I noticed that the log file does not get created, and I can't access the origin as I get a Cloudflare bad gateway error. My intention is to pass traffic from the Cloudflare tunnel to a local service (i.e. Caddy).
a. System environment:
Windows server on server 2019
b. Command:
caddy run
c. Service/unit/compose file:
NA
### 3. The problem I'm having:
When browsing to the site, I get a bad gateway error.
### 4. Error messages and/or full log output:
### 5. What I already tried:
I've spent most of my effort tweaking the Caddyfile, but with no luck.
### 6. Links to relevant resources:
It's a bit hard to grok with the formatting, but your Cloudflare tunnel config stands out to me first. See their docs for defining ingresses. In particular, `service` needs to refer to the local host/port where Caddy is listening. By setting it to abc.def.com, it's an endless loop back to Cloudflare's edge.
If you’re running the Cloudflare tunnel daemon on the same host as Caddy, try something like this:
Caddy's `reverse_proxy` is HTTP by default; you need to turn on TLS by either using `https://` as a scheme prefix for the upstream, or adding the `tls` option inside `reverse_proxy`.
Either way, you probably don’t need HTTPS between Caddy and IIS, because the connection is happening on the same device, right? There’s no benefit to HTTPS at that point unless you’re worried about software running on the same device being able to listen in on the traffic. HTTP here is simpler and probably slightly faster (avoids some overhead from TLS).
Only specify `tls` once:

```
tls abs@gmail.com {
	dns cloudflare {env.token}
}
```
Please run `caddy fmt` to clean up your Caddyfile's syntax; it's really hard to read with that messy indentation.
Also, your original post's formatting is broken, making it really difficult to read. It would be great if you could fix that up.
Does Cloudflare Tunnels support UDP traffic? Probably not necessary anyways, since Cloudflare will do HTTP/3 at the edge.
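To make the advice above concrete, here is an added example (not code from this thread, nor from the Caddy or cloudflared projects) that writes the two configs for the layout being discussed: cloudflared and Caddy on the same host, IIS on a separate server. It assumes abc.def.com as the public site name from the thread; the IIS address 10.0.0.5, the tunnel UUID, the credentials and log paths, and the `CF_API_TOKEN` variable name are placeholders to adjust. The last function checks a config.yml for the exact mistake in the thread, an ingress `service` that points back at the public hostname.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Caddy/cloudflared projects.
# Writes the two configs for the layout described here:
#   cloudflared -> Caddy (same host) -> IIS (separate server)
# Assumed values: abc.def.com is the public site name used in the thread; the
# IIS backend address, the tunnel UUID, the credentials path, the log path and
# the CF_API_TOKEN variable name are placeholders to adjust.
set -eu

PUBLIC_HOST="abc.def.com"
BACKEND="10.0.0.5:443"   # assumed IIS server; not from the thread

# cloudflared config.yml. "service" must be where Caddy listens on this host.
# Setting it to the public hostname sends the request back to Cloudflare's edge,
# which comes back through the tunnel again: the loop behind the bad gateway.
write_cloudflared_config() {
    cat > "$1" <<EOF
tunnel: 00000000-0000-0000-0000-000000000000
credentials-file: C:/cloudflared/tunnel.json
ingress:
  - hostname: ${PUBLIC_HOST}
    service: https://localhost:443
    originRequest:
      # Caddy selects its certificate by SNI, so present the site name, not localhost
      originServerName: ${PUBLIC_HOST}
  - service: http_status:404
EOF
}

# Caddyfile: one tls block, debug on, a log file Caddy can actually write, and
# an HTTPS upstream with explicit SNI because IIS is on a different server.
write_caddyfile() {
    cat > "$1" <<EOF
{
	debug
	log {
		output file C:/caddy/logs/caddy.log
	}
}

${PUBLIC_HOST} {
	# specify tls once; the DNS challenge needs the cloudflare DNS module built in
	tls abs@gmail.com {
		dns cloudflare {env.CF_API_TOKEN}
	}

	# https:// turns on TLS to the upstream; tls_server_name sets the SNI IIS sees
	reverse_proxy https://${BACKEND} {
		transport http {
			tls_server_name ${PUBLIC_HOST}
		}
	}
}
EOF
}

# Catches the mistake in the thread: an ingress service pointing at the public
# hostname. Returns 0 when the file is clean, 1 when a loop is found.
check_ingress_loop() {
    if grep -Eq "^[[:space:]]*service:[[:space:]]*https?://${PUBLIC_HOST}" "$1"; then
        echo "ingress loops back to Cloudflare: service must point at local Caddy" >&2
        return 1
    fi
    return 0
}

# Usage: sh tunnel-configs.sh <output-dir>
if [ "$#" -gt 0 ]; then
    mkdir -p "$1"
    write_cloudflared_config "$1/config.yml"
    write_caddyfile "$1/Caddyfile"
    check_ingress_loop "$1/config.yml"
    echo "wrote $1/config.yml and $1/Caddyfile"
fi
```

Two caveats when adapting this. cloudflared verifies the certificate Caddy presents on localhost:443; because the DNS challenge gives Caddy a publicly valid certificate for the site name, `originServerName` is enough and there is no need for `noTLSVerify`. On the Caddy-to-IIS leg, Caddy verifies the IIS certificate against the name in `tls_server_name`, so if IIS uses a certificate that Caddy's host does not trust, the proxy fails with a TLS error in the debug log; trust that CA on the Caddy host rather than reaching for `tls_insecure_skip_verify`. Also, HTTP/3 is only negotiated between the visitor and Cloudflare's edge, so Caddy's own logs will not show h3 for tunnelled requests.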
The network infrastructure is Cloudflare agent > Caddy > web server(s). So Caddy and IIS are separate servers. In the example Caddyfiles I have shared, I have one backend but this will change as I will add more (just want to sort out the teething issues). I was also thinking that having the web servers handle SSL can be a performance penalty.
This allows me to connect to the backend web servers with SSL enabled on them, and with them using SNI. However, I don't see HTTP/3 used? An example log: