How can I use proxy_ssl_name for SNI in Caddy 2

sgasser · April 28, 2020, 1:55pm

Hi!

1. My Caddy version (`caddy version`):

v2.0.0-rc.3

a. System environment:

Linux

2. The problem I’m having:

proxy_ssl_name for SNI should work with Caddy 2:

github.com/caddyserver/caddy

add [proxy_ssl_name]

opened 09:39PM - 24 Feb 19 UTC

closed 11:18PM - 10 Oct 19 UTC

f4nff

feature

``` upstream serlist { server 104.16.70.234:443; server 104.16.72.234:443; s…erver 104.16.69.234:443; server 104.16.71.234:443; server 104.16.68.234:443; } server { listen 80; location /{ proxy_pass https://serlist; proxy_set_header Host “api.cloudflare.com”; proxy_ssl_session_reuse on; proxy_ssl_protocols TLSv1.2; proxy_ssl_verify off; proxy_send_timeout 60s; proxy_ssl_server_name on; proxy_ssl_name “api.cloudflare.com”; proxy_redirect off; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection “upgrade”; } } ``` After testing, caddyserver can not achieve the configuration requirements above nginx. If you don't set proxy_ssl_name, you will get a **403 Forbidden cloudflare-nginx**. Caddy can customize the host, but the reverse proxy https, you also need to be able to customize the sni name, otherwise you can not achieve the above nginx configuration requirements.

But I can’t find anything in the documentation.
How I can set proxy_ssl_name in the Caddyfile?

This is my current Caddyfile:


:8000

reverse_proxy {
	to https://mydomain.com
	transport http {
               // this is not working:
		//tls {
		//	server_name mydomain.com
		//}
	}
	header_up X-Real-IP {http.reverse_proxy.upstream.remote}
	header_up X-Forwarded-For {http.reverse_proxy.upstream.remote}
	header_up X-Forwarded-Port {http.reverse_proxy.upstream.hostport}
	header_up X-Forwarded-Proto {http.reverse_proxy.upstream.scheme}
}

Thank you

francislavoie · April 28, 2020, 2:21pm

I think you’re looking to set the Host field to mydomain.com?

:8000

reverse_proxy https://mydomain.com {
	header_up Host mydomain.com
	header_up X-Real-IP {http.request.remote.host}
	header_up X-Forwarded-Port {http.request.port}
	header_up X-Forwarded-Proto {http.request.proto}
}

X-Forwarded-For is set automatically for you, and X-Forwarded-Proto will be set automatically as of the next release.

By default Host is set to the SNI of the original request. I think you’re looking to override that with mydomain.com instead?

matt · April 28, 2020, 2:29pm

@francislavoie The Host header is for the application layer (HTTP); Stefan needs ServerName set in the TLS handshake.

@sgasser The website docs aren’t fully updated yet, but you can set the server_name field of the HTTP transport’s TLS settings here: Modules - Caddy Documentation

sgasser · April 28, 2020, 2:41pm

Thanks @matt and @francislavoie - what a great community

How can I transform this Modules - Caddy Documentation to the Cadddyfile?

I tried:

:8000

reverse_proxy {
	to https://mydomain.com
	transport http {
		tls {
			server_name https://mydomain.com
		}
	}
	header_up X-Real-IP {http.reverse_proxy.upstream.remote}
	header_up X-Forwarded-For {http.reverse_proxy.upstream.remote}
	header_up X-Forwarded-Port {http.reverse_proxy.upstream.hostport}
	header_up X-Forwarded-Proto {http.reverse_proxy.upstream.scheme}
}

but I get the following error:

using adjacent Caddyfile
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': Caddyfile:6 - Error during parsing: unrecognized subdirective {

Thanks

francislavoie · April 28, 2020, 2:45pm

Unfortunately I don’t think that option is available in the Caddyfile yet.

For now, until we add it, you can comment out that one line from your Caddyfile, run caddy adapt --config Caddyfile --pretty and modify the JSON to add that property, then you can run Caddy with the JSON config for now.

francislavoie · April 28, 2020, 3:03pm

I opened a quick PR to add it, should be available in the Caddyfile in v2.1 if not earlier.

github.com/caddyserver/caddy

reverseproxy: Add tls_server_name http transport option to Caddyfile

caddyserver:master ← francislavoie:tls-server-name-caddyfile

opened 03:02PM - 28 Apr 20 UTC

francislavoie

+10 -0

See https://caddy.community/t/how-can-i-use-proxy-ssl-name-for-sni-in-caddy-2/77…39 Caddyfile: ``` :8000 reverse_proxy https://mydomain.com { transport http { tls_server_name mydomain.com } } ``` JSON: ``` { "apps": { "http": { "servers": { "srv0": { "listen": [ ":8000" ], "routes": [ { "handle": [ { "handler": "reverse_proxy", "transport": { "protocol": "http", "tls": { "server_name": "mydomain.com" } }, "upstreams": [ { "dial": "mydomain.com:443" } ] } ] } ] } } } } } ```

You can also try it out right now by grabbing the build artifacts from here:

sgasser · April 28, 2020, 3:08pm

Awesome! It works! Thank you

system · May 28, 2020, 3:08pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

How can I use proxy_ssl_name for SNI in Caddy 2

1. My Caddy version (caddy version):

a. System environment:

2. The problem I’m having:

1. My Caddy version (`caddy version`):