Caddyfile for code-server

1. Caddy version (caddy version):

v2.5.1

2. How I run Caddy:

I want to run caddy in front of a code-server with a TLS frontend.

a. System environment:

Ubuntu 21.10

b. Command:

Using systemd

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

code.chrisshort.net {

	uri strip_prefix /code
	reverse_proxy 127.0.0.1:3000

	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		protocols tls1.2 tls1.3
        }
}

3. The problem I’m having:

I had an ssl error and got that fixed. Now I get a timeout. Port 443 on my EdgeRouter forwards to this system’s IP address. I’m really not sure what’s going wrong.

4. Error messages and/or full log output:

# curl -v https://localhost
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I’ve tried a few config snippets but I’m kinda stuck at the moment.

6. Links to relevant resources:

Remove this, it’s redundant. Caddy default to TLS 1.2 as minimum and the maximum that exists currently is TLS 1.3. Having this in your config would prevent a future version of Caddy from being able to automatically enable some theoretical TLS 1.4 if/when that is introduced. Let Caddy do the smart thing.

Are you sure you need this? You already have a code subdomain.

You made a request to localhost but you configured your domain as code.chrisshort.net. Make a request to code.chrisshort.net instead and it should work. You didn’t configure Caddy to serve a certificate for localhost.

Turns out the firewall configuration on my EdgeRouter didn’t take. Traffic to 443 wasn’t being passed to the server. Now it is and everything is working wonderfully.

Thank you!