1. Caddy version (caddy version
):
v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=
2. How I run Caddy:
a. System environment:
Ubuntu Server 20.04.3 LTS
Docker CE - 20.10.9
b. Command:
docker-compose up -d
c. Service/unit/compose file:
docker-compose.yml
version: '3.6'
services:
caddy:
restart: always
logging:
driver: "json-file"
options:
max-size: "500k"
max-file: "1"
network_mode: "bridge"
image: alexandzors/caddy
ports:
- 80:80
- 443:443
- 10000:10000
volumes:
- /opt/docker/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
- /opt/docker/caddy:/data
- /opt/docker/caddy:/config
- /opt/docker/caddy/auth/local/users.json:/etc/caddy/auth/local/users.json
- /media/plex:/srv
d. My complete Caddyfile or JSON config:
{
email <email>
# acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
# default_sni centaurus
admin localhost:2019
# order filter after encode
debug
}
(header) {
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
X-Xss-Protection "1; mode=block"
X-Content-Type-Options "nosniff"
X-Frame-Options "DENY"
Content-Security-Policy "upgrade-insecure-requests"
Referrer-Policy "strict-origin-when-cross-origin"
Cache-Control "public, max-age=15, must-revalidate"
Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
}
}
(tls) {
tls {
dns cloudflare <key>
}
}
alexslab.dev:10000 {
# import header
import tls
# respond * 503
log {
output file /config/logs/lab.log {
roll_size 50mb
roll_keep 2
roll_keep_for 24h
}
}
root /* /config
file_server {
index index.html
}
route /sonarr* {
reverse_proxy 192.168.9.3:8989
}
route /radarr* {
reverse_proxy 192.168.9.3:7878
}
route /4kradarr* {
reverse_proxy 192.168.9.3:7879
}
route /tautulli* {
reverse_proxy 192.168.9.3:8181
}
# route /lidarr* {}
route /bazarr* {
reverse_proxy 192.168.9.3:6767
}
}
3. The problem I’m having:
I am trying to get Caddy to respond to requests from cloudflared over port 10000. I moved and my new ISP blocks inbound 80 and 443…
cloudflared config.yml:
tunnel: <id>
credentials-file: /home/alexander/.cloudflared/<id>.json
logfile: cloudflared.log
ingress:
- service: https://127.0.0.1:10000
CF DNS Config
capella was the original CNAME created when running:
cloudflared tunnel route dns <uid> <name>
4. Error messages and/or full log output:
journalctl -u cloudflared
Nov 08 17:16:53 capella cloudflared[656477]: 2021-11-08T17:16:53Z ERR error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: internal error"
only caddy log error:
{"level":"debug","ts":1636391925.463325,"logger":"http.stdlib","msg":"http: TLS handshake error from 172.17.0.1:56720: no certificate available for '172.17.0.2'"}
cloudflared tunnel info
NAME: capella
ID: <id>
CREATED: 2021-11-08 16:29:40.631129 +0000 UTC
CONNECTOR ID CREATED ARCHITECTURE VERSION ORIGIN IP EDGE
<id> 2021-11-08T17:16:41Z linux_amd64 2021.11.0 24.115.20.47 2xIAD, 2xORD
curl -kIL --resolve alexslab.dev:127.0.0.1 https://alexslab.dev/sonarr:10000
HTTP/2 502
date: Mon, 08 Nov 2021 17:40:38 GMT
cf-cache-status: DYNAMIC
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=nMYrMx2q8%2FDa7ixIzlOz3cMD93ouAy%2B%2BGwLkXe%2FH6Sdlgr2QjPT2SLF4YO1MZlr39AvAq0N75ifrWD2dRhLlpI%2FgA6xQoht0YjdCbK4FSkF%2Fomk6uxpL%2BFB4hiwhTuA%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6ab0966e2a1703fc-ORD
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
curl -kIL --resolve alexslab.dev:127.0.0.1 https://alexslab.dev:10000
HTTP/2 200
accept-ranges: bytes
content-type: text/html; charset=utf-8
etag: "qxee8h14b"
last-modified: Fri, 06 Aug 2021 03:12:17 GMT
server: Caddy
content-length: 1451
date: Mon, 08 Nov 2021 23:11:01 GMT
5. What I already tried:
- Forcing new certificates from LE by removing the ./caddy data dir.
- Switching between:
url: https://127.0.0.1:10000
and:
ingress:
- service: https://127.0.0.1:10000
in config.yml
6. Links to relevant resources:
Cloudflare for Teams documentation
Caddy(docker) reverse proxy with dns-01 on Cloudflare - Help - Caddy Community