Can I proxy for a service I've moved?

1. Caddy version (caddy version):

Latest

2. How I run Caddy:

OpenShift Container Platform

a. System environment:

Docker container from Docker Hub.

Hey,

EDIT: I have a Rocket Chat server running on an OpenShift Container Platform (essentially Kubernetes) and I need to move it to a different cluster; when I do this the URL is going to change. To give teams a chance to migrate but still let me move the service, I hoped to leave a proxy on the old cluster to proxy traffic to the new cluster.

When I try this it fails with 502 or 503 depending on what I do. My setup looks like

foo.somewhere.com → Cluster A → F5 (TLS Termination) → Caddy v2 in Pod (container) → foo.elsewhere.com → Cluster B → F5 (TLS Termination) → Rocket Chat.

  • All routes use proper internet routable domains;
  • All routes use TLS;
  • Both routes use different TLS certificates;
  • The k8s routers/F5 will terminate TLS so what comes in port 2017 will not be SSL.

From my laptop I can verify that I can talk to Caddy on cluster A; also, from my laptop I can reach the service on cluster B. And from the pod on cluster A I can wget the service on cluster B. So communication is open.

Even though communication is open, when I put Caddy between me and Rocket Chat the logs in Caddy just say 502 when I try to access Rocket Chat.

Caddyfile

:2017
reverse_proxy * https://foo.elsewhere.com

This also does not work:

http://foo.somewhere.com:2015 {
    reverse_proxy * https://foo.elsewhere.com
    respond /ehlo 200  # for k8s ready probes

    log {
        # errors stdout
        output stdout
        format single_field common_log
        level debug
    }
}

You might be right. I think that entering no domain and having just a port (like :80, or in your case, :2017), will not use HTTPS. Try changing the URL to http://

If you use a domain name in place of :2017, then it will use HTTPS and then you can change the link in your reverse proxy to HTTPS. I had the exact same issue and that’s what solved it for me.

I’m confused, your thread is pretty light on detail. Can you post the Caddy logs you’re seeing? What does it look like when you make a request with curl -v? You didn’t fill out most of the thread template.

What’s an “F5”?


I’m guessing it’s a firewall or hardware LB or something enterprisey from F5. I agree more details are needed.

Fancy enterprise load balancing firewall.

Ooookay, but that doesn’t get us any further to understand what you’re trying to do here.

I edited my post just now. Hope it adds some more details.

Okay - I think the missing piece is that the Host header in the proxied request by default is the same as what’s in the original request. To override that when proxying you can do this:

reverse_proxy https://foo.elsewhere.com {
	header_up Host {http.reverse_proxy.upstream.hostport}
}

Basically just means "set the Host to foo.elsewhere.com", but with a placeholder so you don’t need to repeat yourself.

But you’ll need to look at your Caddy logs to see why you get a 502, if that doesn’t work. You could get a 502 for any number of reasons.

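To make the mechanism behind that fix concrete, here is an added example (not from the thread, and not Caddy's or Rocket Chat's code). It stands in for the Cluster B edge with a tiny local HTTP server that dispatches purely on the Host header, the way an ingress router does, and forwards one request to it both ways: with the client's original Host passed through unchanged (Caddy's default) and with Host rewritten to the upstream's host:port (the effect of `header_up Host {http.reverse_proxy.upstream.hostport}`). The hostnames, the 503 the stand-in router returns for an unknown host, and the response body are all constructed for the demo; the real F5 may answer differently, which is why the reply above says to read the Caddy logs. One caveat the demo does not cover: a TLS-terminating edge selects a certificate and route on SNI before it ever sees Host, and Caddy derives SNI from the upstream dial address (foo.elsewhere.com here) unless `tls_server_name` is set, so Host is the remaining mismatch.

```python
"""Why a proxied request fails when Host still names the old site.

Added example, not code from the thread. The EdgeRouter below is a
constructed stand-in for the Cluster B router/F5: it routes on the HTTP
Host header only, so a request carrying the old hostname gets no route.
"""
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM_HOST = "foo.elsewhere.com"   # constructed: the new cluster's route
OLD_HOST = "foo.somewhere.com"        # constructed: the old cluster's route


class EdgeRouter(BaseHTTPRequestHandler):
    """Stand-in for the Cluster B edge: dispatches purely by Host header."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == UPSTREAM_HOST:
            status, body = 200, b"rocket chat ok"
        else:
            # No route matches this Host; the stand-in answers 503.
            status, body = 503, b"no route for host " + host.encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_edge_router():
    """Start the stand-in router on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), EdgeRouter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def proxy_to_upstream(port, rewrite_host):
    """Forward one request the way a reverse proxy would.

    rewrite_host=False keeps the client's Host (the old name), which is
    what Caddy's reverse_proxy does by default. rewrite_host=True sends
    the upstream's own hostname, the effect of
        header_up Host {http.reverse_proxy.upstream.hostport}
    """
    host = UPSTREAM_HOST if rewrite_host else OLD_HOST
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode()
    finally:
        conn.close()


def compare():
    """Run both variants against a fresh stand-in router."""
    server, port = start_edge_router()
    try:
        return {
            "host_preserved": proxy_to_upstream(port, rewrite_host=False),
            "host_rewritten": proxy_to_upstream(port, rewrite_host=True),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, (status, body) in compare().items():
        print(f"{name}: {status} {body}")
```

Running it prints a 503 for the preserved Host and a 200 for the rewritten one. The same check can be done by hand from the pod on Cluster A with `curl -v -H "Host: foo.elsewhere.com" https://foo.elsewhere.com/` versus `curl -v -H "Host: foo.somewhere.com" https://foo.elsewhere.com/`, which shows directly what the real edge does with a mismatched Host.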

Thanks! That did the trick.
