How can I use Caddy on other ports

1. Caddy version (caddy version):


v2.5.0

2. How I run Caddy:


Reverse proxy

a. System environment:


caddy runs as docker container on

SLES 15 with Docker version 20.10.12-ce

b. Command:


docker-compose up -d

c. Service/unit/compose file:


```yaml
version: "3"

services:
  caddy:
    container_name: caddy
    build:
      context: .
      dockerfile: Dockerfile
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./data/caddy:/data
      - ./config:/config
    ports:
      - 8880:8880
      - 8843:8843
    networks:
      - intern
```

Promtail docker-compose file:


```yaml
version: "3"

services:
  grafana:
    container_name: grafana
    user: "0:0"
    image: /grafana/grafana:latest
    restart: always
    depends_on:
      - prometheus
      - promtail
    volumes:
      - ./conf/grafana/provisioning/datasources:/etc/grafana/provisioning/datasources
      - ./conf/grafana/provisioning/dashboards:/etc/grafana/provisioning/dashboards
      - ./data/grafana:/var/lib/grafana
    environment:
      GF_SECURITY_ADMIN_USER: ${GF_SECURITY_ADMIN_USER}
      GF_SECURITY_ADMIN_PASSWORD: ${GF_SECURITY_ADMIN_PASSWORD}
      GF_USERS_VIEWERS_EDIT: "true"
      # GF_SERVER_ROOT_URL: {{ gf_server_root_url }}
      GF_SERVER_DOMAIN: example.com
      GF_SERVER_ROOT_URL: https://example.com/grafana/
      GF_SERVER_SERVE_FROM_SUB_PATH: "true"
    networks:
      - intern

  promtail:
    container_name: promtail
    image: /grafana/promtail:latest
    restart: always
    environment:
      - TZ=Europe/Berlin
    command: -config.file=/etc/promtail-config/promtail.yml
    volumes:
      - ./conf/promtail/promtail.yml:/etc/promtail-config/promtail.yml
      - /var/lib/docker/containers:/var/lib/docker/containers:ro
      - /var/log/:/var/log/:ro
    networks:
      - intern

  prometheus:
    container_name: prometheus
    user: "0"
    image: prom/prometheus:latest
    networks:
      - intern
    volumes:
      - ./conf/prometheus:/etc/prometheus
      - ./data/prometheus:/prometheus
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    command:
      - '--storage.tsdb.retention.time=1w'
      - '--storage.tsdb.retention.size=800MB'
      - '--log.level=error'
      - '--storage.tsdb.wal-compression'
      - '--config.file=/etc/prometheus/prometheus.yml'
      - '--web.enable-lifecycle'
      - '--web.enable-admin-api'
      - '--storage.tsdb.path=data/'
      # - '--web.config.file=/etc/prometheus/web.yml'
      - '--web.external-url=http://localhost:9090/prometheus/'
```

d. My complete Caddyfile config:


```caddyfile
{
  http_port 8880
  https_port 8843
}

example.com:8843 {
  handle /promtail* {
    reverse_proxy promtail:9080
    basicauth /promtail/* {
      admin JDJhJDE0JDFrVXLHLKHKNBZWVXOy5rQ3pEdnUasd5cWxCRFZPWnkzUk10NSF2NJV2gV29T
    }
  }

  handle /grafana* {
    reverse_proxy grafana:3000
  }

  handle /loki* {
    reverse_proxy loki:3100
    basicauth /loki/* {
      admin JDJDEhJDE0JDFrVXNBZWVXOEHby5rQ3pEdnU5cWxCRFZJV2gzTWxÖLÖJÖHDHV29T
    }
  }

  handle /prometheus* {
    reverse_proxy prometheus:9090
    basicauth /prometheus/* {
      admin JDJhJDE0JDNBJÖIOJLKJHIZWVXOE9WNEVTMFlGRn5cWxCRFZPWnkzUk10N2NJV2g29T
    }
  }

  tls acme@company.com {
    ca https://server:8001/acme/acme/directory
    ca_root /usr/local/share/ca-certificates/company_bundle.crt
  }
}
```

3. The problem I’m having:


I want to use Caddy with other ports because ports 80 and 443 are not free. How can I make Caddy not use ports 80 and 443 and instead use 8880 (for http) and 8843 (https)?

With the current configuration it does not work.

4. Error messages and/or full log output:


```json
{"level":"error","ts":1652771760.8610604,"logger":"tls.obtain","msg":"will retry","error":"[example.com] Obtain: [example.com] solving challenges: [example.com] authorization took too long (order=https://server:8001/acme/acme/order/nDWa79wasdfadsfasfasdfaZrPRY) (ca=https://server:8001/acme/acme/directory)","attempt":7,"retrying_in":1200,"elapsed":4500.804962957,"max_duration":2592000}
```

example.com is a placeholder.

5. What I already tried:


first:

```caddyfile
{
  http_port 8880
  https_port 8843
}

example.com: {......config abbreviated
```

#####################################

second:

```caddyfile
{
  http_port 8880
  https_port 8843
}

example.com:8843 {....... config abbreviated
```

######################################

third:

```caddyfile
example.com:8843 {....... config abbreviated
```

6. Links to relevant resources:


```caddyfile
example.com {
  handle /promtail* {
    reverse_proxy 127.0.0.1:9080
  }

  handle /grafana* {
    reverse_proxy 127.0.0.1:3000
  }

  handle /loki* {
    reverse_proxy 127.0.0.1:3100
  }

  handle /prometheus* {
    reverse_proxy 127.0.0.1:9090
  }
}
```

Loki config:


```yaml
server:
  http_listen_port: 3100
  grpc_listen_port: 9095
  http_path_prefix: /loki
```

Promtail config:

```yaml
server:
  http_listen_port: 9080
  http_path_prefix: /promtail
```

You must have traffic on ports 80 and 443 reach Caddy if you want to solve ACME HTTP and/or TLS-ALPN challenges.

Your alternative is to use the ACME DNS challenge, but that involves building Caddy with a plugin (pretty easy to do though) and connecting it to your DNS provider.

Really though, the easiest solution is to move away whatever you have running on those ports to another port, then use Caddy to proxy to it whatever was using 80 and 443 instead.

Also, I strongly recommend using subdomains for each of your services, not subpaths.

2 Likes

Thank you for the super-fast feedback. It's incredible how fast that was.

The situation is a bit complicated. Let me start from the beginning. I want to monitor an appliance with Promtail and Telegraf (Docker based); the two containers provide metrics and logs unencrypted over HTTP and do not provide standard basic auth. Therefore, Caddy sits in front of the two containers as a reverse proxy and takes care of the HTTPS encryption and basic auth, which is great.

The problem is that the appliance has a haproxy and already uses ports 80 and 443.

Therefore, I wanted to use ports 8880 and 8843 for Caddy. Now I realize that this is not possible. ACME DNS is currently not possible for us. But could I use existing TLS certs?

I could map the existing ssl.crt and ssl.key into the Caddy container and use the existing SSL certificate with it.

  1. Question: Can I put the certificates in the Docker container? Would it work with that?

  2. Question: Is the reference correct?

  3. Since I don't have a wildcard certificate, the connection would not be secure for now. I want to skip this until I get a wildcard certificate. Can I achieve this with tls_insecure_skip_verify?

docker-compose


```yaml
version: "3"

services:
  caddy:
    container_name: caddy
    image: caddy:2.5.0
    volumes:
      - "/opt/app/monitoring/caddy/Caddyfile:/etc/caddy/Caddyfilse"
      - "/opt/app/monitoring/caddy/data/caddy:/data"
      - "/opt/app/monitoring/caddy/config:/config"
      - "/etc/haproxy/ssl.crt:/etc/ssl/app/ssl.crt:ro"
      - "/etc/haproxy/ssl.key:/etc/ssl/app/ssl.key:ro"
    ports:
      - "8880:8880"
      - "8843:8843"
    networks:
      - app_monitoring

networks:
  app_monitoring:
    driver: bridge
    name: app_monitoring
```

Caddyfile


```caddyfile
promtail.example.com {
  tls /etc/ssl/app/ssl.crt /etc/ssl/app/ssl.key     # <=== 1.question
  reverse_proxy app_promtail:9080                   # <=== 2.question
  basicauth promtail* {
    admin JDJhJDE0JERa5SUM1Sasdfa0ZzZEUWo1Ujd0asdaZkF5ZasdfasfasdfasLmF3Si9OL0Z1
  transport http {
    tls
    tls_insecure_skip_verify                        # <=== 3.question
  }
}

telegraf.example.com {
  tls /etc/ssl/app/ssl.crt /etc/ssl/app/ssl.key
  reverse_proxy app_telegram:9080
  basicauth telegraf* {
    admin JDJhJDE0JER5Saasdfasd6OEVzekFXU0asdfaasdfaEUWo1Ujd0ZkF5ZVRsLmF3Si9OL0Z1
  transport http {
    tls
    tls_insecure_skip_verify
  }
}
```

Anywhere, really. You could mount it in a dir called /certs if you like.

Yeah, that’s probably correct assuming app_promtail is a docker container that shares a docker network with the Caddy container.

This doesn’t look right – you’re missing a closing } for basicauth

This isn’t in the right place. transport is a subdirective of reverse_proxy, so it would have to go within a block in reverse_proxy. But I don’t think you need this at all, it doesn’t look like you’re proxying to your promtail container over HTTPS (I’m assuming by the port number being 9080). So you can remove all that.

No. You need a cert that has promtail.example.com (or whatever your real domain is) as a name inside of it.

I think you have a mistake here, you wrote Caddyfilse instead of Caddyfile.

Are you sure you can’t move haproxy to use different ports, then have Caddy proxy to haproxy?

1 Like
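Putting the points from both replies together, here is a corrected version of the second Caddyfile as an added example (not code from the original thread or from the Caddy project): braces balanced, the misplaced transport block dropped because Promtail speaks plain HTTP on 9080, one subdomain per service, and the mounted HAProxy certificate supplied with `tls <cert> <key>`, so Caddy issues nothing via ACME and the 80/443 challenge problem from the first post does not arise. Assumed: the container names app_promtail and app_telegraf, and an ADMIN_HASH environment variable holding the output of `caddy hash-password`.

```caddyfile
# Global options: listen on the high ports that are free on the appliance.
{
  http_port 8880
  https_port 8843
}

# One subdomain per service instead of sub-paths. The certificate mounted
# from HAProxy must list each hostname as a SAN; with a cert/key supplied
# here, Caddy manages no certificate for these names and never runs an
# ACME HTTP or TLS-ALPN challenge, so nothing needs to reach 80 or 443.
promtail.example.com {
  tls /etc/ssl/app/ssl.crt /etc/ssl/app/ssl.key

  # Protect the whole site, not a path; the bcrypt hash comes from
  # `caddy hash-password` and is injected via ADMIN_HASH (assumed env var)
  # so no credential material sits in the Caddyfile.
  basicauth {
    admin {$ADMIN_HASH}
  }

  # Promtail listens on plain HTTP inside the docker network, so there is
  # no `transport http { tls ... }` block and no tls_insecure_skip_verify.
  reverse_proxy app_promtail:9080
}

telegraf.example.com {
  tls /etc/ssl/app/ssl.crt /etc/ssl/app/ssl.key

  basicauth {
    admin {$ADMIN_HASH}
  }

  # Container name assumed (the thread's config says app_telegram).
  reverse_proxy app_telegraf:9080
}
```

Clients then reach the services at https://promtail.example.com:8843 and https://telegraf.example.com:8843; if the certificate does not carry both names, the browser warning is the same one the third question asks about, and only a matching certificate fixes it.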
