1. The problem I’m having:
I am running Caddy to reverse proxy a couple of services, stuff like File Browser, StirlingPDF, FreshRSS, etc.
Everything works great on every computer within my LAN except for my work laptop which has Cloudflare WARP on it (Zero Trust).
The web filter/proxy is blocking my domain name (justinhome.vip) and so I thought I could just use internal routing (e.g. files.internal vs. files.justinhome.vip) with Caddy’s internal CA.
When I access files.internal over HTTP, then I can connect. When I use the tls internal directive, then I get a page saying "We can't connect to the server at files.internal."
I have played around with so much stuff, I’m just making my head spin and I’m getting more confused.
I would just like to learn why my services are accessible via HTTP and not HTTPS and if there is any solution to get HTTPS working.
2. Error messages and/or full log output:
Everything Caddy-related is working correctly [to my knowledge], so there are no error logs relating to Caddy.
What may help is saying WARP has manually set the client device’s DNS to the following:
IPV4
127.0.2.2
127.0.2.3
IPV6
::ffff:127.0.2.2
::ffff:127.0.2.3
The server used for stuff like nslookup is connectivity-check.warp-svc.
Within the Cloudflare WARP client app, there is a section called Local Domain Fallback with the description:
Use Local Domain Fallback to instruct the WARP client to ignore DNS requests to a given list of domains. These DNS requests will be passed back to other DNS servers configured on existing network interfaces on the device.
All private TLDs are listed here, including internal, although I think because my DNS is manually configured to use the above, it doesn't matter?
3. Caddy version:
2.8.4-builder with github.com/caddy-dns/porkbun
4. How I installed and ran Caddy:
a. System environment:
Windows 10 host running WSL2. Caddy is installed via Docker, using the following Dockerfile:
FROM caddy:2.8.4-builder AS builder
RUN xcaddy build --with github.com/caddy-dns/porkbun
FROM caddy:2.8.4
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
I have a .env file for the API keys, and I have also created host overrides in pfSense for files.internal to redirect to my server IP, which is 192.168.1.163.
Because I’m using WSL2 on Windows 10, I also had to create the following port proxy rules:
netsh interface portproxy add v4tov4 listenport=80 listenaddress=0.0.0.0 connectport=80 connectaddress=172.17.228.79
netsh interface portproxy add v4tov4 listenport=443 listenaddress=0.0.0.0 connectport=443 connectaddress=172.17.228.79
as well as creating 2 Windows Firewall rules to allow ports 80 and 443.
b. Command:
docker compose up --build -d
c. Service/unit/compose file:
networks:
  caddy_net:
    external: true

services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    image: caddy-porkbun:latest
    restart: unless-stopped
    environment:
      - PORKBUN_API_KEY
      - PORKBUN_API_SECRET_KEY
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./site:/srv
      - ./caddy_data:/data
      - ./caddy_config:/config
    networks:
      - caddy_net
d. My complete Caddy config:
{
	acme_dns porkbun {
		api_key {env.PORKBUN_API_KEY}
		api_secret_key {env.PORKBUN_API_SECRET_KEY}
	}
	email <email>
}

justinhome.vip {
	respond "Welcome to Justin's Home Server!"
}

files.justinhome.vip {
	reverse_proxy filebrowser:80
}

files.internal {
	reverse_proxy filebrowser:80
	tls internal
}

# Service 2
#service2.justinhome.vip {
#	reverse_proxy localhost:8082
#}
#
## Service 3
#service3.justinhome.vip {
#	reverse_proxy localhost:8083
#}
5. Links to relevant resources:
N/A
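The question the post is circling around is which layer fails for files.internal over HTTPS: name resolution under WARP's 127.0.2.2 resolver, the TCP connection to port 443, or the TLS handshake against Caddy's internal CA. A browser's "We can't connect to the server" is a transport-level failure, whereas an untrusted certificate from tls internal produces a certificate warning instead, so separating the layers narrows the search. The script below is an added diagnostic example, not code from the original post or from Caddy or Cloudflare; it asks one specific resolver for an A record by building the DNS query by hand (so it can target 127.0.2.2 directly rather than whatever the OS picks), then probes TLS at the expected server IP with the system trust store and labels the failure. The WARP resolver address, the hostname and the server IP 192.168.1.163 are taken from the post; the pfSense resolver address 192.168.1.1 is an assumption, as is the choice of error labels.

```python
"""Diagnose why https://files.internal fails while http:// works, layer by layer.
Added example, not from the original post. Addresses marked below are assumptions."""
import random
import socket
import ssl
import struct

WARP_RESOLVER = "127.0.2.2"     # from the post: WARP's locally injected resolver
LAN_RESOLVER = "192.168.1.1"    # assumption: pfSense address is not stated in the post
HOST = "files.internal"
EXPECTED_IP = "192.168.1.163"   # from the post: pfSense host override target


def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query (recursion desired) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS name at off."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_a_answers(resp: bytes, txid: int = 0x1234) -> list:
    """Extract A-record IPs from a response; raise on bad ID or non-zero RCODE."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS error, RCODE={flags & 0x0F}")  # 3=NXDOMAIN, 5=REFUSED
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return ips


def resolve_at(name: str, resolver: str, timeout: float = 2.0) -> list:
    """Query one specific resolver over UDP/53, bypassing the OS resolver order."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name, txid), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data, txid)


def classify_tls_failure(exc: BaseException) -> str:
    """Map a probe exception to the layer that failed. SSLError is checked first
    because it is itself a subclass of OSError."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "tls-untrusted-cert"   # reachable, but Caddy's internal root is not trusted
    if isinstance(exc, ssl.SSLError):
        return "tls-handshake"        # handshake broken or intercepted
    if isinstance(exc, OSError):
        return "tcp-connect"          # refused, timed out, or blocked before TLS
    return "unknown"


def probe_tls(host: str, ip: str, port: int = 443, timeout: float = 3.0) -> str:
    """TCP-connect to ip:port, then handshake with SNI=host using the system trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + str(tls.version())
    except Exception as exc:
        return classify_tls_failure(exc)


if __name__ == "__main__":
    for resolver in (WARP_RESOLVER, LAN_RESOLVER):
        try:
            print(resolver, "->", resolve_at(HOST, resolver))
        except (OSError, ValueError) as e:
            print(resolver, "-> dns failure:", e)
    print("tls probe:", probe_tls(HOST, EXPECTED_IP))
```

Run it on the WARP laptop: if 127.0.2.2 returns NXDOMAIN or no answer for files.internal while 192.168.1.1 returns 192.168.1.163, the fallback list is not being honoured for that name; if resolution is fine and the probe reports tcp-connect, port 443 is being blocked or the netsh portproxy/WSL2 path is not forwarding it; if it reports tls-untrusted-cert, the server side is working and only the internal CA's root needs to be trusted on the client.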