Caddy + Postgres + Outline wiki deployment issues on GCP

1. Caddy version (caddy version):

Caddy Docker Image latest ( 2.4.5, 2, latest)

2. How I run Caddy:

I mostly followed a guide on how to deploy a tool called Outline wiki. Please look at the end of this article for links to it.
Basically first running
sudo docker network create reverseproxy-nw
and then
sudo docker-compose up -d
See below for my docker-compose file

a. System environment:

Docker using docker-compose, on Debian 11 running on Google Cloud VM instance e2-small (2 vCPUs, 2 GB memory)

b. Command:

sudo docker-compose up -d

c. Service/unit/compose file:

version: "3"

networks:
  reverseproxy-nw:
    external: true

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./data:/data
    ports:
      - 80:80
      - 443:443
    networks:
      - reverseproxy-nw
    restart: unless-stopped

d. My complete Caddyfile or JSON config:

{
    debug
}
kb.mcgilleus.ca {
    reverse_proxy outline:443 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
    }
}
kbdata.mcgilleus.ca {
    reverse_proxy outline_minio:9000 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
    }
}

3. The problem I’m having:

I cannot access the website as shown in the guide above.
I have my DNS A records set like this:

A  kbdata.mcgilleus..ca   35.203.58.7   TTL:3600
A  kb.mcgilleus.ca   35.203.58.7   TTL:3600

a quick curl -v kbdata.mcgilleus.ca gives me this:

*   Trying 35.203.58.7:443...
* Connected to kbdata.mcgilleus.ca (35.203.58.7) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=kbdata.mcgilleus.ca
*  start date: Oct 19 03:25:53 2021 GMT
*  expire date: Jan 17 03:25:52 2022 GMT
*  subjectAltName: host "kbdata.mcgilleus.ca" matched cert's "kbdata.mcgilleus.ca"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x562d529739a0)
> GET / HTTP/2
> Host: kbdata.mcgilleus.ca
> user-agent: curl/7.79.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< accept-ranges: bytes
< content-security-policy: block-all-mixed-content
< content-type: application/xml
< date: Tue, 19 Oct 2021 04:59:44 GMT
< server: Caddy
< server: MinIO
< strict-transport-security: max-age=31536000; includeSubDomains
< vary: Origin
< vary: Accept-Encoding
< x-amz-request-id: 16AF55DA0F932A2C
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< content-length: 226
<
<?xml version="1.0" encoding="UTF-8"?>
* Connection #0 to host kbdata.mcgilleus.ca left intact
<Error><Code>AccessDenied</Code><Message>Access Denied.</Message><Resource>/</Resource><RequestId>16AF55DA0F932A2C</RequestId><HostId>cc3b7dcd-fa3f-4424-a9b5-6ece2213f462</HostId></Error>%   

Clearly there is an issue with accessing and permissions, or at least I think so.

4. Error messages and/or full log output:

Here are my caddy container logs:
aliotique@lucario:~/caddy$ sudo docker-compose logs caddy
Attaching to caddy
caddy    | {"level":"info","ts":1634619908.281191,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy    | 2021/10/19 05:05:08 [WARNING] Unnecessary header_up ('X-Forwarded-Proto' field): the reverse proxy's default behavior is to pass headers to the upstream
caddy    | 2021/10/19 05:05:08 [WARNING] Unnecessary header_up ('X-Forwarded-Proto' field): the reverse proxy's default behavior is to pass headers to the upstream
caddy    | {"level":"warn","ts":1634619908.2844605,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy    | {"level":"info","ts":1634619908.2868974,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
caddy    | {"level":"info","ts":1634619908.2871525,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy    | {"level":"info","ts":1634619908.2872167,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy    | {"level":"debug","ts":1634619908.2879457,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
caddy    | {"level":"debug","ts":1634619908.2880538,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
caddy    | {"level":"info","ts":1634619908.2881026,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["kbdata.mcgilleus.ca","kb.mcgilleus.ca"]}
caddy    | {"level":"info","ts":1634619908.2887173,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00033a7e0"}
caddy    | {"level":"debug","ts":1634619908.2900875,"logger":"tls","msg":"loading managed certificate","domain":"kbdata.mcgilleus.ca","expiration":1642389952,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634619908.2911036,"logger":"tls.cache","msg":"added certificate to cache","subjects":["kbdata.mcgilleus.ca"],"expiration":1642389952,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"info","ts":1634619908.2901967,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634619908.2931392,"logger":"tls","msg":"loading managed certificate","domain":"kb.mcgilleus.ca","expiration":1642389943,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634619908.2935917,"logger":"tls.cache","msg":"added certificate to cache","subjects":["kb.mcgilleus.ca"],"expiration":1642389943,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8960355d3dc9ad25c043dc528ef03a85fb86908c40f36228071dde74422157b1"}
caddy    | {"level":"info","ts":1634619908.293843,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy    | {"level":"info","ts":1634619908.293937,"msg":"serving initial configuration"}
caddy    | {"level":"info","ts":1634619908.2949057,"logger":"tls","msg":"finished cleaning storage units"}
caddy    | {"level":"debug","ts":1634619920.6256568,"logger":"tls.handshake","msg":"choosing certificate","identifier":"kbdata.mcgilleus.ca","num_choices":1}
caddy    | {"level":"debug","ts":1634619920.6257157,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"kbdata.mcgilleus.ca","subjects":["kbdata.mcgilleus.ca"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"debug","ts":1634619920.625727,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["kbdata.mcgilleus.ca"],"managed":true,"expiration":1642389952,"hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"debug","ts":1634619920.6446133,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"outline_minio:9000","request":{"remote_addr":"24.201.191.39:48298","proto":"HTTP/2.0","method":"GET","host":"kbdata.mcgilleus.ca","uri":"/","headers":{"Sec-Fetch-User":["?1"],"X-Forwarded-For":["24.201.191.39"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Upgrade-Insecure-Requests":["1"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:93.0) Gecko/20100101 Firefox/93.0"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Dnt":["1"],"Cache-Control":["max-age=0"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"X-Forwarded-Host":["kbdata.mcgilleus.ca"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"kbdata.mcgilleus.ca"}},"headers":{"Content-Type":["text/html; charset=utf-8"],"Location":["http://kbdata.mcgilleus.ca:40077"],"Vary":["Origin"],"Date":["Tue, 19 Oct 2021 05:05:20 GMT"],"Content-Length":["68"]},"status":307}
caddy    | {"level":"debug","ts":1634619922.7535079,"logger":"tls.handshake","msg":"choosing certificate","identifier":"kbdata.mcgilleus.ca","num_choices":1}
caddy    | {"level":"debug","ts":1634619922.753849,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"kbdata.mcgilleus.ca","subjects":["kbdata.mcgilleus.ca"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"debug","ts":1634619922.7539346,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["kbdata.mcgilleus.ca"],"managed":true,"expiration":1642389952,"hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"debug","ts":1634619922.7740898,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"outline_minio:9000","request":{"remote_addr":"24.201.191.39:48300","proto":"HTTP/2.0","method":"GET","host":"kbdata.mcgilleus.ca","uri":"/","headers":{"User-Agent":["curl/7.79.1"],"Accept":["*/*"],"X-Forwarded-For":["24.201.191.39"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["kbdata.mcgilleus.ca"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","proto_mutual":true,"server_name":"kbdata.mcgilleus.ca"}},"headers":{"X-Amz-Request-Id":["16AF5628BFAF8962"],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains"],"Content-Length":["226"],"Content-Security-Policy":["block-all-mixed-content"],"Content-Type":["application/xml"],"Server":["MinIO"],"Vary":["Origin","Accept-Encoding"],"Date":["Tue, 19 Oct 2021 05:05:22 GMT"],"Accept-Ranges":["bytes"]},"status":403}
aliotique@lucario:~/caddy$ 
Here are my main app (outline) logs:
aliotique@lucario:~/outline$ sudo docker-compose logs outline
Attaching to outline
outline             | yarn run v1.22.5
outline             | $ sequelize db:migrate --env=production-ssl-disabled
outline             | 
outline             | Sequelize CLI [Node: 14.17.6, CLI: 6.2.0, ORM: 6.3.5]
outline             | 
outline             | Loaded configuration file "server/config/database.json".
outline             | Using environment "production-ssl-disabled".
outline             | 
outline             | ERROR: connect ECONNREFUSED 172.19.0.2:5432
outline             | 
outline             | error Command failed with exit code 1.
outline             | info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
outline             | yarn run v1.22.5
outline             | $ sequelize db:migrate --env=production-ssl-disabled
outline             | 
outline             | Sequelize CLI [Node: 14.17.6, CLI: 6.2.0, ORM: 6.3.5]
outline             | 
outline             | Loaded configuration file "server/config/database.json".
outline             | Using environment "production-ssl-disabled".
outline             | == 20160619080644-initial: migrating =======
outline             | == 20160619080644-initial: migrated (0.051s)
outline             | 
outline             | == 20160622043741-add-parent-document: migrating =======
outline             | == 20160622043741-add-parent-document: migrated (0.008s)
outline             | 
outline             | == 20160626063409-add-indexes: migrating =======
outline             | == 20160626063409-add-indexes: migrated (0.034s)
outline             | 
outline             | == 20160626175224-add-revisions: migrating =======
outline             | == 20160626175224-add-revisions: migrated (0.018s)
outline             | 
outline             | == 20160711071958-search-index: migrating =======
outline             | == 20160711071958-search-index: migrated (0.013s)
outline             | 
outline             | == 20160726061511-atlas-creator: migrating =======
outline             | == 20160726061511-atlas-creator: migrated (0.007s)
outline             | 
outline             | == 20160812145029-document-atlas-soft-delete: migrating =======
outline             | == 20160812145029-document-atlas-soft-delete: migrated (0.008s)
outline             | 
outline             | == 20160814083127-paranoia-indeces: migrating =======
outline             | == 20160814083127-paranoia-indeces: migrated (0.041s)
outline             | 
outline             | == 20160814095336-add-document-createdById: migrating =======
outline             | == 20160814095336-add-document-createdById: migrated (0.007s)
outline             | 
outline             | == 20160814111419-add-document-collaboratorIds: migrating =======
outline             | == 20160814111419-add-document-collaboratorIds: migrated (0.007s)
outline             | 
outline             | == 20160815142720-app-collection-urlId: migrating =======
outline             | == 20160815142720-app-collection-urlId: migrated (0.009s)
outline             | 
outline             | == 20160816082738-add-revision-index: migrating =======
outline             | == 20160816082738-add-revision-index: migrated (0.009s)
outline             | 
outline             | == 20160824061730-add-apikeys: migrating =======
outline             | == 20160824061730-add-apikeys: migrated (0.014s)
outline             | 
outline             | == 20160824062457-add-apikey-indeces: migrating =======
outline             | == 20160824062457-add-apikey-indeces: migrated (0.012s)
outline             | 
outline             | == 20160911230444-user-optional-slack-id: migrating =======
outline             | == 20160911230444-user-optional-slack-id: migrated (0.034s)
outline             | 
outline             | == 20160911232911-user-unique-fields: migrating =======
outline             | == 20160911232911-user-unique-fields: migrated (0.044s)
outline             | 
outline             | == 20160911234928-user-password: migrating =======
outline             | == 20160911234928-user-password: migrated (0.007s)
outline             | 
outline             | == 20170603185012-add-collection-documentStructure-migration: migrating =======
outline             | == 20170603185012-add-collection-documentStructure-migration: migrated (0.009s)
outline             | 
outline             | == 20170604052346-add-views: migrating =======
outline             | == 20170604052346-add-views: migrated (0.015s)
outline             | 
outline             | == 20170604052347-add-stars: migrating =======
outline             | == 20170604052347-add-stars: migrated (0.014s)
outline             | 
outline             | == 20170712055148-non-unique-email: migrating =======
outline             | == 20170712055148-non-unique-email: migrated (0.009s)
outline             | 
outline             | == 20170712072234-uniq-slack-id: migrating =======
outline             | == 20170712072234-uniq-slack-id: migrated (0.012s)
outline             | 
outline             | == 20170729215619-emoji: migrating =======
outline             | == 20170729215619-emoji: migrated (0.007s)
outline             | 
outline             | == 20170827182423-improve-references: migrating =======
outline             | == 20170827182423-improve-references: migrated (0.016s)
outline             | 
outline             | == 20170904202454-allow-null-username: migrating =======
outline             | == 20170904202454-allow-null-username: migrated (0.007s)
outline             | 
outline             | == 20171010042938-add-event: migrating =======
outline             | == 20171010042938-add-event: migrated (0.014s)
outline             | 
outline             | == 20171016012353-remove-collection-navigationtree: migrating =======
outline             | == 20171016012353-remove-collection-navigationtree: migrated (0.007s)
outline             | 
outline             | == 20171017055026-remove-document-html: migrating =======
outline             | == 20171017055026-remove-document-html: migrated (0.010s)
outline             | 
outline             | == 20171019071915-user-avatar-url: migrating =======
outline             | == 20171019071915-user-avatar-url: migrated (0.007s)
outline             | 
outline             | == 20171023064220-collection-color: migrating =======
outline             | == 20171023064220-collection-color: migrated (0.007s)
outline             | 
outline             | == 20171218043717-add-authentications: migrating =======
outline             | == 20171218043717-add-authentications: migrated (0.014s)
outline             | 
outline             | == 20171225143838-set-admins: migrating =======
outline             | == 20171225143838-set-admins: migrated (0.009s)
outline             | 
outline             | == 20180115021837-add-drafts: migrating =======
outline             | == 20180115021837-add-drafts: migrated (0.013s)
outline             | 
outline             | == 20180212033504-add-integrations: migrating =======
outline             | == 20180212033504-add-integrations: migrated (0.015s)
outline             | 
outline             | == 20180225203847-document-pinning: migrating =======
outline             | == 20180225203847-document-pinning: migrated (0.007s)
outline             | 
outline             | == 20180303193036-suspended-users: migrating =======
outline             | == 20180303193036-suspended-users: migrated (0.009s)
outline             | 
outline             | == 20180324214403-serializer-upgrade: migrating =======
outline             | == 20180324214403-serializer-upgrade: migrated (0.006s)
outline             | 
outline             | == 20180513041057-add-share-links: migrating =======
outline             | == 20180513041057-add-share-links: migrated (0.011s)
outline             | 
outline             | == 20180528233909-google-auth: migrating =======
outline             | == 20180528233909-google-auth: migrated (0.039s)
outline             | 
outline             | == 20180528233910-rename-serviceid: migrating =======
outline             | == 20180528233910-rename-serviceid: migrated (0.030s)
outline             | 
outline             | == 20180604182823-user-tracking: migrating =======
outline             | == 20180604182823-user-tracking: migrated (0.011s)
outline             | 
outline             | == 20180604191743-revoke-share-links: migrating =======
outline             | == 20180604191743-revoke-share-links: migrated (0.009s)
outline             | 
outline             | == 20180707220121-more-soft-delete: migrating =======
outline             | == 20180707220121-more-soft-delete: migrated (0.008s)
outline             | 
outline             | == 20180707231201-remove-passwords: migrating =======
outline             | == 20180707231201-remove-passwords: migrated (0.010s)
outline             | 
outline             | == 20180708231200-serviceid-null: migrating =======
outline             | == 20180708231200-serviceid-null: migrated (0.009s)
outline             | 
outline             | == 20180808061353-cleanup: migrating =======
outline             | == 20180808061353-cleanup: migrated (0.026s)
outline             | 
outline             | == 20180819054252-disable-sharing: migrating =======
outline             | == 20180819054252-disable-sharing: migrated (0.008s)
outline             | 
outline             | == 20181031015046-add-subdomain-to-team: migrating =======
outline             | == 20181031015046-add-subdomain-to-team: migrated (0.015s)
outline             | 
outline             | == 20181124000438-add-notifications: migrating =======
outline             | == 20181124000438-add-notifications: migrated (0.025s)
outline             | 
outline             | == 20181215192422-document-embeds: migrating =======
outline             | == 20181215192422-document-embeds: migrated (0.007s)
outline             | 
outline             | == 20181227001547-collection-permissions: migrating =======
outline             | == 20181227001547-collection-permissions: migrated (0.015s)
outline             | 
outline             | == 20190404035736-add-archive: migrating =======
outline             | == 20190404035736-add-archive: migrated (0.007s)
outline             | 
outline             | == 20190423051708-add-search-indexes: migrating =======
outline             | == 20190423051708-add-search-indexes: migrated (0.017s)
outline             | 
outline             | == 20190606035733-events: migrating =======
outline             | == 20190606035733-events: migrated (0.025s)
outline             | 
outline             | == 20190704070630-welcome-docs: migrating =======
outline             | == 20190704070630-welcome-docs: migrated (0.009s)
outline             | 
outline             | == 20190706213213-backlinks: migrating =======
outline             | == 20190706213213-backlinks: migrated (0.020s)
outline             | 
outline             | == 20190811231511-maintainers: migrating =======
outline             | == 20190811231511-maintainers: migrated (0.014s)
outline             | 
outline             | == 20191118023010-cascade-delete: migrating =======
outline             | == 20191118023010-cascade-delete: migrated (0.010s)
outline             | 
outline             | == 20191119023010-cascade-backlinks: migrating =======
outline             | == 20191119023010-cascade-backlinks: migrated (0.010s)
outline             | 
outline             | == 20191119023011-cascade-parent-documents: migrating =======
outline             | == 20191119023011-cascade-parent-documents: migrated (0.010s)
outline             | 
outline             | == 20191119023012-cascade-shares: migrating =======
outline             | == 20191119023012-cascade-shares: migrated (0.010s)
outline             | 
outline             | == 20191119023013-cascade-backlinks2: migrating =======
outline             | == 20191119023013-cascade-backlinks2: migrated (0.010s)
outline             | 
outline             | == 20191121035144-guest-invite: migrating =======
outline             | == 20191121035144-guest-invite: migrated (0.011s)
outline             | 
outline             | == 20191211044318-create-groups: migrating =======
outline             | == 20191211044318-create-groups: migrated (0.021s)
outline             | 
outline             | == 20191211044319-create-group-users: migrating =======
outline             | == 20191211044319-create-group-users: migrated (0.021s)
outline             | 
outline             | == 20191228031525-edit-presence: migrating =======
outline             | == 20191228031525-edit-presence: migrated (0.007s)
outline             | 
outline             | == 20200104233831-attachments: migrating =======
outline             | == 20200104233831-attachments: migrated (0.020s)
outline             | 
outline             | == 20200122083721-create-collection-groups: migrating =======
outline             | == 20200122083721-create-collection-groups: migrated (0.023s)
outline             | 
outline             | == 20200316040755-document-editor-version: migrating =======
outline             | == 20200316040755-document-editor-version: migrated (0.010s)
outline             | 
outline             | == 20200328175012-cascade-delete: migrating =======
outline             | == 20200328175012-cascade-delete: migrated (0.011s)
outline             | 
outline             | == 20200330053639-document-version: migrating =======
outline             | == 20200330053639-document-version: migrated (0.010s)
outline             | 
outline             | == 20200519032353-text-backup: migrating =======
outline             | == 20200519032353-text-backup: migrated (0.009s)
outline             | 
outline             | == 20200522054958-collection-icon: migrating =======
outline             | == 20200522054958-collection-icon: migrated (0.007s)
outline             | 
outline             | == 20200723055414-add-published-to-shares: migrating =======
outline             | == 20200723055414-add-published-to-shares: migrated (0.008s)
outline             | 
outline             | == 20200727051157-add-templates: migrating =======
outline             | == 20200727051157-add-templates: migrated (0.010s)
outline             | 
outline             | == 20200812170227-remove-collection-type: migrating =======
outline             | == 20200812170227-remove-collection-type: migrated (0.008s)
outline             | 
outline             | == 20200915010511-create-search-queries: migrating =======
outline             | == 20200915010511-create-search-queries: migrated (0.020s)
outline             | 
outline             | == 20200926204620-add-missing-indexes: migrating =======
outline             | == 20200926204620-add-missing-indexes: migrated (0.022s)
outline             | 
outline             | == 20201028043021-reverse-document-id-index: migrating =======
outline             | == 20201028043021-reverse-document-id-index: migrated (0.010s)
outline             | 
outline             | == 20201103050534-custom-domains: migrating =======
outline             | == 20201103050534-custom-domains: migrated (0.011s)
outline             | 
outline             | == 20201106122752-i18n: migrating =======
outline             | == 20201106122752-i18n: migrated (0.007s)
outline             | 
outline             | == 20201206210619-update-attachment-cols: migrating =======
outline             | == 20201206210619-update-attachment-cols: migrated (0.008s)
outline             | 
outline             | == 20201211080408-attachment-no-cascade: migrating =======
outline             | == 20201211080408-attachment-no-cascade: migrated (0.008s)
outline             | 
outline             | == 20201230031607-collection-sort: migrating =======
outline             | == 20201230031607-collection-sort: migrated (0.007s)
outline             | 
outline             | == 20210110143902-collection-rename-creator-id: migrating =======
outline             | == 20210110143902-collection-rename-creator-id: migrated (0.017s)
outline             | 
outline             | == 20210208062816-disable-collection-sharing: migrating =======
outline             | == 20210208062816-disable-collection-sharing: migrated (0.008s)
outline             | 
outline             | == 20210218111237-add-collection-index: migrating =======
outline             | == 20210218111237-add-collection-index: migrated (0.009s)
outline             | 
outline             | == 20210226232041-authentication-providers: migrating =======
outline             | == 20210226232041-authentication-providers: migrated (0.039s)
outline             | 
outline             | == 20210310051804-passport: migrating =======
outline             | == 20210310051804-passport: migrated (0.009s)
outline             | 
outline             | == 20210314173941-isViewer: migrating =======
outline             | == 20210314173941-isViewer: migrated (0.007s)
outline             | 
outline             | == 20210327005406-read-only-collections: migrating =======
outline             | == 20210327005406-read-only-collections: migrated (0.010s)
outline             | 
outline             | == 20210418053152-share-last-viewed: migrating =======
outline             | == 20210418053152-share-last-viewed: migrated (0.007s)
outline             | 
outline             | == 20210426055334-nested-document-sharing: migrating =======
outline             | == 20210426055334-nested-document-sharing: migrated (0.007s)
outline             | 
outline             | == 20210430024222-marketing-tracking: migrating =======
outline             | == 20210430024222-marketing-tracking: migrated (0.006s)
outline             | 
outline             | == 20210716064654-introduce-previousTitles: migrating =======
outline             | == 20210716064654-introduce-previousTitles: migrated (0.008s)
outline             | 
outline             | == 20210716071454-search-index-previousTitles: migrating =======
outline             | == 20210716071454-search-index-previousTitles: migrated (0.009s)
outline             | 
outline             | == 20210716162923-events-indexes: migrating =======
outline             | == 20210716162923-events-indexes: migrated (0.012s)
outline             | 
outline             | == 20210730042450-remove-unused-indexes: migrating =======
outline             | == 20210730042450-remove-unused-indexes: migrated (0.016s)
outline             | 
outline             | == 20210730044247-remove-backup-column: migrating =======
outline             | == 20210730044247-remove-backup-column: migrated (0.008s)
outline             | 
outline             | == 20210730210120-add-fileOperations: migrating =======
outline             | == 20210730210120-add-fileOperations: migrated (0.075s)

5. What I already tried:

I thought it could have been an issue with directory permissions, so I ran

sudo chmod -R 755 caddy/
sudo chmod -R 755 outline/

I tried redoing everything and changing every single variable in my Outline config files, but it all leads to me suspecting my caddy configuration to be the problem. I tried it on a fresh VM and the errors persist.
Apologies for my lack of experience. Any help is really, really appreciated!

6. Links to relevant resources:

> Deploying Outline with Docker and Caddy
Outline wiki website

I think you mistakenly pasted your docker-compose config twice, I’m not seeing your Caddyfile :no_mouth:

Note these warnings, you probably have some lines in your config you don’t need.

Looks like the upstream being hit is MinIO, not “Outline”, unless those are the same thing.

Your upstream is returning a 403 response, for some reason. This doesn’t seem like an issue with Caddy. It’s likely some misconfiguration with MinIO. But I’ve never used MinIO so I don’t know where to point you to look.

1 Like

Minio is used as storage for images in outline. The kbdata-address is probably not usable directly, you need the complete address of an image to get something useful. Minio has a browsable “console”, but this runs on a different port. This has changed sometime this year, so perhaps the gurucomputing blog was created with an earlier version of the minio image, where the console was available on the same port as the data storage. I have a dedicated subdomain for the console (also behind Caddy).
In the docker-compose.yml for minio I have appended ' --console-address ":9001"' to the command line of the minio service, and “EXPOSE” this port 9001.
Then I have a console.minio.example.com reverse proxied to minio:9001.

Outline should be reachable via reverse_proxy to the name of the outline container and the port as configured in the outline environment file.
I think the gurucomputing blog is not really correct (running the container with “--env=production-ssl-disabled” but on PORT 443). I have outline running on PORT 3000, with the external URL set to the equivalent of kb.mcgilleus.ca, and FORCE_HTTPS=false.
In my Caddyfile I have this:

outline.example.com {
        reverse_proxy http://outline:3000 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }

}
minio.example.com {
        reverse_proxy http://minio:9000 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }

}
console.minio.example.com {
        reverse_proxy http://minio:9001 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }

}

not sure if the header directives are really needed.

P.S. i have this running, but only as test, because outline is missing at least a file attachment feature for our production use

3 Likes

Thanks a lot for looking. I edited my post to include the Caddy file. It is indeed an issue with MinIO (AWS S3 compatible storage service that according to another comment was misconfigured and the guide I was following was outdated)

Thanks a lot for your answer. This clarifies a lot of stuff. Here I have my new Caddyfile:

kb.mcgilleus.ca {
        reverse_proxy http://outline:3000 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }
}
kbdata.mcgilleus.ca {
        reverse_proxy http://minio:9000 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }
}
console.mcgilleus.ca {
        reverse_proxy http://minio:9001 {
                header_down Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"
                header_up X-Real-IP {remote_host}
        }
}

and here is my new MinIO docker-compose:

...
  outline_minio:
    image: minio/minio
    container_name: outline_minio
    volumes:
      - ./data:/data
    env_file: ./outline_minio.env
    networks:
      - reverseproxy-nw
    command: "server --console-address “:9001” /data"
...

New DNS configs:

A  kbdata.mcgilleus..ca   35.203.58.7   TTL:3600
A  kb.mcgilleus.ca   35.203.58.7   TTL:3600
A  console.mcgilleus.ca    35.203.58.7   TTL:3600

and changed outline.env so force-https is set to false

outline.env:
# 👋 Welcome, we're glad you're setting up an installation of Outline. Copy this 
# file to .env or set the variables in your local environment manually. For 
# development with docker this should mostly work out  of the box other than 
# setting the Slack keys and the SECRET_KEY.
# This is an undocumented environment variable, required if you are running postgres unencrypted
# (which we are since we're using docker on a single host)
PGSSLMODE=disable
# –––––––––––––––– REQUIRED ––––––––––––––––
# Generate a unique random key, you can use `openssl rand -hex 32` in terminal
# DO NOT LEAVE UNSET. THIS IS JUST A DEMO KEY, CHANGE IT YOURSELF!
SECRET_KEY=fe90bfae1fe2907c82bbcf58e4f3fde2104f78d13814b1f2468e530396a4ae9c
# Generate a unique random key, you can use `openssl rand -hex 32` in terminal
# DO NOT LEAVE UNSET. THIS IS JUST A DEMO KEY, CHANGE IT YOURSELF!
UTILS_SECRET=5c8f6712ca2e7014b9ca82f02fec572434f5e8f97402b7b1989fc8dd3f7997f7
# For production point these at your databases, in development the default
# should work out of the box.
DATABASE_URL=postgres://arandomusername:mypasswordrandomlygenerateme123@outline_postgres:5432/outline
# Note, we do not have a test database, so this is just filler. Changing to test won't work without initializing
# another postgres database (preferably on a separate docker image).
DATABASE_URL_TEST=postgres://arandomusername:mypasswordrandomlygenerateme123@outline_postgres:5432/outline_test
REDIS_URL=redis://outline_redis:6379
# URL should point to the fully qualified, publicly accessible URL. If using a
# proxy the port in URL and PORT may be different.
URL=https://kb.mcgilleus.ca
PORT=443
# Third party signin credentials, at least one of EITHER Google OR Slack is
# required for a working installation or you'll have no sign-in options.
# To configure Slack auth, you'll need to create an Application at
# => https://api.slack.com/apps
#
# When configuring the Client ID, add a redirect URL under "OAuth & Permissions":
# https://<URL>/auth/slack.callback
SLACK_KEY=2012233542167.2637377603344
SLACK_SECRET=0a8cee459427e589c56942561365474b
# To configure Google auth, you'll need to create an OAuth Client ID at
# => https://console.cloud.google.com/apis/credentials
#
# When configuring the Client ID, add an Authorized redirect URI:
# https://<URL>/auth/google.callback
GOOGLE_CLIENT_ID=
GOOGLE_CLIENT_SECRET=
# –––––––––––––––– OPTIONAL ––––––––––––––––
# If using a Cloudfront/Cloudflare distribution or similar it can be set below.
# This will cause paths to javascript, stylesheets, and images to be updated to  
# the hostname defined in CDN_URL. In your CDN configuration the origin server 
# should be set to the same as URL.
CDN_URL=
# Auto-redirect to https in production. The default is true but you may set to 
# false if you can be sure that SSL is terminated at an external loadbalancer.
FORCE_HTTPS=false
# Have the installation check for updates by sending anonymized statistics to
# the maintainers
ENABLE_UPDATES=true
# You may enable or disable debugging categories to increase the noisiness of
# logs. The default is a good balance
DEBUG=cache,presenters,events,emails,mailer,utils,multiplayer,server,services
# Comma separated list of domains to be allowed to signin to the wiki. If not
# set, all domains are allowed by default when using Google OAuth to signin
GOOGLE_ALLOWED_DOMAINS=
# For a complete Slack integration with search and posting to channels the 
# following configs are also needed, some more details
# => https://wiki.generaloutline.com/share/be25efd1-b3ef-4450-b8e5-c4a4fc11e02a
#
SLACK_VERIFICATION_TOKEN=bUB7nCxrfAP5pHAENQsGgi81
SLACK_APP_ID=A02JRB3HRA4
SLACK_MESSAGE_ACTIONS=false
# Optionally enable google analytics to track pageviews in the knowledge base 
GOOGLE_ANALYTICS_ID=
# Optionally enable Sentry (sentry.io) to track errors and performance
SENTRY_DSN=
# To support uploading of images for avatars and document attachments an
# s3-compatible storage must be provided. AWS S3 is recommended for redundancy
# however if you want to keep all file storage local an alternative such as 
# minio (https://github.com/minio/minio) can be used.
# A more detailed guide on setting up S3 is available here:
# => https://wiki.generaloutline.com/share/125de1cc-9ff6-424b-8415-0d58c809a40f
#
AWS_ACCESS_KEY_ID=anotherusername
AWS_SECRET_ACCESS_KEY=2ndpasswordrandomlygenerateme
AWS_REGION=us-east-1
AWS_S3_UPLOAD_BUCKET_URL=https://kbdata.mcgilleus.ca
AWS_S3_UPLOAD_BUCKET_NAME=outline
AWS_S3_UPLOAD_MAX_SIZE=26214400
AWS_S3_FORCE_PATH_STYLE=true
AWS_S3_ACL=private
# To support sending outgoing transactional emails such as "document updated" or 
# "you've been invited" you'll need to provide authentication for an SMTP server.
# For this guide, we're ignoring mail support for now.
SMTP_HOST=
SMTP_PORT=
SMTP_USERNAME=
SMTP_PASSWORD=
SMTP_FROM_EMAIL=
SMTP_REPLY_EMAIL=
# Custom logo that displays on the authentication screen, scaled to height: 60px
# TEAM_LOGO=https://example.com/images/logo.png
# The default interface language. See translate.getoutline.com for a list of 
# available language codes and their rough percentage translated.
DEFAULT_LANGUAGE=en_US

Still, after running
sudo docker-compose up -d --force-recreate on both my Outline deployment (Outline, Postgres & MinIO) and Caddy, the same error persists.
As a last ditch effort, I deleted all containers, deleted all images and re-ran everything but it does not seem to be working. Surely I’m missing something in my networking configuration, since my curl command below gives a 502 error.

$ curl -v https://console.mcgilleus.ca
*   Trying 35.203.58.7...
* TCP_NODELAY set
* Connected to console.mcgilleus.ca (35.203.58.7) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=console.mcgilleus.ca
*  start date: Oct 19 14:34:58 2021 GMT
*  expire date: Jan 17 14:34:57 2022 GMT
*  subjectAltName: host "console.mcgilleus.ca" matched cert's "console.mcgilleus.ca"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fb4e680dc00)
> GET / HTTP/2
> Host: console.mcgilleus.ca
> User-Agent: curl/7.64.1
> Accept: */*
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 502
< server: Caddy
< content-length: 0
< date: Tue, 19 Oct 2021 16:28:20 GMT
<
* Connection #0 to host console.mcgilleus.ca left intact
* Closing connection 0
Here are my Caddy logs with debug:
$ ~/caddy$ sudo docker-compose logs caddy
Attaching to caddy
caddy    | {"level":"info","ts":1634660540.5385053,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy    | {"level":"warn","ts":1634660540.5405896,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":5}
caddy    | {"level":"info","ts":1634660540.542264,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
caddy    | {"level":"info","ts":1634660540.5427277,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000351dc0"}
caddy    | {"level":"info","ts":1634660540.542837,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy    | {"level":"info","ts":1634660540.5429285,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy    | {"level":"info","ts":1634660540.5437949,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
caddy    | {"level":"info","ts":1634660540.545878,"logger":"tls","msg":"finished cleaning storage units"}
caddy    | {"level":"debug","ts":1634660540.5460737,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
caddy    | {"level":"debug","ts":1634660540.5462284,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
caddy    | {"level":"info","ts":1634660540.5463479,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["console.mcgilleus.ca","kbdata.mcgilleus.ca","kb.mcgilleus.ca"]}
caddy    | {"level":"debug","ts":1634660540.546961,"logger":"tls","msg":"loading managed certificate","domain":"console.mcgilleus.ca","expiration":1642430097,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634660540.546961,"logger":"tls","msg":"loading managed certificate","domain":"console.mcgilleus.ca","expiration":1642430097,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634660540.547421,"logger":"tls.cache","msg":"added certificate to cache","subjects":["console.mcgilleus.ca"],"expiration":1642430097,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"69798996b7988675854818d03b5d51f657fb904eb491caf0d912533f22ce2eb5"}
caddy    | {"level":"debug","ts":1634660540.5479758,"logger":"tls","msg":"loading managed certificate","domain":"kbdata.mcgilleus.ca","expiration":1642389952,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634660540.548385,"logger":"tls.cache","msg":"added certificate to cache","subjects":["kbdata.mcgilleus.ca"],"expiration":1642389952,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"f21193e1cec0b183b4cfe13270ef52e121beb80402b1bbfc58c2990da70e57a9"}
caddy    | {"level":"debug","ts":1634660540.5488935,"logger":"tls","msg":"loading managed certificate","domain":"kb.mcgilleus.ca","expiration":1642389943,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
caddy    | {"level":"debug","ts":1634660540.5492537,"logger":"tls.cache","msg":"added certificate to cache","subjects":["kb.mcgilleus.ca"],"expiration":1642389943,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8960355d3dc9ad25c043dc528ef03a85fb86908c40f36228071dde74422157b1"}
caddy    | {"level":"info","ts":1634660540.5495002,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy    | {"level":"info","ts":1634660540.549521,"msg":"serving initial configuration"}
caddy    | {"level":"debug","ts":1634660900.427976,"logger":"tls.handshake","msg":"choosing certificate","identifier":"console.mcgilleus.ca","num_choices":1}
caddy    | {"level":"debug","ts":1634660900.4322386,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"console.mcgilleus.ca","subjects":["console.mcgilleus.ca"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"69798996b7988675854818d03b5d51f657fb904eb491caf0d912533f22ce2eb5"}
caddy    | {"level":"debug","ts":1634660900.432532,"logger":"tls.handshake","msg":"matched certificate in cache","subjects":["console.mcgilleus.ca"],"managed":true,"expiration":1642430097,"hash":"69798996b7988675854818d03b5d51f657fb904eb491caf0d912533f22ce2eb5"}
caddy    | {"level":"debug","ts":1634660900.6213338,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"minio:9001","request":{"remote_addr":"24.201.191.39:54250","proto":"HTTP/2.0","method":"GET","host":"console.mcgilleus.ca","uri":"/","headers":{"X-Forwarded-For":["24.201.191.39"],"X-Forwarded-Proto":["https"],"X-Real-Ip":["24.201.191.39"],"User-Agent":["curl/7.64.1"],"Accept":["*/*"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","proto_mutual":true,"server_name":"console.mcgilleus.ca"}},"duration":0.100324013,"error":"dial tcp: lookup minio on 127.0.0.11:53: no such host"}
caddy    | {"level":"error","ts":1634660900.6237483,"logger":"http.log.error","msg":"dial tcp: lookup minio on 127.0.0.11:53: no such host","request":{"remote_addr":"24.201.191.39:54250","proto":"HTTP/2.0","method":"GET","host":"console.mcgilleus.ca","uri":"/","headers":{"User-Agent":["curl/7.64.1"],"Accept":["*/*"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"h2","proto_mutual":true,"server_name":"console.mcgilleus.ca"}},"duration":0.105420462,"status":502,"err_id":"z94pvjd5y","err_trace":"reverseproxy.statusError (reverseproxy.go:858)"}
caddy    | {"level":"debug","ts":1634661514.3601341,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"172.18.0.2"}
caddy    | {"level":"debug","ts":1634661514.3617017,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"192.241.210.29:37622","identifier":"172.18.0.2","cipher_suites":[49199,49195,49169,49159,49171,49161,49172,49162,5,47,53,49170,10],"cache_size":3,"cache_capacity":10000,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
caddy    | {"level":"debug","ts":1634661514.3618467,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.241.210.29:37622: no certificate available for '172.18.0.2'"}
caddy    | {"level":"debug","ts":1634661541.6204717,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.241.197.157:49982: tls: client offered only unsupported versions: [302 301]"}

Thanks again for looking. Also would it be possible to take a look at your configuration, if possible?
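An added example, not part of any post in this thread: Caddy's 502 comes back with an empty body, so the cause is only visible in the debug-level "upstream roundtrip" log entry. The sketch below pulls those entries out of `docker-compose logs caddy` output and checks any upstream name that failed DNS against the names the compose files define. The function names, the second sample entry and the name set are assumptions made for illustration.

```python
import json
import re

# Constructed sample in the shape of `docker-compose logs caddy` output with
# Caddy's `debug` option on. The first roundtrip error is abridged from the
# thread; the second entry (host, address) is made up to show another cause.
SAMPLE_LOG = r"""
Attaching to caddy
caddy    | {"level":"info","ts":1634660540.549521,"msg":"serving initial configuration"}
caddy    | {"level":"debug","ts":1634660900.6213338,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"minio:9001","request":{"host":"console.mcgilleus.ca","uri":"/"},"error":"dial tcp: lookup minio on 127.0.0.11:53: no such host"}
caddy    | {"level":"debug","ts":1634660901.1,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"outline:3000","request":{"host":"kb.example.com","uri":"/"},"error":"dial tcp 172.18.0.5:3000: connect: connection refused"}
"""

DNS_FAIL = re.compile(r"lookup (\S+) on \S+: no such host")


def parse_line(line):
    """Strip the docker-compose 'name | ' prefix and decode the JSON entry."""
    _, sep, payload = line.partition("| ")
    if not sep:
        return None
    try:
        entry = json.loads(payload)
    except json.JSONDecodeError:
        return None  # terminal-wrapped or truncated line
    return entry if isinstance(entry, dict) else None


def classify(error):
    """Map Go's dial error text to a coarse cause and, for DNS, the name."""
    match = DNS_FAIL.search(error)
    if match:
        return "dns", match.group(1)
    if "connection refused" in error:
        return "refused", None
    return "other", None


def upstream_failures(log_text):
    """Return one record per failed reverse_proxy roundtrip."""
    failures = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry.get("logger") != "http.handlers.reverse_proxy":
            continue
        error = entry.get("error")
        if not error:
            continue
        cause, name = classify(error)
        failures.append({
            "site": entry.get("request", {}).get("host"),
            "upstream": entry.get("upstream"),
            "cause": cause,
            "name": name,
        })
    return failures


def unknown_upstream_names(failures, compose_names):
    """DNS-failed names that no service, container_name or alias defines."""
    return sorted({f["name"] for f in failures
                   if f["cause"] == "dns" and f["name"] not in compose_names})


if __name__ == "__main__":
    found = upstream_failures(SAMPLE_LOG)
    for failure in found:
        print(failure)
    # Names visible in the compose files quoted in the thread.
    print(unknown_upstream_names(found, {"caddy", "outline_minio"}))
```

A "dns" result means the name in the Caddyfile is not resolvable on the shared Docker network, while "refused" means the name resolved but nothing is listening on that port.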

My docker-compose for Minio:

version: '3.7'

services:
  minio:
    image: minio/minio
    volumes:
      - /opt/minio/data:/data
    restart: unless-stopped
    expose:
       - "9000"
       - "9001"
    env_file:
      - minio.env
    command: server /data --console-address ":9001"
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

    networks:
      minio:
      proxy:
        aliases:
          - minio

networks:
  proxy:
    external: true
  minio:
    external: false

(i use Minio for more than outline, so i have it defined in its own docker-compose.yml and have a different networks configuration)

I think there is a syntax problem with your line with “command”, can you remove the " before server and after data?
And i think you need to explicitly expose the port 9001 (9000 is exposed by default in the image)

So it should be:

  outline_minio:
    image: minio/minio
    container_name: outline_minio
    volumes:
      - ./data:/data
    env_file: ./outline_minio.env
    networks:
      - reverseproxy-nw
    expose:
       - "9000"
       - "9001"
    command: server --console-address ":9001" /data

In my minio.env (-> outline_minio.env in your case) i have an environment variable MINIO_BROWSER_REDIRECT_URL defined, pointing to the console url, so in your case:

MINIO_BROWSER_REDIRECT_URL=https://console.mcgilleus.ca/

This is recommended here: GitHub - minio/minio: High Performance, Kubernetes Native Object Storage

Additionally i see that you are still using port 443 for outline. i think it would be better to use a different port, because the outline server doesn’t use SSL/TLS by itself. the standard port of the outline image is 3000.

3 Likes
