_proxy localhost:someport
	tls /srv/docker/certs/app2/app2.localdom.local.crt /srv/docker/certs/app2/app2.localdom.local.key {
		ca_root /srv/docker/certs/localdom.local.crt
	}
	log {
		output file /var/log/caddy/app2.localdom.local_access.log
	}
}

app1.localdom.local:20443 {
	reverse_proxy localhost:someport
	tls /srv/docker/certs/app1/app1.localdom.local.crt /srv/docker/certs/app1/app1.localdom.local.key {
		ca_root /srv/docker/certs/localdom.local.crt
	}
	log {
		output file /var/log/caddy/app1.localdom.local_access.log
	}
}
```
3. The problem I’m having:
With the above configuration I have 4 different sites:
- 1 site with a routable domain on the internet: app1.domain0.fr
- 2 local sites: app1.localdom.local and app2.localdom.local
Problem n°1:
When I access the different sites it works perfectly. My problem is the following: as soon as I access them by the public IP of my server I get a NET::ERR_CERT_COMMON_NAME_INVALID error.
When I look at the certificate distributed by Caddy, it is the one from app1.localdom.local.
I have the same result using the command:
`gnutls-cli --disable-sni app1.domain0.fr`
I would like Caddy to give no answer at all to requests towards the IP; is that possible?
Problem n°2:
When I test the security of my website (app1.domain0.fr) with the Qualys “SSL Server Test” tool:
SSL Server Test (Powered by Qualys SSL Labs)
I notice that for clients not compatible with TLS SNI, the certificate of app1.localdom.local is distributed.
Same result when testing a request without TLS SNI with the command:
`gnutls-cli --disable-sni app1.domain0.fr`
The distributed certificate is always the one of app1.localdom.local.
Do you have any idea how to solve this problem?
4. Error messages and/or full log output:
I get no error, but I cannot solve my problem…
5. What I already tried:
I tried to add this in the Caddyfile:
```
:443 {
	tls internal
	respond * "Access denied" 403 {
		close
	}
}
```
It resulted in nothing…
When I access the website using the IP, I get the app1.localdom.local certificate error; then I accept the warning, I get “Access denied” and the connection is closed.
I want the connection to be dropped before Caddy sends the certificate to the client.
Thank you in advance for your help, I have tried many configurations but without success.
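To make the two observations in this post reproducible offline, here is an added example (not from the post, not Caddy's own code) that models the server side of the question and provides a probe for the client side. A small Go TLS server holds one self-signed certificate per site name and picks one by the SNI the client sends, falling back to a configured default when no SNI is present, which is the role `default_sni` is meant to play; the probe then performs handshakes with an explicit SNI and with no SNI at all (the equivalent of `gnutls-cli --disable-sni`, or of a browser connecting by IP) and applies the same hostname check a browser does before raising NET::ERR_CERT_COMMON_NAME_INVALID. The host names, the fallback rule in `GetCertificate` and the loopback port are assumptions of this example; the certificates are generated in memory and are not the ones from the Caddyfile.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate whose only SAN is host
// (constructed for this example; a real server loads its issued certificates).
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// startServer listens on a random loopback port with one certificate per host.
// The certificate is chosen by the client's SNI; with no SNI (connection by IP,
// gnutls-cli --disable-sni) or an unknown name, defaultHost's certificate is served.
func startServer(hosts []string, defaultHost string) (addr string, stop func(), err error) {
	certs := map[string]tls.Certificate{}
	for _, h := range hosts {
		c, err := selfSigned(h)
		if err != nil {
			return "", nil, err
		}
		certs[h] = c
	}
	cfg := &tls.Config{GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if c, ok := certs[hello.ServerName]; ok {
			return &c, nil
		}
		c := certs[defaultHost] // the fallback default_sni is meant to provide (assumed here)
		return &c, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			// Finish the handshake so the client receives the certificate, then hang up.
			go func(c *tls.Conn) { _ = c.Handshake(); c.Close() }(conn.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// presentedCert handshakes with addr and returns the leaf certificate the server
// chose. An empty sni sends no SNI extension at all, like gnutls-cli --disable-sni.
func presentedCert(addr, sni string) (*x509.Certificate, error) {
	// InsecureSkipVerify only because the names are checked explicitly by coversHost.
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// coversHost is the name check a browser applies before raising
// NET::ERR_CERT_COMMON_NAME_INVALID: is the certificate valid for host?
func coversHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	addr, stop, err := startServer([]string{"app1.domain0.fr", "app1.localdom.local"}, "app1.domain0.fr")
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, sni := range []string{"app1.localdom.local", ""} {
		cert, err := presentedCert(addr, sni)
		if err != nil {
			panic(err)
		}
		fmt.Printf("sni=%q -> served %v, valid for app1.domain0.fr: %v\n", sni, cert.DNSNames, coversHost(cert, "app1.domain0.fr"))
	}
}
```

Pointing `presentedCert` at a real server (`host:443` with `sni` set to `""`) reproduces what the Qualys "no SNI" client and `gnutls-cli --disable-sni` see, so it can be used to confirm whether a change to the config actually alters the certificate served to non-SNI clients. Note that a client connecting by IP address fails `coversHost` whichever site certificate is served, since none of the certificates in the Caddyfile names the IP; what a default certificate changes is only which name appears in the warning, not whether the warning appears.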