Issue turning on gzip (tries issuing cert for 'gzip' instead)

1. Caddy version (caddy version):

2.0.0

2. How I run Caddy:

Serving up static files from a folder. Behind a Traefik reverse proxy.

a. System environment:

Ubuntu 20.04
Docker, Docker Compose

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"
      - "--entrypoints.web.http.redirections.entryPoint.scheme=https"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=my@email.address"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  nzz:
    image: "caddy"
    container_name: "nzz-caddy"
    volumes:
      - "caddy_nzz_data:/data"
      - "caddy_nzz_config:/config"
      - "/home/fmbra/websites/nzz:/usr/share/caddy"
      - "/home/fmbra/websites/Caddyfile-nzz:/etc/caddy/Caddyfile"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nzz.rule=Host(`nzz.tld`)"
      - "traefik.http.routers.nzz.entrypoints=websecure"
      - "traefik.http.routers.nzz.tls.certresolver=myresolver"

volumes:
    caddy_nzz_data:
    caddy_nzz_config:

d. My complete Caddyfile or JSON config:

encode gzip
templates

3. The problem I’m having:

I’m very much a newbie, so apologies if this is obvious. I’ve set up a very basic Caddy 2 server behind a Traefik reverse proxy using Docker Compose. It works fine until I try to use a custom Caddyfile to turn on gzip compression. Caddy attempts to get Let's Encrypt certificates for “encode” and “gzip” instead of treating them as configuration options.

4. Error messages and/or full log output:

nzzus-caddy | {"level":"info","ts":1590436589.078648,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
nzz-caddy | {"level":"info","ts":1590436589.0814178,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
nzzus-caddy | 2020/05/25 19:56:29 [INFO][cache:0xc000763590] Started certificate maintenance routine
nzz-caddy | {"level":"info","ts":1590436589.096234,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
nzz-caddy | {"level":"info","ts":1590436589.0963771,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
nzz-caddy | {"level":"info","ts":1590436589.096867,"logger":"tls","msg":"cleaned up storage units"}
nzz-caddy | {"level":"info","ts":1590436589.0974503,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["encode","gzip"]}
nzz-caddy | {"level":"info","ts":1590436589.097868,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
nzz-caddy | {"level":"info","ts":1590436589.0978787,"msg":"serving initial configuration"}
nzz-caddy | 2020/05/25 19:56:29 [INFO][encode] Obtain certificate; acquiring lock...
nzz-caddy | 2020/05/25 19:56:29 [INFO][gzip] Obtain certificate; acquiring lock...
nzz-caddy | 2020/05/25 19:56:29 [INFO][gzip] Obtain: Lock acquired; proceeding...
nzz-caddy | 2020/05/25 19:56:29 [INFO][encode] Obtain: Lock acquired; proceeding...
nzz-caddy | 2020/05/25 19:56:29 [INFO][gzip] Waiting on rate limiter...
nzz-caddy | 2020/05/25 19:56:29 [INFO][gzip] Done waiting
nzz-caddy | 2020/05/25 19:56:29 [INFO] [gzip] acme: Obtaining bundled SAN certificate given a CSR
nzz-caddy | 2020/05/25 19:56:29 [INFO][encode] Waiting on rate limiter...
nzz-caddy | 2020/05/25 19:56:29 [INFO] [encode] acme: Obtaining bundled SAN certificate given a CSR
nzz-caddy | 2020/05/25 19:56:29 [INFO][encode] Done waiting
nzz-caddy | 2020/05/25 19:56:29 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "gzip": Domain name needs at least one dot, url: (challenge=tls-alpn-01 remaining=[http-01])
nzzus-caddy | 2020/05/25 19:56:29 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "encode": Domain name needs at least one dot, url: (challenge=tls-alpn-01 remaining=[http-01])
nzz-caddy | 2020/05/25 19:56:31 [INFO] [gzip] acme: Obtaining bundled SAN certificate given a CSR
nzz-caddy | 2020/05/25 19:56:31 [INFO] [encode] acme: Obtaining bundled SAN certificate given a CSR
nzzus-caddy | 2020/05/25 19:56:32 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "gzip": Domain name needs at least one dot, url: (challenge=http-01 remaining=[])
nzzus-caddy | 2020/05/25 19:56:32 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "encode": Domain name needs at least one dot, url: (challenge=http-01 remaining=[])

5. What I already tried:

6. Links to relevant resources:

A site label needs to be the first thing in your Caddyfile. Caddy is parsing “encode” and “gzip” as separate hostnames to serve your site on!

Btw, I recommend trying the caddy-docker-proxy plugin, it could replace Traefik for you!

@francislavoie Thanks. I added the domain name to the top of the Caddyfile, but the site still won’t load. I’m not seeing any obvious errors in the docker-compose logs. My impression is that adding the domain to the Caddyfile automatically generates a Let's Encrypt certificate - is it possible this is conflicting with the one generated in my Traefik setup?

Regarding caddy-docker-proxy, I actually looked at that before using Traefik, but as a novice, I found the instructions quite hard to follow. It looks like there’s an example docker-compose.yml file provided, so I might experiment with using Caddy as a reverse proxy using that, but for my own edification, I’d like to figure out what I’m doing wrong with the current setup.

Attaching to modwheel-lighttpd, nzzus-caddy, traefik
nzz-caddy | {"level":"info","ts":1590442139.7320766,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
nzz-caddy | {"level":"info","ts":1590442139.7361267,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
nzz-caddy | {"level":"info","ts":1590442139.7548141,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
nzz-caddy | {"level":"info","ts":1590442139.7548592,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
nzz-caddy | 2020/05/25 21:28:59 [INFO][cache:0xc0004ca0f0] Started certificate maintenance routine
nzz-caddy | {"level":"info","ts":1590442139.7596836,"logger":"tls","msg":"cleaned up storage units"}
nzz-caddy | {"level":"info","ts":1590442139.7601783,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["nzz.tld"]}
nzz-caddy | {"level":"info","ts":1590442139.7715766,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
nzz-caddy | {"level":"info","ts":1590442139.7716098,"msg":"serving initial configuration"}
traefik     | time="2020-05-25T21:29:00Z" level=info msg="Configuration loaded from flags."

If you’re only trying to serve a static site and nothing else, then using Traefik here is unnecessary. Caddy is good enough on its own.

If the set of services you want to run are well-known, then you could easily just use Caddy to reverse proxy to all your services, no need for Traefik either.

What does your Caddyfile look like now? If you simply put your domain name at the top of the file with no scheme/port, then Caddy will automatically enable HTTPS. See the docs here:

To avoid that, you can prefix your domain with http:// to tell Caddy not to enable HTTPS.

Also, in Caddy v2, you’ll need to enable a file server with the file_server directive, and you’ll need to tell it where to look for files with the root directive. The templates and encode directives are just middleware, they don’t serve files on their own.

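Added here as an example (not code from this thread or from the Caddy project): a small pre-flight check that reads the first line of a Caddyfile the way Caddy does, as a list of site addresses, and flags names a public CA would reject with "Domain name needs at least one dot" before they turn into wasted ACME orders. The directive list, the function names and the handling of `http://`, `:port`, `localhost` and IP literals are my own assumptions about what should not trigger a warning.

```python
import ipaddress
import re
from typing import List, Optional

# Assumed, non-exhaustive set of Caddy v2 directive names that tend to end up
# on a mistaken first line when the site address is missing.
DIRECTIVES = {"encode", "gzip", "zstd", "templates", "root", "file_server",
              "reverse_proxy", "tls", "log", "redir", "respond", "handle", "route"}


def site_addresses(caddyfile: str) -> List[str]:
    """Tokens Caddy reads as site addresses: the first non-empty, non-comment
    line, split on whitespace, trailing commas and an opening '{' dropped.
    A leading global-options block ('{' alone) is not handled here."""
    for line in caddyfile.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        return [t.rstrip(",") for t in line.split() if t != "{"]
    return []


def lint_address(addr: str) -> Optional[str]:
    """Warning text if this address would cause a doomed public-CA order, else None."""
    if addr.startswith("http://"):
        return None  # explicit http scheme: Caddy does not enable automatic HTTPS
    host = re.sub(r"^https?://", "", addr).split("/", 1)[0]  # drop scheme and path
    bracketed = re.match(r"^\[([^\]]*)\](?::\d+)?$", host)  # [::1]:443 style
    if bracketed:
        host = bracketed.group(1)
    elif ":" in host:
        host = host.rsplit(":", 1)[0]  # strip :port; ":80" leaves an empty host
    if host in ("", "localhost"):
        return None
    try:
        ipaddress.ip_address(host)
        return None  # IP literals are not ordered from a public CA
    except ValueError:
        pass
    if "." not in host:
        hint = " (looks like a directive placed before the site address)" if host in DIRECTIVES else ""
        return f"{addr!r}: a public CA will reject it, domain name needs at least one dot{hint}"
    return None


def lint(caddyfile: str) -> List[str]:
    """All warnings for the site addresses on the Caddyfile's first line."""
    return [w for a in site_addresses(caddyfile) if (w := lint_address(a))]
```

Run it over the two Caddyfiles from this thread: the original `encode gzip` / `templates` file yields one warning per token, while `:80` followed by the directives yields none.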

I checked the default Caddyfile for guidance (I should have done that to start!) and my Caddyfile now looks like this:

:80 

encode gzip
root * /usr/share/caddy
file_server

The site loads and the Traefik certificate is working, but gzip is still not active.

I set up the reverse proxy because I have another web server running and am planning on adding several more containers, so I wanted to figure out how to operate the proxy before I took everything else online.


I’m sure gzip is functional in v2.0.0, what gives the indication it’s not active?

Remember that Caddy won’t arbitrarily gzip all responses, just response bodies where the client advises they accept gzip encoding, and the response body is above a certain size.


@Whitestrake It looks like that was it - my initial tests were on small files - larger ones are being gzipped - thanks!

For ref, Caddy’s default minimum response size for compression is 512 bytes. It skips anything smaller.
