1. Caddy version (caddy version):
activated and installed caddy via copr repo @caddy/caddy
v2.4.5 with Hetzner DNS plugin
2. How I run Caddy:
systemd (copr repo caddy install provided)
a. System environment:
Rocky Linux, LXC unprivileged container
b. Command:
systemctl start caddy.
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
frontend
##############
### Snippets ###
##############
(log_file) {
	log {
		format logfmt
		output file /var/log/caddy/{host}.access.log {
			roll_keep 7
		}
	}
}
(custom_header) {
	header_up X-Forwarded-Host {host}
	header_up Host {http.reverse_proxy.upstream.hostport}
}
(privacy_header) {
	header {
		# disable FLoC tracking
		Permissions-Policy interest-cohort=()
		# enable HSTS
		Strict-Transport-Security max-age=31536000;
		# disable clients from sniffing the media type
		X-Content-Type-Options nosniff
		# clickjacking protection
		X-Frame-Options DENY
		# keep referrer data off of HTTP connections
		Referrer-Policy no-referrer-when-downgrade
	}
}
(hetzner_dns01) {
	tls admin@mydomain.tld {
		dns hetzner APIKEYREDACTED
		ca https://acme-v02.api.letsencrypt.org/directory
	}
}
##############
### Global ###
##############
{
	debug
}
##############
### config ###
##############
proxin.dmz.mydomain.tld {
	acme_server
	tls internal
}
s3.mydomain.tld {
	import hetzner_dns01
	import privacy_header
	reverse_proxy https://s3.subdomain.mydomain.tld {
		import custom_header
	}
}
console.s3.mydomain.tld {
	#basicauth * {
	#	user PASSWORDREDACTED
	#}
	import hetzner_dns01
	import privacy_header
	@websockets {
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @websockets console.s3.subdomain.mydomain.tld/ws/* {
		#import custom_header
	}
	reverse_proxy https://console.s3.subdomain.mydomain.tld {
		import custom_header
	}
}
backend
########### snippets ##################################
(custom_headers) {
	#header_up X-Forwarded-Ssl on
	header_up Host {host}
	header_up X-Real-IP {remote}
	#header_up X-Forwarded-For {remote}
	#header_up X-Forwarded-Port {server_port}
	#header_up X-Url-Scheme {scheme}
	#header_up X-Forwarded-Host {host}
	#header_up X-Forwarded-Proto {scheme}
}
(proxin_acme) {
	tls {
		ca https://proxin.dmz.mydomain.tld/acme/local/directory
		ca_root /etc/ssl/certs/root.crt
	}
}
######################################################
{
	debug
}
s3.subdomain.mydomain.tld {
	import proxin_acme
	reverse_proxy s3.subdomain.mydomain.tld:9000 {
		import custom_headers
	}
}
console.s3.subdomain.mydomain.tld {
	import proxin_acme
	reverse_proxy console.s3.subdomain.mydomain.tld:9001 {
		import custom_headers
	}
}
3. The problem I’m having:
Download of Diagnose Data via the minio web console is failing for me when trying to access the web console through the frontend.
Browser devtools show that the websocket connection can't be established, with the following error:
connection is closed by by server with code:1006
However, access and download work fine if I access the minio web console directly via console.s3.subdomain.mydomain.tld.
So my guess was that something is missing to pass through the websocket connections at the frontend, and I ended up with the websockets handler config in the frontend, with no luck.
I also tried playing with the header_up options, with no success.
I am using mTLS for frontend/backend communication, and everything just works fine with no errors after a few tries. Thanks for making the setup a piece of cake! Donations incoming.
While looking for minio use cases here in the forum, I stumbled upon a minio config from user m90 and would like to know more about this part, especially the header_down options.
Thanks in advance.
mysite.com {
	log
	encode gzip
	reverse_proxy {
		to minio:9000
		header_down -Server
		header_down -Content-Security-Policy
		header_down -X-Amz-Request-Id
	}
	header {
		Permissions-Policy interest-cohort=()
	}
	@noslash {
		not expression {path}.endsWith("/")
		path_regexp ^[a-z\-/]*$
	}
	@with_query {
		not expression {query}.size() == 0
	}
	handle @noslash {
		redir @with_query {path}/?{query} permanent
		redir {path}/ permanent
	}
	handle {
		@document expression {path}.endsWith("/")
		route @document {
			rewrite {path}index.html
		}
		rewrite * /bucket{path}
	}
...
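As an added example (not from the original post, not from user m90's config, and not from Caddy's documentation): a frontend site block for the console that matches WebSocket upgrades by request path and headers instead of putting a path into the upstream address, since a Caddy reverse_proxy upstream address carries only scheme, host and port. It assumes the `hetzner_dns01`, `privacy_header` and `custom_header` snippets defined in the frontend Caddyfile above, and that the backend serves TLS on 443 as configured there.

```caddyfile
# Added example; assumes the snippets from the frontend Caddyfile above.
console.s3.mydomain.tld {
	import hetzner_dns01
	import privacy_header

	# Match WebSocket upgrade requests under /ws/ by path and by the
	# Connection/Upgrade headers. The path lives in the matcher, not
	# in the upstream address, which may not carry a path.
	@websockets {
		path /ws/*
		header Connection *Upgrade*
		header Upgrade websocket
	}

	# Proxy upgrades to the backend over TLS (https:// scheme, port 443),
	# the same transport the non-websocket traffic already uses, so the
	# mTLS setup between frontend and backend is reused for /ws/.
	reverse_proxy @websockets https://console.s3.subdomain.mydomain.tld {
		import custom_header
	}

	# Everything else goes to the same backend over TLS as before.
	reverse_proxy https://console.s3.subdomain.mydomain.tld {
		import custom_header
	}
}
```

Running `caddy adapt --config /etc/caddy/Caddyfile` before a reload shows whether the adapter accepts the upstream addresses, which is a cheap check that a bad address has not been silently kept from an earlier load.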