Caddy(docker) reverse proxy with dns-01 on Cloudflare

In your Cloudflare DNS dashboard, is your website grey or orange-cloud?


I’ve tried both.
orange-cloud → error 522 Cloudflare page
grey-cloud → redirected to my router page

I can’t figure out where the problem is; I have tried several configurations:
internal TLS, Let’s Encrypt with the Cloudflare DNS module, Cloudflare origin, and I always get the same result.

So, Cloudflare can’t connect to your origin server.

Likely because you attempted to access your website from inside the same network your server is on, and the traffic went to your router (i.e. towards the internet).

Except that when the router receives the packets, it realises that the router itself is the destination! (i.e. your public IP address).

So it processes them as normal. Which, in a normal port-forwarding situation, would involve passing the traffic back to your web server. Except that because the traffic came from inside the local network, your router treats it as traffic for its own web GUI.

A common issue, solved by enabling hairpin NAT or by using split DNS, assuming your intent is to port forward to the web server. However, going back and looking at your original post…

I suspect you’ve betrayed the source of your problem here.

If you don’t have ports open, you will not be able to serve your website.

There is a way around this, but the DNS challenge on its own is only half the solution. The other half would be cloudflared / Argo Tunnel.


Oh yes… in the rush to secure everything I got lost.

Fantastic, that’s the solution.
I’ve studied cloudflared; it’s wonderful.

I tried first without Caddy to understand how it works. And wow, it worked: I was able to reach a server through my domain without opening a port. Fantastic.

But then I tried with Caddy and it does not work.

#cloudflared config
tunnel: x
credentials-file: x

logfile: clodflared.log

ingress:
    - hostname: gorcy.domain.x
      service:  http://127.0.0.1:10000

#caddyfile
gorcy.domain.x:10000   {
	tls {
		dns cloudflare ABCD
		resolvers 1.1.1.1
	}
	reverse_proxy http://192.168.1.7:9283
}

Not sure on this, I just discovered cloudflared, and I am now learning how to use Caddy :slight_smile:

Oh, and I forgot to say that in Cloudflare DNS records I have only one CNAME named grocy with target (the tunnel UUID).cfargotunnel.com

Unfortunately, “it’s not working” doesn’t give enough information for me to make any guesses at how you could possibly troubleshoot. Is it timing out? Is it returning an error? Is it trying to redirect you?

I have one wild guess based off the configs:

vs.

Caddy is probably trying to use HTTPS on port 10000 because Caddy tries to be secure by default, however, you’ve configured your Argo Tunnel to proxy over HTTP-insecure.

You’ve already configured DNS validation, so instead of downgrading Caddy to HTTP-insecure, I’d suggest upgrading the Argo Tunnel proxy to use HTTPS instead.


P.S.

For the sake of ease of use, I just set:

ingress:
  - service: https://caddy

As my ingress rule; literally a catch-all, since all web traffic will get sorted out by Caddy on my machine regardless of which hostname it’s for. That means I control which domains actually go here in DNS itself, by configuring which ones are CNAMEd to the specific named tunnel in Cloudflare.

This is a lot more similar to how things work without tunnels; using ingress rules with different hostnames is more useful for the kind of scenario where you don’t have Caddy and want cloudflared itself to handle the routing of multiple services.


Just tried, and now it shows me this error

ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: internal error" cfRay=69e494bca8b5374a-MXP ingressRule=0 originService=https://127.0.0.1:10000

And on the page " Error 502 Bad gateway"

Wow, this is very useful, but I don’t understand how to implement it.

Easy, just remove the hostname qualifier on your ingress rule.

For you it’d be like:

- service: http://127.0.0.1:10000

That’d send all Argo Tunnel traffic to Caddy regardless of which hostname it’s for.

Then you just configure your hostnames in Caddy exactly like you would normally, all on port 10000.

sub1.example.com:10000 {
  # blah
}

sub2.example.com:10000 {
  # blah
}

Is there any output in Caddy logs for this event?

What was it doing before you made the change, exactly? Were there any cloudflared/Caddy logs from the previous issue?
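The two mismatches discussed in this thread, a tunnel speaking plain HTTP to a port where Caddy serves HTTPS, and an ingress hostname that no Caddy site block answers for, can be spotted by reading both configs side by side. The script below is an added example, not code from the thread, Caddy or cloudflared; it parses only the syntax subset shown above (an `ingress:` list with `hostname`/`service` keys as the last top-level key, and top-level Caddyfile site blocks), and its sample configs use placeholders for the tunnel ID and API token.

```python
import re
from urllib.parse import urlsplit

def parse_ingress(text):
    """Return [{'hostname': ..., 'service': ...}] from a cloudflared `ingress:` list
    (assumed, as in the thread's config, to be the last top-level key)."""
    rules = []
    for line in ("\n" + text).partition("\ningress:")[2].splitlines():
        item = line.split("#", 1)[0].strip()
        if item.startswith("- "):
            rules.append({"hostname": None, "service": None})
            item = item[2:]
        key, _, value = item.partition(":")
        if rules and key in rules[-1]:
            rules[-1][key] = value.strip()
    return rules

def parse_caddyfile(text):
    """Return (host, port, serves_tls) per top-level site block, using a simplified
    Caddy rule: http://, port 80 or an empty host means plain HTTP, else HTTPS."""
    sites = []
    for addr in re.findall(r"^(\S[^{\n]*?)[ \t]*\{", text, re.M):  # "host:port {" at column 0
        u = urlsplit(addr if "://" in addr else "//" + addr)
        host, port = u.hostname or "", u.port or (80 if u.scheme == "http" else 443)
        sites.append((host, port, u.scheme != "http" and port != 80 and bool(host)))
    return sites

def check(cloudflared_config, caddyfile):
    """Report scheme and hostname mismatches between ingress rules and Caddy sites."""
    findings, sites = [], parse_caddyfile(caddyfile)
    for rule in parse_ingress(cloudflared_config):
        u = urlsplit(rule["service"] or "")
        if u.scheme not in ("http", "https"):
            continue  # e.g. the http_status:404 fallback rule: nothing to check
        port = u.port or (443 if u.scheme == "https" else 80)
        on_port = [s for s in sites if s[1] == port]
        if not on_port:
            findings.append(f"{rule['service']}: no Caddy site listens on port {port}")
        elif u.scheme == "http" and any(s[2] for s in on_port):
            findings.append(f"{rule['service']}: plain HTTP to a port where Caddy serves HTTPS")
        if on_port and rule["hostname"] and rule["hostname"] not in {s[0] for s in on_port}:
            findings.append(f"{rule['hostname']}: no Caddy site for this hostname on port {port}")
    return findings

# Constructed sample mirroring the thread's configs (placeholders, not real IDs/tokens).
CLOUDFLARED = ("tunnel: TUNNEL-ID-PLACEHOLDER\ningress:\n  - hostname: gorcy.domain.x\n"
               "    service: http://127.0.0.1:10000\n  - service: http_status:404\n")
CADDYFILE = ("gorcy.domain.x:10000 {\n\ttls {\n\t\tdns cloudflare TOKEN-PLACEHOLDER\n\t}\n"
             "\treverse_proxy http://192.168.1.7:9283\n}\n")
```

Running `check(CLOUDFLARED, CADDYFILE)` on the sample reports the plain-HTTP-to-HTTPS-port mismatch; switching the service to `https://` clears it.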

nope, standard

2021/10/14 23:23:44.933 INFO    using adjacent Caddyfile
2021/10/14 23:23:44.936 WARN    input is not formatted with 'caddy fmt' {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2021/10/14 23:23:44.942 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["[::1]:2019", "127.0.0.1:2019", "localhost:2019"]}
2021/10/14 23:23:44.943 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000665ab0"}
2021/10/14 23:23:44.943 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2021/10/14 23:23:44.949 INFO    http    enabling automatic TLS certificate management   {"domains": ["gorcy.domain.x"]}
2021/10/14 23:23:44.982 INFO    tls     finished cleaning storage units
2021/10/14 23:23:44.982 INFO    autosaved config (load with --resume flag)    
2021/10/14 23:23:44.982 INFO    serving initial configuration

Same log except the error. And in the browser, now I’ve checked again and it says “Client sent an HTTP request to an HTTPS server.” (you were right :smiley:). But before it was something like “can’t resolve hostname”.

Hmm.

What do you get from:

curl -IL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000

curl: (7) Failed to connect to gorcy.domain.x port 10000: Connection refused

I note that your Caddy is in a Docker container.

Have you configured port 10000 to forward to the Caddy container?

Yes, I also tried without the external networks “reverse-proxy”.

I noted that if I try to connect internally it shows “ERR_SSL_PROTOCOL_ERROR”.

Thanks for your help; now I have to go to sleep, but I would like to ask if it’s possible to extend the expiration time of the topic. Sweet dreams :wink:

Done. :+1:


I retried this and now the response is “curl: (60) SSL certificate problem: unable to get local issuer certificate”

How about:

curl -kIL --resolve gorcy.domain.x:10000:127.0.0.1 https://gorcy.domain.x:10000

(Note the addition of the k flag)


HTTP/2 502
server: Caddy
date: Mon, 18 Oct 2021 08:03:06 GMT

So I have a problem with SSL?

And with the upstream server, apparently.

This could mean that your local root certificate store has issues of some kind.

I’m not sure how to proceed on a raspberry pi, exactly, but I’d probably look into troubleshooting your ca-certificates next?


I’m trying with Cloudflare Origin CA and the DNS-01 challenge, but neither resolves the problem. So I decided to try everything from the start without cloudflared and with port 10000 opened on my router, but when I try to connect it says “ERR_NAME_NOT_RESOLVED”.

This is the configuration

gorcy.mydomain.x:10000 {
	tls /cert/certificate.pem /cert/key.pem
	reverse_proxy http://127.0.0.1:9283
}

And in Cloudflare DNS:
A | mydomain.x → my IP
CNAME | gorcy → mydomain.x