Caddy in Docker on Synology

1. Caddy version (caddy version):

caddy/latest
Caddy V2.5.1

2. How I run Caddy:

a. System environment:

Synology DSM 6.2.1-23824 Update 6
Docker 20.10.3-0554
Edgerouter x

b. Command:

Paste command here.

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
  admin 0.0.0.0:2019
  email email@gmail.com
}
test123.com {
  templates
}
# Synology
liquidxpe.test123.com {
  reverse_proxy 10.66.66.48:5001
# reverse_proxy 10.66.66.48:5000 # line commented if the above line isn't
}

3. The problem I’m having:

I am using DSM, UniFi, Sonarr, Radarr, SABnzbd, Home Assistant and many other sites I want to put behind Caddy. I am setting this up because I want an automated way to renew certs.

4. Error messages and/or full log output:

2022/05/18 14:16:10.706 ERROR tls.issuance.acme.acme_client challenge failed {"identifier": "test123.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "XX.XX.XX.17: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}}

2022/05/18 14:16:10.706 ERROR tls.issuance.acme.acme_client validating authorization {"identifier": "test123.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "XX.XX.XX.17: Timeout during connect (likely firewall problem)", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/547802866/89767181206", "attempt": 2, "max_attempts": 3}

2022/05/18 14:16:10.706 ERROR tls.obtain could not get certificate from issuer {"identifier": "test123.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 400 urn:ietf:params:acme:error:connection - XX.XX.XX.17: Timeout during connect (likely firewall problem)"}

5. What I already tried:

I have my domain at Cloudflare. I have made sure that TLS/SSL is set to none, I have made sure the Cloudflare firewall is not running, and I have made sure that no A records are being proxied. I have ports 7443 and 7080 in my router port-forwarded to my Synology NAS. In Docker on the NAS I have the Caddy container set to ports 7443 > 443 and 7080 > 80. A port checker shows 7080 and 7443 as closed, which makes no sense because I have Docker containers running Plex, SAB, Radarr and Sonarr and they all show open ports for their respective ports. The Caddy container is set up no differently. I do not understand the "likely a firewall problem".

6. Links to relevant resources:

Are you sure you have the latest? Please run caddy version to check.

You haven’t filled this out. What’s your config? What did you try?

It’s best if you tell us exactly what you tried and what failed. It’s easier for us to point out mistakes than abstractly give instructions.

Post updated

You must use ports 80 and 443 at the edge; ACME issuers will only try to connect on ports 80 and 443 to solve ACME HTTP and ACME TLS-ALPN challenges respectively. It won’t work if you forwarded 7080/7443 to Caddy’s port 80/443.

This site on its own won’t do anything – the templates directive is a response body post-processor. You need another directive that will actually write a response to pair with it, like file_server for example.

1 Like

OK, so how do I get past the 80/443 response from DSM? I have even changed the ports with the below:

sed -i -e 's/80/81/' -e 's/443/444/' /usr/syno/share/nginx/server.mustache /usr/syno/share/nginx/DSM.mustache /usr/syno/share/nginx/WWWService.mustache

synoservicecfg --restart nginx

So the config file was an example I found somewhere else online; I can remove it all. I just need to know how the config file should look for my Synology on 5001.

Francis was referring to the edge (i.e. your router), not DSM; you can arbitrarily route your ports however you like - as long as 80 and 443 at your public IP address (your router) eventually reach the HTTP/S listeners Caddy is using.

I suspect this one might go beyond the scope of Caddy support here on the forums. If someone around here is familiar with Synology in particular and could help you troubleshoot why it doesn’t seem to be passing the expected ports through, hopefully they will do so; otherwise, unless you can ensure traffic is reaching Caddy, there’s not much Caddy can do.

For what it’s worth, that is how I’d usually recommend doing things with a NAS like Synology; using a port detour by forwarding 80->8080 from your router to Synology, and 8080->80 into the Caddy container. Likewise for router:443->synology:8443 and then back through synology:8443->caddy:443. Or 7080 and 7443 as you’ve used, or whatever’s convenient. You just need to ensure Synology is passing the packets as you expect.

3 Likes

OK, so I decided to change things up: I took the Caddy server away from my DSM and put it on my other computer running Docker. I think DSM causes many issues with 80 and 443 that can't directly and easily be fixed. Now port 443 shows open to the new Docker container. Below is my new config, which was auto-generated, then I edited it with my info:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.


{
  admin 0.0.0.0:2019
  email name@gmail.com
}


:80 {
        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
# Synology
liquidxpe.test123.com {
  reverse_proxy 10.66.66.48:5001
# reverse_proxy 10.66.66.48:5000 # line commented if the above line isn't
}
# Unifi
liquiduni.test123.com {
  reverse_proxy 10.66.66.240:8443
}

Both DNS records are in Cloudflare.

Here are the issues now.
For Synology, going to https://liquidxpe.test123.com I get:

400 Bad Request
The plain HTTP request was sent to HTTPS port
nginx

For UniFi I get:

Bad Request
This combination of host and port requires TLS.

Both show the new certs pulled from ZeroSSL.

I’d wager that’s because Caddy is reverse proxying to HTTP by default.

Try reverse_proxy https://10.66.66.48:5001 and reverse_proxy https://10.66.66.240:8443 (note the https:// scheme added to both.)

If the upstreams don’t have trusted HTTPS certificates (probably not, considering that they’re just IP addresses) you may need to skip TLS verification (reverse_proxy (Caddyfile directive) — Caddy Documentation).

1 Like

Changed to:

# Synology
liquidxpe.test123.com {
  reverse_proxy https://10.66.66.48:5001
# reverse_proxy 10.66.66.48:5000 # line commented if the above line isn't
}
# Unifi
liquiduni.test123.com {
  reverse_proxy https://10.66.66.240:8443
}

Now I get:

is currently unable to handle this request.
HTTP ERROR 502

Just saw the skip-verify piece; here is the config now:

# Synology
liquidxpe.test123.com {
  reverse_proxy https://10.66.66.48:5001
# reverse_proxy 10.66.66.48:5000 # line commented if the above line isn't
tls_insecure_skip_verify
}
# Unifi
liquiduni.test123.com {
  reverse_proxy https://10.66.66.240:8443
tls_insecure_skip_verify
}

Do I have the skip verify in the wrong place? Now I just get "refused to connect".

What’s in Caddy’s logs?

Yes, it goes within reverse_proxy, in a block (i.e. { })

reverse_proxy https://10.66.66.240:8443 {
	# tls_* options are subdirectives of the http transport, not of reverse_proxy itself
	transport http {
		tls_insecure_skip_verify
	}
}
1 Like

OK, below is the whole config file; now the Docker container won't start.

This is the error in the logs:

run: adapting config using caddyfile: /etc/caddy/Caddyfile:37: unrecognized directive: tls_insecure_skip_verify

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.


{
  admin 0.0.0.0:2019
  email name@gmail.com
}


:80 {
        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

# Synology
liquidxpe.test123.com {
reverse_proxy https://10.66.66.48:5001
        tls_insecure_skip_verify
}
# Unifi
liquiduni.test123.com {
reverse_proxy https://10.66.66.240:8443 {
        tls_insecure_skip_verify
}

I really hate syntax errors, lol. It's now working:

# Synology
https://liquidxpe.test123.com {
        reverse_proxy https://10.66.66.48:5001 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
# Unifi
https://liquiduni.test123.com {
        reverse_proxy https://10.66.66.240:8443 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}
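The working config above, and the earlier advice to skip TLS verification when the upstreams have untrusted certificates, both end up with `tls_insecure_skip_verify`. That makes Caddy accept any certificate the upstream presents, so anything on the LAN that can answer as 10.66.66.48 or 10.66.66.240 (ARP spoofing, a compromised neighbour) gets the proxied sessions without Caddy noticing. The following is an added example, not the thread's own config, showing the same two sites with upstream verification kept on: the NAS and controller certificates are pinned with `tls_trusted_ca_certs` and checked against the name they actually carry with `tls_server_name`. The PEM paths (`/etc/caddy/certs/...`) and the certificate names (`nas.local`, `unifi.local`) are assumptions; use whatever the DSM and UniFi certificates really contain. The admin endpoint is also moved back to loopback, since `admin 0.0.0.0:2019` exposes an unauthenticated config API to anything that can reach the container.

```caddyfile
# Added example (not the thread's config): same sites, upstream TLS verified.
#
# Assumptions (hypothetical, adjust to your setup):
#   /etc/caddy/certs/dsm.pem   - the DSM certificate (self-signed leaf, or the
#                                CA that issued it), exported as PEM
#   /etc/caddy/certs/unifi.pem - the UniFi controller certificate, exported as PEM
#   nas.local / unifi.local    - the subject/SAN names those certificates carry
{
	email name@gmail.com
	# Unauthenticated config API: keep it on loopback, not 0.0.0.0.
	admin localhost:2019
}

# Weak form from the thread, kept for comparison: any certificate is accepted.
# https://liquidxpe.test123.com {
# 	reverse_proxy https://10.66.66.48:5001 {
# 		transport http {
# 			tls_insecure_skip_verify
# 		}
# 	}
# }

# Synology
https://liquidxpe.test123.com {
	reverse_proxy https://10.66.66.48:5001 {
		transport http {
			# Trust only this certificate (a self-signed leaf placed in the
			# trust pool is accepted as its own root by Go's verifier).
			tls_trusted_ca_certs /etc/caddy/certs/dsm.pem
			# Verify the name in the certificate, not the bare IP we dial.
			tls_server_name nas.local
		}
	}
}

# UniFi
https://liquiduni.test123.com {
	reverse_proxy https://10.66.66.240:8443 {
		transport http {
			tls_trusted_ca_certs /etc/caddy/certs/unifi.pem
			tls_server_name unifi.local
		}
	}
}
```

To get the PEM files, export the certificate from the DSM or UniFi certificate settings, or capture it from a shell on the Caddy host with `openssl s_client -showcerts -connect 10.66.66.48:5001` and save the first certificate block. If DSM's certificate was issued by its built-in "Synology" CA rather than being self-signed, point `tls_trusted_ca_certs` at that CA certificate instead and keep `tls_server_name` at the name in the leaf. Caddy refuses to start if a listed PEM file cannot be read, so a wrong path shows up at `caddy run` rather than as a silent fallback.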

This topic was automatically closed after 30 days. New replies are no longer allowed.