Caddy Reverse Proxy issues with internal HTTPS sites (self signed)


(James S) #1

Hi,

I’ve got a Caddy reverse proxy serving internal HTTP sites fine, but I can’t get it working with internal sites that are HTTPS. All have an auto-generated self-signed cert (not done by me; auto-created when setting up the application/Docker container etc.).

I’ve tried adding the following to my Caddyfile after suggestions from various forums and articles found whilst searching, but still no luck:

    transparent
    header_upstream X-Forwarded-Host {host}

My current Caddyfile (the bottom entry is the one not working; the top entry works fine):

# Working entry: upstream is plain HTTP
domain.host.com {
    proxy / IP.IP.IP.IP {
    }
    gzip
}

# Not working: upstream serves HTTPS with a self-signed certificate
domain.hostname.com {
    proxy / IP.IP.IP.IP {
        header_upstream X-Forwarded-Host {host}
        transparent
    }
    gzip
}

I would appreciate it if someone could point me in the right direction; I am fairly new to Caddy.


(Matthew Fay) #2

Hi @jameski83,

When connecting to an HTTPS upstream server, Caddy requires the certificate to be valid. You can disable the verification with the insecure_skip_verify subdirective.

https://caddyserver.com/docs/proxy

Alternatively, you could look into signing internal certificates with your own CA and adding the CA certificate to the Caddy host.

Generally, unless your internal network is insecure and there’s a threat of data being stolen in transport, I’d recommend just using HTTP for upstream connections over skipping verification. Without it, your trust model is broken anyway.
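The two options above written out in Caddy v1 Caddyfile syntax, as an added example that is not from either poster. It assumes the upstream actually listens for TLS at IP.IP.IP.IP and that the https:// scheme has to be written explicitly, since the proxy directive talks plain HTTP to the upstream otherwise:

```caddyfile
# Pick ONE of the two blocks for a given site; Caddy v1 rejects a hostname
# that is defined twice in the same Caddyfile.

# Option 1: quick fix for an upstream with an auto-generated self-signed cert.
# insecure_skip_verify accepts ANY certificate, so Caddy can no longer tell
# the real upstream from something else answering on that address.
domain.hostname.com {
    proxy / https://IP.IP.IP.IP {
        # transparent sets Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto
        transparent
        insecure_skip_verify
    }
    gzip
}

# Option 2: preferred. The upstream's certificate is issued by your own internal
# CA, and that CA certificate is installed in the Caddy host's system trust
# store (on Debian/Ubuntu: copy it to /usr/local/share/ca-certificates/ as a
# .crt file and run update-ca-certificates). Verification stays on.
domain.hostname.com {
    proxy / https://IP.IP.IP.IP {
        transparent
    }
    gzip
}
```

If Caddy runs in a container, the CA certificate has to be trusted inside that container; Go (which Caddy is built with) also honours the SSL_CERT_FILE environment variable on Linux if you prefer to point at a bundle rather than modify the system store.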