Yes, and?
(and I thought you had changed localhost to :443)
Sorry Matt, but read the post above. Obviously I'm not an expert, so I sent all I have, each time, and nothing works. I would like to help, but I don't know how.
With the last backend config, I have:
localhost
root * /var/www/
tls {
    on_demand
}
log {
    output file /var/log/caddy/domain.com.log
}
file_server
and frontend config:
domain.com {
    reverse_proxy wordpress01:443
    log {
        output file /var/log/caddy/domain.com.log
    }
    {
        debug
    }
}
And frontend logs:
root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:42.024 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:42.047 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:42 [INFO][cache:0xc000694aa0] Started certificate maintenance routine
2020/03/21 18:27:42.047 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/03/21 18:27:42.047 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/21 18:27:42.048 INFO http enabling automatic TLS certificate management {"domains": ["domain.com"]}
2020/03/21 18:27:42.062 INFO tls cleaned up storage units
2020/03/21 18:27:42.063 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:42.063 INFO serving initial configuration
2020/03/21 18:27:48.316 ERROR http.log.error.log0 remote error: tls: internal error {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "2vtezdphd", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 18:27:48.316 ERROR http.log.access.log0 handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:53950", "host": "domain.com", "headers": {"Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:18:27:48 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.003536149, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}
and backend logs:
root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:27:39.356 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:27:39.358 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:27:39.359 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/03/21 18:27:39 [INFO][cache:0xc000243ef0] Started certificate maintenance routine
2020/03/21 18:27:39.373 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/21 18:27:39.373 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/03/21 18:27:39.441 WARN pki.ca.local trusting root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.441 ERROR pki failed to install root certificate {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:27:39.443 INFO tls cleaned up storage units
2020/03/21 18:27:39.444 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:27:39.444 INFO serving initial configuration
2020/03/21 18:27:48 http: TLS handshake error from 10.244.32.196:42474: no certificate available for 'wordpress01'
We've asked you multiple times to switch your backend to this:
:443
root * /var/www/
tls {
    on_demand
}
log {
    output file /var/log/caddy/domain.com.log
}
file_server
You're also still not using the config I suggested!
Your responses are not being productive, because if you don't make any changes that we recommend, we cannot make progress. Please go back and try what we have suggested first. We are volunteering our time on a weekend to help you. Please put in some effort to pay attention to what we are recommending to make this work.
localhost
root * /var/www/
tls internal
log {
    output file /var/log/caddy/domain.com.log
}
file_server
logs after browser request:
root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:49:31.428 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:49:31.430 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:49:31 [INFO][cache:0xc0004b7f40] Started certificate maintenance routine
2020/03/21 18:49:31.446 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/21 18:49:31.523 WARN pki.ca.local trusting root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31 define JAVA_HOME environment variable to use the Java trust
2020/03/21 18:49:31.524 ERROR pki failed to install root certificate {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:49:31.526 INFO tls cleaned up storage units
2020/03/21 18:49:31.526 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31.529 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:49:31.529 INFO serving initial configuration
2020/03/21 18:49:31 [INFO][localhost] Renew certificate; acquiring lock...
2020/03/21 18:49:31 [INFO][localhost] Renew: Lock acquired; proceeding...
2020/03/21 18:49:31 [INFO][localhost] Renew: -11h12m26.531791496s remaining
2020/03/21 18:49:31 [INFO][localhost] Certificate renewed successfully
2020/03/21 18:49:31 [INFO][localhost] Renew: Releasing lock
2020/03/21 18:49:31 [INFO] Reloading managed certificate for [localhost]
2020/03/21 18:49:31 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/03/21 18:49:31 [INFO] Replaced certificate in cache for [localhost] (new expiration date: 2020-03-22 06:49:31)
2020/03/21 18:49:44 http: TLS handshake error from 10.244.32.196:42510: no certificate available for 'wordpress01'
with:
localhost
root * /var/www/
tls internal {
    on_demand
}
log {
    output file /var/log/caddy/domain.com.log
}
file_server
logs, after browser request:
root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 18:52:05.286 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 18:52:05.289 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 18:52:05 [INFO][cache:0xc000632870] Started certificate maintenance routine
2020/03/21 18:52:05.303 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/21 18:52:05.376 WARN pki.ca.local trusting root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.376 ERROR pki failed to install root certificate {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 18:52:05.379 INFO tls cleaned up storage units
2020/03/21 18:52:05.379 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/03/21 18:52:05.379 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 18:52:05.379 INFO serving initial configuration
2020/03/21 18:52:10 http: TLS handshake error from 10.244.32.196:42512: no certificate available for 'wordpress01'
I really don't understand what we have to tell you to make you understand what we're asking; we literally gave you the exact config you need to try, but you keep using the wrong config.
This message is because your backend is only listening for connections to the localhost hostname, and only has certificates for localhost.
You need to change your site label to :443 instead of localhost (the first line in your backend Caddyfile) so that the backend will accept connections to any hostname. Then, the on_demand tls option will tell Caddy to generate a certificate for whatever hostname is requested.
This is getting very frustrating for us. It's making us feel like we're wasting our time. Please just use this config in your backend:
:443
root * /var/www/
tls internal {
    on_demand
}
log {
    output file /var/log/caddy/domain.com.log
}
file_server
It might also be helpful to try the latest artifacts for bug fixes.
@francislavoie Don't forget internal. (Unless I'm missing something, but he'll probably need that if he's not using localhost.)
Oh geez, you're right, my bad. Edited. I was copy-pasting his config and just changing localhost to :443.
I pasted francis' config suggestion and built the latest devel version of caddy.
backend's log:
root@wordpress01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:18.955 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:18.961 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:18 [INFO][cache:0xc0007dc5a0] Started certificate maintenance routine
2020/03/21 19:23:19.060 WARN pki.ca.local trusting root certificate (you might be prompted for password) {"path": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.060 ERROR pki failed to install root certificate {"error": "not NSS security databases found", "certificate_file": "storage:pki/authorities/local/root.crt"}
2020/03/21 19:23:19.062 INFO tls cleaned up storage units
2020/03/21 19:23:19.063 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:19.063 INFO serving initial configuration
2020/03/21 19:23:26 [WARNING] Stapling OCSP: no OCSP stapling for [wordpress01]: no OCSP server specified in certificate
2020/03/21 19:23:26 http: TLS handshake error from 10.244.32.196:42548: remote error: tls: bad certificate
frontend's log:
root@haproxy01:~# caddy run --config /etc/caddy/Caddyfile
2020/03/21 19:23:21.790 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
2020/03/21 19:23:21.793 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
2020/03/21 19:23:21 [INFO][cache:0xc00055ddb0] Started certificate maintenance routine
2020/03/21 19:23:21.793 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/03/21 19:23:21.793 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/03/21 19:23:21.795 INFO tls cleaned up storage units
2020/03/21 19:23:21.795 INFO http enabling automatic TLS certificate management {"domains": ["domain.com"]}
2020/03/21 19:23:21.808 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/03/21 19:23:21.808 INFO serving initial configuration
2020/03/21 19:23:26.197 ERROR http.log.error.log0 x509: certificate signed by unknown authority {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "status": 502, "err_id": "8n25s07z1", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:363)"}
2020/03/21 19:23:26.197 ERROR http.log.access.log0 handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54024", "host": "domain.com", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "domain.com"}}, "common_log": "127.0.0.1 - - [21/Mar/2020:19:23:26 +0000] \"GET / HTTP/2.0\" 502 0", "latency": 0.072733097, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}
Okay great! Now we're finally back to this:
You'll need to set tls_trusted_ca_certs on your frontend to the root certificate from your backend, like this:
reverse_proxy wordpress01:443 {
    transport http {
        tls_trusted_ca_certs /etc/ssl/caddy/ca/cert.pem
    }
}
You'll find the root certificate in your backend in the Caddy storage directory, pki/authorities/local/root.crt. Copy that to your frontend and set the tls_trusted_ca_certs path to that file.
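As an added example (mine, not code from this thread or from Caddy itself), the Go program below reproduces the check a Go TLS client such as Caddy's reverse_proxy transport performs on the backend certificate, and shows the three outcomes this thread ran into: the backend's leaf rejected as "certificate signed by unknown authority" when no root is trusted, accepted once the backend's root is trusted (what tls_trusted_ca_certs provides), and a hostname mismatch when a certificate issued only for localhost is presented to a client dialing wordpress01 (the reason the earlier advice was to use the :443 site label with on_demand). The function names issue and verifyUpstream are my own, and the CA and certificates are generated in memory rather than read from Caddy's storage.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue returns a cert for cn/dns: a self-signed root when parent is nil (as Caddy's internal issuer does), else a leaf signed by parent.
func issue(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(12 * time.Hour), // short-lived, like the local certs in the logs
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyUpstream is the check the frontend's transport performs on the backend's certificate:
// it must chain to a trusted root (nil trusted = no tls_trusted_ca_certs) and match the dialed host.
func verifyUpstream(leaf, trusted *x509.Certificate, host string) string {
	roots := x509.NewCertPool() // an empty pool, not the system store, keeps the result deterministic
	if trusted != nil {
		roots.AddCert(trusted)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority" // the frontend's "x509: certificate signed by unknown authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch" // issued for a different name than the one dialed
	}
	return err.Error()
}
```

Copying the backend's root.crt into the frontend container and pointing tls_trusted_ca_certs at it is the equivalent of passing the root as `trusted` here.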
Frontend and backend are not on the same "host"; they are in separate containers.
So when I copy the root.crt path of the backend, the frontend says no such file or directory.
Understood, you'll need to copy the file to the other container.
I tried this before, and I found a way to make it work.
Frontend:
domain.com {
    reverse_proxy wordpress01:80
    log {
        output file /var/log/caddy/domain.com.log
    }
    {
        debug
    }
}
Backend:
:80
root * /var/www/
tls internal {
    on_demand
}
log {
    output file /var/log/caddy/domain.com.log
}
file_server
So it works. But you know better than me. Does it create problems or a lack of security this way?
If I would like to access the backend container from the local network, do I need to create other rules, like you said @francislavoie, with the cert on the backend?
Thanks.
I don't know why, but I'm not satisfied enough.
with:
domain.com {
    reverse_proxy wordpress01 {
        transport http {
            tls_trusted_ca_certs /etc/ssl/caddy/ca/root.crt
        }
    }
    log {
        output file /var/log/caddy/domain.com.log
    }
    {
        debug
    }
}
logs:
ERROR http.log.error.log0 making dial info: upstream wordpress01:: invalid dial address wordpress01:: invalid start port: strconv.ParseUint: parsing "": invalid syntax {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54650", "host": "alainponcel.fr", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"], "Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "alainponcel.fr"}}}
2020/03/22 01:45:58.279 ERROR http.log.access.log0 handled request {"request": {"method": "GET", "uri": "/", "proto": "HTTP/2.0", "remote_addr": "127.0.0.1:54650", "host": "alainponcel.fr", "headers": {"Accept-Language": ["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"], "Accept-Encoding": ["gzip, deflate, br"], "Dnt": ["1"], "Upgrade-Insecure-Requests": ["1"], "Cache-Control": ["max-age=0"], "Te": ["trailers"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:74.0) Gecko/20100101 Firefox/74.0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "alainponcel.fr"}}, "common_log": "127.0.0.1 - - [22/Mar/2020:01:45:58 +0000] \"GET / HTTP/2.0\" 500 0", "latency": 0.000139918, "size": 0, "status": 500, "resp_headers": {"Server": ["Caddy"]}}
I tried this:
frontend config:
domain.com {
    reverse_proxy http://wordpress01
    log {
        output file /var/log/caddy/domain.com.log
    }
    {
        debug
    }
}
backend config:
:80, localhost:443 {
    root * /var/www/
    tls internal {
        on_demand
    }
    log {
        output file /var/log/caddy/domain.com.log
    }
    file_server
}
It works too, but I don't know if it's good practice.