Help with sub-subdomain with Docker


(Alessandro) #21

Here’s the output:

curl -kIL cloudflared.home.domain.com

HTTP/1.1 301 Moved Permanently
Connection: close
Content-Type: text/html; charset=utf-8
Location: https://cloudflared.home.domain.com/
Server: Caddy
Date: Wed, 03 Oct 2018 12:07:35 GMT

HTTP/2 200
accept-ranges: bytes
cache-control: max-age=31536000
content-type: text/html; charset=utf-8
date: Wed, 03 Oct 2018 12:07:35 GMT
last-modified: Sun, 01 Apr 2018 22:05:28 GMT
server: Caddy
content-length: 2748

(Matthew Fay) #22

Yep, looks great with Cloudflare out of the way. It’s got something to do with their end (their middle?).

While they’re reverse proxying your origin server, they terminate TLS with their own certificate. Usually they bulk issue their certificates for this purpose (common “free tier” sites behind Cloudflare are often on the same ticket with 50+ other customers’ websites if you just check the alternate name list).

Dunno, maybe they just haven’t issued yours yet and are trying to hand out an empty cert - not that I’ve ever seen that behaviour before. Anyway, if you need the orange cloud in front, you’ll want to open a ticket with them. It’ll probably help if you can re-break it and demonstrate how to easily verify it’s broken.


(Alessandro) #23

So it may help to re-set the TLS option on Cloudflare’s Crypto page from and to Full (strict) again, even if it says “Active certificte”?


(Matthew Fay) #24

Full (Strict) describes Cloudflare’s behaviour when connecting to your server (the origin server). It requires a scenario where the origin presents a publicly validated HTTPS certificate, ensures that communication only occurs if this is true.

Your Caddy satisfies that requirement. It gets its certificate from LetsEncrypt, validates them by writing a DNS record (incidentally via Cloudflare’s API, but you could easily use any compatible DNS provider).

Changing between Full (Strict) and Full shouldn’t have any affect on the issue (swapping to Flexible or Off should break your site with a different issue), but you should use (Strict) because you get additional security by requiring the certificate to be valid.


(Alessandro) #25

I’m actually amazed by your knowledge!

Also, I thank you officially for your fast help! In the end you solved my problem in a matter of minutes!


(Matthew Fay) #26

Glad to help. If you do go to Cloudflare, and they get back to you about this weirdness, I’d be interested to hear the result.


(Alessandro) #27

Sure, I will contact them as soon as I have time to do that!
Thank you again!
(I marked your reply as the solution)


(Matthew Fay) #28

Cheers for that, might help someone in future.

I also just remembered, none of the things we went over covered this part:

If you ever get this again in the logs, a few of us would be interested in investigating if we can reproduce it. It should never be able to happen (multiplexing listeners on a single port), so it would definitely be a bug.


(Alessandro) #29

Sure, if it happens again I’ll certanly open a new topic!

I’ll make sure to tag you as well, if you want haha.