1. Caddy version (`caddy version`):
caddy v2 latest docker
2. How I run Caddy:
# Site block for dev.arwd.circ8.dcn. The address carries no scheme and the
# block has a `tls` directive with explicit files, so Caddy serves it over
# HTTPS with that certificate instead of obtaining one via ACME.
dev.arwd.circ8.dcn {
# The "remote error: tls: unknown certificate authority" log entries are
# alerts sent by the connecting client: it does not trust the issuer of
# example.crt (the nginx setup being replaced used a self-signed self.cer).
tls /root/certs/example.crt /root/certs/example.key
# NOTE(review): reverse_proxy forwards the full original path; it does not
# strip the matched prefix the way nginx `proxy_pass http://host/;` did.
# A path matcher `/x/*` matches paths starting with /x/ but not /x itself.
reverse_proxy /calendar/* http://calendarservice
reverse_proxy /fcsf/* http://signup-api:1984
reverse_proxy /auth/* http://jenieauth
reverse_proxy /hasura/* http://graphql-engine:8080
reverse_proxy /graphql/* http://travelvouchers-server:3000
reverse_proxy /employees/* http://employee-sync:3004
reverse_proxy /directory-api/* http://directory-api:4005
# No `header` directive here: the HSTS, X-Frame-Options and
# X-Content-Type-Options headers nginx added are not set by this config.
}
a. System environment:
b. Command:
docker-compose up -d --build
docker-compose restart
c. Service/unit/compose file:
version: "3.7"
services:
  caddy:
    # `latest` is a floating tag: a `--build`/pull may resolve to a different
    # Caddy release each time, so behaviour can change between restarts with
    # no change to this file. Pin a version tag (or an image digest) for
    # reproducible deployments.
    image: caddy:latest
    restart: unless-stopped
    # Published on all host interfaces. 443 is the TLS listener used by the
    # Caddyfile site block; 80 is where Caddy's HTTP->HTTPS redirects are served.
    ports:
      - "80:80"
      - "443:443"
    volumes:
      # Caddy only reads its config, so a read-only mount (`:ro`) is enough.
      - ./Caddyfile:/etc/caddy/Caddyfile
      # Holds the TLS private key named by the Caddyfile's `tls` directive.
      # Caddy needs read access only -- mount it read-only
      # (`./certs:/root/certs:ro`) and keep the key file on the host
      # unreadable to other users, since this container terminates all
      # inbound TLS for the site.
      - ./certs:/root/certs
      # Named volumes keep Caddy's managed data and autosaved config across
      # container rebuilds (presumably certs/keys under /data -- verify
      # against the image docs for the pinned version).
      - caddy_data:/data
      - caddy_config:/config
    networks:
      - backend
volumes:
  caddy_data:
  caddy_config:
networks:
  # Pre-existing network, not created by this file. Every upstream hostname
  # in the Caddyfile (calendarservice, signup-api, jenieauth, ...) must be
  # attached to it for Caddy to resolve and dial them; a failed dial is what
  # typically surfaces as a 502 from reverse_proxy.
  backend:
    external: true
d. My complete Caddyfile or JSON config:
# Site block for dev.arwd.circ8.dcn. The address has no scheme and the block
# contains a `tls` directive with explicit cert/key files, so Caddy serves it
# over HTTPS (port 443 per the compose port mapping) with that certificate
# rather than an ACME-issued one.
dev.arwd.circ8.dcn {
# Certificate and key are read from the container path the compose file
# mounts from ./certs. The "remote error: tls: unknown certificate authority"
# entries in the log are alerts sent by the client side of the handshake:
# the connecting browser/tool does not trust the issuer of example.crt (the
# nginx config this replaces used a self-signed self.cer). The client must
# have the issuing CA installed, or the site must present a certificate
# from a CA the client already trusts; no Caddy-side setting changes this.
tls /root/certs/example.crt /root/certs/example.key
# NOTE(review): reverse_proxy does NOT strip the matched prefix; each
# upstream below receives the full original path (e.g. /calendar/today).
# The nginx config being replaced used `proxy_pass http://host/;` (trailing
# slash) for calendar, hasura, graphql, employees and directory-api, which
# removed the prefix before forwarding. If those upstreams expect the prefix
# removed, use `handle_path /calendar/* { reverse_proxy http://calendarservice }`
# -- handle_path strips the matched prefix -- instead of a bare matcher.
reverse_proxy /calendar/* http://calendarservice
# `/fcsf/*` matches paths beginning with /fcsf/ only; a request for exactly
# /fcsf does not match it (nginx `location /fcsf` did match it). nginx kept
# the /fcsf prefix when forwarding, so keeping it here is consistent with
# the old behaviour. A 502 from Caddy generally means the dial to, or the
# response from, signup-api:1984 failed -- a separate issue from the path.
reverse_proxy /fcsf/* http://signup-api:1984
# nginx exposed this upstream under /jenieauth/, not /auth/; links or
# clients built against the old path will not reach it here.
reverse_proxy /auth/* http://jenieauth
reverse_proxy /hasura/* http://graphql-engine:8080
reverse_proxy /graphql/* http://travelvouchers-server:3000
reverse_proxy /employees/* http://employee-sync:3004
reverse_proxy /directory-api/* http://directory-api:4005
# Requests matching none of the paths above are not proxied anywhere; nginx
# sent `location /` to https://www.arwd.circ8.dcn. Also absent here are the
# Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options
# response headers nginx added, and the X-Real-IP request header it set for
# some upstreams (Caddy's reverse_proxy sets X-Forwarded-For by default, not
# X-Real-IP). In Caddy v2 response headers are set with the `header`
# directive, e.g.
#   header Strict-Transport-Security "max-age=63072000; includeSubdomains"
}
3. The problem I’m having:
I want to move away from Nginx and start using Caddy.
Trying to run Caddy in front of several applications; the most important one is a Next.js app. I get a 502 error when trying to access the backend services. I have this setup on a different server where it works well, but that server only has one service.
2021/05/03 20:21:02 http: TLS handshake error from 156.127.60.152:55571: remote error: tls: unknown certificate authority.
I chalk this up to some type of browser not liking the cert – perhaps because it's now being served by Caddy instead of nginx – but I'm not sure. I don't get this error on my other server, which also runs my own certs.
4. Error messages and/or full log output:
2021/05/03 19:54:35 http: TLS handshake error from 156.127.60.152:53052: read tcp 172.31.0.3:443->156.127.60.152:53052: read: connection timed out
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60446: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60447: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60448: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60451: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60449: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60450: remote error: tls: unknown certificate authority
2021/05/03 19:55:27 http: TLS handshake error from 156.127.60.152:60452: remote error: tls: unknown certificate authority
5. What I already tried:
I need help debugging why my services aren't showing up on the paths. The Next.js app should be on /fcsf and forwarded to signup-api (the Docker hostname) on port 1984, but I don't see any traffic in the Next.js logs. I've confirmed the Docker network names, and those are carried over from nginx, so I'm confident the Docker containers are talking to each other.
I've tried disabling the HTTP→HTTPS redirect to see if it's an issue with the certs. I added this
{
auto_https off
}
to the top of the Caddyfile, but I still get redirects in Firefox.
6. Links to relevant resources: nginx.conf
# On-disk cache used by the /fcsf/_next/static/ and /fcsf/static/ locations
# below (zone STATIC, entries expire after 7 days idle).
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=7d use_temp_path=off;
# Next.js signup app; same host:port the Caddyfile's /fcsf/* entry targets.
upstream fcsf-api {
server signup-api:1984;
}
# Catch-all target for `location /` (over HTTPS); the Caddyfile has no
# equivalent catch-all.
upstream internal-site {
server www.arwd.circ8.dcn;
}
server {
# default_server + `server_name _`: this block answers every HTTPS request
# regardless of SNI/Host, always presenting the self-signed cert below.
listen 443 ssl http2 default_server;
server_name _;
# Self-signed certificate. A client that does not trust it produces the
# same "unknown certificate authority" alert the Caddy log now shows; the
# certificate files given to Caddy (example.crt/key) are different files,
# so clients that trusted self.cer may not trust the new one.
ssl_certificate /etc/nginx/ssl/self.cer;
ssl_certificate_key /etc/nginx/ssl/self-ssl.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve secp384r1;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_session_tickets off;
# OCSP stapling disabled (a self-signed cert has no OCSP responder anyway).
ssl_stapling off;
ssl_stapling_verify off;
# HSTS with a two-year max-age (63072000 s) and includeSubdomains. Browsers
# that visited the site while nginx served it will keep rewriting http://
# to https:// for this host -- and its subdomains -- internally until the
# policy expires, independently of whatever the current server does. This
# could explain redirects still appearing in a browser after the server-side
# redirect was turned off. The Caddyfile does not re-send these three headers.
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
#access_log /var/log/nginx/host.access.log main;
# Everything not matched below is proxied over HTTPS to the internal site.
location / {
proxy_pass https://internal-site/;
proxy_set_header X-Real-IP $remote_addr;
}
# Prefix location (no trailing slash) so /fcsf itself matches. proxy_pass
# with a URI replaces the matched prefix "/fcsf" with "/fcsf/", i.e. the
# upstream still sees the /fcsf prefix (for /fcsf/x this presumably yields
# /fcsf//x -- verify). The Caddy `/fcsf/*` matcher keeps the prefix too but
# does not match a bare /fcsf.
location /fcsf {
proxy_pass http://fcsf-api/fcsf/;
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr;
}
# Cached static assets for the Next.js build; not replicated in Caddy.
location /fcsf/_next/static/ {
proxy_cache STATIC;
proxy_pass http://fcsf-api/fcsf/_next/static/;
# For testing cache - remove before deploying to production
#add_header X-Cache-Status $upstream_cache_status;
}
location /fcsf/static/ {
proxy_cache STATIC;
proxy_ignore_headers Cache-Control;
proxy_cache_valid 60m;
proxy_pass http://fcsf-api/fcsf/static/;
# For testing cache - remove before deploying to production
#add_header X-Cache-Status $upstream_cache_status;
}
# Alternate mount of the same upstream with the prefix stripped and the
# usual forwarding headers; no Caddy counterpart.
location /fcsf2 {
proxy_pass http://fcsf-api/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Not carried over to the Caddyfile.
location /listen/ {
proxy_pass http://icecast:8000/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Each of the following uses `proxy_pass http://host/;` (trailing slash):
# the matched prefix is replaced by "/", so the upstream receives the path
# WITHOUT /calendar/, /jenieauth/, /hasura/, /graphql/, /employees/ or
# /directory-api/. Caddy's reverse_proxy with a plain path matcher forwards
# the prefix unchanged, so these upstreams see different paths after the
# migration.
location /calendar/ {
proxy_pass http://calendarservice/;
}
# Exposed as /jenieauth/ here; the Caddyfile maps this upstream to /auth/*.
location /jenieauth/ {
proxy_pass http://jenieauth/;
}
location /hasura/ {
proxy_pass http://graphql-engine:8080/;
}
location /graphql/ {
proxy_pass http://travelvouchers-server:3000/;
}
location /employees/ {
proxy_pass http://employee-sync:3004/;
}
location /directory-api/ {
proxy_pass http://directory-api:4005/;
}
# Upstream failures (including 502) are served as a static page rather
# than the raw gateway error.
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}