Changed that. Still getting the 502 error.
Thanks for the tip
Also, good to know.
I had hoped to highlight only the minimal parts of my Caddyfile that are relevant to solving the mTLS puzzle, but for the sake of completeness, here are the relevant parts of my Caddyfile, including the global section and snippets, which relate to the udance.com.au domain.
# Global options: ACME account e-mail, DNS-01 challenge through Cloudflare
# (API token redacted) and JSON logging with ISO-8601 timestamps.
{
	email basil.hendroff@udance.com.au
	# The DNS challenge is what allows the *.udance.com.au wildcard
	# certificate used by the wildcard site block further down.
	acme_dns cloudflare [REDACTED]
	# debug  (uncomment for verbose logs while troubleshooting the 502)
	log {
		format json {
			time_format iso8601
		}
	}
}
#----------------------------------------------------------------------
# Snippet : Description : Arguments
#----------------------------------------------------------------------
# authorise : Basic authentication : subdirectory
# logging : Rolling access log : subdomain
# online : Domain availability : {yes|no|split}
# authorise: HTTP basic auth on the path matcher passed as {args.0}
# (e.g. /phpmyadmin*). Only one user, "admin", is defined; its password
# hash is redacted here.
(authorise) {
	basicauth {args.0} {
		admin [REDACTED]
	}
}
# logging: per-site JSON access log written to /var/log/caddy/<args.0>.log,
# rolled at 100 MiB, keeping at most 10 rolled files for 90 days.
(logging) {
	log {
		format json {
			time_format iso8601
		}
		output file /var/log/caddy/{args.0}.log {
			roll_size 100MiB # Default 100MiB
			roll_keep 10 # Default 10
			roll_keep_for 90d # Default 90d
		}
	}
}
# Canonical host: permanently redirect www to the apex domain, keeping
# the original request URI.
www.udance.com.au {
	redir https://udance.com.au{uri} permanent
}
# Apex site: path-based routing. The map picks a backend from the request
# path; map runs early in Caddy's directive order, so {backend} and {online}
# are populated before the handle blocks and reverse_proxy below run.
udance.com.au {
	encode gzip zstd
	import logging udance.com.au
	# Basic auth on /phpmyadmin and everything beneath it.
	import authorise /phpmyadmin*
	map {path} {backend} {online} {
		# PATH BACKEND ONLINE
		#---------------------------------------------------------------
		# Regexes are tried in order; the last row is a catch-all, so every
		# path not listed above it is proxied to 10.1.1.55:80.
		~^/tautulli.* 10.1.1.26:8181 yes
		~^/transmission.* 10.1.1.28:9091 yes
		~^/.* 10.1.1.55:80 yes
	}
	# Offline handling
	# handle blocks at one level are mutually exclusive: the first match wins.
	@offline expression `{online} == "no"`
	handle @offline {
		redir https://udance.statuspage.io temporary
	}
	# "split": only clients from the two LAN ranges reach the backend;
	# everyone else is sent to the status page.
	@split {
		expression `{online} == "split"`
		not remote_ip 10.1.1.0/24 10.1.2.0/24
	}
	handle @split {
		redir https://udance.statuspage.io temporary
	}
	# Plain HTTP to the backend chosen by the map.
	reverse_proxy {backend}
}
# Wildcard site: every name under udance.com.au is served here, using the
# wildcard certificate issued through the DNS challenge in the global
# options. The left-most hostname label selects the backend via the map.
*.udance.com.au {
	encode gzip zstd
	import logging udance.com.au
	# {labels.3} is the left-most label of "<name>.udance.com.au" (labels are
	# numbered from the right: labels.0 = au). map runs early in Caddy's
	# directive order, so {backend}/{online}/{mtls}/{phpmyadmin} are set
	# before any of the handle/route blocks below are evaluated.
	map {labels.3} {backend} {online} {mtls} {phpmyadmin} {
		# HOSTNAME BACKEND ONLINE mTLS PHPMYADMIN #COMMENT
		#---------------------------------------------------------------
		# Docker containers
		office 10.1.1.13:8880 yes no no # OnlyOffice
		portainer 10.1.1.13:9000 yes no no # Portainer
		truecommand 10.1.1.13:8080 yes no no # TrueCommand
		tc123 10.1.1.13:8082 yes no no # TrueCommand v1.2.3
		nc-fpm 10.1.1.13:8031 yes no no # Nextcloud+Caddy
		wordpress 10.1.1.13:5050 yes no no # WordPress
		nc-apache 10.1.1.13:8030 yes no no # Nextcloud+Apache
		collabora 10.1.1.13:9980 yes no no # Collabora
		# Jails
		rslsync 10.1.1.22:8888 yes no no # Resilio Sync
		cloud 10.1.1.29:80 yes no no # Nextcloud
		heimdall 10.1.1.23:80 yes no no # Heimdall
		blog 10.1.1.54:80 yes no yes # blog.udance.com.au
		# test is the only row with mTLS=yes: see the "Secure backend" route.
		test 10.1.1.50:443 yes yes yes # test.udance.com.au
		basil 10.1.1.56:80 yes no yes # basil.udance.com.au
		sachika 10.1.1.57:80 yes no yes # sachika.udance.com.au
		# Any other subdomain: backend "unknown" is refused with 403 below
		# rather than being proxied anywhere.
		default unknown yes no no # subdomain does not exist
	}
	# Error handling
	# handle blocks at the same level are mutually exclusive (first match
	# wins), so a host matching @phpmyadmin never reaches @nc-apache/@hsts.
	# That is fine for the rows above (cloud and nc-apache have PHPMYADMIN=no)
	# but worth remembering when adding rows.
	@unknown expression `{backend} == "unknown"`
	handle @unknown {
		respond "Denied" 403
	}
	# Site offline
	@offline expression `{online} == "no"`
	handle @offline {
		redir https://udance.statuspage.io temporary
	}
	# "split": only clients from the two LAN ranges reach the backend.
	# (No row currently uses "split"; kept for parity with the apex site.)
	@split {
		expression `{online} == "split"`
		not remote_ip 10.1.1.0/24 10.1.2.0/24
	}
	handle @split {
		redir https://udance.statuspage.io temporary
	}
	# Authenticate phpMyAdmin on production WordPress sites
	# basicauth is not terminal, so the request continues to the routes below.
	@phpmyadmin expression `{phpmyadmin} == "yes"`
	handle @phpmyadmin {
		import authorise /phpmyadmin*
	}
	# Fix when using the Nextcloud+Apache Docker image with Caddy.
	@nc-apache host nc-apache.udance.com.au
	handle @nc-apache {
		redir /.well-known/carddav /remote.php/carddav 301
		redir /.well-known/caldav /remote.php/caldav 301
	}
	# Enable HSTS for Nextcloud
	# The trailing ';' becomes part of the header value. RFC 6797 tolerates
	# the empty directive, but `max-age=31536000` is the conventional form.
	@hsts host cloud.udance.com.au
	handle @hsts {
		header {
			Strict-Transport-Security max-age=31536000;
		}
	}
	# Secure backend communication
	# NOTE(review): this transport only turns on TLS *to* the backend. No
	# tls_client_auth is configured, so Caddy presents no client certificate;
	# if 10.1.1.50:443 requires one, the handshake fails and reverse_proxy
	# answers 502. The backend's certificate is presumably verified against
	# the dialled address (an IP here) unless tls_server_name names the
	# hostname it was issued for — confirm with the `debug` global option.
	route {
		@mtls expression `{mtls} == "yes"`
		handle @mtls {
			reverse_proxy {backend} {
				# Host is rewritten to the upstream's IP:port; the original
				# Host is preserved in X-Forwarded-Host instead.
				header_up Host {http.reverse_proxy.upstream.hostport}
				header_up X-Forwarded-Host {host}
				transport http {
					tls
				}
			}
		}
	}
	# Unsecured backend communication
	# Plain HTTP to the backend for every row with mTLS=no.
	route {
		@nomtls expression `{mtls} == "no"`
		handle @nomtls {
			reverse_proxy {backend}
		}
	}
}