1. Caddy version (`caddy version`):

2.5.1
2. How I run Caddy:
I run Caddy as a docker container. I build the image for this container like this:
```dockerfile
FROM caddy:2.5.1-builder AS builder
RUN xcaddy build \
    --with github.com/mholt/caddy-l4/layer4 \
    --with github.com/mholt/caddy-l4/modules/l4tls \
    --with github.com/mholt/caddy-l4/modules/l4proxy \
    --with github.com/mholt/caddy-l4/modules/l4proxyprotocol \
    --with github.com/mholt/caddy-l4/modules/l4echo
FROM caddy:2.5.1
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
```
a. System environment:
Docker Desktop running on Windows 10
b. Command:
I run Caddy through Docker Compose using

```shell
docker-compose up
```
c. Service/unit/compose file:
Here is a subset of the Docker Compose file I use to run the Caddy container:

```yaml
services:
  hxd-proxy:
    container_name: hxd-proxy
    restart: ${RESTART_CONTAINERS}
    image: "hyperxdashboard-caddy:latest"
    ports:
      - 80:80
      - 443:443
      - 3317:3317
    volumes:
      - ./temp/caddy-config.json:/etc/caddy/caddy-config.json
      - ./certs/hx-dashboard.crt:/etc/caddy/hx-dashboard.crt
      - ./certs/hx-dashboard.key:/etc/caddy/hx-dashboard.key
      - hxd-dashboard-proxy:/data
    command: ["caddy", "run", "--config", "/etc/caddy/caddy-config.json"]
    networks:
      - hxd-network
    extra_hosts:
      - "${DASH_HOSTNAME}:${DASH_IP}"
```
d. My complete Caddyfile or JSON config:
```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [
                {
                  "path": ["/auth*"]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "hxd-keycloak:14040"
                    }
                  ]
                }
              ]
            },
            {
              "match": [
                {
                  "path": ["/api*"]
                }
              ],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "hxd-backend:35500"
                    }
                  ]
                }
              ]
            },
            {
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [
                    {
                      "dial": "hxd-frontend:8080"
                    }
                  ]
                }
              ]
            }
          ],
          "tls_connection_policies": [
            {
              "certificate_selection": {
                "any_tag": ["cert0"]
              }
            }
          ]
        },
        "srv1": {
          "listen": [":80"],
          "routes": [
            {
              "handle": [
                {
                  "handler": "static_response",
                  "headers": {
                    "Location": [
                      "https://{http.request.host}{http.request.uri}"
                    ]
                  },
                  "status_code": 302
                }
              ]
            }
          ]
        }
      }
    },
    "layer4": {
      "servers": {
        "secure-imap": {
          "listen": [":3317"],
          "routes": [
            {
              "match": [
                {
                  "tls": {
                    "sni": ["r92"]
                  }
                }
              ],
              "handle": [
                {"handler": "tls"},
                {"handler": "echo"},
                {
                  "handler": "proxy",
                  "proxy_protocol": "v2",
                  "upstreams": [
                    {
                      "dial": ["hxd-mariadb:3306"]
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "load_files": [
          {
            "certificate": "/etc/caddy/hx-dashboard.crt",
            "key": "/etc/caddy/hx-dashboard.key",
            "tags": ["cert0"]
          }
        ]
      }
    }
  }
}
```
3. The problem I’m having:
When I try to connect to my mariadb database using DBeaver (a database manager), DBeaver seems to get stuck trying to connect (it just shows a loading bar at 0% for 5+ minutes). No logs show up on the Caddy container during this time.
I’ve also tried connecting manually via the command line using the command below (r92 is the hostname associated with my TLS cert, and points to my laptop).

```shell
mysql -u root --password=password -h r92 -P 3317
```
This command acts in a similar way to DBeaver, where it just gets stuck and doesn’t yield any output.
If I forcibly kill this command using CTRL+C, I get this output from Caddy:

```
hxd-proxy | {"level":"error","ts":1654096574.4075031,"logger":"layer4","msg":"matching connection","error":"EOF"}
```
I can connect to the database if I expose the mariadb container to my laptop network and connect to the database directly. However, I’d like to hide the mariadb container behind Caddy so that I can encrypt traffic to and from the database using TLS.
It’s very possible the problem lies with how I’ve configured my mariadb container. However, if someone could take a look at my layer4 Caddy config and see if I’ve made any obvious configuration errors there, I would greatly appreciate it!
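An added configuration review, not code from the post or from caddy-l4, run over the layer4 section quoted above: it flags the two things a reviewer would check in a chain like this, a handler that never passes the connection on and a `tls` matcher placed in front of an upstream whose protocol has the server speak first. Which handlers are terminal and which upstream ports carry a server-first protocol are assumptions of this checker, stated in the comments.

```python
import json

# The layer4 section of the config posted above (copied verbatim, then compacted).
LAYER4_CONFIG = json.loads("""
{"servers": {"secure-imap": {"listen": [":3317"], "routes": [
  {"match": [{"tls": {"sni": ["r92"]}}],
   "handle": [{"handler": "tls"}, {"handler": "echo"},
              {"handler": "proxy", "proxy_protocol": "v2",
               "upstreams": [{"dial": ["hxd-mariadb:3306"]}]}]}]}}}
""")

# Assumption of this checker: 'echo' copies the connection back to the client and
# never hands the connection to the next handler, so anything after it is dead config.
TERMINAL_HANDLERS = {"echo"}
# Assumption of this checker: port 3306 is MySQL/MariaDB, whose wire protocol starts
# with a server greeting; the client sends nothing (and no ClientHello) until it sees it.
SERVER_SPEAKS_FIRST_PORTS = {"3306"}


def review_layer4(cfg):
    """Return a list of human-readable findings for a caddy-l4 'layer4' app config."""
    findings = []
    for srv_name, srv in cfg.get("servers", {}).items():
        for idx, route in enumerate(srv.get("routes", [])):
            handlers = [h.get("handler") for h in route.get("handle", [])]
            # (a) handlers chained after a terminal handler can never run
            for i, name in enumerate(handlers):
                if name in TERMINAL_HANDLERS and i < len(handlers) - 1:
                    findings.append(f"{srv_name}/routes[{idx}]: '{name}' is terminal, "
                                    f"so {handlers[i + 1:]} never run")
                    break
            # (b) a 'tls' matcher blocks until the client sends a ClientHello
            has_tls_match = any("tls" in m for m in route.get("match", []))
            ports = {addr.rsplit(":", 1)[-1]
                     for h in route.get("handle", []) if h.get("handler") == "proxy"
                     for up in h.get("upstreams", []) for addr in up.get("dial", [])}
            blocked = sorted(ports & SERVER_SPEAKS_FIRST_PORTS)
            if has_tls_match and blocked:
                findings.append(f"{srv_name}/routes[{idx}]: 'tls' matcher waits for a ClientHello, "
                                f"but upstream port(s) {blocked} speak a server-first protocol; "
                                f"a plain client hangs until it gives up")
    return findings


if __name__ == "__main__":
    for line in review_layer4(LAYER4_CONFIG):
        print(line)
```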