Http proxy https insecure

1. The problem I’m having:

I am performing a forwarding proxy for my internal network (router), which does not have an HTTPS certificate, but when I do it this way, HTTP ERROR 502 appears…

Image for problem:

When accessing 100.75.1.90:

2. Error messages and/or full log output:

```
:80 {
	route /https* {
		reverse_proxy 100.75.1.90 {
			header_up Host 100.75.1.90
			lb_policy round_robin
			lb_try_duration 5s
			health_status 200
			health_interval 10s
			fail_duration 30s
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	log {
		output file /var/log/caddy/access.log
	}

	log {
		output file /var/log/access.log
	}
}
```

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

Via apt-get

a. System environment:

Ubuntu 22.04 x64_86

b. Command:

systemctl restart caddy

d. My complete Caddy config:

```
# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

:80 {
	route /https* {
		reverse_proxy 100.75.1.90 {
			header_up Host 100.75.1.90
			lb_policy round_robin
			lb_try_duration 5s
			health_status 200
			health_interval 10s
			fail_duration 30s
			transport http {
				tls_insecure_skip_verify
			}
		}
	}

	log {
		output file /var/log/caddy/access.log
	}

	log {
		output file /var/log/access.log
	}
}
```

5. Links to relevant resources:

None

You configured Caddy to only listen on port 80, so of course HTTPS will not work.

The default port when none is specified is 80. If you meant to connect over HTTPS, you probably wanted port 443, so specify that.

You don’t need this twice in your config, only the last one will take effect anyway. Remove one of these.

Thanks for the reply.

Three questions:

  1. Using Caddy via HTTPS, can I proxy insecure sites (without HTTPS)?

  2. Can I access HTTP sites over HTTPS from Caddy too?

  3. Can Caddy see if the destination of the proxy is HTTP or HTTPS? Is there a way?

Think of incoming connections to Caddy and outgoing connections from reverse_proxy as separate things. One can be HTTP and the other HTTPS, there’s no requirement that they match.
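The separation described above, as an added Caddyfile example that is not from the thread: Caddy serves HTTPS on its own hostname (assumed `example.com`) while the upstream router is reached over plain HTTP on one path and over HTTPS with a self-signed certificate on another. The CA file `/etc/caddy/router-ca.pem` and the server name `router.internal` are assumptions; the upstream address is the one from the thread.

```caddyfile
# Added example, not part of the original post. A site address with a real
# hostname makes Caddy listen on :443 with automatic HTTPS (and redirect :80).
example.com {
	# Incoming: HTTPS from the client. Outgoing: plain HTTP to the router.
	# handle_path strips the /plain prefix before proxying.
	handle_path /plain/* {
		reverse_proxy http://100.75.1.90 {
			# Send the upstream's own host so the router sees itself addressed.
			header_up Host {upstream_hostport}
		}
	}

	# Incoming: HTTPS from the client. Outgoing: HTTPS to the router, whose
	# certificate is self-signed. Trusting the router's CA (assumed path)
	# keeps verification on, unlike tls_insecure_skip_verify, which accepts
	# any certificate and so any host that answers on that address.
	handle_path /tls/* {
		reverse_proxy https://100.75.1.90 {
			header_up Host {upstream_hostport}
			transport http {
				tls_trusted_ca_certs /etc/caddy/router-ca.pem
				tls_server_name router.internal
				# Weak alternative, only if the CA cannot be obtained:
				# tls_insecure_skip_verify
			}
		}
	}

	# One log block is enough; a second one would override the first.
	log {
		output file /var/log/caddy/access.log
	}
}
```

Validate before reloading with `caddy validate --config /etc/caddy/Caddyfile`.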

Thank you very much, you shed some light on Caddy for me… but I have a need which is to act as a proxy for both HTTP and HTTPS.

Example:
mysite.net.br/access/100.75.1.90

This address can be either HTTP or HTTPS with an invalid certificate.

In this scenario, do you think I can use Caddy for this issue, or do you recommend any other auxiliary tool?

You’re probably looking for a layer4 TCP proxy instead.

You can use caddy-l4 (https://github.com/mholt/caddy-l4): Layer 4 (TCP/UDP) app for Caddy.

Do you have any examples or recommendations for my scenario?

I think the README explains. If you’re looking to pass through connections to your upstream without terminating TLS, then you want caddy-l4 (or any other layer4 proxy) and not an HTTP server/proxy.

I’m not developing this project; if anyone has any sketches or tips… I couldn’t install caddy-l4 on Ubuntu, Debian, Alpine…

What did you try, exactly? What problems did you have? If you don’t say then we can’t help.
