Installing SSL + HTTPS using a reverse proxy like caddy on Android

Hello.

I want to install a reverse proxy because I want to put my Emby server online on top of Android 14.

According to this tutorial:

I've installed caddy using termux on Android:

# pkg install caddy

Now I can launch caddy using termux. At this point, according to this tutorial:

https://emby.media/community/index.php?/topic/81476-ssl-made-easier-with-a-reverse-proxy/

I've prepared this caddy config file (called caddyfile.txt):

ziomario.ns0.it {
	gzip
	timeouts none
	proxy / 192.168.1.6:8096 {
		transparent
		websocket
	}
}

which I have saved in:

/storage/emulated/0/Android/data/com.emby.embyserver/files

At this point I've installed Magisk and became root, so in termux I've launched caddy with this command:

:/data/data/com.termux/files/usr/bin/./caddy adapt -c /storage/emulated/0/Android/data/com.emby.embyserver/files/caddyfile.txt

but I get the following error:

Error : unrecognized directive: gzip

and if I remove gzip, I get a similar error:

Error : unrecognized directive: timeouts

So it's clear that the configuration file I'm using is totally wrong when applied on Android, but it's good if caddy runs on Windows.

Can someone help me write the correct caddy conf file for Android? Thanks.

Hi @Mario_Marietto, welcome to the Caddy community.

Your guide supplies configuration for Caddy v1, but you’ve installed Caddy v2.

The format of the site block is pretty much the same, but the directives have changed.

The equivalent of gzip is encode (Caddyfile directive) — Caddy Documentation.

The equivalent of timeouts is found in the global options, but it pretty much defaults to 0 across the board these days, I believe, so you can probably just remove it. See: Global options (Caddyfile) — Caddy Documentation

The equivalent of proxy is reverse_proxy (Caddyfile directive) — Caddy Documentation. You will not need to include transparent or websocket as v2 handles these automatically. You WILL need to be wary of that / though; in v1 it worked as a path prefix, but in v2 it’s an exact match, and you won’t want that. You can just exclude it. I recommend referring to the examples.

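For reference, here is the poster's v1 Caddyfile carried over to Caddy v2 syntax along the lines of the reply above. This is an added example, not configuration from the original thread or from the Caddy project; it assumes the same hostname and upstream address the question uses.

```caddyfile
# Caddy v2 equivalent of the v1 config from the question (added example).
# Hostname and upstream are taken from the question; adjust to your setup.
ziomario.ns0.it {
	# v1 "gzip" -> v2 "encode" (zstd is preferred by modern clients, gzip is the fallback)
	encode zstd gzip

	# v1 "proxy / 192.168.1.6:8096 { transparent websocket }" -> v2 "reverse_proxy".
	# No path matcher: a bare "/" in v2 matches only the root path exactly,
	# so it would break every other Emby URL. v2 already passes the original
	# Host header, sets X-Forwarded-For/-Proto/-Host and proxies WebSocket
	# upgrades, so "transparent" and "websocket" have no v2 counterpart to write.
	reverse_proxy 192.168.1.6:8096
}
```

Save it under the name `Caddyfile` and start it with `caddy run --config /path/to/Caddyfile`; if you keep a `.txt` name, add `--adapter caddyfile` so Caddy knows how to parse it. `caddy adapt --config /path/to/Caddyfile` only prints the resulting JSON and is useful to check the syntax before running.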

Hello.

According to your suggestions, my caddy config file (called caddyfile.txt) could be something like this:

ziomario.ns0.it {
	reverse_proxy 192.168.1.6:8096
}

I saved it in :

/storage/emulated/0/Android/data/com.emby.embyserver/files

At this point I've installed Magisk and became root, so in termux I've launched caddy with this command:

/data/data/com.termux/files/usr/bin # ./caddy adapt -c /storage/emulated/0/Android/data/com.emby.embyserver/files/caddy.txt

but when I give the command :

# ps | grep caddy

I don't see the process. Anyway, the message reported is:

{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"match":[{"host":["ziomario.ns0.it"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.1.6:8096"}]}]}],"terminal":true}]}}}}}

I'm sure that it does not run because I went to the network settings in the Emby server (and on my router) and I've added the local http port as 8096 and the local https port as 8920. I checked the box that says "allow remote connections". Then I've added those same ports to the public http and https sections and my domain under "external domain", but the circle goes round and round and I'm not able to connect to port 8920 (8096 works, but it's not HTTPS). Something is wrong for sure.

I tried like this :

/data/data/com.termux/files/usr/bin $ caddy adapt -c /data/caddy.txt status

and I've got the same unclear message as before:

{"apps":{"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"match":[{"host":["ziomario.ns0.it"]}],"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.1.6:8096"}]}]}],"terminal":true}]}}}}}

It's hard to understand what's wrong.

All adapt does is transform your Caddyfile to a JSON config. It doesn’t run Caddy.

You need to use caddy run to actually run Caddy.

Your config file should be named Caddyfile, not caddy.txt, otherwise you'll need to specify the --adapter option when you use caddy run.


nano /data/Caddyfile :

ziomario.ns0.it {
	encode
	reverse_proxy 192.168.1.7:8096
}

/data $ caddy run -c /data/Caddyfile
INFO : using config from file "file" : "/data/Caddyfile"
INFO : adapted config to JSON "adapter" : "caddyfile"
INFO : admin admin endpoint started "address": "localhost:2019", "enforce_origin": false, "origins" : ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]
INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
INFO : http auto_https enabling automatic HTTP-> HTTPS redirects "server_name" "srv0"
INFO : tls cache maintenance started background certificate maintenance "cache" : "0x400...."
INFO : tls cache maintenance stopped background certificate maintenance "cache" : "0x400...."
Error : loading initial config: loading new config : http app module : start : listening on :80 : listen tcp: 80 bind : permission denied

Also tried:

nano /data/Caddyfile :

ziomario.ns0.it {
	encode
	reverse_proxy 192.168.1.7:8096 --disable-redirects
}

/data $ caddy run -c /data/Caddyfile
INFO : using config from file "file" : "/data/Caddyfile"
INFO : adapted config to JSON "adapter" : "caddyfile"
INFO : admin admin endpoint started "address": "localhost:2019", "enforce_origin": false, "origins" : ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]
INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
INFO : http auto_https enabling automatic HTTP-> HTTPS redirects "server_name" "srv0"
INFO : tls cache maintenance started background certificate maintenance "cache" : "0x400...."
INFO : tls cache maintenance stopped background certificate maintenance "cache" : "0x400...."
Error : loading initial config: loading new config : http app module : start : listening on :443 : listen tcp: 443 bind : permission denied

Probably not too helpful but the error you have was mentioned early in the preview of the tutorial you linked to at the start of this thread:

Never surrender, man. I have fixed the 443 error in this way:

sudo setcap CAP_NET_BIND_SERVICE=+eip $(which caddy)

(solution taken from here: Caddy "listen tcp :443: bind: permission denied" - Server Fault)

and I removed the parameter "--disable-redirects" from the Caddyfile.

Now I run caddy with this command:

/data $ sudo caddy run -c /data/Caddyfile

The situation seems to be better, but caddy still doesn't seem to run for some reason, and I don't understand why:

https://ibb.co/r6jw9Ss
https://ibb.co/LrmDBy1

I don't see errors, it should work, but when I open my website at the address:

https://ziomario.ns0.it:8920

it says: unable to connect. Why?

In the Emby control panel I see:

LAN Access = http://192.168.1.7:8096 (and it works)
WAN Access = https://ziomario.ns0.it:8920 (and it does not work)

In Network settings I chose:

LAN networks = empty
local IP address = empty

http local port = 8096
https local port = 8920

http public port = 8096
https public port = 8920

external domain = ziomario.ns0.it
secure connection mode = managed by the reverse proxy.

On my router I have opened ports 8096, 8920, 443 and 80 in TCP and UDP mode…
What else do I need to do?

Does no one want to help here again?

The precise error that I get right now is :

ERROR : http log error dial tcp 192.168.1.6:8096: connect: connection refused. request remote_ip 83.147.52.49 remote_port 45394 client_ip 83.147.52.49 proto HTTP/1.1 method GET host ziomario.ns0.it url gitlab-ci.yml headers user-agent go-http-client/1.1 accept-encoding gzip tls resumed false version 772 cipher_suite 4867 proto server_name ziomario.ns0.it duration 0.0015 status 502 err_id 36k92p912 err_trace reverseproxy.statusError (reverseproxy.go:1269)

This means Caddy was not able to reach your upstream 192.168.1.6:8096.

Confirm the 2 devices are able to communicate with each other and the proper firewall rules are in place (i.e. port 8096 on target machine is open).


The solution was that my public http and https ports should be set to 80 and 443 respectively.

Is there a method to start caddy automatically as soon as Android starts? At the moment I need to start caddy by opening termux and then issuing the command: sudo caddy run -c /data/Caddyfile every time I reboot Android.

This is not something within our control, nor something we are able to support. It depends entirely on Termux, so you'll need to check with them.


I have a problem that I want to fix. I would like to run my caddy script as soon as Android boots, but it does not work if I don't run it with sudo…

This is the scenario :

1. The script tries to run caddy without sudo:

/data/data/com.termux/files/home/.termux/boot/start-caddy :

/data/data/com.termux/files/usr/bin/termux-wake-lock
/data/data/com.termux/files/usr/bin/caddy run -c /data/data/com.termux/files/home/.termux/boot/Caddyfile 

./start-caddy 

INFO : using config from file "file" "/data/data/com.termux/files/home/.termux/boot/Caddyfile
INFO : adapted config to JSON "adapter": "caddyfile"
WARN : Caddyfile input is not formatted; run "caddy fmt --overwrite" to fix inconsistencies "adapter" ; "caddyfile" ; "file": "/data/data/com.termux/files/home/.termux/boot/Caddyfile", "line" : 2
INFO : admin admin endpoint started "address" ; "localhost:2019" , "enforce_origin" : false, "origins" : [//localhost:2019", "//[::1] 2019" , "//127.0.0.1:2019"

INFO : tls cache maintenance started background certificate maintenance "cache" : "0x400"
INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
INFO : http auto_https enabling automatic HTTP-HTTPS redirects "server_name": "srv0"
INFO : tls.cache.maintenance stopped background certificate maintenance "cache" : "0x400"
ERROR : loading initial config: loading new config: http app module start : listening on :443 listen tcp: 443 bind: permission denied

2. The script tries to run caddy with sudo:

/data/data/com.termux/files/home/.termux/boot/start-caddy :

/data/data/com.termux/files/usr/bin/termux-wake-lock
/data/data/com.termux/files/usr/bin/sudo caddy run -c /data/data/com.termux/files/home/.termux/boot/Caddyfile

./start-caddy

INFO : using config from file "file" "/data/data/com.termux/files/home/.termux/boot/Caddyfile
INFO : adapted config to JSON "adapter": "caddyfile"
WARN : Caddyfile input is not formatted; run "caddy fmt --overwrite" to fix inconsistencies "adapter" ; "caddyfile" ; "file": "/data/data/com.termux/files/home/.termux/boot/Caddyfile", "line" : 2
INFO : admin admin endpoint started "address" ; "localhost:2019" , "enforce_origin" : false, "origins" : [//localhost:2019", "//[::1] 2019" , "//127.0.0.1:2019"
INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
INFO : http auto_https enabling automatic HTTP-HTTPS redirects "server_name": "srv0"
INFO : tls.cache.maintenance started background certificate maintenance "cache" : "0x400"
INFO : http enabling HTTP/3 listener addr 443
INFO : http log server running "name" ; "srv0" ; "protocols" ; [h1 ; h2 ; h3]
INFO : http log server running "name" ; "remaining_auto_https_redirects" ; "protocols" [h1,h2,h3]
INFO : http enabling automatic TLS certificate management "domains" "ziomario.ns0.it"
INFO : autosaved config (load with --resume flag) "file": "/data/data/com.termux/files/home/.suroot/.config/caddy/autosave.json"
INFO : serving initial configuration
INFO : tls storage cleaning happened too recently; skipping for now "storage": "FileStorage: /data/data/com.termux/files/home/.suroot/caddy" , "instance": "312 bla bla" , "try_again" : "2024/08/17 10:04" , "try_again_in" : 86399
INFO : tls finished cleaning storage units

In both cases it is not executed when Android starts, but the version that contains sudo is executed after Android has started, by opening termux and typing: ./start-caddy.

Again, you need to ask Termux people. We cannot help you with how Termux works. It isn’t a Caddy problem. It’s a problem with Termux.


Can you take a look at this discussion?

https://emby.media/community/index.php?/topic/131239-installing-ssl-https-using-a-reverse-proxy-like-caddy-on-android/#comment-1378834

He suggested changing the port used by Caddy, which is currently 443, but I don't know where this port is defined, since inside my Caddyfile the only port I have defined is 8096 for the reverse proxy.

They suggest changing the http and https ports. I did something like this:

ziomario.ns0.it {
	http_port 8080
	https_port 8443
	encode
	reverse_proxy 192.168.1.6:8096
}

but it's wrong. The error is: unrecognized directive: http_port

Those directives go in a special block at the start of the Caddyfile, with no site address, on their own. They don’t go in a site block. Like this:

{
	http_port 8080
	https_port 8443
}

ziomario.ns0.it { # And the rest

(For more info: Global options (Caddyfile) — Caddy Documentation)

They will move the listening ports to those listed, too. So, to access the sites, you’d need to browse to e.g. https://ziomario.ns0.it:8443.

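Putting the reply above together with the earlier translation, a complete Caddyfile that binds only unprivileged ports (so it can start from the Termux boot script without root or setcap) looks like the following. This is an added example, not configuration from the thread or from the Caddy project; hostname, upstream and the 8080/8443 port choice are the ones discussed above.

```caddyfile
# Added example: unprivileged-port Caddyfile for the setup in this thread.
{
	# Global options: first block in the file, no site address.
	# These only change the ports Caddy itself listens on; browsers and
	# ACME certificate authorities still connect to the public 80/443.
	http_port 8080
	https_port 8443
}

ziomario.ns0.it {
	encode zstd gzip
	reverse_proxy 192.168.1.6:8096
}
```

The caveat that goes with this: Let's Encrypt validates the domain by connecting to the public port 80 (HTTP-01) or 443 (TLS-ALPN-01), not to 8080 or 8443. For certificate issuance to succeed, the router must forward external TCP 80 to 192.168.1.6:8080 and external TCP 443 to 192.168.1.6:8443. The same forwarding also means the site stays reachable at https://ziomario.ns0.it without a port suffix; forwarding 8080 and 8443 themselves is then unnecessary, and UDP is only needed on 443 if HTTP/3 is wanted.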

Running the script without sudo still does not work. The error is:

ERROR : tls.obtain will retry error ziomario.ns0.it solving challenge authorization failed HTTP 400 urn:ietf:params:acme:error:connection: connection refused.

Ports opened on the router are:

Caddy-HTTPS   PC 192.168.1.6   TCP/UDP   8443
Caddy-HTTP    PC 192.168.1.6   TCP/UDP   8080
Emby-Android  PC 192.168.1.6   TCP/UDP   8096
Emby-Android  PC 192.168.1.6   TCP/UDP   8920
HTTP          PC 192.168.1.6   TCP/UDP   80
HTTPS         PC 192.168.1.6   TCP/UDP   443

Using sudo in the script, instead, I have to use port 8443 to connect to the Emby server:

https://ziomario.ns0.it:8443

Whereas before I didn't have to write the port. It was cleaner to open the website like this:

https://ziomario.ns0.it