Caddy for reverse proxy and WordPress on a separate LXC container

1. Caddy version (caddy version):

Caddy Version 2.5.1

2. How I run Caddy:

I run caddy in an LXC container.

a. System environment:

Caddy is running on Ubuntu 20.04.4 LTS Server edition

b. Command:

systemctl start caddy

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

wp.thescrewball.co.uk {
   reverse_proxy 10.33.3.51
}

3. The problem I’m having:

I have set up a WordPress site on an Ubuntu 22.04 LXC container.
Caddy is set up on another 20.04 LXC container.

When I try to connect to the site above I get a blank screen in my browser. All the handshaking goes through correctly.

I’d like to know the correct config for the Caddyfile and the LAMP stack to get the Caddy LXC container and the WordPress container working together. Sorry, this is all a bit new to me.

4. Error messages and/or full log output:

5. What I already tried:

The Caddyfile above is what I have tried. It does get a cert and shows a lock on the webpage as a secure site, but the page is blank as it cannot seem to connect to the WordPress container.

6. Links to relevant resources:

What do you see when you make the request with curl -v https://wp.thescrewball.co.uk ?

What’s in Caddy’s logs? You can turn on the debug global option to see more detail in the logs. Add this at the top of your Caddyfile:

{
	debug
}

Here is the output of curl -v:

yp@T450:~$ curl -v https://wp.thescrewball.co.uk
*   Trying 123.123.123.241:443...
* TCP_NODELAY set
* Connected to wp.thescrewball.co.uk (123.123.123.241) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=wp.thescrewball.co.uk
*  start date: Jul 24 18:35:57 2022 GMT
*  expire date: Oct 22 18:35:56 2022 GMT
*  subjectAltName: host "wp.thescrewball.co.uk" matched cert's "wp.thescrewball.co.uk"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56002b3112f0)
> GET / HTTP/2
> Host: wp.thescrewball.co.uk
> user-agent: curl/7.68.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 502 
< server: Caddy
< content-length: 0
< date: Tue, 26 Jul 2022 05:48:00 GMT
< 
* Connection #0 to host wp.thescrewball.co.uk left intact

And here is the content of the logs…

Jul 26 07:03:14 caddy caddy[253]: {"level":"debug","ts":1658815394.8902805,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.33.3.51:443","duration":3.000294223,"request":{"remote_ip":"10.33.3.1","remote_port":"37650","proto":"HTTP/2.0","method":"GET","host":"wp.thescrewball.co.uk","uri":"/favicon.ico","headers":{"Accept":["image/avif,image/webp,*/*"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"Referer":["https://wp.thescrewball.co.uk/"],"Sec-Gpc":["1"],"X-Forwarded-For":["10.33.3.1"],"Accept-Language":["en-GB,en;q=0.5"],"Cache-Control":["no-cache"],"Dnt":["1"],"Sec-Fetch-Dest":["image"],"Pragma":["no-cache"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":[],"X-Forwarded-Host":["wp.thescrewball.co.uk"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"wp.thescrewball.co.uk"}},"error":"dial tcp 10.33.3.51:443: i/o timeout"}
Jul 26 07:03:14 caddy caddy[253]: {"level":"error","ts":1658815394.8916583,"logger":"http.log.error.log9","msg":"dial tcp 10.33.3.51:443: i/o timeout","request":{"remote_ip":"10.33.3.1","remote_port":"37650","proto":"HTTP/2.0","method":"GET","host":"wp.thescrewball.co.uk","uri":"/favicon.ico","headers":{"Accept":["image/avif,image/webp,*/*"],"Accept-Language":["en-GB,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"],"Referer":["https://wp.thescrewball.co.uk/"],"Cookie":[],"Sec-Gpc":["1"],"Cache-Control":["no-cache"],"Dnt":["1"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Mode":["no-cors"],"Pragma":["no-cache"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"wp.thescrewball.co.uk"}},"duration":3.002436888,"status":502,"err_id":"mzbkwhm2n","err_trace":"reverseproxy.statusError (reverseproxy.go:1196)"}

Thanks for taking the time to have a look at this.
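As an added example (not code from the post above or from the Caddy project): a small Python triage of Caddy's JSON logs of the kind shown above. It counts the status-502 error-log entries by upstream address and by the cause the Go network error string points to, so a log with many failures can be read at a glance. The sample lines are constructed: the first two mirror the posted i/o timeout with the request headers trimmed, and the remaining ones are added failure modes (connection refused, plaintext answer to a TLS dial, a normal 200) so the classifier has something to distinguish. One check it makes visible: the posted entries dial 10.33.3.51:443, whereas `reverse_proxy 10.33.3.51` with no port dials port 80 by default, so the upstream address in the log is worth comparing against the Caddyfile actually loaded when the log was taken.

```python
"""Triage Caddy reverse_proxy 502s from its JSON logs (added example)."""
import json
import re
from collections import Counter

# Constructed sample, modelled on the debug/error entries in the thread:
# the first two lines mirror the posted i/o timeout; the rest are added
# failure modes. Request headers are trimmed out for brevity.
SAMPLE_LOG = r"""
{"level":"debug","ts":1658815394.89,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.33.3.51:443","duration":3.0003,"request":{"remote_ip":"10.33.3.1","method":"GET","host":"wp.thescrewball.co.uk","uri":"/favicon.ico"},"error":"dial tcp 10.33.3.51:443: i/o timeout"}
{"level":"error","ts":1658815394.89,"logger":"http.log.error.log9","msg":"dial tcp 10.33.3.51:443: i/o timeout","request":{"remote_ip":"10.33.3.1","method":"GET","host":"wp.thescrewball.co.uk","uri":"/favicon.ico"},"duration":3.0024,"status":502,"err_id":"mzbkwhm2n"}
{"level":"error","ts":1658815400.10,"logger":"http.log.error.log9","msg":"dial tcp 10.33.3.51:80: connect: connection refused","request":{"remote_ip":"10.33.3.1","method":"GET","host":"wp.thescrewball.co.uk","uri":"/"},"duration":0.0012,"status":502}
{"level":"error","ts":1658815410.50,"logger":"http.log.error.log9","msg":"tls: first record does not look like a TLS handshake","request":{"remote_ip":"10.33.3.1","method":"GET","host":"wp.thescrewball.co.uk","uri":"/"},"duration":0.0100,"status":502}
{"level":"info","ts":1658815420.00,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"10.33.3.1","method":"GET","host":"wp.thescrewball.co.uk","uri":"/wp-login.php"},"status":200}
"""

# Substrings of the Go net/tls error strings Caddy passes through, with a
# short tag and what each usually means for a reverse proxy. First match wins.
CAUSES = (
    ("i/o timeout", "timeout",
     "no answer from the upstream: packets dropped by a firewall, or wrong address/route"),
    ("connection refused", "refused",
     "host reachable but nothing listening on that port"),
    ("no such host", "dns",
     "upstream name does not resolve from the Caddy host"),
    ("first record does not look like a TLS handshake", "tls-mismatch",
     "Caddy spoke TLS but the upstream answered in plaintext: scheme/port mismatch"),
    ("x509", "untrusted-cert",
     "upstream certificate is not trusted by Caddy"),
)
# Pulls "host:port" out of a Go dial error such as "dial tcp 10.33.3.51:443: i/o timeout".
DIAL_RE = re.compile(r"dial tcp (\S+?):\s")


def parse_caddy_log(text):
    """Yield one dict per JSON line; skip blank or non-JSON lines (journald noise)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def classify(err):
    """Return (tag, explanation) for an upstream error string."""
    for needle, tag, why in CAUSES:
        if needle in err:
            return tag, why
    return "other", "unrecognised upstream error; read the full message"


def upstream_from(entry, err):
    """Upstream address: the explicit field if present, else parsed from a dial error."""
    if entry.get("upstream"):
        return entry["upstream"]
    m = DIAL_RE.search(err)
    return m.group(1) if m else "unknown"


def triage(text):
    """Count status-502 error-log entries by (upstream, cause tag).

    Only status-502 entries are counted: the debug "upstream roundtrip"
    line for the same request duplicates the error-log entry.
    """
    counts = Counter()
    for entry in parse_caddy_log(text):
        if entry.get("status") != 502:
            continue
        err = entry.get("error") or entry.get("msg", "")
        tag, _ = classify(err)
        counts[(upstream_from(entry, err), tag)] += 1
    return counts


def report(counts):
    """Human-readable lines, most frequent failure first."""
    why = {tag: w for _, tag, w in CAUSES}
    lines = []
    for (upstream, tag), n in counts.most_common():
        lines.append(f"{n:>4}  {upstream:<18} {tag:<14} {why.get(tag, 'see message')}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

On a real host, feed it the journal instead of the sample, for example `journalctl -u caddy -o cat | python3 triage.py` with `sys.stdin.read()` in place of `SAMPLE_LOG`; the `-o cat` output format drops the `Jul 26 07:03:14 caddy caddy[253]:` prefix that would otherwise make every line non-JSON. A plain TLS-mismatch entry carries no `upstream` field and no `dial tcp` text, so it is reported against `unknown`; the matching debug line, if debug logging is on, names the upstream.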

Yep okay, you’re getting a 502 which means Caddy couldn’t connect to the upstream.

I’ve never used LXC so I don’t know how networking in them works… So I can’t suggest much unfortunately, but yeah, it’s just an internal networking problem at this point.


Ok, thanks for your reply. Your comments prompted me to disable the firewall on the WordPress container. I can ping the WP container from the Caddy container, they are on the same network.

I’m concerned it’s to do with the WordPress and Apache config for behind a reverse proxy, but I’m not entirely sure.
