sgasser (Stefan Gasser), April 28, 2020, 1:55pm
Hi!
1. My Caddy version (`caddy version`): v2.0.0-rc.3
a. System environment: Linux
2. The problem I’m having:
proxy_ssl_name for SNI should work with Caddy 2:
(GitHub issue, opened 09:39PM - 24 Feb 19 UTC, closed 11:18PM - 10 Oct 19 UTC, label: feature)
```nginx
upstream serlist {
    server 104.16.70.234:443;
    server 104.16.72.234:443;
    server 104.16.69.234:443;
    server 104.16.71.234:443;
    server 104.16.68.234:443;
}
server {
    listen 80;
    location / {
        proxy_pass https://serlist;
        proxy_set_header Host "api.cloudflare.com";
        proxy_ssl_session_reuse on;
        proxy_ssl_protocols TLSv1.2;
        proxy_ssl_verify off;
        proxy_send_timeout 60s;
        proxy_ssl_server_name on;
        proxy_ssl_name "api.cloudflare.com";
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
After testing, Caddy cannot achieve the nginx configuration requirements above.
If you don't set proxy_ssl_name, you will get a **403 Forbidden cloudflare-nginx**.
Caddy can customize the Host, but for HTTPS reverse proxying you also need to be able to customize the SNI name; otherwise you cannot achieve the above nginx configuration requirements.
But I can’t find anything in the documentation.
How I can set proxy_ssl_name in the Caddyfile?
This is my current Caddyfile:
```caddyfile
:8000
reverse_proxy {
    to https://mydomain.com
    transport http {
        # this is not working:
        #tls {
        #    server_name mydomain.com
        #}
    }
    header_up X-Real-IP {http.reverse_proxy.upstream.remote}
    header_up X-Forwarded-For {http.reverse_proxy.upstream.remote}
    header_up X-Forwarded-Port {http.reverse_proxy.upstream.hostport}
    header_up X-Forwarded-Proto {http.reverse_proxy.upstream.scheme}
}
```
Thank you
I think you're looking to set the `Host` field to `mydomain.com`?
```caddyfile
:8000
reverse_proxy https://mydomain.com {
    header_up Host mydomain.com
    header_up X-Real-IP {http.request.remote.host}
    header_up X-Forwarded-Port {http.request.port}
    header_up X-Forwarded-Proto {http.request.proto}
}
```
`X-Forwarded-For` is set automatically for you, and `X-Forwarded-Proto` will be set automatically as of the next release.
By default `Host` is set to the SNI of the original request. I think you're looking to override that with `mydomain.com` instead?
matt (Matt Holt), April 28, 2020, 2:29pm
@francislavoie The Host header is for the application layer (HTTP); Stefan needs ServerName set in the TLS handshake.
@sgasser The website docs aren’t fully updated yet, but you can set the server_name field of the HTTP transport’s TLS settings here: Modules - Caddy Documentation
sgasser (Stefan Gasser), April 28, 2020, 2:41pm
Thanks @matt and @francislavoie - what a great community
How can I transform this Modules - Caddy Documentation to the Caddyfile?
I tried:
```caddyfile
:8000
reverse_proxy {
    to https://mydomain.com
    transport http {
        tls {
            server_name https://mydomain.com
        }
    }
    header_up X-Real-IP {http.reverse_proxy.upstream.remote}
    header_up X-Forwarded-For {http.reverse_proxy.upstream.remote}
    header_up X-Forwarded-Port {http.reverse_proxy.upstream.hostport}
    header_up X-Forwarded-Proto {http.reverse_proxy.upstream.scheme}
}
```
but I get the following error:
```text
using adjacent Caddyfile
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': Caddyfile:6 - Error during parsing: unrecognized subdirective {
```
Thanks
Unfortunately I don’t think that option is available in the Caddyfile yet.
For now, until we add it, you can comment out that one line from your Caddyfile, run caddy adapt --config Caddyfile --pretty
and modify the JSON to add that property, then you can run Caddy with the JSON config for now.
I opened a quick PR to add it, should be available in the Caddyfile in v2.1 if not earlier.
(Pull request caddyserver:master ← francislavoie:tls-server-name-caddyfile, opened 03:02PM - 28 Apr 20 UTC)
See https://caddy.community/t/how-can-i-use-proxy-ssl-name-for-sni-in-caddy-2/77… 39
Caddyfile:
```caddyfile
:8000
reverse_proxy https://mydomain.com {
    transport http {
        tls_server_name mydomain.com
    }
}
```
JSON:
```json
{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":8000"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "transport": {
                    "protocol": "http",
                    "tls": {
                      "server_name": "mydomain.com"
                    }
                  },
                  "upstreams": [
                    {
                      "dial": "mydomain.com:443"
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```
You can also try it out right now by grabbing the build artifacts from here:
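As an added illustration of the distinction drawn in this thread between the HTTP `Host` header (`header_up`) and the TLS `ServerName` sent in the handshake (`tls_server_name`), here is a small Go program, Caddy's own language, that is not code from the thread or from Caddy itself. It dials an upstream by its raw address, sets SNI and Host independently, and reads back what the upstream actually saw; the local test server, the names `example.com` and `api.example.com`, and the helper names are constructed for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ProxyResult is what the upstream saw: the SNI from the TLS handshake and
// the Host header from the HTTP request. These are two separate knobs.
type ProxyResult struct {
	SNI  string
	Host string
}

// NewUpstream starts a local TLS test server (a constructed stand-in for the
// real upstream) that echoes both values back as "sni host".
func NewUpstream() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s %s", r.TLS.ServerName, r.Host)
	}))
}

// FetchWithSNI dials the upstream's raw address (like Caddy's "dial"
// IP:port) but sends a separate TLS ServerName (SNI) and a separate HTTP
// Host header. Because the SNI matches a name on the certificate,
// verification stays on: no equivalent of nginx's proxy_ssl_verify off.
func FetchWithSNI(srv *httptest.Server, sni, host string) (ProxyResult, error) {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only the test server's own cert
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{ServerName: sni, RootCAs: pool},
	}}
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/", nil)
	if err != nil {
		return ProxyResult{}, err
	}
	req.Host = host // application-layer Host, independent of the SNI above
	resp, err := client.Do(req)
	if err != nil {
		return ProxyResult{}, err // e.g. SNI not matching the certificate
	}
	defer resp.Body.Close()
	var res ProxyResult
	_, err = fmt.Fscan(resp.Body, &res.SNI, &res.Host)
	return res, err
}
```

With a ServerName that is not on the certificate, `FetchWithSNI` returns a verification error instead of silently connecting, which is the check that `proxy_ssl_verify off` in the quoted nginx config disables.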
sgasser (Stefan Gasser), April 28, 2020, 3:08pm
Awesome! It works! Thank you
system (system), Closed May 28, 2020, 3:08pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.