How can I use client_auth with wildcard setup?

1. The problem I’m having:

I’m trying to configure Caddy to use the wildcard example with a Digital Ocean DNS challenge and add client certificate authentication to some but not all hosts in the group, but I’m getting a fatal error from Caddy on startup.

2. Error messages and/or full log output:

2023/08/11 06:08:24.642	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": "caddyfile"}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'handle': directive 'tls' is not an ordered HTTP handler, so it cannot be used here - try placing within a route block or using the order global option

3. Caddy version:

2.7.3

4. How I installed and ran Caddy:

Using a custom-built Docker image to add the Digital Ocean module.

FROM caddy:2.7-builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/digitalocean@master

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Docker on Intel-based Synology NAS.

b. Command:

Not applicable.

c. Service/unit/compose file:

Not applicable.

d. My complete Caddy config:

{
	acme_dns digitalocean {env.DIGITALOCEAN_API_KEY}
}

(client_auth) {
	tls {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /config/certs/CA.crt
		}
	}
}

*.casa.fonseca.org {
	@unifi host unifi.casa.fonseca.org
	handle @unifi {
		encode gzip
		reverse_proxy https://172.16.1.1:443 {
			header_up Host {host}
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	@dsm host dsm.casa.fonseca.org
	handle @dsm {
		import client_auth
		encode gzip
		reverse_proxy https://172.16.1.20:5001 {
			header_up Host {host}
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	@assistant host assistant.casa.fonseca.org
	handle @assistant {
		encode gzip
		reverse_proxy 172.16.1.20:8123
	}

	@plex host plex.casa.fonseca.org
	handle @plex {
		encode gzip
		reverse_proxy 172.16.1.20:32400
	}

	@movies host movies.casa.fonseca.org
	handle @movies {
		import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:7878 {
			header_up Host {host}
		}
	}

	@books host books.casa.fonseca.org
	handle @books {
		import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:8787 {
			header_up Host {host}
		}
	}

	@series host series.casa.fonseca.org
	handle @series {
		# import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:8989
	}

	@tautulli host tautulli.casa.fonseca.org
	handle @tautulli {
		import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:8181
	}

	@music host music.casa.fonseca.org
	handle @music {
		import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:8686
	}

	@bridge host bridge.casa.fonseca.org
	handle @bridge {
		import client_auth
		encode gzip
		reverse_proxy 172.16.1.20:8581
	}

	@requests host requests.casa.fonseca.org
	handle @requests {
		encode gzip
		reverse_proxy 172.16.1.20:5055
	}
}

5. Links to relevant resources:

Unfortunately that’s not possible with the Caddyfile currently. You’d need to be able to set up SNI matching for TLS connection policies, which is complicated with how the Caddyfile is designed.

It’s possible with JSON config though, and you have full control over TLS connection policies.

For now, you’ll need to make separate site blocks for the ones that you want to use client auth with; you can’t use the wildcard site pattern.

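The JSON route the answer refers to, written out as an added example (it is not the poster's config and not taken from Caddy's documentation): one server on :443 still carries the whole wildcard, and a TLS connection policy matched on SNI attaches client-certificate authentication to dsm.casa.fonseca.org only. Hostnames, upstreams, the CA path and the DIGITALOCEAN_API_KEY variable come from the question; the automation policy is assumed to be the JSON equivalent of the global acme_dns block, and only two of the original hosts are shown to keep the example short.

```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"host": ["dsm.casa.fonseca.org"]}],
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{"dial": "172.16.1.20:5001"}],
                "headers": {"request": {"set": {"Host": ["{http.request.host}"]}}},
                "transport": {
                  "protocol": "http",
                  "tls": {"insecure_skip_verify": true}
                }
              }]
            },
            {
              "match": [{"host": ["assistant.casa.fonseca.org"]}],
              "handle": [{
                "handler": "reverse_proxy",
                "upstreams": [{"dial": "172.16.1.20:8123"}]
              }]
            }
          ],
          "tls_connection_policies": [
            {
              "match": {"sni": ["dsm.casa.fonseca.org"]},
              "client_authentication": {
                "mode": "require_and_verify",
                "trusted_ca_certs_pem_files": ["/config/certs/CA.crt"]
              }
            },
            {}
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [{
          "subjects": ["*.casa.fonseca.org"],
          "issuers": [{
            "module": "acme",
            "challenges": {
              "dns": {
                "provider": {
                  "name": "digitalocean",
                  "auth_token": "{env.DIGITALOCEAN_API_KEY}"
                }
              }
            }
          }]
        }]
      }
    }
  }
}
```

Connection policies are evaluated in order and the first match wins, so the SNI-specific policy has to come before the empty catch-all; the catch-all is what keeps the remaining hosts on Caddy's default TLS settings with no client auth. Because the policy keys on the SNI the client presents, a connection to the shared listener that names dsm.casa.fonseca.org but offers no certificate should be rejected during the handshake, while one naming assistant.casa.fonseca.org completes normally; checking both cases with `openssl s_client -servername` is a quick way to confirm the policy order is right after a config change.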

Thanks for the answer! I’ll split my config between the wildcard hosts that don’t need client auth and the ones that do.

