".local" https in local network with caddy (Openedx Tutor)

1. Output of caddy version:

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

docker-compose up

a. System environment:

Docker

b. Command:


c. Service/unit/compose file:

version: "3.7"
services:
  # Web proxy for load balancing and SSL termination
  caddy:
    image: docker.io/caddy:2.4.6
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      default_site_port: ""
    volumes:
      - ../apps/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - ../../data/caddy:/data
    

d. My complete Caddy config:

# Global configuration
{
    
}

# proxy directive snippet (with logging) to be used as follows:
#
#     import proxy "containername:port"
(proxy) {
    log {
        output stdout
        format filter {
            wrap json
            fields {
                common_log delete
                request>headers delete
                resp_headers delete
                tls delete
            }
        }
    }

    reverse_proxy {args.0} {
        header_up X-Forwarded-Port 443
    }
}

lms.my_AD_ntwk.local{$default_site_port}, preview.lms.my_AD_ntwk.local{$default_site_port} {
    @favicon_matcher {
        path_regexp ^/favicon.ico$
    }
    rewrite @favicon_matcher /theming/asset/images/favicon.ico

    # Limit profile image upload size
    request_body /api/profile_images/*/*/upload {
        max_size 1MB
    }
    request_body {
        max_size 4MB
    }

    import proxy "lms:8000"

    
}

studio.lms.my_AD_ntwk.local{$default_site_port} {
    @favicon_matcher {
        path_regexp ^/favicon.ico$
    }
    rewrite @favicon_matcher /theming/asset/images/favicon.ico

    request_body {
        max_size 250MB
    }

    import proxy "cms:8000"

    
}

mobile.lms.my_AD_ntwk.local{$default_site_port} {
    import proxy "android-app:8000"
}
# Notes
notes.lms.my_AD_ntwk.local{$default_site_port} {
    import proxy "notes:8000"
}

3. The problem I’m having:

I am trying to set up an LMS platform (Open edX via Tutor) on our local DNS server (.local), and this works like a charm. But now I want to enable HTTPS, so that the LMS portal can be accessed securely across my local AD network. I need help with the procedure to generate a certificate and configure Caddy manually so that HTTPS works.
These are the certificates I have got from the network team:
root.cer
Intermediate.cer
distribution.cer

that I can reach my local websites/servers (some are running on the Docker host 192.168.178.165 and some not) just by typing the URL, e.g. http://senec.local or http://heimdall.local

4. Error messages and/or full log output:


5. What I already tried:

I am a little confused/stuck on the approach to the certificate signing process for Caddy; any help is much appreciated.

6. Links to relevant resources:

Thanks
Venkat

Please upgrade to v2.6.1! You’re on a pretty old version now.

You won’t need this anymore; common_log is no longer in the access logs.

You can shorten this by using the single-line named matcher syntax:

@favicon_matcher path_regexp ^/favicon.ico$

I’m a bit confused about this question. Are you saying that you have an existing CA from which you want to issue certs for Caddy to use? Or are you trying to figure out how to use Caddy’s own internal CA to issue certs?

Keep in mind that the server always needs the certificate and the private key associated with it to secure TLS connections. Both are two halves of a whole. The cert contains the public key portion which you tell the client to use to encrypt traffic it sends to your server, and the server uses the private key to decrypt that traffic sent to it.

Just as a point of warning, .local is often not ideal to use, especially if you ever have any Apple devices in the network, because they use .local for their Bonjour multicast DNS, and that can screw things up. See .local - Wikipedia

A better domain to use is typically .home.arpa. See What domain name to use for your home network | Ctrl blog


Hello Francis,

Are you saying that you have an existing CA from which you want to issue certs for Caddy to use? Yes, exactly. Our network team has a local CA for our network. I need Caddy to use that certificate for all TLS communication, so that we can access this site across our local network with HTTPS.

I saw a couple of forum posts with this advice; for now I guess we have to live with this, as it is our organisation's policy, which I cannot override. However, I will put a note to our network team about this.

Thanks
Venkat

If you have a leaf certificate to use (with the private key), then you can use the tls directive to tell Caddy to use it:

tls cert.pem key.pem
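The two replies above (the server needs the certificate together with the private key that belongs to it, and `tls cert.pem key.pem` points Caddy at both) as an added worked example; this is not code from the thread, from Caddy or from Tutor. It assumes a two-tier internal CA matching the three files named in the question (root.cer, Intermediate.cer, distribution.cer), an openssl binary (1.1.1 or newer) on the Caddy host, and the compose volume ../../data/caddy:/data, so that a host directory data/caddy/certs/ appears as /data/certs/ inside the container. The stand-in CA it generates exists only so the script runs offline; in practice the network team signs the CSR and returns distribution.cer. The site names, file names and paths are taken from the thread or are assumptions, not something Caddy or Tutor prescribe.

```shell
#!/bin/sh
# Added example (not code from the thread, Caddy or Tutor): produce the files
# `tls cert.pem key.pem` needs when an internal CA issues the certificate,
# check them, and write the matching Caddyfile. Assumed (hypothetical): a
# two-tier CA (root -> intermediate -> leaf) as root.cer, Intermediate.cer and
# distribution.cer suggest; openssl >= 1.1.1 on PATH; the compose mount
# ../../data/caddy:/data, so host data/caddy/certs/ is /data/certs/ in Caddy.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SAN="DNS:lms.my_AD_ntwk.local,DNS:preview.lms.my_AD_ntwk.local,DNS:studio.lms.my_AD_ntwk.local"

# Step 1, on the Caddy host: private key plus CSR. Only the CSR is sent to the
# network team; the key never leaves and is the second half of the tls line.
make_key_and_csr() {
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/lms.key"
  openssl req -new -key "$WORK/lms.key" -out "$WORK/lms.csr" \
    -subj "/CN=lms.my_AD_ntwk.local" -addext "subjectAltName=$SAN"
}

# Step 2, normally done by the network team: a constructed stand-in CA so the
# example runs offline. It returns distribution.cer signed by Intermediate.cer.
sign_with_stand_in_ca() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "$SAN" > "$WORK/leaf.ext"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/root.key"
  openssl req -new -key "$WORK/root.key" -subj "/CN=Stand-in Root CA" -out "$WORK/root.csr"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.cer"
  openssl ecparam -genkey -name prime256v1 -noout -out "$WORK/inter.key"
  openssl req -new -key "$WORK/inter.key" -subj "/CN=Stand-in Issuing CA" -out "$WORK/inter.csr"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
    -set_serial 2 -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/Intermediate.cer"
  openssl x509 -req -in "$WORK/lms.csr" -CA "$WORK/Intermediate.cer" -CAkey "$WORK/inter.key" \
    -set_serial 3 -days 825 -extfile "$WORK/leaf.ext" -out "$WORK/distribution.cer"
}

# Step 3: normalise the returned files (.cer from a Windows CA is often DER) and
# build what Caddy serves: leaf first, then the intermediate. The root is left
# out on purpose; clients must already trust it (in AD, usually via group policy).
to_pem() {  # $1 = input (PEM or DER), $2 = output PEM
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
  else openssl x509 -inform der -in "$1" -out "$2"; fi
}
build_chain() {
  mkdir -p "$WORK/certs"
  to_pem "$WORK/distribution.cer" "$WORK/certs/leaf.pem"
  to_pem "$WORK/Intermediate.cer" "$WORK/certs/intermediate.pem"
  to_pem "$WORK/root.cer" "$WORK/certs/root.pem"
  cat "$WORK/certs/leaf.pem" "$WORK/certs/intermediate.pem" > "$WORK/certs/fullchain.pem"
  cp "$WORK/lms.key" "$WORK/certs/lms.key" && chmod 600 "$WORK/certs/lms.key"
}

# Step 4: checks worth running before restarting Caddy.
chain_verifies() {    # leaf -> intermediate -> root must validate
  openssl verify -CAfile "$WORK/certs/root.pem" -untrusted "$WORK/certs/intermediate.pem" \
    "$WORK/certs/leaf.pem" > /dev/null
}
key_matches_cert() {  # both halves of the tls line must belong together
  [ "$(openssl x509 -in "$WORK/certs/leaf.pem" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/certs/lms.key" -pubout)" ]
}
cert_covers() {       # $1 = a site name from the Caddyfile
  openssl x509 -in "$WORK/certs/leaf.pem" -noout -text | grep -qF "DNS:$1"
}

# Step 5: Caddyfile for Caddy 2.6 (single-line matcher, as suggested in the
# thread) with tls replacing automatic certificate management for these names.
write_caddyfile() {
  cat > "$WORK/Caddyfile" <<'EOF'
(proxy) {
    reverse_proxy {args.0} {
        header_up X-Forwarded-Port 443
    }
}

lms.my_AD_ntwk.local, preview.lms.my_AD_ntwk.local {
    # host data/caddy/certs/ is mounted as /data/certs/ (assumed layout)
    tls /data/certs/fullchain.pem /data/certs/lms.key
    @favicon_matcher path_regexp ^/favicon.ico$
    rewrite @favicon_matcher /theming/asset/images/favicon.ico
    import proxy "lms:8000"
}
EOF
}

main() {
  make_key_and_csr; sign_with_stand_in_ca; build_chain; write_caddyfile
  chain_verifies; key_matches_cert; cert_covers lms.my_AD_ntwk.local
  echo "ok: $WORK/certs/fullchain.pem, $WORK/certs/lms.key and $WORK/Caddyfile are ready"
}
main
```

Copy fullchain.pem and lms.key to data/caddy/certs/ on the Docker host, check the file with `caddy validate --config Caddyfile --adapter caddyfile` (or `docker compose exec caddy caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile`), then restart the container. Two caveats: a browser on the LAN only trusts the site if root.cer is in its trust store, which the server cannot fix by sending the root in the chain; and with an explicit `tls` line Caddy does not renew the file-based certificate, so its expiry has to be tracked by monitoring or by hand.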
