File or directory not found in TLS directive

That’s particularly weird. I don’t see Server: Caddy in here, so I don’t think Caddy handled the request.

Oh, you removed the Server header. Please don’t do that, it makes debugging harder. It doesn’t increase security in any way. If it was harmful at all, we wouldn’t enable it in the first place. It’s a very useful header to see which servers a request passed through.


Below is my setup; see if you can detect any mistake …

1. Vaultwarden docker-compose.yml

```yaml
services:

  vaultwarden:
    image: vaultwarden/server
    container_name: vaultwarden
    hostname: vaultwarden
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./vaultwarden_data/:/data/
    # expose takes container port numbers only, not host:container pairs
    expose:
      - 80
      - 3012

networks:
  default:
    name: $DOCKER_MY_NETWORK
    external: true
```

2. Caddy docker-compose.yml

```yaml
services:

  caddy:
    image: caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    env_file: .env
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./caddy_config:/config
      - ./caddy_data:/data
      - /etc/ssl/certs:/etc/ssl/certs:ro
      - ./site:/srv

networks:
  default:
    name: $DOCKER_MY_NETWORK
    external: true
```

3. The .env file

```sh
# GENERAL
# tz database zone name ("North America/Toronto" is not a valid zone)
TZ=America/Toronto
DOCKER_MY_NETWORK=caddy_net
```

4. The Caddyfile

```caddyfile
{$MY_DOMAIN2} {
  encode gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  # If you want to use FIDO2 WebAuthn, set X-Frame-Options to "SAMEORIGIN" or the Browser >
  header {
       # Enable HTTP Strict Transport Security (HSTS)
       Strict-Transport-Security "max-age=31536000;"
       # Enable cross-site filter (XSS) and tell browser to block detected attacks
       X-XSS-Protection "1; mode=block"
       # Disallow the site to be rendered within a frame (clickjacking protection)
       X-Frame-Options "DENY"
       # Prevent search engines from indexing (optional)
       X-Robots-Tag "none"
  }
  # tls  /etc/ssl/certs/_wildcard.zung102-olympic.nord.pem  /etc/ssl/certs/_wildcard.zung10>
  # acme_server
  tls internal

  # Notifications redirected to the websockets server
  reverse_proxy /notifications/hub localhost:3012

  # Proxy everything else to Rocket
  reverse_proxy localhost:80  {   # 100.122.127.103:80  {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}
```

Here is a portion of the caddy_net network details:

```json
   "Containers": {
            "3dbe05e15c5e70da8f067f33853386772b758db0b46451e5afefb61df5f5526e": {
                "Name": "caddy",
                "EndpointID": "ac1c1fc3be36e56351a745515d5f5143decedb41086386d9b8cdca04faf3fa0f",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            },
            "f73fcd2287483602b4a9b8ce364818317fe83919450ff9f76c20cb93356c65e3": {
                "Name": "vaultwarden",
                "EndpointID": "47deb3cc9ff5256b991e2b873a26c754934b0fc2c02c28235fbfbba1f44ae2b2",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            }
        },
```

If I take the Caddy container down I get this …

```
docker compose down
[+] Running 1/1
 ✔ Container caddy  Removed                                                           0.3s 
zung25@zung-1:~/docker/caddy$ curl -v https://zung102-olympic.nord
*   Trying 100.122.127.103:443...
* connect to 100.122.127.103 port 443 failed: Connection refused
* Failed to connect to zung102-olympic.nord port 443 after 0 ms: Connection refused
* Closing connection 0
curl: (7) Failed to connect to zung102-olympic.nord port 443 after 0 ms: Connection refused
```

Thank you very much for your great help!

Keep in mind that localhost inside of a container means “this same container” so Caddy would be proxying to itself. Make sure to use the name of the other container you want to connect to, e.g. vaultwarden:80

Okay, but try without removing the Server header. It’ll tell us what’s causing the redirect loop. And what’s in Caddy’s logs with debug enabled?

Make sure your upstream isn’t configured to perform HTTP->HTTPS redirects, or at least is configured to recognize that Caddy is passing X-Forwarded-Proto: https which should tell it not to.
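The rule in the reply above, as an added example that is not part of the thread and not Vaultwarden's or Rocket's own code: an upstream that only sees a plain-HTTP connection from Caddy must read X-Forwarded-Proto to learn the client's real scheme, and it should trust that header only when the peer is the proxy. The trusted range (172.18.0.0/16, from the caddy_net listing in the thread) and all request values are constructed for the example.

```python
"""Decide whether an app behind a reverse proxy should redirect to HTTPS.

Added example (not from the thread). Caddy terminates TLS and proxies to the
upstream over plain HTTP on port 80, so the upstream's own socket scheme is
always "http". If the upstream redirects every such request to https://, the
client loops: Caddy -> upstream -> redirect -> Caddy -> ... The fix is to honour
X-Forwarded-Proto, but only from the proxy's own address range, because any
client that can reach the upstream directly could otherwise forge it.
"""
import ipaddress

# Constructed: the Docker network shown in the thread's caddy_net listing.
TRUSTED_PROXY_NETWORKS = [ipaddress.ip_network("172.18.0.0/16")]


def effective_scheme(request_scheme, headers, peer_ip, trusted=TRUSTED_PROXY_NETWORKS):
    """Return "https" or "http" for the client-facing connection.

    request_scheme: scheme of the socket the app itself accepted ("http" when
                    the proxy forwards to plain port 80).
    headers:        request headers as a dict; names are matched case-insensitively.
    peer_ip:        address of the TCP peer that connected to the app.
    trusted:        networks whose X-Forwarded-Proto we believe (the proxy).
    """
    if request_scheme == "https":
        return "https"                      # TLS terminated here; nothing to guess
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted):
        return "http"                       # not our proxy: ignore forwarded headers
    lowered = {name.lower(): value for name, value in headers.items()}
    forwarded = lowered.get("x-forwarded-proto", "")
    # With chained proxies the header can be a comma-separated list; the first
    # element describes the client-facing hop.
    first = forwarded.split(",")[0].strip().lower()
    return "https" if first == "https" else "http"


def should_redirect_to_https(request_scheme, headers, peer_ip, trusted=TRUSTED_PROXY_NETWORKS):
    """True when the upstream should answer with a redirect to https://.

    Returning True for a request that already arrived over TLS at the proxy is
    exactly the redirect loop discussed in the thread.
    """
    return effective_scheme(request_scheme, headers, peer_ip, trusted) != "https"


if __name__ == "__main__":
    # Constructed requests: one proxied by Caddy, one from an untrusted peer.
    print(should_redirect_to_https("http", {"X-Forwarded-Proto": "https"}, "172.18.0.3"))
    print(should_redirect_to_https("http", {"X-Forwarded-Proto": "https"}, "203.0.113.7"))
```

Caddy's reverse_proxy sets X-Forwarded-Proto for you; the part the upstream owns is the trust decision, which is why the trusted range is explicit rather than "any peer that sends the header".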


reverse_proxy localhost:80 was what I found on the internet for allowing HTTPS access to a local domain name. An example is here: https://caddy.community/t/making-a-https-local-domain-for-local-service/18051.

I have also tried specifying reverse_proxy vaultwarden:80. The results from curl appeared better …

```
curl -v https://zung102-olympic.nord
*   Trying 100.122.127.103:443...
* Connected to zung102-olympic.nord (100.122.127.103) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: [NONE]
*  start date: Jun 23 19:30:10 2023 GMT
*  expire date: Jun 24 07:30:10 2023 GMT
*  subjectAltName: host "zung102-olympic.nord" matched cert's "zung102-olympic.nord"
*  issuer: CN=Caddy Local Authority - ECC Intermediate
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x56053c448560)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: zung102-olympic.nord
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< cache-control: public, max-age=600
< content-security-policy: default-src 'self'; base-uri 'self'; form-action 'self'; object-src 'self' blob:; script-src 'self' 'wasm-unsafe-eval'; style-src 'self' 'unsafe-inline'; child-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-src 'self' https://*.duosecurity.com https://*.duofederal.com; frame-ancestors 'self' chrome-extension://nngceckbapebfimnlniiiahkandclblb chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh moz-extension://* ; img-src 'self' data: https://haveibeenpwned.com https://www.gravatar.com ; connect-src 'self' https://api.pwnedpasswords.com https://api.2fa.directory https://app.simplelogin.io/api/ https://app.anonaddy.com/api/ https://api.fastmail.com/ ;
< content-type: text/html; charset=utf-8
< date: Fri, 23 Jun 2023 22:20:04 GMT
< expires: Fri, 23 Jun 2023 22:30:04 GMT
< permissions-policy: accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()
< referrer-policy: same-origin
< server: Caddy
< server: Rocket
< strict-transport-security: max-age=31536000;
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-frame-options: SAMEORIGIN
< x-robots-tag: none
< x-xss-protection: 1; mode=block
< x-xss-protection: 0
< content-length: 1240
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<!doctype html><html class="theme_light"><head><meta charset="utf-8"/><meta name="viewport" content="width=1010"/><meta name="theme-color" content="#175DDC"/><title page-title>Vaultwarden Web Vault</title><link rel="apple-touch-icon" sizes="180x180" href="images/apple-touch-icon.png"/><link rel="icon" type="image/png" sizes="32x32" href="images/favicon-32x32.png"/><link rel="icon" type="image/png" sizes="16x16" href="images/favicon-16x16.png"/><link rel="mask-icon" href="images/safari-pinned-tab.svg" color="#175DDC"/><link rel="manifest" href="ca8f66ed7fccfcd0809f.json"/><script defer="defer" src="theme_head.5f24ba8d7aa944e6f52b.js"></script><link href="app/main.c107f7b9354b6317446a.css" rel="stylesheet"></head><body class="layout_frontend"><app-root><div class="mt-5 d-flex justify-content-center"><div><img class="mb-4 logo logo-themed" alt="Bitwarden"/><p class="text-center"><i class="bwi bwi-spinner bwi-spin bwi-2x text-muted" title="Loading" aria-hidden="true"></i></p></div></div></app-root><script defer="defer" src="app/polyfills.428c25638840333a09ee.js"></script><script defer="defer" src="app/vendor.776201439bfdefee32dc.js"></script><script defer="defer" src="app/main.3a27378a743dd4ad9f70.js"
* Connection #0 to host zung102-olympic.nord left intact
```

But from the Microsoft Edge browser on another local PC it still says the site is not secure … is that normal or expected?

```
https://zung102-olympic.nord/#/login
prefix https was crossed out
Your connection isn't private
Attackers might be trying to steal your information from zung102-olympic.nord (for example, passwords, messages, or credit cards).
NET::ERR_CERT_AUTHORITY_INVALID
```
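The response above carries two copies of server, x-frame-options and x-xss-protection with different values, because Caddy's header block adds them and Rocket sets its own. The following check, an added example that is not part of the thread and not Caddy's or Vaultwarden's code, reads the `< ` response lines that curl -v prints and flags headers that arrive more than once with disagreeing values, so you can decide which layer should own each one. The sample output is a constructed, trimmed copy of the headers shown above.

```python
"""Flag response headers that arrive more than once with differing values.

Added example (not from the thread). It parses the "< " lines that curl -v
prints for the response and reports header names whose values disagree, the
pattern you get when both the proxy (Caddy's header directive) and the
upstream (Rocket/Vaultwarden) emit the same security header.
"""
from collections import OrderedDict

# Constructed sample, trimmed from the curl output in the thread.
SAMPLE_CURL_OUTPUT = """\
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< server: Caddy
< server: Rocket
< strict-transport-security: max-age=31536000;
< x-frame-options: DENY
< x-frame-options: SAMEORIGIN
< x-xss-protection: 1; mode=block
< x-xss-protection: 0
< content-length: 1240
<
"""


def parse_response_headers(curl_output):
    """Return an ordered mapping of lower-cased header name -> list of values.

    Only lines prefixed "< " or "<" (curl's marker for response lines) are read;
    the status line (no colon) and the blank terminator line are skipped, and
    values are split on the first colon only so CSP-style values stay intact.
    """
    headers = OrderedDict()
    for line in curl_output.splitlines():
        if not line.startswith("<"):
            continue
        body = line[1:].strip()
        if not body or body.startswith("HTTP/"):
            continue                        # blank terminator or status line
        name, sep, value = body.partition(":")
        if not sep:
            continue                        # not a header line
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def find_conflicting_headers(curl_output):
    """Return {name: [values]} for headers seen with more than one distinct value.

    Identical repeats (for example two equal Vary lines) are not reported; only
    disagreements are, since those are the ones whose effective meaning depends
    on how the client resolves the conflict.
    """
    return {
        name: values
        for name, values in parse_response_headers(curl_output).items()
        if len(set(values)) > 1
    }


if __name__ == "__main__":
    for name, values in find_conflicting_headers(SAMPLE_CURL_OUTPUT).items():
        print(f"{name}: {values}  <- pick one layer to own this header")
```

Run it against a saved `curl -v` transcript; anything it lists should be set in exactly one place, either by removing it from the Caddyfile header block when the upstream already sends it, or by having Caddy replace the upstream's copy rather than append to it.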

Yep that looks good :+1:

You need to install Caddy’s root CA cert on every machine that will be making requests to your server. You can use the same command I linked earlier to copy it out of your container, then copy it to your other machines and install it there.

You mean the root.crt file? If so, where do I copy it to on a Windows PC?

Yes, that file. Use Google to find instructions for installing your own root certificate.

Thank you again for all the help you provided. I have found some instructions on the internet to import the root CA into Windows. It works now.
