HTTPS on LAN - Access via different host

1. Caddy version (caddy version):

v2.3.0

2. How I run Caddy:

Podman/Docker

a. System environment:

Fedora 33 (Server Edition)
podman version 2.2.1

b. Command:

./genCaddy

c. Service/unit/compose file:

$ cat genCaddy.sh 
#!/bin/bash

podman run --detach -p 4080:80 -p 4443:443 \
    --volume /home/$USER/podman-config/nextcloud/Caddyfile:/etc/caddy/Caddyfile:Z \
    --volume nextcloud-caddy:/data \
    --name nextcloud-caddy \
    caddy

d. My complete Caddyfile or JSON config:

$ cat Caddyfile 
localhost    

respond "Hello, world!"

3. The problem I’m having:

I was trying to set up caddy as a reverse proxy for my local nextcloud instance. I am only accessing this over my LAN. However, when I run my podman container and go to my server's IP (in this case https://192.168.1.251:4443/) I get the error message in the next section.

4. Error messages and/or full log output:

Firefox error message

5. What I already tried:

I tried running the same container on my workstation and I can access the webpage (via https://localhost:4443), so I am wondering if I am misunderstanding local https. I.e. does local only refer to the machine caddy is running on?

6. Links to relevant resources:

The problem is that you specified localhost in the Caddyfile. This tells Caddy to only manage a certificate for localhost. If you need to access it from elsewhere on your network, you’ll need to configure Caddy to issue certificates for more than just that.

One approach is to use On-Demand TLS, a feature that tells Caddy to issue a cert during the TLS handshake if it doesn’t have one already for that given request. Looks like this:

https:// {
	tls internal {
		on_demand
	}

	respond "Hello world!"
}

Using https:// as the host matcher means that Caddy will accept requests from any hostname instead of only localhost.

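An added example, not part of the answer above: the same LAN-only setup with the site addresses named explicitly instead of a catch-all `https://` with `on_demand`. With on-demand TLS and no `ask` endpoint in the `on_demand_tls` global option, Caddy's internal CA mints a certificate for whatever SNI name a client presents, so listing the addresses you actually use is the tighter configuration. The IP 192.168.1.251 comes from the thread; the hostname nextcloud.lan and the upstream nextcloud:80 are placeholders for your own values.

```caddyfile
# Added example (not from the thread): explicit site addresses for LAN-only HTTPS.
# Caddy's internal CA issues one certificate covering exactly these names (IP SANs
# included), so a client that trusts /data/pki/authorities/local/root.crt validates
# it without warnings. nextcloud.lan and nextcloud:80 are placeholders.
https://192.168.1.251, https://nextcloud.lan {
	# Internal CA only: a public ACME CA cannot validate a LAN address anyway.
	tls internal

	# The Nextcloud container is the upstream; with nextcloud-fpm you would use
	# php_fastcgi instead, as in the linked example thread.
	reverse_proxy nextcloud:80
}
```

Caddy's host matcher ignores the port in the Host header, so the published port mapping (4443 on the host to 443 in the container) does not need to appear in the site address.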

Thanks @francislavoie! That fixes the issue!

In addition for anyone else that is using podman and interested in using the nextcloud-fpm container with local HTTPS see Example: Docker Nextcloud-FPM + Caddy v2 webserver - #6

One question though, it seems those certs expire after 24 hours. Is there a way to have those last longer? Since now when I log into my nextcloud I have to re-trust the certs every day.


You need to add the root CA cert to your trust stores. Short certificate lifetimes are on purpose.

As in adding the root cert to my client machine?

That’s correct. Since you’re running in Docker, you can find it in /data/pki/authorities/local/root.crt

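An added script, not from the thread, that carries the advice above through end to end: pull root.crt out of the running container, install it as a system trust anchor, and then check that the chain served on the LAN address actually validates against that file before trusting it on any other device. The container name nextcloud-caddy, the /data path and the IP 192.168.1.251:4443 are taken from the thread; the Fedora trust-store paths are the standard ones, and the Debian/Ubuntu branch is included as an assumption about that family rather than something exercised here.

```sh
#!/bin/sh
# Added example (not the thread's own commands): export Caddy's internal root CA
# from the container, install it as a system anchor, verify the served chain.
# Assumptions: container nextcloud-caddy and https://192.168.1.251:4443 as in the
# thread; Fedora paths are standard; the debian branch is an untested extra.
set -eu

# Where Caddy keeps its internal CA inside the container (from the thread).
CA_PATH_IN_CONTAINER=/data/pki/authorities/local/root.crt

# Directory where a distro family picks up extra CA anchors.
trust_anchor_dir() {
    case "$1" in
        fedora|rhel)   echo /etc/pki/ca-trust/source/anchors ;;
        debian|ubuntu) echo /usr/local/share/ca-certificates ;;
        *) return 1 ;;
    esac
}

# Command that rebuilds the system bundle after a new anchor is dropped in.
trust_update_cmd() {
    case "$1" in
        fedora|rhel)   echo update-ca-trust ;;
        debian|ubuntu) echo update-ca-certificates ;;
        *) return 1 ;;
    esac
}

# Sanity check before trusting anything: a non-empty PEM file holding exactly
# one certificate block. Catches an empty or truncated copy.
pem_has_single_cert() {
    [ -s "$1" ] || return 1
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$1" || true)
    [ "$begins" -eq 1 ] && [ "$ends" -eq 1 ]
}

# Step 1: copy the root cert out of the container's /data volume.
export_root_ca() {
    container=$1; dest=$2
    podman cp "$container:$CA_PATH_IN_CONTAINER" "$dest"
    pem_has_single_cert "$dest"
}

# Step 2: install it as a system anchor (needs root). Debian's tool only
# picks up files ending in .crt, so keep that suffix for both families.
install_root_ca() {
    distro=$1; src=$2
    dir=$(trust_anchor_dir "$distro")
    sudo install -m 0644 "$src" "$dir/caddy-local-root.crt"
    sudo "$(trust_update_cmd "$distro")"
}

# Step 3: validate the served chain against the exported root alone. curl
# checks both the chain and that the cert's SAN covers the address; a failure
# here means the file is not the root the running Caddy is using.
verify_served_chain() {
    host=$1; port=$2; root=$3
    curl -sS --cacert "$root" -o /dev/null "https://$host:$port/"
}

main() {
    tmp=$(mktemp)
    export_root_ca nextcloud-caddy "$tmp"
    verify_served_chain 192.168.1.251 4443 "$tmp"
    install_root_ca fedora "$tmp"
    rm -f "$tmp"
    echo "root CA installed; chain at 192.168.1.251:4443 validates against it"
}

# Run the procedure only when asked, so the functions can be sourced.
if [ "${CADDY_CA_INSTALL:-0}" = 1 ]; then main; fi
```

Run it with `CADDY_CA_INSTALL=1 sh install-caddy-ca.sh` on the machine that can reach the server. Two caveats worth knowing before repeating this on a phone: Caddy generates a fresh CA if the /data volume is recreated, so the verification step is what tells you whether an earlier export has gone stale; and Firefox uses its own NSS store rather than the system one, so the same file has to be imported under Authorities there (or `security.enterprise_roots.enabled` turned on) for the system anchor to count.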

You wrote you are on LAN, do not use automatic HTTPS and domain names.

May I ask why you want Caddy in front of Nextcloud?

Don’t take me wrong. I love Caddy and use it in production environments with nextcloud.
But I miss the reason why you want to tunnel everything through a reverse proxy (single point of failure) when the source can be directly reached. Nextcloud also could do self-signed SSL.

It’s not so much that it’s a single point of failure that’s an issue (in terms of security, a fail-closed single point of ingress is a good thing).

That said, this traffic being entirely local, what Caddy does here is introduce an extra point of failure.

However, that might be worth it if you’re talking about exporting Caddy’s CA and importing that to your clients’ trust stores for internal, validated HTTPS. That’s a winner!

If you’re not exporting Caddy’s CA to your clients, though, @zec is right in that it’s more or less equivalent to just accessing Nextcloud directly with Nextcloud supplying the self-signed cert.


That and some people may want more services accessible from the internet via the official port (443). In that case you have to put a Caddy in front. Within the LAN you can choose to have http only or have Caddy issue certificates for your local hosts.

I just wrote a Wiki for this.

Thanks! So I’ve added /data/pki/authorities/local/root.crt to my iPhone and enabled it, however if I go to the address in Safari it still throws a warning about the cert. Then on my Linux machine I’ve imported it to Firefox as an authority and it says SEC_ERROR_BAD_SIGNATURE if I visit the address.
