Caddyfile for code-server

1. Caddy version (caddy version):

v2.5.1

2. How I run Caddy:

I want to run caddy in front of a code-server with a TLS frontend.

a. System environment:

Ubuntu 21.10

b. Command:

Using systemd

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

code.chrisshort.net {
	uri strip_prefix /code
	reverse_proxy 127.0.0.1:3000

	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
		protocols tls1.2 tls1.3
	}
}

3. The problem I’m having:

I had an ssl error and got that fixed. Now I get a timeout. Port 443 on my EdgeRouter forwards to this system’s IP address. I’m really not sure what’s going wrong.

4. Error messages and/or full log output:

# curl -v https://localhost
*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS alert, internal error (592):
* error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
* Closing connection 0
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

5. What I already tried:

I’ve tried a few config snippets but I’m kinda stuck at the moment.

6. Links to relevant resources:

Remove this, it’s redundant. Caddy defaults to TLS 1.2 as the minimum, and the maximum that currently exists is TLS 1.3. Having this in your config would prevent a future version of Caddy from being able to automatically enable some theoretical TLS 1.4 if/when that is introduced. Let Caddy do the smart thing.

Are you sure you need this? You already have a code subdomain.

You made a request to localhost but you configured your domain as code.chrisshort.net. Make a request to code.chrisshort.net instead and it should work. You didn’t configure Caddy to serve a certificate for localhost.


Turns out the firewall configuration on my EdgeRouter didn’t take. Traffic to 443 wasn’t being passed to the server. Now it is and everything is working wonderfully.

Thank you!
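The two failure modes in this thread look similar from the outside: curl to https://localhost was rejected because Caddy had no certificate for the SNI name "localhost", while external clients timed out because the router was not forwarding 443. As an added diagnostic (example code written for this page, not from the thread or from the Caddy project), the probe below connects to an IP while sending the site hostname as SNI and tags the result so the two cases are told apart; the HINTS wording is my own.

```python
"""Probe a TLS endpoint by IP while sending a chosen SNI name (added example)."""
import socket
import ssl

# Diagnosis tags and what each usually means for a Caddy reverse proxy.
HINTS = {
    "tls-alert": "server reached, but it has no certificate for the SNI name sent",
    "cert-untrusted": "certificate received but not trusted by this client",
    "refused": "nothing listening on that ip:port",
    "timeout": "no answer at all; check the port forward / firewall",
    "other": "unclassified socket error",
}

def classify_error(exc: BaseException) -> str:
    """Map a connect/handshake exception to one of the HINTS keys."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-untrusted"
    if isinstance(exc, ssl.SSLError):  # e.g. "tlsv1 alert internal error"
        return "tls-alert"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    return "other"

def probe_tls(ip: str, port: int, sni: str, timeout: float = 5.0) -> dict:
    """Connect to ip:port and handshake with server_hostname=sni."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return {"ok": True, "version": tls.version(), "san": sans}
    except OSError as exc:  # ssl.SSLError is an OSError subclass
        tag = classify_error(exc)
        return {"ok": False, "diagnosis": tag, "hint": HINTS[tag], "error": str(exc)}

def self_check() -> dict:
    """Offline demo of the 'refused' path: a loopback port with no listener."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    return probe_tls("127.0.0.1", port, "code.chrisshort.net", timeout=2.0)

if __name__ == "__main__":
    # What to run on the box itself instead of `curl -v https://localhost`
    print(probe_tls("127.0.0.1", 443, "code.chrisshort.net"))
```

Run on the Caddy host: a "tls-alert" result with the right SNI points at the site block or certificate, a "refused" or "timeout" result from another machine points at the listener or the router forward.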