1. Caddy version (`caddy version`):
2. How I run Caddy:
docker start caddy
a. System environment:
Ubuntu 20.04
Docker 20.10.12
Caddy 2.4.6
b. Command:
CMD ["caddy", "docker-proxy"]
c. Service/unit/compose file:
Dockerfile
# Build stage: compile a custom Caddy binary with the plugins listed below,
# using the official builder image for the pinned Caddy release.
ARG CADDY_VERSION=2.4.6
FROM caddy:${CADDY_VERSION}-builder AS builder
# NOTE(review): the Caddy release is pinned, but none of the modules below
# carry a version suffix, so every build resolves them to whatever is current
# upstream at build time. Pinning them (xcaddy accepts module@version) makes
# the image reproducible and lets plugin upgrades be reviewed deliberately.
RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/plugin/v2 \
    --with github.com/greenpau/caddy-security \
    --with github.com/greenpau/caddy-trace \
    --with github.com/porech/caddy-maxmind-geolocation \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/kirsch33/realip
# Runtime stage: same Caddy release, alpine variant. Only the custom binary and
# tzdata (presumably for the TZ variable set in the compose file) are added.
FROM caddy:${CADDY_VERSION}-alpine
RUN apk add --no-cache tzdata
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
# Start the docker-proxy plugin instead of plain `caddy run`; it generates the
# Caddyfile from container labels via the Docker socket mounted in compose.
CMD ["caddy", "docker-proxy"]
docker-compose
caddy:
  hostname: caddy
  image: caddy220312 #220216
  container_name: caddy
  restart: always
  environment:
    - TZ=${TZ}
    - CADDY_DOCKER_CADDYFILE_PATH=/data/CaddyFile
    - EMAIL=${EMAIL}
    # NOTE(review): credentials and signing keys are passed as container
    # environment variables; they are visible in `docker inspect` and to every
    # process in the container. A secrets file or Docker secret would narrow
    # that exposure.
    - CADDY_EMAIL_SECRET=${CADDY_EMAIL_SECRET}
    - SMTP=${SMTP}
    - CRYPTO_KEY=${CRYPTO_KEY}
    - CLOUDFLARE_DOMAIN=${CLOUDFLARE_DOMAIN}
    - CADDY_REG_CODE=${CADDY_REG_CODE}
    - GEO_COUNTRY=${GEO_COUNTRY}
    - GEO_SUBDIVISION=${GEO_SUBDIVISION}
    - GEO_METRO_CODE=${GEO_METRO_CODE}
    - CLOUDFLARE_API=${CLOUDFLARE_API}
    - FQDN=${FQDN}
    - USER=${USER}
  ports:
    # 8069 and 443 match http_port / https_port in the generated Caddyfile.
    - 8069:8069
    - 443:443
    # 2019 is Caddy's admin API. The log shows it bound to tcp/localhost:2019
    # inside the container, so this mapping most likely reaches nothing; if the
    # admin endpoint were ever bound to all interfaces, this would expose the
    # config-loading API (POST /load) to the network. Drop it unless needed.
    - 2019:2019
  volumes:
    # Needed by docker-proxy, but control of the Docker socket is equivalent
    # to root on the host; keep this container's exposure as small as possible.
    - /var/run/docker.sock:/var/run/docker.sock
    - "${docker}/caddy2/data:/data"
    - "${docker}/caddy2/config:/config"
    - "${docker}:/docker"
    - "${xbmc}/ebooks/Magazines:/magazines"
    # Host log directory mounted read-write. Caddy's own logs go to /data per
    # the Caddyfile, so add :ro here if nothing in the container writes to it.
    - "/var/log:/logs"
    - "/etc/localtime:/etc/localtime"
    - "/etc/timezone:/etc/timezone"
  labels:
    - com.centurylinklabs.watchtower.enable=false
    # NOTE(review): a Traefik router label on the Caddy container looks like a
    # leftover from another proxy setup; confirm it is still wanted.
    - traefik.http.routers.auth.rule=Host(`${FQDN}`)
  networks:
    - wg-pia
d. My complete Caddyfile or JSON config:
{"level":"info","ts":1647347192.7575867,"logger":"docker-proxy","msg":"New Caddyfile","caddyfile":"{
http_port 8069
https_port 443
email {$EMAIL}
debug
log {
output file /data/caddy.log
format json {
time_format wall
level_format upper
}
}
security {
credentials {$EMAIL} {
username {$EMAIL}
password {$CADDY_EMAIL_SECRET}
}
messaging email provider gmail {
address {$SMTP}
protocol smtp
sender {$EMAIL}
credentials {$EMAIL}
}
authentication portal myportal {
enable source ip tracking
cookie domain {$CLOUDFLARE_DOMAIN}
cookie lifetime 86400
crypto default token lifetime 86400
crypto key sign-verify {$CRYPTO_KEY}
backend local /config/caddy/users.json local
transform user {
match origin local
require mfa
action add role authp/superadmin authp/user
}
registration {
dropbox /config/caddy/registrations.json
title \"User Registration\"
code {$CADDY_REG_CODE}
require domain mx
email provider gmail
admin email {$EMAIL}
}
ui {
links {
"My Identity" "/auth/whoami" icon "las la-user"
}
}
transform user {
exact match sub {$USER}
action add role authp/superadmin
ui link "Portal Settings" /auth/settings icon "las la-cog"
ui link "Adguard" "/agh" icon "las la-cog" target_blank
}
}
authorization policy mypolicy {
validate source address
set auth url /auth/
crypto key verify {$CRYPTO_KEY}
allow roles authp/superadmin authp/user
}
}
}
auth.samcro1967.net {
tls {
dns cloudflare {{$CLOUDFLARE_API}}
}
route /auth* {
authenticate * with myportal
}
route /xauth* {
authenticate * with myportal
}
route {
redir https://{hostport}/login/ 302
}
log {
output file /data/access.log
format json
}
redir /agh /agh/
route /agh/* {
authorize with mypolicy
uri strip_prefix /agh
reverse_proxy 192.168.1.104:8126 {
header_down Location /login.html /agh/login.html
}
}
}
"}
3. The problem I’m having:
Several hours after restarting Caddy, I get “Error 525 SSL handshake failed” when accessing auth.samcro1967.net. Restarting the service resolves the issue for a few hours. The only error I see in the logs is “Keeping lock file fresh: unexpected end of JSON input - terminating lock maintenance”.
I do have one lock file “issue_cert_auth.samcro1967.net.lock” that looks like this:
{"created":"2022-03-16T03:05:10.80765497-05:00","updated":"2022-03-16T10:35:29.374659462-05:00"}
This started a few weeks ago after I upgraded from caddy-auth-portal to caddy-security, but I don’t think it is related. I am not aware of anything else that changed at the time this started happening.
4. Error messages and/or full log output:
{"level":"info","ts":1647347154.2962456,"logger":"docker-proxy","msg":"Sending configuration to","server":"localhost"}
{"level":"info","ts":1647347154.2994285,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_addr":"127.0.0.1:41300","headers":{"Accept-Encoding":["gzip"],"Content-Length":["22129"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
{"level":"info","ts":1647347154.3037798,"msg":"redirected default logger","from":"stderr","to":"/data/caddy.log"}
{"level":"info","ts":1647347154.4039662,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
{"level":"info","ts":1647347192.6328156,"logger":"docker-proxy","msg":"Running caddy proxy server"}
{"level":"info","ts":1647347192.6346178,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1647347192.6347795,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1647347192.6347876,"logger":"docker-proxy","msg":"Running caddy proxy controller"}
{"level":"info","ts":1647347192.6353683,"logger":"docker-proxy","msg":"Start","CaddyfilePath":"/data/CaddyFile","LabelPrefix":"caddy","PollingInterval":30,"ProcessCaddyfile":true,"ProxyServiceTasks":true,"IngressNetworks":"[]"}
{"level":"info","ts":1647347192.635559,"logger":"docker-proxy","msg":"Caddy ContainerID","ID":"7ada9f90bba653f0e23ea2a436d9ba5d88b3f676736914727fb59f0d24da147b"}
{"level":"info","ts":1647347192.63632,"logger":"docker-proxy","msg":"Connecting to docker events"}
{"level":"info","ts":1647347192.6391163,"logger":"docker-proxy","msg":"IngressNetworksMap","ingres":"map[12d99874b921591e07c8c2c0c50f6fb013984cd9045b8b0dda296fea3ce8cc18:true]"}
{"level":"info","ts":1647347192.6546054,"logger":"docker-proxy","msg":"Swarm is available","new":false}
{"level":"info","ts":1647347192.6551454,"logger":"docker-proxy","msg":"Skipping swarm config caddyfiles because swarm is not available"}
{"level":"info","ts":1647347192.708459,"logger":"docker-proxy","msg":"Skipping swarm services because swarm is not available"}
{"level":"info","ts":1647347192.7661257,"logger":"docker-proxy","msg":"Sending configuration to","server":"localhost"}
{"level":"info","ts":1647347192.7672646,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_addr":"127.0.0.1:41304","headers":{"Accept-Encoding":["gzip"],"Content-Length":["22129"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
{"level":"info","ts":1647347192.771858,"msg":"redirected default logger","from":"stderr","to":"/data/caddy.log"}
{"level":"info","ts":1647347192.8547845,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
2022/03/16 04:38:03 [ERROR] Keeping lock file fresh: unexpected end of JSON input - terminating lock maintenance (lockfile: /data/caddy/locks/issue_cert_auth.samcro1967.ne
5. What I already tried:
I found a few similar issues in the forum, but I am not sure they are relevant.
I am not using AWS EFS, unlike this one.
I already have the Cloudflare DNS challenge configured and see no errors in the log indicating that it is failing.