Migrating TLS domain from apache to caddy (load balanced domain)

drio · September 28, 2022, 3:31pm

Hi there,

I am trying to migrate a domain from Apache to Caddy.

The setup consists of two machines behind a load balancer. The loadbalancer is load balancing https traffic to two boxes running apache.

Everything works fine when I run apache but when I run caddy it seems the loadbalancer cannot talk over https with Caddy.

I do not have control of the load balancer. What they told me is that the load balancer is performing a health check against the boxes on port 443 (GET request) and it does not get any answer.

Again, this all works fine with apache that means both ports (80 and 443) should be reachable from the loadbalancer. I can confirm locally that caddy is serving everything correctly:

$ curl -k --resolve domainhere:443:127.0.0.1 https://domainhere
Correct answer from server here

One thing that is different between how I run apache and how I run Caddy is that apache is running via docker. I expose ports 443 and 80 from the container to the host machine. When I test Caddy I do not use docker (I will in the future) and run the binary directly on the host machine(s).

I know this is very limited information but I thought I’d ask the community just in case someone has some idea what may be happening.

Thank you,
-drd

Some more info:

My Caddyfile looks like:

$ cat Caddyfile
https://domainhere https://domainhere2 {
        tls cert key
        root * /home/zuviz/caddy_test/public
        file_server
        log
}

http:/domainhere http://domainhere2 {
        root * /home/zuviz/caddy_test/public
        file_server
        log
}

I am running:

$ ./bin/caddy version
v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

drio · September 28, 2022, 3:51pm

I think I may find out what is going on.

When I look at the ports caddy is binding to, I see it is binding to :::80 and :::443. But when I compare that to apache I see 0.0.0.0:80 and 0.0.0.0:443. I think Caddy is not listening on all the interfaces.

I have tried to use bind 0.0.0.0 but that doesn’t work. How can I tell caddy to bind to all the interfaces?

matt · September 28, 2022, 5:13pm

Caddy binds on all the interfaces by default. Apache is just binding to IPv4 and Caddy is binding to “all” which depending on your kernel config might be IPv6, as it seems to be in your case.

drio · September 28, 2022, 5:30pm

Thank you, Matt. How can I make Caddy bind to all the IPv4 interfaces?

Compare the netstat outputs for apache and caddy:

# CADDY
netstat -antl | grep LISTEN | grep -P "80|443"
2022/09/28 17:27:40.749 INFO    using adjacent Caddyfile
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN

# APACHE
   $ netstat -antl | grep LISTEN | grep -P "80|443"
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN

matt · September 28, 2022, 5:32pm

You can either hard-code it with bind [::] 0.0.0.0 or read this thread for more info:

github.com/moby/moby

Port redirecting binding to IPv6 but not IPv4 interfaces.

opened 01:40PM - 11 Oct 13 UTC

closed 03:08PM - 24 Mar 17 UTC

marklit

exp/expert kind/bug area/networking

Is there a way I can tell docker to only bind redirected ports to IPv4 interface…s? I have a machine running with IPv6 disabled: ``` # echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6 # echo '1' > /proc/sys/net/ipv6/conf/lo/disable_ipv6 # echo '1' > /proc/sys/net/ipv6/conf/all/disable_ipv6 # echo '1' > /proc/sys/net/ipv6/conf/default/disable_ipv6 # /etc/init.d/networking restart ``` `ifconfig` reports there are no IPv6-enabled interfaces: ``` # ifconfig docker0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:172.17.42.1 Bcast:0.0.0.0 Mask:255.255.0.0 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:1372 errors:0 dropped:0 overruns:0 frame:0 TX packets:7221 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:88091 (88.0 KB) TX bytes:10655750 (10.6 MB) eth0 Link encap:Ethernet HWaddr 04:01:08:c1:b1:01 inet addr:198.XXX.XXX.XXX Bcast:198.199.90.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:97602 errors:0 dropped:4 overruns:0 frame:0 TX packets:15362 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:141867997 (141.8 MB) TX bytes:1376970 (1.3 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) lxcbr0 Link encap:Ethernet HWaddr 9e:51:04:ed:13:d4 inet addr:10.0.3.1 Bcast:10.0.3.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) ``` When I launch a new docker container and ask it to port forward 8000 to 8000 in the container it does so only on IPv6 interfaces. Is there a way to make it only bind to IPv4 interfaces? ``` # docker run -p 8000:8000 -i -t colinsurprenant/ubuntu-raring-amd64 /bin/bash ``` When I check with `lsof` it says that only IPv6-related bindings have been made: ``` # lsof -OnP | grep LISTEN sshd 1275 root 3u IPv4 ... TCP *:22 (LISTEN) sshd 1275 root 4u IPv6 ... TCP *:22 (LISTEN) dnsmasq 2975 lxc-dnsmasq 7u IPv4 ... TCP 10.0.3.1:53 (LISTEN) docker 9629 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9630 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9631 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9632 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9633 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9634 root 7u IPv6 ... TCP *:8000 (LISTEN) docker 9629 9698 root 7u IPv6 ... TCP *:8000 (LISTEN) ```

drio · September 28, 2022, 6:00pm

That was a long thread!

What I tried based on reading that thread was to use caddy via docker.
When I do that, then I see caddy binding to 80 and 443 on IPv4.

 $ netstat -antl | grep LISTEN | grep -P "80|443"
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN

Unfortunately the loadbalancer keeps dropping the connection. I will keep digging. Let me know if you have more ideas about how to troubleshoot.

emilylange · September 28, 2022, 11:23pm

You could try setting docs/caddyfile/options#default-sni and see if it changes anything.

It could very much be, that the mentioned health check doesn’t send a SNI.
Caddy won’t respond to https requests that omit their SNI or have it set to something Caddy isn’t configured to serve - at least by default.

You can test that yourself by running the following on your Caddy machine:

❯ curl https://127.0.0.1 -k

curl will send 127.0.0.1 as SNI, but your Caddy isn’t configured to serve that - so it won’t and curl returns an error.

Or you could also use --resolve, just like you did in your opening post, but with a hostname that you aren’t serving to yield the same error:

❯ curl -k https://example.com -v --resolve example.com:443:127.0.0.1

Also, :::443 and :::80 is listing on both IPv4 and IPv6 - no need to worry.
You actually tested that before by running --resolve domainhere:443:127.0.0.1 - which is IPv4 and you said worked

drio · September 29, 2022, 11:09am

Success!

That was it @emilylange. Thank you so much for taking the time to read the thread and respond.

The solution, as @emilylange suggested was to add a default_sni global option to the caddyfile.

-drd

system · October 28, 2022, 3:32pm

This topic was automatically closed after 30 days. New replies are no longer allowed.