https://local.lan for local access only does not work

1. Caddy version (caddy version):

2.3.0

2. How I run Caddy:

Caddy-docker-proxy

a. System environment:

Caddy-docker-proxy via docker-compose on host Ubuntu Budgie 20.10.

b. Command:

Not aware. caddy-docker-proxy takes care of everything.

c. Service/unit/compose file:

Just the labels for the relevant service, since all other services work fine using my own online domain name:

##_____________________ Heimdall [Management/HOMEPAGE] 
  organizr:
    container_name: organizr
    image: organizr/organizr:latest
    restart: always
    networks: 
      - management
    security_opt:
      - no-new-privileges:true
    environment:
      fpm: 'true'
    volumes:
      - $DOCKERDIR/organizr:/config
    labels: 
      caddy: "http://o.belix"
      caddy.reverse_proxy: "{{upstreams 80}}"

d. My complete Caddyfile or JSON config:

{
	email domain@name.com
}

suba.domain.com {
	encode gzip
	header {
		X-Content-Type-Options none
		X-Frame-Options DENY
		X-XSS-Protection "1; mode=block;"
	}

	reverse_proxy /notifications/hub 172.26.0.3:3012
	reverse_proxy /notifications/hub/negotiate 172.26.0.3:80
	reverse_proxy 172.26.0.3:80
}

subb.domain.com {
	encode gzip
	file_server
	header {
		Strict-Transport-Security max-age=15768000;
		X-Content-Type-Options nosniff
		X-Frame-Options SAMEORIGIN
		X-XSS-Protection "1; mode=block;"
	}
	reverse_proxy 172.26.0.7:80 {
		header_up Host subb.domain.cloud
	}
}

subc.domain.com {
	reverse_proxy 172.26.0.2:5000
}

http://local.lan {
	reverse_proxy
}

subd.domain.com {
	encode gzip
	file_server
	header {
		X-Content-Type-Options nosniff
	}
	reverse_proxy 172.26.0.5:80
}

sube.domain.com {
	reverse_proxy 172.26.0.6:8384
}

3. The problem I’m having:

My internet domain with subdomains works, I can use https://suba.domain.com, https://subb.domain.com, …, …, …, https://sube.domain.com
→ However, in my router, purely for the local LAN, I created a domain local.lan that forwards to my server IP (192.168.88.2). I would like to use TLS for it (https://local.lan) without exposing this outside of my LAN.

That part does not work:

4. Error messages and/or full log output:

https://local.lan
Secure Connection Failed
An error occurred during a connection to o.belix. Peer reports it experienced an internal error.
Error code: SSL_ERROR_INTERNAL_ERROR_ALERT

5. What I already tried:

Instead of {{ upstreams 80 }} I tried {{ localhost 80 }}, which leads to an error in Caddy.

Well you configured http://local.lan but are trying to connect with https://local.lan (note HTTP vs HTTPS). Caddy doesn’t have a TLS certificate for that domain, so it can’t serve it. Either remove http:// and add tls internal to that site to make Caddy issue a certificate using its internal CA (see Automatic HTTPS — Caddy Documentation) or just make your requests with http://local.lan.

3 Likes
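As an added example (not the original poster's configuration and not from the caddy-docker-proxy project), here is the corrected site block the reply describes, with the plain-HTTP form it replaces kept beside it as comments, plus a `remote_ip` matcher that goes one step further than the reply to actually keep the site LAN-only. Assumed values: the upstream 172.26.0.4:80 stands in for whatever `{{upstreams 80}}` resolves to, and 192.168.88.0/24 is taken as the LAN range from the server address 192.168.88.2 given in the question.

```caddyfile
# Added example; not the original poster's config nor caddy-docker-proxy's.
# Assumptions: 172.26.0.4:80 stands in for what {{upstreams 80}} resolves to,
# and 192.168.88.0/24 is the LAN range (the question only gives 192.168.88.2).

# BEFORE (what the http:// label produces): a plain-HTTP-only site. Caddy has
# no certificate for local.lan, so an https:// request is answered with a TLS
# alert (SSL_ERROR_INTERNAL_ERROR_ALERT in Firefox).
#
#   labels:
#     caddy: "http://local.lan"
#     caddy.reverse_proxy: "{{upstreams 80}}"
#
# http://local.lan {
# 	reverse_proxy 172.26.0.4:80
# }

# AFTER: no scheme, so automatic HTTPS is enabled, and `tls internal` makes
# Caddy issue the certificate from its own root CA instead of attempting ACME
# for a name that no public CA can validate.
#
#   labels:
#     caddy: "local.lan"
#     caddy.tls: "internal"
#     caddy.reverse_proxy: "{{upstreams 80}}"
local.lan {
	tls internal

	# The hostname alone does not keep the site LAN-only: since port 443 is
	# already forwarded for the public subdomains, any client that reaches it
	# and sends SNI local.lan would be served. Refuse everything off the LAN.
	@outside {
		not remote_ip 192.168.88.0/24
	}
	respond @outside 403

	reverse_proxy 172.26.0.4:80
}
```

Two checks after reloading. First, the SEC_ERROR_UNKNOWN_ISSUER that follows is expected until the Caddy root CA is trusted: it is stored under Caddy's data directory at pki/authorities/local/root.crt (in the official container image, /data/caddy/pki/authorities/local/root.crt); import that file into each LAN client's trust store, or run `caddy trust` on a host that runs Caddy directly. Second, the `remote_ip` matcher only works if Caddy sees the real client address rather than the Docker bridge gateway; make one request from a LAN machine and confirm the remote address in Caddy's access log is the 192.168.88.x client before relying on the 403.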

Oh that was in my haste last night as I read about tls internal mode before! Thank you.

This does give me the error code SEC_ERROR_UNKNOWN_ISSUER in browsers, but I guess that makes sense since you cannot request a certificate from a well-known authority like Let's Encrypt or ZeroSSL when the domain isn't registered publicly…

1 Like