bob
(bob)
March 14, 2018, 10:25am
1
Hello,
I cannot configure Caddy; I would like access to my QNAP on https://[my domain]
Default system ports on QNAP are:
Web administration 8080 (http) & 443 (https)
Web server (Apache) 80 (http) & 8081 (https)
My Docker port bridges:
"25860:443"
"25865:80"
"25986:2015"
My router forwards:
NAS : PORT_EXT: 443 PORT_INT : 25860
NAS : PORT_EXT: 80 PORT_INT : 25865
My Caddy conf:
[my domain]:25860 {
    log stdout
    errors stdout
    tls / {
        load /root/.caddy
    }
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Content-Security-Policy ""
        Referrer-Policy "strict-origin-when-cross-origin"
    }
    proxy / [my ip]:8080 { # QNAP
        transparent
        websocket
    }
}
Thanks for your help.
Looks good to me. What issue are you having?
bob
(bob)
March 14, 2018, 11:15am
3
When I connect to the address https://mydomain.com it returns https://[my domain]/redirect.html?count=0.6829600469439594. In the Caddy log there is no error.
Could you curl -Lsvo /dev/null https://[your domain] and post the output for me?
bob
(bob)
March 14, 2018, 12:20pm
5
Yes, of course:
https:
* Rebuilt URL to: https://[my domain]
* Trying [my ip public]...
* Connected to [my domain] ([my ip public]) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* Unknown SSL protocol error in connection to [my domain]:443
* Closing connection 0
http:
* Rebuilt URL to: http://[my domain]
* Trying [my ip public]...
* Connected to [my domain] ([my ip public]) port 80 (#0)
> GET / HTTP/1.1
> Host: [my domain]
> User-Agent: curl/7.43.0
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
Looks like the connection is being refused, which indicates the problem is related to your firewall/port forwarding.
bob
(bob)
March 15, 2018, 1:38pm
7
Ok, I changed the ports etc. and it works, but I get errors.
Caddy log:
2018/03/15 15:23:56 http: TLS handshake error from 10.0.3.1:48494: tls: client offered an unsupported, maximum protocol version of 301
2018/03/15 15:23:58 http: TLS handshake error from 10.0.3.1:48512: local error: tls: bad record MAC
2018/03/15 15:24:03 http: TLS handshake error from 10.0.3.1:48478: EOF
2018/03/15 15:33:23 http: TLS handshake error from 10.0.3.1:50588: tls: first record does not look like a TLS handshake
2018/03/15 16:22:33 [INFO] Scanning for stale OCSP staples
2018/03/15 16:22:33 [INFO] Done checking OCSP staples
10.0.3.1 - - [15/Mar/2018:16:26:42 +0000] "GET /cgi-bin/ HTTP/2.0" 304 0
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /redirect.html?count=0.7947553241184967 HTTP/2.0" 200 548
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /cgi-bin/QTS.cgi?count=795058 HTTP/2.0" 302 0
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /cgi-bin/login.html?1521131203 HTTP/2.0" 200 2605
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "GET /v3_menu/css/qts-font.css?_dc=1518642934 HTTP/2.0" 200 253
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "POST /cgi-bin/authLogin.cgi HTTP/2.0" 200 3368
10.0.3.1 - - [15/Mar/2018:16:26:43 +0000] "POST /cgi-bin/sysinfoReq.cgi?qpkg=1 HTTP/2.0" 200 573
This is expected behaviour - Caddy rejects TLS1.0 (aka version 301) as insecure by default, requiring a minimum TLS1.1 and maximum TLS1.2.
The default can be changed via the tls directive. https://caddyserver.com/docs/tls#protocols
That’s a new one! Some quick research indicates that this occurs when, after completing the handshake, the first secure communication isn’t encrypted correctly. Bad client, perhaps? What is running at 10.0.3.1?
Everything else looks fine, though.
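As an added example (not from this thread or from Caddy itself), a small Python parser that classifies the TLS handshake errors Caddy logged above, decoding the hex version "301" as TLS 1.0 the way the reply explains, and counting causes per client so a single misbehaving client like 10.0.3.1 stands out. The sample log lines are constructed from the ones posted in the thread.

```python
import re
from collections import Counter

# Constructed sample log lines, modelled on the Caddy log posted in the thread.
SAMPLE_LOG = """\
2018/03/15 15:23:56 http: TLS handshake error from 10.0.3.1:48494: tls: client offered an unsupported, maximum protocol version of 301
2018/03/15 15:23:58 http: TLS handshake error from 10.0.3.1:48512: local error: tls: bad record MAC
2018/03/15 15:24:03 http: TLS handshake error from 10.0.3.1:48478: EOF
2018/03/15 15:33:23 http: TLS handshake error from 10.0.3.1:50588: tls: first record does not look like a TLS handshake
2018/03/15 16:22:33 [INFO] Scanning for stale OCSP staples
"""

# TLS record-layer version codes; Go's crypto/tls logs them in hex ("301" == 0x0301).
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

HANDSHAKE_RE = re.compile(
    r"^\S+ \S+ http: TLS handshake error from (?P<ip>\S+):(?P<port>\d+): (?P<msg>.*)$")
VERSION_RE = re.compile(r"maximum protocol version of ([0-9a-fA-F]+)")

def classify(msg):
    """Map Caddy's handshake error text to a short cause label."""
    m = VERSION_RE.search(msg)
    if m:
        ver = TLS_VERSIONS.get(int(m.group(1), 16), "unknown 0x" + m.group(1))
        return "client max version too old (%s)" % ver
    if "bad record MAC" in msg:
        return "bad record MAC (first encrypted record unreadable)"
    if "does not look like a TLS handshake" in msg:
        return "plaintext (non-TLS) sent to the TLS port"
    if msg == "EOF":
        return "client closed before handshake completed"
    return "other: " + msg

def parse_handshake_errors(text):
    """Return (ip, cause) tuples, one per handshake error line; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = HANDSHAKE_RE.match(line)
        if m:
            out.append((m.group("ip"), classify(m.group("msg"))))
    return out

def summarize(text):
    """Count causes per client IP so one misbehaving client stands out."""
    return Counter(parse_handshake_errors(text))

if __name__ == "__main__":
    for (ip, cause), n in summarize(SAMPLE_LOG).most_common():
        print("%3d  %-10s %s" % (n, ip, cause))
```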
bob
(bob)
March 16, 2018, 9:40am
9
Ok, thanks. 10.0.3.1 is a virtual switch created by Container Station (Docker) on the QNAP.
Now if I set:
[my domain]:443 {
    proxy / http://[my ip]:PORT { # Radarr
        transparent
    }
}
It doesn’t work: 502 Bad Gateway.
Two things that will help you find out why the 502s are occurring:
1. Run curl http://[my ip]:PORT from the host Caddy is running on - does it work?
2. Add log /path/to/caddy.log and errors /path/to/errors.log to the Caddyfile. What comes up in the logs when you get these 502s?
bob
(bob)
March 23, 2018, 12:45pm
11
Thank you. I solved the problem by using the IP address 10.0.3.1 assigned by Docker.
Now I have a new problem with PHP. I built it with the abiosoft/caddy:php repo and set my own PUID and GUID.
2018/03/22 18:17:03 [INFO] Blocking Command "php-fpm7 " with ID ...
22/Mar/2018:18:17:41 +0000 [ERROR 0 /] Primary script unknown
[my ip] - - [22/Mar/2018:18:17:41 +0000] "GET / HTTP/2.0" 404 54
Caddy conf:
[mydomain]:443 {
    log stdout
    errors stdout
    gzip
    on startup php-fpm7
    fastcgi / 127.0.0.1:9000 php
    root /srv/www
    tls /root/.caddy/domain.full.cert.pem /root/.caddy/domain.key
    header / {
        Strict-Transport-Security "max-age=31536000;"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "DENY"
        Content-Security-Policy ""
        Referrer-Policy "strict-origin-when-cross-origin"
        -Server
    }
}
Since Caddy and PHP are running in the same container, it’s unlikely to be an incorrect SCRIPT_FILENAME, so it’s probably a permissions issue. Make sure that the user PHP is running as has read access to the files.
system
(system)
Closed
June 21, 2018, 2:00pm
13
This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.