Caddy v2 reverse proxy config for server already running on 443

1. My Caddy version (caddy version):

v2.0.0-rc.3

2. How I run Caddy:

caddy run (for now, but eventually as systemd service)

a. System environment:

Ubuntu 18.04

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:


meet.mydomain.com {

  reverse_proxy 192.168.11.31:443
}


3. The problem I’m having:

I have a meeting server running on port 443

4. Error messages and/or full log output:

http.log.error x509: cannot validate certificate for 192.168.11.31 because it doesn't contain any IP SANs {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "x.x.x.x:45477", "host": "meet.mydomain.com", "headers": {"Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.122 Safari/537.36 Edg/81.0.416.64"], "Sec-Fetch-Site": ["none"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Mode": ["navigate"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-US,en;q=0.9"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "meet.mydomain.com"}}, "status": 502, "err_id": "4uhmencab", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:362)"}

5. What I already tried:

this is my caddy v1 Caddyfile

meet.mydomain.com {

  proxy / https://meet.mydomain.com {
      insecure_skip_verify
  }
 errors /opt/meet_errors.log
 gzip
}

6. Links to relevant resources:

The proxied server also has acme certs, running behind an nginx proxy. i tried pointing it to the internal port 4444 but still get the same error

This is an instance of jitsi-meet server

Mysterious are the ways of the reverse proxy transport. The greatest teacher, failure is!

Disable security checks, you must:

reverse_proxy 192.168.11.31:443 {
    transport http {
        tls
        tls_insecure_skip_verify
    }
}

But, hmm… to a dark place this line of thought will carry us. Great care we must take. Once you start down the tls_insecure_skip_verify path, forever will it dominate your destiny. Consume you, it will.

7 Likes

To thank you very much, have I, that worked. Hmmmmmm.

May the force be with you

3 Likes

a simple, stupid syntax…i made… hmmmm

conspiracy it is, this syntax is … missed {}

:joy: :rofl:

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.