LXC and reverse proxy

1. My Caddy version (caddy version):

v2.0.0-beta.17 h1:x+Ur3uX83j+STerOWsrLDlknXe7z71VnO5xD+H2OwAw=

2. How I run Caddy:

By systemd

a. System environment:

Host on Ubuntu 18.04
LXD Containers on Ubuntu-minimal 18.04

b. Command:

systemd start/reload caddy.service

c. Service/unit/compose file:

[Unit]
Description=Caddy Web Server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --config /etc/caddy/Caddyfile --adapter caddyfile --resume --environ
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --adapter caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

Frontend container reverse_proxy:

http://domain.com {
reverse_proxy wordpress01:80
log {
	output file /var/log/caddy/log_http_domain.com.log
	}
}


https://domain.com {
reverse_proxy wordpress01:443
log {
        output file /var/log/caddy/log_https_domain.com.log
        }
}

On backend container wordpress01, for example:

domain.com
root * /var/www/
log {
        output file /var/log/caddy/domain.com.log
        }
file_server

3. The problem I’m having:

I would like to create a reverse proxy and backends using only Caddy instances.
I have an LXD host with a proxy command to redirect requests from ports 80 and 443 to my reverse proxy container, and from there on to the container by hostname. On the right backend container, I provide a simple Caddyfile to serve, for example, a WordPress installation or other applications.

4. Error messages and/or full log output:

At each request

On reverse proxy
tail -f /var/log/caddy/log_https_domain.com.log

2020/03/17 19:13:55.695	ERROR	http.log.access.log1	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:48270", "host": "domain.com", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [17/Mar/2020:19:13:55 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 5.025220824, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}
2020/03/17 19:13:56.367	ERROR	http.log.access.log1	handled request	{"request": {"method": "GET", "uri": "/favicon.ico", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:48270", "host": "domain.com", "headers": {"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"], "Accept": ["image/webp,*/*"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Te": ["trailers"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [17/Mar/2020:19:13:56 +0000] \"GET /favicon.ico HTTP/2.0\" 502 0", "latency": 0.005896485, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

tail -f /var/log/caddy/log_http_domain.com.log

2020/03/17 19:17:34.185	ERROR	http.log.access.log1	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:48280", "host": "alainponcel.fr", "headers": {"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "alainponcel.fr"}}, "common_log": "127.0.0.1 - - [17/Mar/2020:19:17:34 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.004566808, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

On backend:

2020/03/17 19:21:09 http: TLS handshake error from 10.244.32.196:36814: no certificate available for 'wordpress01'
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45 [INFO][cache:0xc0006388c0] Started certificate maintenance routine
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45.075        INFO        http        enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45.076        INFO        tls        cleaned up storage units
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45.076        INFO        http        enabling automatic TLS certificate management        {"domains": ["domain.com"]}
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45 [WARNING] Stapling OCSP: no OCSP stapling for [domain.com]: parsing OCSP response: ocsp: error from server: unauthorized
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45.146        INFO        autosaved config        {"file": "/var/lib/caddy/.config/caddy/autosave.json"}
Mar 17 19:28:45 wordpress01 caddy[3025]: 2020/03/17 19:28:45.146        INFO        serving initial configuration

and

root@wordpress01:~# curl -i https://localhost
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
root@wordpress01:~# curl -i http://localhost
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://localhost/
Server: Caddy
Date: Tue, 17 Mar 2020 19:26:13 GMT
Content-Length: 0

5. What I already tried:

I tried to create a simple web server instead of reverse_proxy on container01 and it works. But when I changed it to reverse_proxy, it did not work. I tried many configurations found on this community, but they don’t work. I’m very sorry.
I don’t know if I need to configure something differently. Do I need to disable HTTPS on the reverse proxy? I don’t know how to configure that in the Caddyfile; I see documentation about the JSON configuration.
But what is the best practice to optimize security? Encryption on the reverse proxy and encryption on the backend too?

I just tried to add:

    header {
        Strict-Transport-Security max-age=31536000; includeSubDomains; preload
        Host {http.request.host}
        X-Forwarded-Proto {http.request.scheme}
        X-Forwarded-For {http.request.remote}
        X-Real-IP {http.request.remote}
    }

or

        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-For {remote}
        header_up X-Real-IP {remote}

Still not working…

Other effort, create an account on this community :stuck_out_tongue:

6. Links to relevant resources:

https://github.com/caddyserver/caddy/issues/3147

Thanks

I think for your proxy the simplest approach is to just do this:

domain.com {
    reverse_proxy wordpress01:80
    log {
        output file /var/log/caddy/log_domain.com.log
    }
}

Your reverse proxy should terminate TLS and just connect to your wordpress container over HTTP. It will also redirect any http:// connections to https:// (which frankly is the right approach, you shouldn’t let people keep connecting to your server over HTTP).

Alternatively, with Caddy v2 beta 17, you can enable internal TLS with tls internal which sets up a CA. You can install the CA’s root certificate to your proxy’s trust store so that it will trust connections to your backend service. Then, your proxy Caddyfile would look like this:

domain.com {
    reverse_proxy wordpress01:443 {
        transport http {
            tls_trusted_ca_certs path/to/root/ca/cert.pem
        }
    }
    log {
        output file /var/log/caddy/log_domain.com.log
    }
}

Hello, thanks!

I created a cert.pem, stored it, and changed the reverse proxy config:

domain.com {
reverse_proxy wordpress01:443 {
        transport http {
            tls_trusted_ca_certs /etc/ssl/caddy/ca/cert.pem
        }
    }
log {
        output file /var/log/caddy/log_https_domain.com.log
        }
}

But there is still a 502 error in the log. For the backend, also running Caddy, do I need to change something?

I kept the simple Caddyfile like above, but I’m not sure now. With your explanation, I think I need to change it, but very sorry to be dumb…

Please use the caddy fmt command to format your Caddyfile when posting it here, it’s quite hard to follow without proper indentation.

What I was suggesting is to do this on your wordpress instance: Automatic HTTPS — Caddy Documentation, read the parts about local HTTPS.

To force enable it you can use tls internal (see: tls (Caddyfile directive) — Caddy Documentation).

Then look at the logs of that server, you should see the storage path to the root certificate. Copy that to your proxy and set tls_trusted_ca_certs to that file.

But really, I think all this is an unnecessary step. If you don’t understand what’s going on here, you should just proxy over HTTP (my first example). If you’re in a private network or if it’s all running on the same machine, there aren’t really any security concerns with HTTP, unless you’re also running untrusted services (you shouldn’t be).


So.
Like you said:

root@haproxy01:~# caddy fmt /etc/caddy/Caddyfile
domain.com {
	reverse_proxy wordpress01:80
	log {
		output file /var/log/caddy/log_https_domain.com.log
	}
		{
		debug
	}
}

And on the backend.

root@wordpress01:~# caddy fmt /etc/caddy/Caddyfile
localhost
root * /var/www/
log {
	output file /var/log/caddy/domain.com.log
}
file_server

And now! Ladies and gentlemen, I have:
The same error as in the issue: Fail to start caddy2, not NSS security databases found - #7 by ggilmore

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/18 03:48:06.001	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/18 03:48:06.002	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/18 03:48:06 [INFO][cache:0xc000553cc0] Started certificate maintenance routine
2020/03/18 03:48:06.010	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/18 03:48:06.010	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/18 03:48:06.027	INFO	tls	cleaned up storage units
2020/03/18 03:48:06.094	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
run: loading initial config: loading new config: pki app module: start: adding root certificate to trust store: not NSS security databases found

So I will wait for another release, I think.
And hope.
Unless you have an idea.

I will re-open this thread after.
Thanks Francis!

Just build from source on the v2 branch, we’ve already fixed that :slight_smile: we could really use your help to test it before we release it.

OK, that’s the goal for tomorrow!

I tried:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/19 19:29:29.877	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/19 19:29:29.893	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/19 19:29:29 [INFO][cache:0xc0005f1ae0] Started certificate maintenance routine
2020/03/19 19:29:29.898	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/19 19:29:29.898	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/19 19:29:29.916	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/19 19:29:29.924	INFO	tls	cleaned up storage units
2020/03/19 19:29:30.072	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/19 19:29:30.075	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/19 19:29:30.076	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/19 19:29:30.077	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/19 19:29:30.077	INFO	serving initial configuration
2020/03/19 19:29:30 [INFO][localhost] Obtain certificate; acquiring lock...
2020/03/19 19:29:30 [INFO][localhost] Obtain: Lock acquired; proceeding...
2020/03/19 19:29:30 [INFO][localhost] Certificate obtained successfully
2020/03/19 19:29:30 [INFO][localhost] Obtain: Releasing lock
2020/03/19 19:29:30 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate

Request by web browser:

2020/03/19 19:30:02 http: TLS handshake error from 10.244.32.196:39176: no certificate available for 'wordpress01'
2020/03/19 19:30:03 http: TLS handshake error from 10.244.32.196:39178: no certificate available for 'wordpress01'
root@wordpress01:~# caddy version
(devel)

@matt is this when on_demand comes into play with tls internal?

Huh? What’s the config being used exactly?

Which config?

reverse_proxy LXD container01:

domain.com {
	reverse_proxy wordpress01:80
	log {
		output file /var/log/caddy/domain.com.log
	}
		{
		debug
	}
}

And backend LXD container wordpress01:

localhost
root * /var/www/
log {
        output file /var/log/caddy/domain.com.log
}
file_server

Caddy built from GitHub.

Which one gives you the errors?

For your wordpress container, I think you should instead do this:

:443

tls internal {
    on_demand
}

root * /var/www/
log {
        output file /var/log/caddy/domain.com.log
}
file_server

If I’m not mistaken, that should allow any connection on port 443, using the internal CA to issue certificates on demand for whatever host is requested.

Now:

Reverse Proxy Frontend LXD container:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/19 22:30:50.480	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/19 22:30:50.482	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/19 22:30:50.483	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/19 22:30:50.483	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/19 22:30:50 [INFO][cache:0xc0004abbd0] Started certificate maintenance routine
2020/03/19 22:30:50.485	INFO	tls	cleaned up storage units
2020/03/19 22:30:50.486	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/19 22:30:50.501	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/19 22:30:50.501	INFO	serving initial configuration

Backend LXD container wordpress:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/19 22:30:53.335	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/19 22:30:53.337	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/19 22:30:53 [INFO][cache:0xc00074b9a0] Started certificate maintenance routine
2020/03/19 22:30:53.338	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/19 22:30:53.338	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/19 22:30:53.353	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/19 22:30:53.356	INFO	tls	cleaned up storage units
2020/03/19 22:30:53.469	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/19 22:30:53.470	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/19 22:30:53.470	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/19 22:30:53 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/19 22:30:53.472	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/19 22:30:53.472	INFO	serving initial configuration

And when I try in Firefox, I get:

The page isn't redirecting properly

    Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

    This problem can sometimes be caused by disabling or refusing to accept cookies.

And in the frontend reverse_proxy log:

2020/03/19 22:33:52.482	INFO	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:51200", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:73.0) Gecko/20100101 Firefox/73.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [19/Mar/2020:22:33:52 +0000] \"GET / HTTP/2.0\" 308 0", "latency": 0.002303113, "size": 0, "status": 308, "resp_headers": {"Server": ["Caddy", "Caddy"], "Date": ["Thu, 19 Mar 2020 22:33:52 GMT"], "Content-Length": ["0"], "Location": ["https://domain.com/"]}}

No activity on the backend.

Hello,
I updated to v2.0.0-beta.18 h1:N8CR8nO+n9Sk16CBx6ysVZWIZv0hgtU1J84st1bFWgI=
and added to the backend Caddyfile:

localhost
root * /var/www/
tls {
	on_demand
}
log {
	output file /var/log/caddy/domain.com.log
}
file_server

And I still have the same error in the backend container:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 02:05:44.655	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 02:05:44.657	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 02:05:44.658	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/21 02:05:44 [INFO][cache:0xc0002a7cc0] Started certificate maintenance routine
2020/03/21 02:05:44.672	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 02:05:44.742	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 02:05:44.788	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 02:05:44.791	INFO	tls	cleaned up storage units
2020/03/21 02:05:44.791	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 02:05:44.791	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 02:05:44.791	INFO	serving initial configuration

And on the frontend container:

2020/03/21 02:06:44.236	INFO	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:52874", "host": "domain.com", "headers": {"Upgrade-Insecure-Requests": ["1"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"]}, "tls": {"resumed": true, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:02:06:44 +0000] \"GET / HTTP/2.0\" 308 0", "latency": 0.002299566, "size": 0, "status": 308, "resp_headers": {"Date": ["Sat, 21 Mar 2020 02:06:44 GMT"], "Content-Length": ["0"], "Server": ["Caddy", "Caddy"], "Location": ["https://domain.com/"]}

Sorry…

In the frontend reverse_proxy, I changed 80 to 443.

And now:
on frontend logs:

2020/03/21 07:37:53.671	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53444", "host": "domain.com", "headers": {"Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:07:37:53 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.010296563, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

and on backend container:

2020/03/21 07:37:53 http: TLS handshake error from 10.244.32.196:41970: no certificate available for 'wordpress01'

Maybe I am near a solution.

Listen to :443 instead of localhost on your wordpress backend (first line of your Caddyfile)

With :443 instead of localhost, on each browser request my backend logs:

2020/03/21 17:12:38 [INFO] Obtaining new certificate for wordpress01
2020/03/21 17:12:38 [INFO][wordpress01] Obtain certificate; acquiring lock...
2020/03/21 17:12:38 [INFO][wordpress01] Obtain: Lock acquired; proceeding...
2020/03/21 17:12:39 [INFO][wordpress01] Waiting on rate limiter...
2020/03/21 17:12:39 [INFO][wordpress01] Done waiting
2020/03/21 17:12:39 [INFO] [wordpress01] acme: Obtaining bundled SAN certificate given a CSR
2020/03/21 17:12:39 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:  (challenge=tls-alpn-01 remaining=[http-01])
2020/03/21 17:12:41 [INFO] [wordpress01] acme: Obtaining bundled SAN certificate given a CSR
2020/03/21 17:12:42 [ERROR] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:  (challenge=http-01 remaining=[])
2020/03/21 17:12:44 [INFO][wordpress01] Obtain: Releasing lock
2020/03/21 17:12:44 http: TLS handshake error from 10.244.32.196:42398: [wordpress01] Obtain: [wordpress01] acme: error: 400 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order :: Cannot issue for "wordpress01": Domain name needs at least one dot, url:

and frontend:

2020/03/21 17:13:05.959	ERROR	http.log.error.log0	remote error: tls: internal error	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53864", "host": "domain.com", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "4iqeqncyf", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 17:13:05.960	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53864", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:17:13:05 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 4.556397078, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

You can’t use Let’s Encrypt to get a certificate for wordpress01, so use the local issuer instead:

tls internal {
   on_demand
}

This is documented here: Automatic HTTPS — Caddy Documentation and here: tls (Caddyfile directive) — Caddy Documentation

I already posted my backend config, as you can see:

localhost
root * /var/www/
tls {
	on_demand
}
log {
	output file /var/log/caddy/domain.com.log
}
file_server
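
Added example (not part of the original thread, and not Caddy project code): a small Python triage script that classifies the three failure shapes seen in the logs above, namely the 308 redirect loop, the 502 with "no certificate available" on the backend, and the ACME rejection for a dotless name. The sample lines are constructed by shortening log lines from this thread; the function names and finding labels are invented for the example.

```python
import json
import re

# Constructed samples: shortened copies of the log shapes posted in this thread.
FRONTEND_LOG = [
    '2020/03/19 22:33:52.482\tINFO\thttp.log.access.log0\thandled request\t'
    '{"request": {"method": "GET", "uri": "/", "host": "domain.com", '
    '"tls": {"server_name": "domain.com"}}, "status": 308, '
    '"resp_headers": {"Server": ["Caddy", "Caddy"], '
    '"Location": ["https://domain.com/"]}}',
    '2020/03/21 07:37:53.671\tERROR\thttp.log.access.log0\thandled request\t'
    '{"request": {"method": "GET", "uri": "/", "host": "domain.com", '
    '"tls": {"server_name": "domain.com"}}, "status": 502, '
    '"resp_headers": {"Server": ["Caddy"]}}',
]
BACKEND_LOG = [
    "2020/03/21 07:37:53 http: TLS handshake error from 10.244.32.196:41970: "
    "no certificate available for 'wordpress01'",
    '2020/03/21 17:12:39 [ERROR] acme: error: 400 :: POST :: '
    'https://acme-v02.api.letsencrypt.org/acme/new-order :: '
    'urn:ietf:params:acme:error:rejectedIdentifier :: Error creating new order '
    ':: Cannot issue for "wordpress01": Domain name needs at least one dot',
]

NO_CERT = re.compile(
    r"TLS handshake error from (\S+): no certificate available for '([^']+)'")
ACME_REJECT = re.compile(r'rejectedIdentifier.*Cannot issue for "([^"]+)"')
REDIRECTS = {301, 302, 307, 308}


def classify_frontend(line):
    """Classify one proxy access-log line: ts, level, logger, msg, JSON (tab-separated)."""
    parts = line.split("\t", 4)
    if len(parts) < 5 or parts[3] != "handled request":
        return None
    try:
        entry = json.loads(parts[4])
    except json.JSONDecodeError:
        return None  # line was cut off when copied, skip it
    req = entry.get("request", {})
    scheme = "https" if "tls" in req else "http"
    requested = f"{scheme}://{req.get('host', '')}{req.get('uri', '')}"
    location = (entry.get("resp_headers", {}).get("Location") or [None])[0]
    status = entry.get("status")
    # Redirect back to the URL the client already asked for: the proxy is
    # speaking plain HTTP to a backend that redirects HTTP to HTTPS.
    if status in REDIRECTS and location == requested:
        return ("redirect_loop", requested)
    # 502: the proxy could not complete the request to the upstream.
    if status == 502:
        return ("upstream_failed", requested)
    return None


def classify_backend(line):
    """Classify one backend log line (plain-text Go/ACME log format)."""
    m = NO_CERT.search(line)
    if m:
        # The backend's site address does not cover the name the proxy dials.
        return ("no_cert_for_sni", m.group(2))
    m = ACME_REJECT.search(line)
    if m:
        # A public CA will not issue for this name; it needs the internal issuer.
        return ("public_ca_rejected_name", m.group(1))
    return None


def triage(frontend_lines, backend_lines):
    """Collect every finding from both containers' logs, in order."""
    found = [classify_frontend(l) for l in frontend_lines]
    found += [classify_backend(l) for l in backend_lines]
    return [f for f in found if f is not None]


if __name__ == "__main__":
    for kind, detail in triage(FRONTEND_LOG, BACKEND_LOG):
        print(f"{kind}: {detail}")
```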