LXC and reverse proxy

Yes, and? :face_with_monocle:

(and I thought you had changed localhost to :443)

1 Like

Sorry Matt, but read the post above. Obviously I’m not an expert, so I sent all I have, each time, and nothing works. I would like to help, but I don’t know how.

With the last backend config, I have:

localhost
root * /var/www/
tls {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

and frontend config:

{
        debug
}

domain.com {
        reverse_proxy wordpress01:443
        log {
                output file /var/log/caddy/domain.com.log
        }
}

And logs frontend:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:42.024	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:42.047	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:42 [INFO][cache:0xc000694aa0] Started certificate maintenance routine
2020/03/21 18:27:42.047	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/21 18:27:42.047	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:27:42.048	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/21 18:27:42.062	INFO	tls	cleaned up storage units
2020/03/21 18:27:42.063	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:42.063	INFO	serving initial configuration
2020/03/21 18:27:48.316	ERROR	http.log.error.log0	remote error: tls: internal error	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "2vtezdphd", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 18:27:48.316	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:18:27:48 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.003536149, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

and backend logs:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:39.356	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:39.358	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:39.359	INFO	tls	setting internal issuer for automation policy that has only internal subjects but no issuer configured	{"subjects": ["localhost"]}
2020/03/21 18:27:39 [INFO][cache:0xc000243ef0] Started certificate maintenance routine
2020/03/21 18:27:39.373	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:27:39.373	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:27:39.441	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.441	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.443	INFO	tls	cleaned up storage units
2020/03/21 18:27:39.444	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:39.444	INFO	serving initial configuration
2020/03/21 18:27:48 http: TLS handshake error from 10.244.32.196:42474: no certificate available for 'wordpress01'

We’ve asked you multiple times to switch your backend to this:

:443
root * /var/www/
tls {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server
1 Like

You’re also still not using the config I suggested!

Your responses are not being productive, because if you don’t make any changes that we recommend, we cannot make progress. Please go back and try what we have suggested first. We are volunteering our time on a weekend to help you. Please put in some effort to pay attention to what we are recommending to make this work.

localhost
root * /var/www/
tls internal
log {
        output file /var/log/caddy/domain.com.log
}
file_server

logs after browser request:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:49:31.428	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:49:31.430	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:49:31 [INFO][cache:0xc0004b7f40] Started certificate maintenance routine
2020/03/21 18:49:31.446	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:49:31.523	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31 define JAVA_HOME environment variable to use the Java trust
2020/03/21 18:49:31.524	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31.526	INFO	tls	cleaned up storage units
2020/03/21 18:49:31.526	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31.529	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:49:31.529	INFO	serving initial configuration
2020/03/21 18:49:31 [INFO][localhost] Renew certificate; acquiring lock...
2020/03/21 18:49:31 [INFO][localhost] Renew: Lock acquired; proceeding...
2020/03/21 18:49:31 [INFO][localhost] Renew: -11h12m26.531791496s remaining
2020/03/21 18:49:31 [INFO][localhost] Certificate renewed successfully
2020/03/21 18:49:31 [INFO][localhost] Renew: Releasing lock
2020/03/21 18:49:31 [INFO] Reloading managed certificate for [localhost]
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31 [INFO] Replaced certificate in cache for [localhost] (new expiration date: 2020-03-22 06:49:31)
2020/03/21 18:49:44 http: TLS handshake error from 10.244.32.196:42510: no certificate available for 'wordpress01'

with:

localhost
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

logs after browser request:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:52:05.286	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:52:05.289	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:52:05 [INFO][cache:0xc000632870] Started certificate maintenance routine
2020/03/21 18:52:05.303	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 18:52:05.376	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.376	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.379	INFO	tls	cleaned up storage units
2020/03/21 18:52:05.379	INFO	http	enabling automatic TLS certificate management	{"domains": ["localhost"]}
2020/03/21 18:52:05.379	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:52:05.379	INFO	serving initial configuration
2020/03/21 18:52:10 http: TLS handshake error from 10.244.32.196:42512: no certificate available for 'wordpress01'

I really don’t understand what we have to tell you to make you understand what we’re asking; we literally gave you the exact config you need to try, but you keep using the wrong config.

This message is because your backend is only listening for connections to the localhost hostname, and only has certificates for localhost.

You need to change your site label to :443 instead of localhost (the first line in your backend Caddyfile) so that the backend will accept connections to any hostname. Then, the on_demand tls option will tell Caddy to generate a certificate for whatever hostname is requested.

This is getting very frustrating for us. It’s making us feel like we’re wasting our time. Please just use this config in your backend:

:443
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server
1 Like

It might also be helpful to try the latest artifacts for bug fixes.

@francislavoie Don’t forget internal. (Unless I’m missing something, but he’ll probably need that if he’s not using localhost.)

1 Like

Oh geez, you’re right, my bad. Edited. I was copy-pasting his config and just changing localhost to :443.

1 Like

I pasted Francis’s config suggestion, and built the latest devel version of Caddy.

backend’s log:

root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:18.955	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:18.961	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:18 [INFO][cache:0xc0007dc5a0] Started certificate maintenance routine
2020/03/21 19:23:19.060	WARN	pki.ca.local	trusting root certificate (you might be prompted for password)	{"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.060	ERROR	pki	failed to install root certificate	{"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.062	INFO	tls	cleaned up storage units
2020/03/21 19:23:19.063	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:19.063	INFO	serving initial configuration
2020/03/21 19:23:26 [WARNING] Stapling OCSP: no OCSP stapling for [wordpress01]: no OCSP server specified in certificate
2020/03/21 19:23:26 http: TLS handshake error from 10.244.32.196:42548: remote error: tls: bad certificate

frontend’s log:

root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:21.790	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:21.793	INFO	admin	admin endpoint started	{"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:21 [INFO][cache:0xc00055ddb0] Started certificate maintenance routine
2020/03/21 19:23:21.793	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/03/21 19:23:21.793	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/03/21 19:23:21.795	INFO	tls	cleaned up storage units
2020/03/21 19:23:21.795	INFO	http	enabling automatic TLS certificate management	{"domains": ["domain.com"]}
2020/03/21 19:23:21.808	INFO	autosaved config	{"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:21.808	INFO	serving initial configuration
2020/03/21 19:23:26.197	ERROR	http.log.error.log0	x509: certificate signed by unknown authority	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "8n25s07z1", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 19:23:26.197	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:19:23:26 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.072733097, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

Okay great! Now we’re finally back to this:

You’ll need to set tls_trusted_ca_certs on your frontend to the root certificate from your backend, like this:

    reverse_proxy wordpress01:443 {
        transport http {
            tls_trusted_ca_certs /etc/ssl/caddy/ca/cert.pem
        }
    }

You’ll find the root certificate in your backend in the Caddy storage directory, pki/authorities/local/root.crt. Copy that to your frontend and set the tls_trusted_ca_certs path to that file.

1 Like
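As an added illustration (not code from this thread, and not Caddy’s own code), the Go program below reproduces both outcomes in-process: it builds a private root CA and a leaf certificate for wordpress01 (standing in for what the backend’s `tls internal` with `on_demand` issues), starts an HTTPS server with that leaf, then dials it once with an empty trust store (the frontend before it has root.crt) and once with the root loaded (what `tls_trusted_ca_certs` does). The CA name, the hostname wordpress01, the use of httptest, and the `BuildPKI`/`StartBackend`/`Probe` helpers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert generates a P-256 key and a certificate from tmpl. When parent is nil
// the certificate is self-signed (our stand-in for Caddy's internal root CA);
// otherwise it is signed by parent with parentKey.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mimics what the backend's `tls internal` does: a private root CA plus
// a leaf for the hostname the proxy dials (wordpress01). It returns the trust
// pool a frontend would load from root.crt, and the backend's leaf (constructed).
func BuildPKI() (*x509.CertPool, tls.Certificate, error) {
	now := time.Now()
	root, rootKey, err := newCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Local CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	leaf, leafKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "wordpress01"},
		DNSNames:     []string{"wordpress01"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, root, rootKey)
	if err != nil {
		return nil, tls.Certificate{}, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return pool, tls.Certificate{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}, nil
}

// StartBackend runs an HTTPS server presenting the leaf, like the backend on :443.
func StartBackend(leaf tls.Certificate) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "hello from wordpress01")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf}}
	srv.StartTLS()
	return srv
}

// Probe dials the backend the way the frontend's reverse_proxy transport would:
// the chain is verified against roots and the name wordpress01.
func Probe(url string, roots *x509.CertPool) (int, error) {
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: "wordpress01"},
	}}
	resp, err := client.Get(url)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	pool, leaf, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	srv := StartBackend(leaf)
	defer srv.Close()

	// 1. Frontend without the backend's root: the failure seen in the thread.
	_, err = Probe(srv.URL, x509.NewCertPool())
	var unknown x509.UnknownAuthorityError
	fmt.Println("without root.crt:", err, "| unknown authority:", errors.As(err, &unknown))

	// 2. Frontend with root.crt loaded (tls_trusted_ca_certs): handshake succeeds.
	status, err := Probe(srv.URL, pool)
	fmt.Println("with root.crt: status", status, "err", err)
}
```

The first probe fails with the same `x509: certificate signed by unknown authority` the frontend logged, and the server side of that handshake sees `remote error: tls: bad certificate`, the line the backend logged; the second probe returns 200 because the only thing that changed is the client’s trust store. Note that the client still pins the expected name (`ServerName`), so trusting the private root does not mean accepting any certificate it issued for any host.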

Frontend and backend are not on the same “host”; they are in separate containers.

So when I copy the root.crt path of the backend, the frontend says no such file or directory.

Understood, you’ll need to copy the file to the other container.

I tried this before, and I found a way that works.

Frontend:

{
        debug
}

domain.com {
        reverse_proxy wordpress01:80
        log {
                output file /var/log/caddy/domain.com.log
        }
}

Backend:

:80
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server

So it works. But you know better than me. Does it create problems or a lack of security this way?

If I would like to access the backend container on the local network, do I need to create other rules like you said, @francislavoie, with a cert on the backend?

Thanks.

I don’t know why, but I’m not satisfied enough.

with:

{
        debug
}

domain.com {
        reverse_proxy wordpress01 {
                transport http {
                        tls_trusted_ca_certs /etc/ssl/caddy/ca/root.crt
                }
        }
        log {
                output file /var/log/caddy/domain.com.log
        }
}

logs:

ERROR	http.log.error.log0	making dial info: upstream wordpress01:: invalid dial address wordpress01:: invalid start port: strconv.ParseUint: parsing "": invalid syntax	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54650", "host": "alainponcel.fr", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "alainponcel.fr"}}}
2020/03/22 01:45:58.279	ERROR	http.log.access.log0	handled request	{"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54650", "host": "alainponcel.fr", "headers": {"Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "alainponcel.fr"}}, "common_log": "127.0.0.1 - - [22/Mar/2020:01:45:58 +0000] \"GET / HTTP/2.0\" 500 0", "latency": 0.000139918, "size": 0, "status": 500, "resp_headers": {"Server": ["Caddy"]}}

I tried this:

frontend config:

{
        debug
}

domain.com {
        reverse_proxy http://wordpress01
        log {
                output file /var/log/caddy/domain.com.log
        }
}

backend config:

:80, localhost:443 {
root * /var/www/
tls internal {
        on_demand
}
log {
        output file /var/log/caddy/domain.com.log
}
file_server
}

It works too, but I don’t know if it’s a good practice.