1. Caddy version (caddy version):
v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=
2. How I run Caddy:
Caddy is run using systemd with /etc/caddy/Caddyfile as main config
a. System environment:
CloudLinux 8.x (CentOS/AlmaLinux based)
b. Command:
systemctl start caddy
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
ReadWritePaths=/etc/pki
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
Caddyfile
{
	admin 127.0.0.1:8888
	grace_period 3s
	log {
		output file /var/log/caddy/caddy.log {
			roll_size 250MiB
			roll_keep_for 15d
		}
		level INFO
	}
	email some@mail.com
	on_demand_tls {
		#ask https://api.swisscenter.com/webservices.php/caddy/dnslookup
		interval 2m
		burst 5
	}
	order realip first
}
(common) {
	bind 127.0.0.1 [::1] 94.103.96.188 [2a00:a500:0:96::188]
	realip {
		header "X-Forwarded-For"
		from cloudflare
		maxhops 5
	}
	@sc_server_fqdn {
		path /_sc_get_server_fqdn
	}
	respond @sc_server_fqdn "web23.swisscenter.com" 200 {
		close
	}
	reverse_proxy http://127.0.0.80:80
}
(manager) {
	bind 94.103.96.188 [2a00:a500:0:96::188]
	reverse_proxy http://127.0.0.1:9000
}
import /etc/caddy/host.conf
import /etc/caddy/customers/*.conf
host.conf
web23.swisscenter.com {
	@only_obs {
		path /imav*
		not remote_ip 192.168.50.0/24 2a00:a500:0:10::/64
	}
	respond @only_obs "We're sorry, but this resource is not available for you. If you feed this is an error, please contact your amazing server administrator." 403 {
		close
	}
	import common
}
manager.web23.swisscenter.com {
	@only_obs {
		not remote_ip 192.168.50.0/24
	}
	route @only_obs {
		respond "We're sorry, but this resource is not available for you. If you feed this is an error, please contact your amazing server administrator." 403 {
			close
		}
	}
	import manager
}
127.0.0.1, [::1], 94.103.96.188, [2a00:a500:0:96::188] {
	import common
	tls internal
}
Example customers/*.conf file
cybermind.ch, www.cybermind.ch, 276668.web23.swisscenter.com {
	import common
	tls {
		on_demand
	}
}
3. The problem I’m having:
We use Caddy as an SSL terminator for our hosting. We use it with on-demand and the ASK hook to verify that the domain we want to request a certificate for is really pointing to the server, to avoid any requests that would lead to an unsuccessful result.
For this, our ASK script calls a special URL on the domain and needs this URL to return a 200 with the server name in the body that matches the server name of the host calling the ASK URL.
However, when calling the cybermind.ch/_sc_get_server_fqdn URL, it is redirected to HTTPS, which makes sense thanks to the auto HTTP->HTTPS redirect, but it is a problem, because the certificate is not yet available, so it ends up with an internal SSL error.
$ curl -v cybermind.ch/_sc_get_server_fqdn
* Trying 2a00:a500:0:96::188:80...
* Connected to cybermind.ch (2a00:a500:0:96::188) port 80 (#0)
> GET /_sc_get_server_fqdn HTTP/1.1
> Host: cybermind.ch
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://cybermind.ch/_sc_get_server_fqdn
< Server: Caddy
< Date: Thu, 26 May 2022 06:18:31 GMT
< Content-Length: 0
<
* Closing connection 0
We need this particular URL to be exempt from the auto HTTP->HTTPS redirect to avoid this issue, so the ASK script can confirm the domain is pointing to the correct server before allowing a certificate to be requested.
4. Error messages and/or full log output:
The ASK script we wrote returns that cURL can’t connect to the redirected resource, as the SSL engine reports an internal error (certificate missing…):
caddy_dnslookup.log-20220524.gz:2022-05-23T07:42:58.042905+00:00 > 628b3af80d6f9 > ERROR > Error calling http://cybermind.ch/_sc_get_server_fqdn: cURL error 35: Peer reports it experienced an internal error. (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://cybermind.ch/_sc_get_server_fqdn
5. What I already tried:
To be honest, I don’t know where to start at this point to exclude a single URL from the auto HTTP->HTTPS redirect.
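The ASK flow described in sections 3 and 4, modelled as an added example that is not the poster's script: a Python ask handler that probes http://<domain>/_sc_get_server_fqdn without following redirects and returns 200 to Caddy only when the body is the expected server name, so the 308 shown in the curl output becomes an explicit denial instead of a TLS error. The hosts good.example, redir.example and other.example and their responses are constructed for offline use.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Tuple

PROBE_PATH = "/_sc_get_server_fqdn"    # path the (common) snippet answers on every host
SERVER_FQDN = "web23.swisscenter.com"  # body that snippet returns
@dataclass
class ProbeResult:
    status: int
    body: str = ""
    location: str = ""  # Location header when the probe was redirected

def urllib_fetch(url: str, timeout: float = 5.0) -> ProbeResult:
    """Plain-HTTP probe that deliberately does NOT follow redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx as an HTTPError instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, resp.read(512).decode("utf-8", "replace"))
    except urllib.error.HTTPError as exc:
        return ProbeResult(exc.code, "", exc.headers.get("Location", ""))

def ask_decision(domain: str, fetch: Callable[[str], ProbeResult] = urllib_fetch) -> Tuple[int, str]:
    """Status for Caddy's GET <ask>?domain=<name>: 200 allows issuance, anything else denies."""
    if not domain or any(c in domain for c in "/:?#@ "):
        return 400, "malformed domain"  # never build a URL from an unchecked value
    try:
        res = fetch(f"http://{domain}{PROBE_PATH}")
    except OSError as exc:  # DNS failure, refused connection, timeout
        return 403, f"probe failed: {exc}"
    if 300 <= res.status < 400:
        # The failure in the post: the HTTP probe is 308'd to https://, unreachable before a cert exists.
        return 403, f"probe redirected to {res.location}; exempt {PROBE_PATH} from HTTP->HTTPS"
    if res.status != 200 or res.body.strip() != SERVER_FQDN:
        return 403, f"expected {SERVER_FQDN!r}, got {res.status} {res.body.strip()!r}"
    return 200, "ok"

SAMPLE = {  # constructed responses standing in for live hosts so the check runs offline
    "good.example": ProbeResult(200, SERVER_FQDN + "\n"),
    "redir.example": ProbeResult(308, "", "https://redir.example" + PROBE_PATH),
    "other.example": ProbeResult(200, "web99.other.example"),
}

def sample_fetch(url: str) -> ProbeResult:
    host = url[len("http://"):-len(PROBE_PATH)]
    if host not in SAMPLE:
        raise OSError("connection refused")
    return SAMPLE[host]
```

Wire `ask_decision` behind the ask URL configured in `on_demand_tls` and map the returned status straight onto the HTTP response; with `urllib_fetch` as the default fetcher it probes real hosts.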