How to bypass a specific domain in Reverse Proxy and terminate wildcard SSL directly in the backend?

1. Caddy version (caddy version):

v2.5.1 h1:bAWwslD1jNeCzDa+jDCNwb8M3UJ2tPa8UZFFzPVmGKs=

2. How I run Caddy:

a. System environment:

Ubuntu 22.04 LTS

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:

{
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    on_demand_tls {
        interval 2m
        burst 5
    }
}

https:// {
    tls {
        on_demand
    }
    reverse_proxy {
        to https://backend.example.com
        header_up Host {http.reverse_proxy.upstream.host}
        # placeholder namespace is reverse_proxy (underscore), not reverse-proxy
        header_up X-Real-IP {http.reverse_proxy.upstream.address}
    }
}

http://*.example.com {
    reverse_proxy {
        to https://backend.example.com
        header_up Host {http.reverse_proxy.upstream.host}
        header_up X-Real-IP {http.reverse_proxy.upstream.address}
    }
}

3. The problem I’m having:

I have a backend that already has a wildcard installed for the domain example.com, that is, my backend already responds to any subdomain *.example.com

I would like any HTTPS request that arrives at Caddy to generate a certificate on demand except for the example.com domain and this is working fine.

The problem is that when I access subdomain1.example.com I am redirected to my backend as expected behavior by reverse proxy, but it doesn’t work presenting https (wildcard in backend), it just shows http.

I’m just thinking that this problem is in not hitting the header_up correctly yet.

NOTE: when I “point” subdomain1.example.com as an A record directly to backend (i.e. without “going” through the caddy), I can see the wildcard working, but when I “point” subdomain2.example.com as a record CNAME to Caddy (i.e. now going through reverse proxy), I only see http (without the padlock).

I see that there is an option to use the Cloudflare DNS plugin for example and generate a wildcard directly by Caddy, but I’m not sure if this domain in Cloudflare needs to be exactly example.com or if it could be anything.com just to be an acme-challenge ?

At this first moment, I still preferred to use the existing wildcard in the backend.

4. Error messages and/or full log output:

5. What I already tried:

Tried several different header_up options, also tried using transport http {tls} without success

6. Links to relevant resources:

Well, you configured it with http://… so that’s to be expected

Hi,
Tks for your answer!

I set it to http because I wouldn’t want to generate the ssl for that domain so I based it on this other thread.

Please any suggestions what I can do or what setting I’m missing?

Regards,

I don’t understand. You want HTTPS, but you don’t want Caddy to manage a cert? How are you expecting this to work?

Hi,
Let me explain further, I want Caddy to generate SSL on demand for all domains except this domain, for this specific domain I would like caddy to ignore it.

As I understand one way to bypass this domain was by adding http in front, so that worked, I no longer have caddy generating ssl for that domain, but the problem is that I also can’t use the wildcard installed on the backend.

So basically the flow I’m trying to achieve would be:

User >> subdomain1.example.com >> (caddy doesn’t generate SSL and does reverse proxy to backend) >> backend displays wildcard installed on it

Regards,

Caddy needs a certificate to be able to complete the TLS handshake. Where do you plan to get that cert from, if not from ACME issuers? You can’t do HTTPS without a certificate.

Also FYI, SSL is the deprecated term, it hasn’t been called SSL since 1999 when TLS 1.0 replaced it. Transport Layer Security - Wikipedia

Hi,
I already have a wildcard certificate installed on the backend for this specific domain, which is why I want Caddy to ignore it.

I managed to do this by adding “http” in front as mentioned in this other thread:

But by doing this my backend is only reached over http (thus not using the wildcard certificate installed on it) and this is my problem now.

Regards,

That’s not possible. Caddy is an HTTP proxy, not a TCP proxy. Caddy would need to terminate TLS to handle the connection, it can’t just send the still-encrypted bytes to the upstream.

You could use GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy though, which is a layer-4 (TCP) proxy which would let you do this, but it would significantly complicate your setup because it doesn’t have Caddyfile support at this time.


Hi,
I understand and tks for your explanatory answer :slight_smile:

Caddy is excellent! It solves a complex problem in a simple way, so before I try this suggestion, which might be more difficult, I will try to use a Cloudflare plugin to get the wildcard directly in Caddy and discard my wildcard in the backend.

Please in this approach, let’s say my domain is example.com - is it mandatory that it is hosted on Cloudflare?

Or can I have another domain example-tls.com hosted on Cloudflare, and in that account get the API token for it to be used as _acme-challenge?

Regards,

You need to use an API key from an account that has permissions to write DNS records for the domain you’re trying to use. For the DNS challenge Caddy needs to ask Cloudflare to write a DNS TXT record with the challenge value. So if you use an account with a different domain, then that’ll obviously not work. The point of the DNS challenge is to prove control of the domain, by showing that you’re able to change a DNS record.

You don’t necessarily need to use the Cloudflare plugin though, if your domain is managed by a different DNS provider, then you’d use the DNS plugin for that provider instead.

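The approach the last two replies converge on, written out as an added example (this is not a config posted by anyone in the thread): Caddy itself obtains a wildcard for *.example.com through the DNS-01 challenge and terminates TLS for those hosts, while every other hostname still gets a per-name certificate on demand. It assumes a Caddy binary built with the Cloudflare DNS module (for example with xcaddy build --with github.com/caddy-dns/cloudflare), an environment variable CLOUDFLARE_API_TOKEN holding a token that can edit DNS records in the example.com zone, and an on_demand_tls ask endpoint at http://localhost:5555/check that the operator provides; all three names are assumptions, not anything from the thread. The backend hostname backend.example.com is the one from the original post.

```caddyfile
{
    # Staging CA issues certificates that browsers do not trust; keep it only
    # while testing, then remove this line to use the production Let's Encrypt CA.
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory

    on_demand_tls {
        # Assumed endpoint: Caddy asks it "is this hostname allowed?" before
        # requesting a certificate. Without an ask endpoint, anyone who points a
        # DNS name at this server can trigger issuance and burn the rate limits.
        ask http://localhost:5555/check
        interval 2m
        burst 5
    }
}

# Wildcard for example.com: one certificate obtained via the DNS-01 challenge.
# The token must belong to the account that controls the example.com zone,
# because Caddy has to create _acme-challenge.example.com TXT records.
# A token for a different zone (e.g. example-tls.com) cannot do that.
*.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
    # Caddy terminates TLS here; the backend's own wildcard certificate is
    # only used on the Caddy -> backend hop, which Caddy verifies against the
    # upstream hostname. Host is passed through unchanged by default, so the
    # backend still sees the subdomain the user requested.
    reverse_proxy https://backend.example.com {
        header_up X-Real-IP {http.request.remote.host}
    }
}

# Every other hostname: certificate issued on demand at the first TLS handshake.
# This catch-all never applies to *.example.com, since the site block above is
# more specific and wins.
https:// {
    tls {
        on_demand
    }
    reverse_proxy https://backend.example.com {
        header_up X-Real-IP {http.request.remote.host}
    }
}
```

Two points worth checking after loading this: curl -vI https://subdomain1.example.com should show a certificate whose subject is *.example.com (issued to Caddy, not the backend's copy), and a hostname that the assumed ask endpoint rejects should fail the TLS handshake rather than get a certificate. X-Real-IP is set from {http.request.remote.host}, the connecting client's address, rather than the upstream address used in the original config, so the backend logs the real client.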

Hi,
Interesting, I see there are several different DNS plugins, I’ll try :slight_smile:

Tks again for the help so far.