Caddy & php on docker (QNAP)

Hello,

I cannot configure Caddy; I would like to access my QNAP at https://[my domain].

The default system ports on QNAP are:

  • Web administration: 8080 (http) & 443 (https)
  • Web server (Apache): 80 (http) & 8081 (https)

My Docker bridge ports:

  • "25860:443"
  • "25865:80"
  • "25986:2015"

My router forwards:

  • NAS: PORT_EXT: 443 PORT_INT: 25860
  • NAS: PORT_EXT: 80 PORT_INT: 25865

My Caddy conf:

[my domain]:25860 {
	log stdout
	errors stdout

	# tls takes no path argument; the block loads the certificates from this directory
	tls {
		load /root/.caddy
	}

	header / {
		Strict-Transport-Security "max-age=31536000;"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Content-Security-Policy ""	# empty value: no policy is enforced
		Referrer-Policy "strict-origin-when-cross-origin"
	}

	proxy / [my ip]:8080 {	# QNAP web administration (http)
		transparent
		websocket
	}
}

Thanks for your help.
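The setup in this post has three hops that all have to agree: router (external port to NAS port), Docker (`host:container` publish spec) and the Caddy site address (the port Caddy binds inside the container). As an added example, not part of the original thread, here is a small checker that follows the chain and reports where it breaks. It uses constructed inputs copied from the post, with `example.com` and `192.0.2.10` standing in for the placeholder domain and LAN IP; run as-is it shows that a site address of `:25860` binds a port that no mapping publishes, while the router's 443 actually arrives at container port 443.

```python
import re

# Constructed inputs reproducing the thread's setup (domain and LAN IP are placeholders).
DOCKER_PORTS = ["25860:443", "25865:80", "25986:2015"]   # docker "host:container" specs
ROUTER_FORWARDS = {443: 25860, 80: 25865}                # external port -> NAS (host) port
CADDYFILE_AS_POSTED = """example.com:25860 {
    proxy / 192.0.2.10:8080 {
        transparent
    }
}
"""
# Same site, bound to the container-side ports the mappings actually deliver traffic to.
CADDYFILE_FIXED = """example.com:443 {
    proxy / 192.0.2.10:8080 {
        transparent
    }
}
http://example.com:80 {
    redir https://example.com{uri}
}
"""

def parse_docker_ports(specs):
    """Map published container ports to host ports from 'host:container[/proto]' specs."""
    container_to_host = {}
    for spec in specs:
        parts = spec.split(":")                 # an optional leading bind address is ignored
        host_port = int(parts[-2])
        container_port = int(parts[-1].split("/")[0])
        container_to_host[container_port] = host_port
    return container_to_host

# A site address at column 0 with an explicit ':port' followed by the opening brace.
_SITE = re.compile(r"^[^\s{#][^\s{]*:(\d+)\s*\{", re.M)

def parse_listen_ports(caddyfile):
    """Ports the site blocks bind inside the container (explicit ':port' only)."""
    return sorted({int(p) for p in _SITE.findall(caddyfile)})

def check_chain(router, docker_specs, caddyfile):
    """Follow external -> host -> container -> Caddy and describe every broken hop.

    Returns (expected, findings): expected maps each external port to the container
    port Caddy must listen on; findings is a list of human-readable problems.
    """
    findings = []
    container_to_host = parse_docker_ports(docker_specs)
    host_to_container = {h: c for c, h in container_to_host.items()}
    listening = parse_listen_ports(caddyfile)
    expected = {}
    for ext, host_port in router.items():
        if host_port not in host_to_container:
            findings.append(f"router sends :{ext} to NAS :{host_port}, "
                            f"but docker publishes no host port {host_port}")
            continue
        container_port = host_to_container[host_port]
        expected[ext] = container_port
        if container_port not in listening:
            findings.append(f"external :{ext} -> host :{host_port} -> container :{container_port}, "
                            f"but Caddy listens on {listening}; "
                            f"change the site address to ':{container_port}'")
    for port in listening:
        if port not in container_to_host:
            findings.append(f"Caddy listens on :{port} but no docker mapping publishes "
                            f"container port {port}, so nothing from outside reaches it")
    return expected, findings

if __name__ == "__main__":
    for label, cfg in (("as posted", CADDYFILE_AS_POSTED), ("fixed", CADDYFILE_FIXED)):
        expected, findings = check_chain(ROUTER_FORWARDS, DOCKER_PORTS, cfg)
        print(f"{label}: expected listen ports {expected}")
        for f in findings:
            print("  -", f)
```

The same reasoning explains the later 502: from inside the container the NAS is reached through the bridge gateway address Docker assigns (10.0.3.1 in this thread), not through the LAN address the router forwards to.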

Looks good to me. What issue are you having?

When I connect to https://mydomain.com it returns https://[my domain]/redirect.html?count=0.6829600469439594. There is no error in the Caddy log.

Could you curl -Lsvo /dev/null https://[your domain] and post the output for me?

Yes, of course:

https:

* Rebuilt URL to: https://[my domain]
*   Trying [my ip public]...
* Connected to [my domain] ([my ip public]) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* Unknown SSL protocol error in connection to [my domain]:443 
* Closing connection 0

http:

* Rebuilt URL to: http://[my domain]
*   Trying [my ip public]...
* Connected to [my domain] ([my ip public]) port 80 (#0)
> GET / HTTP/1.1
> Host: [my domain]
> User-Agent: curl/7.43.0
> Accept: */*
> 
* Recv failure: Connection reset by peer
* Closing connection 0

Looks like the connection is being refused, which indicates the problem is related to your firewall/port forwarding.

OK, I changed the port etc. and it works, but I get an error.

Caddy log:

2018/03/15 15:23:56 http: TLS handshake error from 10.0.3.1:48494: tls: client offered an unsupported, maximum protocol version of 301
2018/03/15 15:23:58 http: TLS handshake error from 10.0.3.1:48512: local error: tls: bad record MAC
2018/03/15 15:24:03 http: TLS handshake error from 10.0.3.1:48478: EOF
2018/03/15 15:33:23 http: TLS handshake error from 10.0.3.1:50588: tls: first record does not look like a TLS handshake
2018/03/15 16:22:33 [INFO] Scanning for stale OCSP staples
2018/03/15 16:22:33 [INFO] Done checking OCSP staples
10.0.3.1 - - [15/Mar/2018:16:26:42 +0000] "GET /cgi-bin/ HTTP/2.0" 304 0
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /redirect.html?count=0.7947553241184967 HTTP/2.0" 200 548
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /cgi-bin/QTS.cgi?count=795058 HTTP/2.0" 302 0
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /cgi-bin/login.html?1521131203 HTTP/2.0" 200 2605
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /v3_menu/css/qts-font.css?_dc=1518642934 HTTP/2.0" 200 253
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "POST /cgi-bin/authLogin.cgi HTTP/2.0" 200 3368
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "POST /cgi-bin/sysinfoReq.cgi?qpkg=1 HTTP/2.0" 200 573

This is expected behaviour - Caddy rejects TLS1.0 (aka version 301) as insecure by default, requiring a minimum TLS1.1 and maximum TLS1.2.

The default can be changed via the tls directive. https://caddyserver.com/docs/tls#protocols

That’s a new one! Some quick research indicates that this occurs when, after completing the handshake, the first secure communication isn’t encrypted correctly. Bad client, perhaps? What is running at 10.0.3.1?

Everything else looks fine, though.

OK, thanks. 10.0.3.1 is the virtual switch created by Container Station (Docker) on the QNAP.

Now if I set:

[my domain]:443 {

	proxy / http://[my ip]:PORT {	# Radarr
		transparent
	}
}

It doesn't work: 502 Bad Gateway.

Two things that will help you find out why the 502s are occurring:

  1. Run curl http://[my ip]:PORT from the host Caddy is running on - does it work?
  2. Add log /path/to/caddy.log and errors /path/to/errors.log to the Caddyfile. What comes up in the logs when you get these 502s?

Thank you. I solved the problem by using the IP address 10.0.3.1 assigned by Docker.

Now I have a new problem with PHP. I built it with the abiosoft/caddy:php repo and set my own PUID and GUID.

2018/03/22 18:17:03 [INFO] Blocking Command "php-fpm7 " with ID ...
22/Mar/2018:18:17:41 +0000 [ERROR 0 /] Primary script unknown
[my ip] - - [22/Mar/2018:18:17:41 +0000] "GET / HTTP/2.0" 404 54

Caddy conf:

[mydomain]:443 {
	log stdout
	errors stdout
	gzip
	on startup php-fpm7
	fastcgi / 127.0.0.1:9000 php
	root /srv/www
	tls /root/.caddy/domain.full.cert.pem /root/.caddy/domain.key

	header / {
		Strict-Transport-Security "max-age=31536000;"
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Content-Security-Policy ""
		Referrer-Policy "strict-origin-when-cross-origin"
		-Server
	}
}

Since Caddy and PHP are running in the same container, it’s unlikely to be an incorrect SCRIPT_FILENAME, so it’s probably a permissions issue. Make sure that the user PHP is running as has read access to the files.
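php-fpm reports "Primary script unknown" whenever the worker cannot open SCRIPT_FILENAME, which covers both a wrong path and a file the worker's uid/gid is not allowed to read. The permission case is easy to get wrong because every directory above the script needs search (x) permission, not just the file read bit. As an added example, not part of the thread, the following script models that classic mode-bit check for an arbitrary identity without switching users, so it can be run as the Caddy container's normal user against `/srv/www`. The demo builds a constructed web root under a temporary directory; uid 65534 is an assumption standing in for the FPM worker, and ACLs, LSMs, chroot and open_basedir are outside what it models.

```python
"""Model the discretionary-access check php-fpm performs when opening a script."""
import os
import stat
import tempfile

def _allowed(st, uid, gids, user_bit, group_bit, other_bit):
    """Select the owner/group/other permission class the way the kernel does."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def explain_access(path, uid, gids):
    """Return (ok, reason): can identity (uid, gids) read `path`, and if not, which
    path component blocks it? Every ancestor directory needs x, the file needs r.
    Only classic mode bits are modelled (no ACLs, LSMs, chroot or open_basedir)."""
    if uid == 0:
        return True, "uid 0 bypasses mode-bit checks"
    path = os.path.abspath(path)
    parts = path.split(os.sep)
    for i in range(1, len(parts)):
        ancestor = os.sep.join(parts[:i]) or os.sep
        try:
            st = os.stat(ancestor)
        except FileNotFoundError:
            return False, f"{ancestor}: does not exist"
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return False, (f"{ancestor}: no search (x) permission for uid {uid} "
                           f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f"{path}: does not exist (check root / SCRIPT_FILENAME)"
    if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return False, (f"{path}: no read permission for uid {uid} "
                       f"(mode {stat.S_IMODE(st.st_mode):04o}, owner {st.st_uid}:{st.st_gid})")
    return True, f"{path}: readable by uid {uid}"

def demo():
    """Constructed scenario: a web root readable only by its owner, probed as the
    owner and as an unprivileged identity (uid 65534 is an assumed FPM worker)."""
    root = tempfile.mkdtemp()            # tempfile creates this with mode 0700
    script = os.path.join(root, "index.php")
    with open(script, "w") as fh:
        fh.write("<?php echo 'ok';\n")
    os.chmod(script, 0o600)
    owner = (os.getuid(), set(os.getgroups()) | {os.getgid()})
    worker = (65534, {65534})
    return explain_access(script, *owner), explain_access(script, *worker)

if __name__ == "__main__":
    for ok, why in demo():
        print("OK  " if ok else "FAIL", why)
```

In the thread's setup the identity to test is whatever `PUID`/`PGID` the php-fpm worker actually runs as, and the path is the file `fastcgi` resolves under `root /srv/www`; the reason string names the first component that fails, which is usually a parent directory rather than the script itself.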
