1. The problem I'm having:
I'm trying to use snippets so that I can use my Cloudflare origin certificate for sites that will sit behind Cloudflare, and use ACME certificates from my ACME server for other sites.
I have got the ACME snippet working with other sites, but when I use the import command to use the snippet I wrote for Cloudflare sites with ANOTHER host, a site that doesn't have this import statement suddenly starts using the wrong certificate, causing errors as the Cloudflare origin CA isn't trusted by my browser!
2. Error messages and/or full log output:
3. Caddy version:
v2.7.6
4. How I installed and ran Caddy:
Docker container
a. System environment:
Docker container
b. Command:
c. Service/unit/compose file:
d. My complete Caddy config:
```caddyfile
{
	http_port 80
	https_port 443
}

(graylog-logging) {
	log graylog-logging {
		output net udp/graylog:12400
		format json
	}
}

(cloudflare-host) {
	## Blocking requests not originating from Cloudflare IP addresses ##
	@not-cloudflare-ip not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 2400:cb00::/32 2606:4700::/32 2803:f800::/32 2405:b500::/32 2405:8100::/32 2a06:98c0::/29 2c0f:f248::/32 192.168.5.0/24 192.168.10.0/24
	## TODO: put a good 403 page on ##
	handle @not-cloudflare-ip {
		header Content-Type text/html
		respond "<h1>403 - Access Denied</h1>" 403
	}
	## Use our custom Cloudflare origin TLS cert ##
	tls /data/caddy/custom-certs/cf-origin/cf-origin.pem /data/caddy/custom-certs/cf-origin/cf-origin.key
}

(step-ca-acme-cert) {
	## Uses my internal CA to get certs via ACME! ##
	tls {
		issuer acme {
			dir https://ca.infra.lab.liamriley.me:8443/acme/acme/directory
			trusted_roots /data/caddy/custom-certs/step-ca/step-ca.pem
			disable_http_challenge
		}
	}
}

weather.liamriley.me {
	import graylog-logging
	#import cloudflare-host
	reverse_proxy * http://192.168.5.38:80
	reverse_proxy /weatherws http://192.168.5.38:7890
	@admin-request path /admin*
	handle @admin-request {
		header Content-Type text/html
		respond "<h1>403 - Access Denied</h1>" 403
	}
}

mail.liamriley.me {
	import step-ca-acme-cert
	import graylog-logging
	## Redirect the web root (/) to /SOGo, as this is the only content we are proxying! ##
	redir / /SOGo/
	reverse_proxy * http://nginx-mailcow:80
}
```
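A diagnostic that is worth running before changing the config (added here as an example; it is not from the post and not part of Caddy): list the names each certificate file actually covers, and check which certificate a listener presents for a given SNI name. A file loaded with `tls <cert> <key>` is served for every name in its Subject Alternative Name list, so a wildcard entry such as `*.liamriley.me` would cover `mail.liamriley.me` as well. The script assumes `openssl` 1.1.1 or newer is installed and uses the certificate paths from the posted Caddyfile; the sample hostnames in the guarded usage section are the ones from the post.

```shell
#!/bin/sh
# Added diagnostic helper, not part of the forum post or of Caddy.
# Assumes: openssl >= 1.1.1 on PATH; paths below are from the posted Caddyfile.

# Does one SAN entry (e.g. "*.liamriley.me" or "mail.liamriley.me") cover a
# hostname? Implements the single-label wildcard rule TLS clients apply:
# "*.example" matches "a.example" but not "a.b.example" or "example".
san_covers() {
  san=$1
  host=$2
  case $san in
    '*.'*)
      suffix=${san#\*.}
      first=${host%%.*}   # leftmost label
      rest=${host#*.}     # everything after the leftmost label
      [ "$host" != "$first" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$san" = "$host" ]
      ;;
  esac
}

# Print the DNS SAN entries of a PEM certificate file, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Exit 0 if the certificate file covers the hostname, printing the matching SAN.
cert_covers_host() {
  cert_sans "$1" | while read -r san; do
    san_covers "$san" "$2" && echo "$san"
  done | grep -q .
}

# Subject, issuer and SANs of the certificate a live listener presents for an
# SNI name. Run this against each site address to see which cert is served.
served_cert_summary() {
  host=$1
  port=${2:-443}
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -ext subjectAltName
}

# Usage (only runs when invoked as: sh check-certs.sh --run)
if [ "${1:-}" = "--run" ]; then
  for cert in /data/caddy/custom-certs/cf-origin/cf-origin.pem; do
    echo "SANs in $cert:"; cert_sans "$cert"
    for h in weather.liamriley.me mail.liamriley.me; do
      if cert_covers_host "$cert" "$h"; then
        echo "  -> covers $h"
      else
        echo "  -> does not cover $h"
      fi
    done
  done
  for h in weather.liamriley.me mail.liamriley.me; do
    echo "Served for $h:"; served_cert_summary "$h"
  done
fi
```

If the origin certificate turns out to cover a name that should be getting an ACME certificate, that is the overlap to resolve; if it does not, the `served_cert_summary` output for each host (subject, issuer, SANs) is the detail to include in the "Error messages" section of the post.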