What am I trying to do?
I’m trying to set up Caddy as a reverse proxy to secure external access to several services, chiefly an Emby media server, running on a Whatbox slot with the DNS for mydomain.tld handled by Cloudflare.
As a background, I was following this guide on the Whatbox wiki but ran into issues when I tried it myself. I spoke to Whatbox support and was told that this user-created page is probably incomplete. The page is actually not among their curated list of officially supported software on their main wiki page, but it was the first result that appeared on Google when I searched reverse proxy whatbox.
So while the question of whether it can work at all is unconfirmed, I imagine the original author didn’t write that guide as a joke and was actually able to get it running at some point. I figured I should ask here before trying something else.
Current Setup
- The host server has a static external address.
- To my knowledge, I have no control over what ports are provided for the services I run.
- My Emby server is directly accessible through HTTP from external-host-ip:7777. Emby also sets up port 8888 for HTTPS access but I cannot use it without first setting up an SSL cert.
- I’m using Cloudflare for DNS since it’s compatible with LetsEncrypt. My SSL cert setting on Cloudflare is currently set to Full (strict) (I don’t know if this is the correct setting).
What have I tried?
I installed Caddy and set up my Cloudflare credentials as environment variables according to the linked wiki guide.
Caddyfile
mydomain.tld {
    tls {
        dns cloudflare
    }
    gzip
    proxy /emby localhost:7777 { # Should this be the HTTPS port 8888 instead?
        websocket
        transparent
    }
    log
}
I ran Caddy as a screen daemon. Although that wiki guide may not be officially supported, the ports provided were indeed opened properly.
screen -dmS caddy /path/caddy/caddy -conf /path/caddy/Caddyfile -http-port 20202 -https-port 40404
This is where I ran into confusion. When I try to access my service via https://mydomain.tld/emby, I get an Error 526 page (Invalid SSL certificate).
I checked the log using ./caddy -log -stderr and see this:
Activating privacy features... done.
2019/01/09 22:27:44 listen tcp :443: bind: permission denied
If I attach the screen with screen -r caddyID, I see this:
Activating privacy features... done.
https://mydomain.tld:40404
http://mydomain.tld:20202
…which is what I think I should be seeing. What’s going on?
The Caddy page on automatic-https has this paragraph…
Paragraph on ports 80 and 443
Ports 80 and 443 must be externally open
By default, Caddy will bind to ports 80 and 443 to serve HTTPS and redirect HTTP to HTTPS. This usually requires privilege escalation. On Linux systems, you can give Caddy permission to bind to port 80 and 443 without being root using setcap, like so:
setcap cap_net_bind_service=+ep caddy. Don’t forget to configure all relevant firewalls to allow Caddy to use these ports for incoming and outgoing connections! Caddy must have claim on these ports to obtain certificates unless you enable the DNS challenge OR forward ports 80 and 443 to different ports internally (in which case you can change the HTTP and HTTPS ports using CLI flags).
…that makes it sound like not binding ports 80 and 443 was OK as long as I enabled the DNS challenge (which I think I am, through Cloudflare). This is what has me confused the most.
Is Caddy binding the new ports or is it trying to bind 80 and 443? If it is trying to bind the standard ports, why? Aren’t I explicitly setting them to be something else via CLI flags? Is this just some weirdness with running as screen daemon?
Finally, as this is a shared machine, I do not have root, but I did try running the setcap command suggested above…
setcap cap_net_bind_service=+ep /path/caddy/caddy
…but it was denied.
unable to set CAP_SETFCAP effective capability: Operation not permitted
Sorry for the wall of text. I hope I’ve given enough that someone will be able to help me understand what’s going on and maybe what I should do.
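The post turns on one Linux rule: a process without root or CAP_NET_BIND_SERVICE cannot bind ports below the unprivileged threshold (1024 by default), which is why the log shows `listen tcp :443: bind: permission denied` while the high ports 20202 and 40404 bind cleanly. The script below is an added example (not from the original post, the Whatbox wiki or Caddy itself) that reproduces both outcomes by attempting the binds directly and reports whether the current process holds the capability that the quoted setcap command would grant. The port list is the one from the post; the `/proc` paths are Linux-specific, and on a system without them the script falls back to the classic 1024 boundary and reports the capability as unknown.

```python
"""Check which of Caddy's listening ports this user may bind.

Reproduces the two outcomes from the post: 'permission denied' on a
privileged port such as 443 versus a clean bind on 20202/40404, and
shows whether CAP_NET_BIND_SERVICE (what `setcap cap_net_bind_service=+ep`
grants) is present in the effective capability set.
"""
import errno
import os
import socket

CAP_NET_BIND_SERVICE = 10  # bit index from <linux/capability.h>


def unprivileged_port_start() -> int:
    """First port an unprivileged process may bind (Linux sysctl, 1024 by default)."""
    try:
        with open("/proc/sys/net/ipv4/ip_unprivileged_port_start") as f:
            return int(f.read().strip())
    except OSError:
        return 1024  # assumption: classic boundary when the sysctl is unavailable


def is_privileged_port(port: int) -> bool:
    """True when binding this port needs root or CAP_NET_BIND_SERVICE."""
    return port < unprivileged_port_start()


def has_net_bind_service():
    """True/False from the effective capability set; None if /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapEff:"):
                    cap_eff = int(line.split()[1], 16)
                    return bool((cap_eff >> CAP_NET_BIND_SERVICE) & 1)
    except OSError:
        pass
    return None


def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Attempt a TCP bind and release it immediately.

    Returns 'ok', 'permission denied' (EACCES, the error in the post's log)
    or 'address in use' (EADDRINUSE, another listener already has the port).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        try:
            s.bind((host, port))
            return "ok"
        except PermissionError:
            return "permission denied"
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return "address in use"
            raise


def expected_outcome(port: int) -> set:
    """Set of bind outcomes consistent with this process's privileges for the port."""
    cap = has_net_bind_service()
    if is_privileged_port(port) and cap is False:
        return {"permission denied"}
    if is_privileged_port(port) and cap is None:
        return {"ok", "permission denied", "address in use"}
    return {"ok", "address in use"}


def report(ports=(80, 443, 20202, 40404)) -> dict:
    """Bind outcome for each port; the default list is the one from the post."""
    return {p: try_bind(p) for p in ports}


if __name__ == "__main__":
    print("unprivileged ports start at", unprivileged_port_start())
    print("CAP_NET_BIND_SERVICE in effective set:", has_net_bind_service())
    print("euid:", os.geteuid())
    for port, outcome in report().items():
        print(f"port {port:5d}: {outcome}")
```

Run it as the same unprivileged slot user that starts Caddy: a `permission denied` on 80 and 443 next to `ok` on 20202 and 40404 confirms that whatever process logged the 443 error was started with the default ports rather than the `-http-port`/`-https-port` values, and `CAP_NET_BIND_SERVICE: False` shows why the setcap route is closed without root.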