Err Too Many Redirects

Super noob, undoubtedly. I’ve been doing a metric poop-ton of fabricobbling all kinds of configs together and feel I have landed on the most promising, but I’m at a loss. Any help is much appreciated. I’ve honestly tried so many things, I do not know if I am coming or going, love this project, though.

1. Caddy version (caddy version):

v2.4.6

2. How I run Caddy:

a. System environment:

System: Home Assistant OS 7.6 (aarch64 / raspberrypi4-64)
Home Assistant Core: 2022.4.7
Home Assistant Supervisor: 2022.04.0
Add-on version: 1.1.0

b. Command:

N/A


c. Service/unit/compose file:

args:
  - '--watch'
env_vars:
  - name: EMAIL
    value: email@protonmail.com
  - name: DOMAIN
    value: cj2quared
  - name: SUB_DOMAIN_1
    value: nextcloud
  - name: PORT
    value: '8123'
  - name: SUB_PORT_1
    value: '8088'
  - name: DUCKDNS_TOKEN
    value: '!secret duckdns_token'
log_level: debug
non_caddyfile_config:
  destination: localhost
  domain: unuseddomain.com
  email: your@email.com
  port: 8123
config_path: /share/caddy/Caddyfile
custom_binary_path: /share/caddy/caddy
caddy_upgrade: false
caddy_fmt: false

d. My complete Caddyfile or JSON config:

{
  email {env.EMAIL}
}
(common) {
  tls {
    dns duckdns {env.DUCKDNS_TOKEN}
    on_demand
  }
  header {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    Referrer-Policy "same-origin"
    Content-Security-Policy "frame-ancestors {env.DOMAIN}.duckdns.org *-{env.DOMAIN}.duckdns.org"
    -Server
    Permissions-Policy "geolocation=(self), microphone=()"
  }
}
{env.DOMAIN}.duckdns.org {
  import common
  reverse_proxy localhost:{env.PORT}
}

{env.SUB_DOMAIN_1}-{env.DOMAIN}.duckdns.org {
  import common
  reverse_proxy localhost:{env.SUB_PORT_1}
}

3. The problem I’m having:

I’m running Home Assistant OS on a rPi4. The rPi has some resources available and I thought I would run Nextcloud as a file server. Both Caddy and Nextcloud are add-ons (essentially managed, docker containers) running on the same rPi as Home Assistant.

I am able to reach my Home Assistant instance via the desired url. However, when I attempt to reach the Nextcloud instance, I am only able to accomplish “ERR_TOO_MANY_REDIRECTS”

4. Error messages and/or full log output:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] scripts: applying... 
[fix-attrs.d] scripts: exited 0.
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-banner.sh: executing... 
-----------------------------------------------------------
 Add-on: Caddy 2
 Open source web and proxy server with automatic HTTPS
-----------------------------------------------------------
 Add-on version: 1.1.0
 There is an update available for this add-on!
 Latest add-on version: 1.1.1
 Please consider upgrading as soon as possible.
 System: Home Assistant OS 7.6  (aarch64 / raspberrypi4-64)
 Home Assistant Core: 2022.4.7
 Home Assistant Supervisor: 2022.04.0
-----------------------------------------------------------
 Please, share the above information when looking for help
 or support in, e.g., GitHub, forums or the Discord chat.
-----------------------------------------------------------
[cont-init.d] 00-banner.sh: exited 0.
[cont-init.d] 01-log-level.sh: executing... 
Log level is set to DEBUG
[cont-init.d] 01-log-level.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
INFO: Setting EMAIL to email@protonmail.com
INFO: Setting DOMAIN to cj2quared
INFO: Setting SUB_DOMAIN_1 to nextcloud
INFO: Setting PORT to 8123
INFO: Setting SUB_PORT_1 to 8088
INFO: Setting DUCKDNS_TOKEN to <redacted>
INFO: Prepare Caddy...
DEBUG: Set custom Caddy binary path
INFO: Found custom Caddy at /share/caddy/caddy
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
INFO: Prepare Caddyfile...
DEBUG: Set custom Caddyfile path
INFO: Caddyfile found at /share/caddy/Caddyfile
INFO: Run Caddy...
DEBUG: '/share/caddy/caddy' run --config '/share/caddy/Caddyfile' '--watch'
{"level":"info","ts":1650934676.109111,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"warn","ts":1650934676.115702,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/share/caddy/Caddyfile","line":2}
{"level":"info","ts":1650934676.1205304,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1650934676.1216671,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x291d5e0"}
{"level":"info","ts":1650934676.1224818,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1650934676.1225903,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1650934676.1246877,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1650934676.1250205,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/ssl/caddy"}
{"level":"info","ts":1650934676.126279,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cj2quared.duckdns.org","nextcloud-cj2quared.duckdns.org"]}
{"level":"info","ts":1650934676.1281104,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1650934676.133375,"msg":"autosaved config (load with --resume flag)","file":"/data/caddy/autosave.json"}
{"level":"info","ts":1650934676.1335027,"msg":"serving initial configuration"}
{"level":"info","ts":1650934676.1340487,"logger":"watcher","msg":"watching config file for changes","config_file":"/share/caddy/Caddyfile"}
{"level":"info","ts":1650934999.1352873,"logger":"watcher","msg":"config file changed; reloading","config_file":"/share/caddy/Caddyfile"}
{"level":"info","ts":1650934999.1362777,"msg":"using provided configuration","config_file":"/share/caddy/Caddyfile","config_adapter":""}
{"level":"warn","ts":1650934999.1433623,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/share/caddy/Caddyfile","line":2}
{"level":"info","ts":1650934999.1473007,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
{"level":"info","ts":1650934999.1480482,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x2995ae0"}
{"level":"info","ts":1650934999.1487734,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1650934999.1488652,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1650934999.1494017,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"warn","ts":1650934999.150705,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1650934999.1510751,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cj2quared.duckdns.org","nextcloud-cj2quared.duckdns.org"]}
{"level":"info","ts":1650935000.2284508,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0x291d5e0"}
{"level":"info","ts":1650935000.2296348,"msg":"autosaved config (load with --resume flag)","file":"/data/caddy/autosave.json"}

5. What I already tried:

Honestly, I’ve tried so many things over the past 4 days. I would love to provide an intelligent response here, but I’m ill-equipped at the moment.

6. Links to relevant resources:

Link to Caddy add-on repo: GitHub - einschmidt/app-caddy-2: Caddy 2 is a powerful, open source web server with automatic HTTPS

Thank you for any insight and for entertaining this one-man clown parade.

As noted here – don’t enable on_demand without configuring ask. It’s dangerous, and puts you at risk of DDoS.

You should probably use the Caddyfile-style env here instead, to avoid issues with dynamic placeholders:

reverse_proxy localhost:{$PORT}

Probably best to do the same for site addresses as well:

{$DOMAIN}.duckdns.org {
  ...
}

Make a request with curl -v; what do you see? You should see the Location header with the redirect.

It’s probably a misconfiguration with your NextCloud instance where it’s triggering redirects because it thinks it’s being served by a different domain, or something.
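
The two configuration points raised in the reply above can be checked mechanically. This is an added example, not code from the thread or from Caddy: a small Python lint that flags `on_demand` inside a `tls` block when the global options have no `on_demand_tls { ask ... }`, and `{env.*}` runtime placeholders in site addresses or `reverse_proxy` upstreams. The line-based parsing, the finding codes and the trimmed sample config are assumptions made for illustration.

```python
# Trimmed copy of the Caddyfile posted above (constructed sample input).
ORIGINAL = """\
{
  email {env.EMAIL}
}
(common) {
  tls {
    dns duckdns {env.DUCKDNS_TOKEN}
    on_demand
  }
}
{env.DOMAIN}.duckdns.org {
  import common
  reverse_proxy localhost:{env.PORT}
}
"""
# The changes suggested in the reply: drop on_demand, use {$VAR} substitution.
FIXED = (ORIGINAL.replace("    on_demand\n", "")
         .replace("{env.DOMAIN}", "{$DOMAIN}").replace("{env.PORT}", "{$PORT}"))

def lint_caddyfile(text):
    """Return sorted (line, code) findings; line-based parsing is a simplification."""
    findings, stack, on_demand, has_ask = [], [], [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        words = line.rstrip("{").split()
        head = words[0] if words else ""       # "" marks the global options block
        site_addr = not stack and line.endswith("{") and head and not head.startswith("(")
        if "{env." in line and (site_addr or head == "reverse_proxy"):
            findings.append((lineno, "RUNTIME_ENV_PLACEHOLDER"))
        if head == "on_demand" and "tls" in stack:
            on_demand.append(lineno)
        if head == "ask" and stack == ["", "on_demand_tls"]:
            has_ask = True
        if line.endswith("{"):
            stack.append(head)
    if not has_ask:                            # on_demand with no ask endpoint
        findings += [(n, "ON_DEMAND_WITHOUT_ASK") for n in on_demand]
    return sorted(findings)

if __name__ == "__main__":
    print("original:", lint_caddyfile(ORIGINAL))
    print("fixed:   ", lint_caddyfile(FIXED))
```
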

@francislavoie, thank you much for the quick and thorough reply!

  1. I have removed ‘on_demand’ from my Caddyfile
  2. I have conformed to the Caddyfile-style env
  3. curl -v localhost:8088
    Location: https://localhost/

Any assistance with what light that response sheds? And, again, thank you very much for your assistance and support.

Seems like NextCloud thinks it’s running on port 80 instead of 8088. Make sure to look at NextCloud’s config/docs for putting a proxy in front of it.

See here:

https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/reverse_proxy_configuration.html
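
To see where a redirect chain like the one in this thread closes on itself, the `Location` headers can be followed one hop at a time. The sketch below is an added example, not code from the thread, Caddy or Nextcloud. It uses a constructed model of one cause consistent with the `Location: https://localhost/` response above: a backend that forces HTTPS but ignores the scheme forwarded by a TLS-terminating proxy. The names `make_site` and `trace_redirects` and the hostname are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def make_site(backend_trusts_proxy):
    """Constructed model: TLS-terminating proxy in front of a plain-HTTP backend."""
    def backend(host, forwarded_proto):
        # The backend itself only ever sees plain HTTP from the proxy.
        proto = forwarded_proto if backend_trusts_proxy else "http"
        if proto != "https":
            return 302, f"https://{host}/"       # force-HTTPS redirect
        return 200, None

    def fetch(url):
        parts = urlsplit(url)
        if parts.scheme == "http":               # proxy's HTTP->HTTPS redirect
            return 308, f"https://{parts.hostname}{parts.path or '/'}"
        return backend(parts.hostname, "https")  # proxy forwards the original scheme
    return fetch

def trace_redirects(fetch, url, max_hops=20):
    """Follow Location headers one hop at a time, as `curl -v` shows them."""
    hops, seen = [], set()
    while len(hops) < max_hops:
        if url in seen:
            return hops, "loop"
        seen.add(url)
        status, location = fetch(url)
        hops.append((url, status, location))
        if status not in REDIRECTS or not location:
            return hops, "ok"
        url = urljoin(url, location)
    return hops, "too_many_redirects"

SITE = "http://nextcloud.example.test/"          # constructed hostname

if __name__ == "__main__":
    for trusts in (False, True):
        hops, verdict = trace_redirects(make_site(trusts), SITE)
        print(f"backend_trusts_proxy={trusts}: {verdict}")
        for url, status, location in hops:
            print(f"  {status} {url} -> {location}")
```

Passing a `fetch` that performs a real request without following redirects gives the same trace against a live site.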