How to reverse proxy adguardhome DNS over HTTPS /dns-query

1. The problem I’m having:

I can’t reverse proxy AdGuardHome DoH.

2. Error messages and/or full log output:

{"level":"error","ts":1690207331.5979323,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: certificate is valid for *.example.com, example.com, not adguardhome","request":{"remote_ip":"180.245.195.103","remote_port":"53727","proto":"HTTP/3.0","method":"POST","host":"dns-ads.example.com","uri":"/dns-query","headers":{"Accept-Encoding":["identity"],"Content-Type":["application/dns-message"],"Accept":["application/dns-message"],"Accept-Language":["*"],"User-Agent":["Chrome"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"dns-ads.example.com"}},"duration":0.003965345,"status":502,"err_id":"t3tq4atj9","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Docker running on Debian 11

b. Command:

c. Service/unit/compose file:

  proxy:
    image: caddy:2
    container_name: proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443/tcp"
      - "443:443/udp"
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy/site:/srv
      - ./caddy/data:/data
      - ./caddy/config:/config
      - ./certbot/cert:/etc/letsencrypt:ro
    environment:
      - TZ=Asia/Jakarta
    networks:
      proxy:
        ipv4_address: 10.1.1.254

d. My complete Caddy config:

# TLS Security
(tls) {
  tls /etc/letsencrypt/live/example.com/fullchain.pem /etc/letsencrypt/live/example.com/privkey.pem {
    protocols tls1.2 tls1.3
    ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  }
}

dns-ads.example.com {
  route /dns-query/* {
    uri strip_prefix /dns-query
    # upstream is dialled as "adguardhome", which is the name its certificate is verified against
    reverse_proxy https://adguardhome:443 {
      header_up Host {host}
    }
  }
  import tls
}

5. Links to relevant resources:

See the docs for proxying over HTTPS

Thank you for replying. I still can’t reverse proxy /dns-query. I’m really blind with Caddy. Before using Caddy, I used nginx with the following example config:

location /dns-query {
   # …
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP '1.2.3.4';
   proxy_bind 192.168.1.2;
   # …
}

How can I convert this to a Caddyfile?

You’ll need to use the transport http subdirective inside your reverse_proxy and configure Caddy to either:

A. expect the example.com HTTPS certificate with tls_server_name (ideal)

or

B. disable TLS validation for this proxy with tls_insecure_skip_verify (not recommended)

See:
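The name check behind the log’s `x509: certificate is valid for *.example.com, example.com, not adguardhome` error, as an added Go example (not code from this thread or from Caddy): a constructed self-signed certificate carrying the SANs from the log is checked against the dial host `adguardhome` and then against the name `tls_server_name example.com` would supply; `tls_insecure_skip_verify` would skip this check entirely. The certificate, key and names are constructed here, not the poster’s.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newUpstreamCert builds a self-signed certificate shaped like the one in the log,
// valid for *.example.com and example.com only (constructed, not the poster's cert).
func newUpstreamCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.com"},
		DNSNames:     []string{"*.example.com", "example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hostnameCheck is the name check a verifying TLS client performs: the
// expected name is the dial host ("adguardhome") unless tls_server_name
// overrides it; tls_insecure_skip_verify skips this check altogether.
func hostnameCheck(cert *x509.Certificate, expectedName string) error {
	return cert.VerifyHostname(expectedName)
}

func main() {
	cert, err := newUpstreamCert()
	if err != nil {
		panic(err)
	}
	fmt.Println("adguardhome:", hostnameCheck(cert, "adguardhome")) // mismatch, the 502 from the log
	fmt.Println("example.com:", hostnameCheck(cert, "example.com")) // nil: what tls_server_name fixes
}
```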

Using this config, the error is now gone. I modified my Caddyfile to:

dns-ads.example.com {
  handle /dns-query {
    reverse_proxy https://adguardhome:443 {
      trusted_proxies 10.1.1.0/24
      header_up Host {upstream_hostport}
      header_up X-Real-IP 1.2.3.4
      transport http {
        tls
        tls_server_name example.com
      }
    }
  }

  handle /dns-query/* {
    reverse_proxy https://adguardhome:443 {
      trusted_proxies 10.1.1.0/24
      header_up Host {upstream_hostport}
      transport http {
        tls
        tls_server_name example.com
      }
    }
  }

  import tls
}
