1. The problem I’m having:
Hello,
I have configured Caddy with VaultWarden (pw manager) and it works flawlessly.
Now I want to make my home router accessible externally via domain “router.stevecraft.cz”.
I have two options:
- enable it on the router itself (less secure as I cannot put any security “between”)
- use reverse proxy and route it from custom sub-domain to Caddy
My current setup is as follows:
- I access router.stevecraft.cz
- DNS forwards this request to my public IP (router)
- Via port forwarding this request on port 80 gets to my server (necessary as I run more services on my server which are using port 80)
- I want Caddy to handle this request and if it's from router.stevecraft.cz, reverse proxy to router, effectively making me able to access my router from the outside
The problem is that when I access the subdomain via browser, I get an error - too many redirects. It seems that Caddy is infinitely redirecting it, because in the response I see this:
alt-svc: h3=":443"; ma=2592000
content-length: 0
date: Sun, 05 Mar 2023 12:06:59 GMT
location: https://router.stevecraft.cz/
server: Caddy
server: Caddy
2. Error messages and/or full log output:
Here is the log which I received from the docker logs caddy command and then formatted. I have shortened all the redirects, I kept only the first 2 redirects. They are all the same, just repeating like 50 times or so.
{
"level":"debug",
"ts":1678016429.6251771,
"logger":"events",
"msg":"event",
"name":"tls_get_certificate",
"id":"c979e09a-55c7-4230-a6e8-22f647fae5bc",
"origin":"tls",
"data":{
"client_hello":{
"CipherSuites":[
39578,
4865,
4866,
4867,
49195,
49199,
49196,
49200,
52393,
52392,
49171,
49172,
156,
157,
47,
53
],
"ServerName":"router.stevecraft.cz",
"SupportedCurves":[
10794,
29,
23,
24
],
"SupportedPoints":"AA==",
"SignatureSchemes":[
1027,
2052,
1025,
1283,
2053,
1281,
2054,
1537
],
"SupportedProtos":[
"h2",
"http/1.1"
],
"SupportedVersions":[
14906,
772,
771
],
"Conn":{
}
}
}
}{
"level":"debug",
"ts":1678016429.6252482,
"logger":"tls.handshake",
"msg":"choosing certificate",
"identifier":"router.stevecraft.cz",
"num_choices":1
}{
"level":"debug",
"ts":1678016429.6252596,
"logger":"tls.handshake",
"msg":"default certificate selection results",
"identifier":"router.stevecraft.cz",
"subjects":[
"router.stevecraft.cz"
],
"managed":true,
"issuer_key":"acme.zerossl.com-v2-DV90",
"hash":"39debcf86a6cf987ef09a94cdbb9c2d4b8069d6360552c80245b0b3bec6216b3"
}{
"level":"debug",
"ts":1678016429.6252651,
"logger":"tls.handshake",
"msg":"matched certificate in cache",
"remote_ip":"172.17.0.1",
"remote_port":"51434",
"subjects":[
"router.stevecraft.cz"
],
"managed":true,
"expiration":1685836800,
"hash":"39debcf86a6cf987ef09a94cdbb9c2d4b8069d6360552c80245b0b3bec6216b3"
}{
"level":"debug",
"ts":1678016429.6294632,
"logger":"http.handlers.reverse_proxy",
"msg":"selected upstream",
"dial":"192.168.0.1:80",
"total_upstreams":1
}{
"level":"debug",
"ts":1678016429.6360264,
"logger":"http.handlers.reverse_proxy",
"msg":"upstream roundtrip",
"upstream":"192.168.0.1:80",
"duration":0.006494406,
"request":{
"remote_ip":"172.17.0.1",
"remote_port":"51434",
"proto":"HTTP/2.0",
"method":"GET",
"host":"router.stevecraft.cz",
"uri":"/",
"headers":{
"Sec-Fetch-Dest":[
"document"
],
"X-Forwarded-Host":[
"router.stevecraft.cz"
],
"Sec-Fetch-User":[
"?1"
],
"Sec-Ch-Ua":[
"\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""
],
"Accept":[
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
],
"Upgrade-Insecure-Requests":[
"1"
],
"X-Forwarded-Proto":[
"https"
],
"X-Forwarded-For":[
"172.17.0.1"
],
"Sec-Fetch-Mode":[
"navigate"
],
"Accept-Encoding":[
"gzip, deflate, br"
],
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
],
"Sec-Fetch-Site":[
"none"
],
"Accept-Language":[
"cs,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"
],
"Sec-Ch-Ua-Platform":[
"\"Windows\""
],
"Cache-Control":[
"max-age=0"
],
"Sec-Ch-Ua-Mobile":[
"?0"
]
},
"tls":{
"resumed":false,
"version":772,
"cipher_suite":4865,
"proto":"h2",
"server_name":"router.stevecraft.cz"
}
},
"headers":{
"Server":[
"Caddy"
],
"Date":[
"Sun, 05 Mar 2023 11:40:29 GMT"
],
"Content-Length":[
"0"
],
"Location":[
"https://router.stevecraft.cz/"
]
},
"status":308
}{
"level":"debug",
"ts":1678016429.6396546,
"logger":"http.handlers.reverse_proxy",
"msg":"selected upstream",
"dial":"192.168.0.1:80",
"total_upstreams":1
}{
"level":"debug",
"ts":1678016429.6452146,
"logger":"http.handlers.reverse_proxy",
"msg":"upstream roundtrip",
"upstream":"192.168.0.1:80",
"duration":0.005509861,
"request":{
"remote_ip":"172.17.0.1",
"remote_port":"51434",
"proto":"HTTP/2.0",
"method":"GET",
"host":"router.stevecraft.cz",
"uri":"/",
"headers":{
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
],
"Sec-Fetch-Mode":[
"navigate"
],
"Upgrade-Insecure-Requests":[
"1"
],
"Sec-Fetch-Dest":[
"document"
],
"X-Forwarded-For":[
"172.17.0.1"
],
"X-Forwarded-Host":[
"router.stevecraft.cz"
],
"Accept":[
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
],
"Accept-Encoding":[
"gzip, deflate, br"
],
"Sec-Fetch-Site":[
"none"
],
"Sec-Fetch-User":[
"?1"
],
"Sec-Ch-Ua-Platform":[
"\"Windows\""
],
"Sec-Ch-Ua-Mobile":[
"?0"
],
"Accept-Language":[
"cs,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"
],
"Cache-Control":[
"max-age=0"
],
"Sec-Ch-Ua":[
"\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""
],
"X-Forwarded-Proto":[
"https"
]
},
"tls":{
"resumed":false,
"version":772,
"cipher_suite":4865,
"proto":"h2",
"server_name":"router.stevecraft.cz"
}
},
"headers":{
"Date":[
"Sun, 05 Mar 2023 11:40:29 GMT"
],
"Content-Length":[
"0"
],
"Location":[
"https://router.stevecraft.cz/"
],
"Server":[
"Caddy"
]
},
"status":308
}
Here is what happens when I curl to http://router.stevecraft.cz
C:\Windows\System32>curl -vL http://router.stevecraft.cz
* Trying 83.240.92.68:80...
* Connected to router.stevecraft.cz (83.240.92.68) port 80 (#0)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Trying 83.240.92.68:443...
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
(shortened, repeating redirects removed)
3. Caddy version:
I got this version by opening Docker Desktop GUI, connecting to terminal and running the caddy version command.
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
4. How I installed and ran Caddy:
I’m running Caddy in Docker Desktop on Windows 11 and I’ve made the container using this command:
docker run --detach --name caddy --volume /d/Vaultwarden/caddy/caddyfile/Caddyfile:/etc/caddy/Caddyfile --volume /d/Vaultwarden/caddy/:/root/.local/share/caddy/ --volume /d/Vaultwarden/caddy/data/:/data/ --publish 80:80 --publish 443:443 --restart on-failure caddy:2
My complete Caddy config:
{
    debug
}

vault.stevecraft.cz {
    encode gzip

    # The negotiation endpoint is also proxied to Rocket
    reverse_proxy /notifications/hub/negotiate 172.17.0.1:8080

    # Notifications redirected to the websockets server
    reverse_proxy /notifications/hub 172.17.0.1:3012

    # Send all other traffic to the regular Vaultwarden endpoint
    reverse_proxy 172.17.0.1:8080
}

router.stevecraft.cz {
    reverse_proxy 192.168.0.1:80
}
Disclaimer
I’m very much a beginner in Docker, networking, servers etc… So I’m sorry if I did something clearly very wrong.
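
Added example, not part of the original post: a log check for the pattern visible in the debug output above, where the upstream's 308 points back at the URL the client already requested and the upstream's answer carries Server: Caddy. It assumes raw docker logs caddy output with one JSON object per line; the sample entries are constructed, and find_self_redirects is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def _first(headers, name):
    """First value of a header in Caddy's {"Name": ["value", ...]} log shape."""
    for key, values in headers.items():
        if key.lower() == name and values:
            return values[0]
    return ""

def find_self_redirects(lines):
    """Flag upstream responses that redirect to the URL the client already asked for."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # docker logs output can contain non-JSON lines
        if (not isinstance(entry, dict) or entry.get("msg") != "upstream roundtrip"
                or entry.get("status") not in REDIRECTS):
            continue
        req, resp = entry.get("request", {}), entry.get("headers", {})
        target = urlsplit(_first(resp, "location"))
        asked = urlsplit(req.get("uri", "/"))
        # The client-facing scheme is what Caddy forwards in X-Forwarded-Proto.
        scheme = _first(req.get("headers", {}), "x-forwarded-proto") or "http"
        if (target.scheme, target.netloc, target.path or "/", target.query) == (
                scheme, req.get("host"), asked.path or "/", asked.query):
            findings.append({
                "upstream": entry.get("upstream"),
                "status": entry["status"],
                "location": _first(resp, "location"),
                # True when the dialed address was itself answered by a Caddy instance.
                "answered_by_caddy": _first(resp, "server") == "Caddy",
            })
    return findings

# Constructed sample entries, trimmed to the fields the check reads.
SAMPLE_LOG = [
    json.dumps({"msg": "upstream roundtrip", "upstream": "192.168.0.1:80", "status": 308,
                "request": {"host": "router.stevecraft.cz", "uri": "/",
                            "headers": {"X-Forwarded-Proto": ["https"]}},
                "headers": {"Server": ["Caddy"], "Location": ["https://router.stevecraft.cz/"]}}),
    json.dumps({"msg": "upstream roundtrip", "upstream": "172.17.0.1:8080", "status": 200,
                "request": {"host": "vault.stevecraft.cz", "uri": "/", "headers": {}},
                "headers": {"Content-Type": ["text/html"]}}),
]

if __name__ == "__main__":
    print(json.dumps(find_self_redirects(SAMPLE_LOG), indent=2))
```

A finding with answered_by_caddy set to true means the address dialed as the backend was served by Caddy rather than by the device's own web interface, which is the same signal as the doubled Server: Caddy header in the curl output.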