1. The problem I’m having:
I’m using caddy to act as a reverse proxy for a webserver on another machine in my local network. When trying to access the website I’m getting an HTTP ERROR 502.
Using this as an example:
I tried to install the certificate on my webserver with the following command:
[07:43][octopi] : sudo ./caddy trust --address 192.168.1.23:2019
2023/03/21 06:43:50.244 WARN installing root certificate (you might be prompted for password) {"path": "192.168.1.23:2019/pki/ca/local"}
2023/03/21 06:43:50.245 INFO not NSS security databases found
2023/03/21 06:43:50.245 INFO define JAVA_HOME environment variable to use the Java trust
2023/03/21 06:43:52.053 INFO certificate installed properly in linux trusts
But I’m getting the same error.
2. Error messages and/or full log output:
I can’t post the caddy logs as I’m getting an error while submitting this form. But here are the relevant bits:
Mar 21 07:14:42 piwall caddy[509]: {"level":"debug","ts":1679379282.7036712,"logger":"http.handlers.reverse_proxy", [ ... ] :["https"],"X-Forwarded-Host":["pav67.fr"]},"tls":{"resumed":true,"version":772,"cipher_suite":4867,"proto":"h3","server_name":"pav67.fr"}},"error":"tls: failed to verify certificate: x509: certificate signed by unknown authority"}
Mar 21 07:14:42 piwall caddy[509]: {"level":"error","ts":1679379282.714907,"logger":"http.log.error.log0","msg":"tls: failed to verify certificate: x509: certificate signed by unknown authority","request": [ ... ] ,"tls":{"resumed":true,"version":772,"cipher_suite":4867,"proto":"h3","server_name":"pav67.fr"}},"duration":0.123664963,"status":502,"err_id":"4fwet2xnu","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}
3. Caddy version:
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
a. System environment:
Raspberry pi (armv6l) with raspbian
b. Command:
I’m using a custom static binary.
c. Service/unit/compose file:
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target
[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
ReadWritePaths=/var/log/caddy
AmbientCapabilities=CAP_NET_BIND_SERVICE
[Install]
WantedBy=multi-user.target
d. My complete Caddy config:
{
    debug
    admin :2019
    security {
        local identity store localdb {
            realm local
            path /home/paul/.local/caddy/localauth/users.json
        }
        authentication portal myportal {
            crypto default token lifetime 3600
            crypto key sign-verify secret
            enable identity store localdb
            ui {
                links {
                    "Octoprint" "/print" icon "las la-star"
                    "WhoAmI" "/auth/whoami" icon "las la-star"
                }
            }
            transform user {
                match origin local
                action add role authp/user
            }
            transform user {
                match origin local
                match roles authp/user
                ui link "Portal Settings" "/auth/settings" icon "las la-cog"
            }
        }
        authorization policy users_policy {
            set auth url https://pav67.fr/auth
            allow roles authp/admin authp/user
            crypto key verify secret
            acl rule {
                comment allow users
                match role authp/user
                allow stop log info
            }
            acl rule {
                comment default deny
                match role any
                deny log warn
            }
        }
    }
}
pav67.fr {
    @mygeofilter {
        maxmind_geolocation {
            db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
            allow_countries FR
        }
    }
    route /auth* {
        authenticate with myportal
    }
    route /print* {
        authorize with users_policy
        uri strip_prefix /print
        reverse_proxy @mygeofilter https://octopi
    }
    route {
        redir https://{hostport}/auth/login 302
    }
    log {
        format transform `{request>remote_addr} - {request>user_id} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size} "{request>headers>Referer>[0]}" "{request>headers>User-Agent>[0]}"` {
            time_format "02/Jan/2006 15:04:05 -0700"
        }
        output file /var/log/caddy/caddy.log
    }
}
Thanks for your help!
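The error in the log, `x509: certificate signed by unknown authority`, is the message Go's TLS client returns when it cannot build a chain from the certificate the upstream presented to a root in the trust store of the process doing the verification. In this setup that process is the Caddy instance running `reverse_proxy` on piwall, so it is that host's trust store (or a CA bundle handed to the transport with `tls_trusted_ca_certs`) that must contain the CA which issued the upstream's certificate; installing the root on the upstream machine does not change what the proxy trusts. The Go program below is an added illustration of that verification step, not code from the original post or from Caddy: it builds a throw-away local CA and a server certificate for the constructed name `octopi`, then runs the same `x509.Certificate.Verify` check Caddy's upstream TLS client performs, once against a trust pool lacking the CA (reproducing the logged error), once with the CA added, and once with a mismatched server name to show the distinct error that produces.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert builds a certificate from tmpl. With a nil parent the certificate
// is self-signed (a root CA); otherwise it is issued by parent/parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// ConstructedPKI is a throw-away CA plus a server certificate for "octopi",
// standing in for the local CA an upstream Caddy generates. Nothing here is real.
type ConstructedPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
}

// BuildPKI creates the constructed CA and the leaf certificate it signs.
func BuildPKI() (*ConstructedPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Local CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "octopi"},
		DNSNames:     []string{"octopi"}, // the name the proxy dials, as in "reverse_proxy https://octopi"
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &ConstructedPKI{CA: ca, Leaf: leaf}, nil
}

// VerifyUpstream performs the check a Go TLS client (and therefore Caddy's
// reverse_proxy transport) performs on an upstream certificate: chain it to a
// root in the given pool and match serverName against its SANs. It returns a
// short classification of the outcome instead of the raw error.
func VerifyUpstream(leaf *x509.Certificate, roots *x509.CertPool, serverName string) string {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownCA):
		return "unknown authority" // the condition behind the 502 in the log above
	case errors.As(err, &badHost):
		return "hostname mismatch" // CA trusted, but the dialed name is not in the cert
	default:
		return "other: " + err.Error()
	}
}

func main() {
	pki, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	// A trust store that lacks the upstream's local CA: fails like the logged error.
	untrusted := x509.NewCertPool()
	fmt.Println("without local CA:", VerifyUpstream(pki.Leaf, untrusted, "octopi"))
	// A trust store containing the upstream's root: what the proxy host needs.
	trusted := x509.NewCertPool()
	trusted.AddCert(pki.CA)
	fmt.Println("with local CA:   ", VerifyUpstream(pki.Leaf, trusted, "octopi"))
	fmt.Println("wrong name:      ", VerifyUpstream(pki.Leaf, trusted, "pav67.fr"))
}
```

The three outcomes are worth telling apart when reading Caddy's debug log: "unknown authority" means the proxy host does not trust the issuing CA, while a hostname error means the CA is trusted but the name in the `reverse_proxy` upstream address does not match the certificate's SANs.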