How can I get an HTTPS certificate while there are no ports 80 and 443 to use?

I am trying to use Caddy as a reverse proxy, but it seems ports 80 and 443 are blocked by the ISP.

How can I get HTTPS now?

Update: I have made a call to the ISP, and they tell me that ports 80, 8080 and 443 are all blocked.

To make my 3 hours worth it, I will write down what I tried. God knows how many times I checked almost everything.

The system info is here:
Router and firewall: OPNsense
Linux: Manjaro with IP address 192.168.1.100, for example
Caddy: latest version, in Docker 18.09.0-ce

Here is what I have done to find out what happened.

  1. Change the OPNsense web UI port from 443 to 8443, and disable the web GUI redirect rule, in case the firewall redirects port 80.

  2. Add a NAT rule to redirect ports 80 and 443 to 192.168.1.100; OPNsense automatically adds a matching firewall rule on the WAN interface. This works, because I have tried it on other ports.

And then I start the Caddy Docker container; the Caddyfile looks like this:

# Caddy v1 Caddyfile syntax (this thread is from 2018)
home.example.me
{
	log ./caddy.log

	# send /opnsense to /opnsense/ so relative links in the proxied UI resolve
	redir /opnsense /opnsense/
	# proxy to the OPNsense web UI, which step 1 moved to port 8443
	proxy /opnsense 192.168.1.2:8443 {
		without /opnsense
		websocket
		transparent
		header_upstream -Origin
	}
}

And booooom! Caddy shows an error like this.

2018/12/07 15:17:20 [home.example.me] failed to get certificate: acme: Error 400 - urn:ietf:params:acme:error:connection - Fetching http://home.example.me/.well-known/acme-challenge/XXXXXXXXXXXXXXXXXXXX: Timeout during connect (likely firewall problem)
2018/12/07 15:17:09 [INFO][home.example.me] acme: Trying to solve HTTP-01
2018/12/07 15:17:09 [INFO][home.example.me] acme: Could not find solver for: tls-alpn-01
2018/12/07 15:17:09 [INFO][home.example.me] acme: Could not find solver for: dns-01
2018/12/07 15:17:09 [INFO][home.example.me] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/XXXXXXXXXXXXXXX
Activating privacy features...
2018/12/07 15:17:08 [INFO][home.example.me] acme: Obtaining bundled SAN certificate

So I edit the Caddyfile and add tls self_signed to it.

And now things get weird. Caddy shows it is running on port 2015.

Activating privacy features... done.
https://home.example.me:2015
2018/12/07 16:29:50 https://home.example.me:2015

So I add a NAT rule, and this works, of course with a 404 error message.

So I tested the firewall rules and the Caddyfile many times.

I tested port 443 of the Manjaro machine, but even though the Caddy container is running and port 443 is listening on the Manjaro (host) machine, the test shows that port 443 cannot be reached from the LAN.

I tried running netdata in a container, forwarding host port 19998 to container port 19999 (because port 19999 is already used by the netdata running on my host), and added a NAT rule to the firewall; it can be visited from the internet.

So I changed the netdata container's port forward from host port 443 to container port 19999, with a NAT rule of course; the port test shows that host port 443 can be reached from the LAN, but I can't visit netdata from the internet. What makes this interesting is that the firewall log shows it allowed the connection from the internet to the netdata container.


Well, I can't visit netdata, so maybe port 443 is blocked? But if it is blocked, why are there logs showing that the firewall accepted the connection?

And just in case, here are my firewall rules and NAT rules.


Whatever, I think port 80 and port 443 are both blocked.

So now I am facing a new problem:
How can I get an HTTPS certificate while there are no ports 80 and 443 to use?

And one more question: can I make Caddy, running in Docker, reverse proxy an IP like 192.168.1.150? And how do I do that?

If you can’t control ports 80 and 443 or they are blocked, you’ll have to use the DNS challenge – it is the only way: Automatic HTTPS — Caddy Documentation
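What the DNS challenge asks of you, as an added example that is not from this thread and not Caddy's own code: the CA hands the client a token, the client hashes that token together with the thumbprint of its ACME account key, and the base64url of that hash is the value that must appear in the TXT record _acme-challenge.<domain>. Nothing has to listen on 80 or 443, which is why it works behind an ISP block. The code below implements that arithmetic (RFC 8555 section 8.4 and RFC 7638) and a pre-flight check that the record is visible before the CA is told to validate. The domain, token, account key coordinates and the stand-in resolver are example values constructed for illustration, not real credentials or a real challenge.

```python
"""DNS-01 challenge arithmetic from RFC 8555 section 8.4 and RFC 7638.

Added example, not code from the thread or from Caddy. The domain, the
challenge token, the account key and the resolver below are constructed
for illustration; a real ACME client gets the token from the CA, the key
from its own account key pair, and the TXT answers from real DNS.
"""
import base64
import hashlib
import json
import re
from typing import Callable, Iterable, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace in the JSON."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, thumbprint: str) -> Tuple[str, str]:
    """Return (TXT record name, TXT record value) for a DNS-01 challenge.

    keyAuthorization = token || '.' || thumbprint(accountKey)
    TXT value        = base64url(SHA-256(keyAuthorization))
    Only the hash goes into DNS, so the account key never leaves the client.
    """
    key_authz = f"{token}.{thumbprint}"
    value = b64url(hashlib.sha256(key_authz.encode("ascii")).digest())
    return f"_acme-challenge.{domain}", value


# 32-byte digest -> 43 base64url characters, no padding
TXT_VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def looks_like_txt_value(value: str) -> bool:
    """Sanity check on the shape of a DNS-01 TXT value or a thumbprint."""
    return TXT_VALUE_RE.fullmatch(value) is not None


def record_published(name: str, expected: str,
                     resolve_txt: Callable[[str], Iterable[str]]) -> bool:
    """Pre-flight check before telling the CA to validate: the expected value
    must be among the TXT answers. Several values may legitimately coexist
    (e.g. a wildcard and its base name share the same record name)."""
    return expected in set(resolve_txt(name))


# Constructed inputs (example values, not a real key or a real challenge).
EXAMPLE_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
               "alias": "ignored-by-thumbprint"}  # non-required member, dropped
EXAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def example() -> Tuple[str, str]:
    """Compute the record Caddy (or any ACME client) would publish for the
    hostname from the thread, given the example key and token above."""
    thumb = jwk_thumbprint(EXAMPLE_JWK)
    return dns01_record("home.example.me", EXAMPLE_TOKEN, thumb)


if __name__ == "__main__":
    name, value = example()
    print(f'{name}. IN TXT "{value}"')
    # A fake resolver stands in for: dig +short TXT _acme-challenge.home.example.me
    print("published:", record_published(name, value, lambda _: [value]))
```

In practice the client does this for you: Caddy v1 did it with a dns <provider> line inside the tls block, reading the provider's API credentials from environment variables, which in Docker you pass with -e. The check in record_published is still worth doing by hand (dig against the zone's authoritative servers, not your resolver) when a DNS-01 order fails, since propagation delay and a stale cached answer look identical from the CA's side.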


I have followed the guide in your reply, and it works just fine.

Many thanks. 🥳
