Can I connect to the domain of AWS Private ALB+Private HostedZone using Caddy's Reverse Proxy?

1. The problem I’m having:

Can I connect to the domain of AWS Private ALB+Private HostedZone using Caddy’s Reverse Proxy?
I have a Private ALB connected to an application configured as a Private Subnet.
And it is connected to Route53’s Private HostedZone with an A record.
This configuration is completely private and can only be accessed internally.
However, you must access this private URL from the public Internet as well.
I find Caddy very attractive, so I want to use Caddy.

I configured Caddy with EC2, created a Public ALB, and set it to send traffic to the Caddy server when accessing test.foobar.com with the ‘Host Header’ listener rule.
And, I connected test.foobar.com to ALB in Route53.
My Caddyfile is below.
However, in reality, when I access test.foobar.com, the private URL is not accessed as I want.
Can I use Caddy’s Reverse Proxy in my environment to access it as I want?

For reference, if you check http://private.foobar on the caddy server with curl, it is accessible.

```
< HTTP/1.1 200 OK
< Date: Wed, 26 Jun 2024 10:48:58 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 12
< Connection: keep-alive
< X-Powered-By: Express
```

2. Error messages and/or full log output:

```json
{"level":"info","ts":1719364460.7490625,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"172.16.10.10","remote_port":"24638","proto":"HTTP/1.1","method":"GET","host":"test.foobar.com","uri":"/","headers":{"X-Forwarded-Proto":["http"],"X-Forwarded-Port":["80"],"X-Amzn-Trace-Id":["Root=1-xxxx-xxxx"],"Upgrade-Insecure-Requests":["1"],"X-Forwarded-For":["111.111.111.111"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Accept-Encoding":["gzip, deflate"]}},"user_id":"","duration":0.000037808,"size":0,"status":308,"resp_headers":{"Connection":["close"],"Location":["https://test.foobar.com/"],"Content-Type":[],"Server":["Caddy"]}}
```

```
Jun 26 11:06:28 ip-172-31-98-9 caddy[23171]: {"level":"info","ts":1719399988.2851932,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.31.224.52","remote_port":"53848","proto":"HTTP/1.1","method":"GET","host":"172.31.98.9","uri":"/","headers":{"Connect>
Jun 26 11:06:20 ip-172-31-98-9 caddy[23171]: {"level":"info","ts":1719399980.899922,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.31.224.52","remote_port":"10866","proto":"HTTP/1.1","method":"GET","host":"test.foobar.com","uri":"/favicon.ico",">
```

## This is the log I checked after changing the Caddyfile settings because the logs were not stacking up.

```json
{"level":"error","ts":1719401731.2886975,"logger":"http.log.access.log0","msg":"handled request","request":{"remote_ip":"172.31.224.125","remote_port":"23252","proto":"HTTP/1.1","method":"GET","host":"test.foobar.com","uri":"/","headers":{"X-Forwarded-For":["110.110.110.110"],"X-Forwarded-Proto":["http"],"X-Forwarded-Port":["80"],"X-Amzn-Trace-Id":["Root=1-xxxx-xxxxx"],"User-Agent":["curl/8.4.0"],"Accept":["*/*"]}},"user_id":"","duration":0.00229305,"size":0,"status":502,"resp_headers":{"Server":["Caddy"]}}
```

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

```bash
sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
```

a. System environment:

AWS EC2 / Ubuntu 24.04 LTS

b. Command:

```bash
systemctl restart caddy.service
```

c. Service/unit/compose file:


d. My complete Caddy config:

I changed Caddyfile to Setting2.

### Setting 1

```caddyfile
test.foobar.com:80 {
    reverse_proxy http://private.foobar {
        header_up Host {host}
        header_up X-Real-Ip {remote_host}
        header_up X-Forwarded-For {remote_host}
        header_up X-Forwarded-Proto {scheme}
    }

    log {
        output file /var/log/caddy/access.log {
            roll_size 10MiB
            roll_keep 20
            roll_local_time
        }
    }
    encode gzip
}
```

### Setting 2

```caddyfile
:80 {
    # Set this path to your site's directory.
    root * /usr/share/caddy

    # Enable the static file server.
    file_server

    # Another common task is to set up a reverse proxy:
    # reverse_proxy localhost:8080

    # Or serve a PHP site through php-fpm:
    # php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

test.foobar.com:80 {
    reverse_proxy private.foobar {
        transport http {
            tls_insecure_skip_verify
        }
    }
    log {
        output file /var/log/caddy/access.log {
            roll_size 10MiB
            roll_keep 10
            roll_keep_for 720h
        }
    }
    encode gzip
}
```

5. Links to relevant resources:

Please use the latest version, v2.8.4.

v2.6.2 is very old.

Remove all this, it’s junk.

If you configure this, you’re enabling TLS, so Caddy will try to connect to the upstream over HTTPS. Are you sure that’s what you want? Typically proxying happens over HTTP because it goes over private networks, so encryption is not necessary (and adds wasteful overhead).

Enable the debug global option, and please show your full logs after making a request with curl -v. Show your Caddy process logs, not your access logs (i.e. the service logs). See Keep Caddy Running — Caddy Documentation

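An added example of a Caddyfile that applies the reply's points to this setup (plain HTTP to the upstream, no header_up overrides, no `tls_insecure_skip_verify`, and the `debug` global option); it is not from the original post or the Caddy project. It assumes the private ALB answers plain HTTP at `private.foobar`, which the curl check in the question shows, and reuses the hostnames and log settings from the post.

```caddyfile
{
    # Global option the reply asks for: verbose process logs. Read them with
    # `journalctl -u caddy`, not from the access log file below.
    debug
}

test.foobar.com:80 {
    # Plain HTTP to the private ALB name. No `transport http { tls_insecure_skip_verify }`:
    # that block turns on TLS to the upstream, which the reply says is not wanted here.
    # Caddy already passes the client's Host header through unchanged and sets
    # X-Forwarded-For / X-Forwarded-Proto itself, so the header_up lines from Setting 1
    # are not needed either.
    reverse_proxy private.foobar

    log {
        output file /var/log/caddy/access.log {
            roll_size 10MiB
            roll_keep 10
            roll_keep_for 720h
        }
    }
    encode gzip
}
```

After `sudo systemctl restart caddy`, repeat the `curl -v` request the reply asks for and compare the process logs with the 502 above; a working proxy returns the same `200 OK` the direct curl to `http://private.foobar` gave.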
