Infinite redirection

I have set up Caddy and it works with one domain. When I tried to add another, it failed. It seems it keeps redirecting to itself.

My Caddy config:

site1.com {
    proxy / localhost:3000
}

site2.com {
    proxy / localhost:3002
}

What I find strange is, when I do curl with site1 without HTTPS, it redirects to HTTPS. And when I do curl with HTTPS, my page loads.

However, when I do curl with site2, with HTTPS, it redirects to the same!

$ curl https://site2.com

<a href="https://sit2.com/">Moved Permanently</a>.

Is that the entire Caddyfile? There are no other directives at all?

I’m assuming that for your curl output, https://site2.com and https://sit2.com are actually the same thing, but misspelled when you edited them to hide the actual domain?

What is the output of curl -i https://site2.com?

Yes, that’s my entire Caddyfile and nothing else.

No, I didn’t make any mistake in copy-paste either. Here is the curl output:

$ curl -i https://site2.com

HTTP/1.1 301 Moved Permanently
Date: Thu, 18 Jan 2018 04:13:32 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=df19760ac719f485935d1757b31a491d61516248812; expires=Fri, 18-Jan-19 04:13:32 GMT; path=/; domain=.site2.com; HttpOnly
Location: https://site2.com/
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
CF-RAY: 3deeb8e7aa639b99-DFW

<a href="https://site2.com/">Moved Permanently</a>.

Seeing cloudflare in the headers, I suspected it was related to that. So when I disabled it, it started working!

Cloudflare has both options, DNS + HTTP Proxy or DNS only. It started working when I switched to DNS only.

I will dig more and figure out how to make Caddy work with Cloudflare.

If you have any pointers regarding the same, that would be nice!

To understand why this is happening, you should understand what Cloudflare’s main features are and how they work.

In “orange-cloud” mode, Cloudflare acts as a transparent proxy between your clients and your server. It does this by directing DNS queries for your website to itself, and when a client connects, Cloudflare queries your server on the client’s behalf. In this mode they can provide caching, DDOS mitigation, and TLS termination in front of your server.

In the Cloudflare account panel, under the Crypto settings for your site, you’ll find an SSL setting. The default mode is Flexible, which provides the above-mentioned TLS termination. To quote their site:

Flexible SSL: You cannot configure HTTPS support on your origin, even with a certificate that is not valid for your site. Visitors will be able to access your site over HTTPS, but connections to your origin will be made over HTTP. Note: You may encounter a redirect loop with some origin configurations.

From this we can infer (and the linked article explicitly explains) that when your client connects via HTTPS, Cloudflare connects to your server via HTTP, and your server tells Cloudflare to upgrade to HTTPS, and Cloudflare then passes that back to the client (which will just confuse them, as they connected via HTTPS in the first place - a redirect loop).

There are a few ways to go about Caddy and Cloudflare co-existing.

If you want to use Cloudflare’s additional features

  • With valid certificates from LetsEncrypt:
    1. HTTP / TLS-SNI validation is tricky with Cloudflare in the way, so DNS validation is highly recommended to simplify things. Cloudflare is a supported provider for this, see the docs for more info: Automatic HTTPS — Caddy Documentation
    2. Swap the SSL mode in the Cloudflare Crypto settings to Full SSL (Strict) to indicate that Cloudflare should connect via HTTPS and validate the LE certificate.
  • With an Origin Certificate signed by Cloudflare:
    1. On the Crypto settings page, scroll down to Origin Certificates and create a certificate.
      Feel free to set a long expiration, use wildcard hosts, etc. - this certificate won’t be used for the general public, but for Cloudflare itself to authenticate your origin server.
    2. Download the key and certificate and save them to the server you run Caddy on.
    3. Specify the key and cert locations in your Caddyfile with tls cert key.
    4. Providing your own cert and key will break Automatic HTTPS, so be sure to set your site labels to specify scheme (prefix them with http:// and https://) or port (suffix with :80 and :443), and set up HTTP->S redirection as required.
    5. Set the SSL mode in Crypto settings to Full SSL (Strict).
  • With a self-signed certificate from Caddy:
    Note: without certificate validation, if an attacker takes control of your IP address, they could fool Cloudflare and any connecting clients.
    1. Use tls self-signed in your Caddyfile.
    2. Swap SSL mode in Cloudflare Crypto settings to Full SSL to indicate that Cloudflare should connect via HTTPS, but should not validate the certificate provided.
  • With HTTPS disabled in Caddy:
    Note: this method has the same vulnerability as self-signed certificates, and in addition, transport between Cloudflare and your server is totally unencrypted.
    1. Prefix your site labels with http:// in your Caddyfile to disable Automatic HTTPS and serve your sites directly on port 80.
    2. Leave SSL mode in Cloudflare Crypto settings as Flexible.

If you don’t want to use Cloudflare’s additional features

  1. “Grey-cloud” your A / CNAME records to disable the Cloudflare reverse proxy.
  2. Use Caddy normally - Cloudflare now only provides DNS services, so clients connect directly to your server and regular certificate validation should be unimpeded.
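To make the Flexible SSL redirect loop described in the reply above concrete, here is a small Python model of it together with a redirect-chain checker. This is an added example, not code from the thread or from Caddy or Cloudflare: the hostnames are constructed, origin_caddy() stands in for a Caddy site with Automatic HTTPS (plain HTTP gets a 301 to HTTPS, as in the curl output earlier in the thread), and cloudflare_edge() stands in for the orange-cloud proxy re-requesting the page from the origin over HTTP (Flexible) or HTTPS (Full). follow_redirects() takes any single-hop fetcher, so the same checker can be pointed at a real host through fetch_live().

```python
"""Model of the Cloudflare Flexible-SSL redirect loop plus a redirect-chain
checker. Hosts and URLs are constructed sample values; the network is only
touched if fetch_live() is called explicitly."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

REDIRECT_CODES = (301, 302, 307, 308)


def norm(url):
    """Canonical form so 'https://site2.com' and 'https://site2.com/' compare equal."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path or "/", p.query, ""))


def origin_caddy(url):
    """Stand-in for a Caddy site with Automatic HTTPS: a plain-HTTP request is
    answered with 301 -> https://same-host/same-path, HTTPS requests get 200."""
    p = urlsplit(url)
    if p.scheme == "http":
        return 301, {"Location": urlunsplit(("https",) + tuple(p[1:]))}
    return 200, {}


def cloudflare_edge(url, ssl_mode):
    """Stand-in for the orange-cloud proxy. It terminates the client's TLS and
    re-requests the same path from the origin, over HTTP when the SSL mode is
    'flexible' and over HTTPS for 'full' / 'full_strict'. The origin's status
    and headers (including Location) are relayed back to the client unchanged,
    which is exactly why the client is told to go where it already is."""
    p = urlsplit(url)
    backhaul = "http" if ssl_mode == "flexible" else "https"
    return origin_caddy(urlunsplit((backhaul,) + tuple(p[1:])))


def follow_redirects(url, fetch, max_hops=5):
    """Walk a redirect chain one hop at a time using the given fetcher.
    Returns (last_status, visited_urls, loop_detected); a loop is any URL
    that the chain revisits, or a chain longer than max_hops."""
    url = norm(url)
    visited = [url]
    status = None
    for _ in range(max_hops):
        status, headers = fetch(url)
        if status not in REDIRECT_CODES:
            return status, visited, False
        target = norm(headers.get("Location", ""))
        if target in visited:
            visited.append(target)
            return status, visited, True
        visited.append(target)
        url = target
    return status, visited, True


def check_mode(ssl_mode, url="https://site2.com"):
    """Run the model for one Cloudflare SSL mode against the constructed host."""
    return follow_redirects(url, lambda u: cloudflare_edge(u, ssl_mode))


class _NoAutoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib report each redirect instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_live(url, timeout=10):
    """Single-hop fetcher for a real host, usable as follow_redirects(url, fetch_live).
    Returns (status, headers) without following the Location header."""
    opener = urllib.request.build_opener(_NoAutoRedirect)
    try:
        resp = opener.open(url, timeout=timeout)
        return resp.status, resp.headers
    except urllib.error.HTTPError as err:
        return err.code, err.headers


if __name__ == "__main__":
    for mode in ("flexible", "full"):
        status, chain, loop = check_mode(mode)
        print(f"{mode:9s} status={status} loop={loop} chain={' -> '.join(chain)}")
    # Direct connection with the grey-cloud setup: one clean HTTP->HTTPS hop.
    print(follow_redirects("http://site1.com", origin_caddy))
```

In the model, "flexible" reports a loop after a single hop (301 back to https://site2.com/, matching the thread's curl -i output), while "full" returns 200 because the origin is reached over HTTPS and never issues the upgrade redirect; the grey-cloud case is the ordinary two-URL chain. The same follow_redirects() with fetch_live() is a quick way to confirm a fix on a host you run.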

Wow. Thank you soooo much! I will make changes and report here :smiley:
