mTLS under FreeBSD

My working backend Caddyfile under Caddy 2.3.0 before adding in the mTLS constructs:

:80 {
  root * /usr/local/www/wordpress
  encode gzip
  php_fastcgi 127.0.0.1:9000 {
    env SERVER_PORT 80
  }
  file_server

  log {
    format json 
    output file /var/log/access.log {
      roll_keep 7
    }
  }

  # External access denied to these files.
  @forbidden {
    path /wp-content/uploads/*.php
    path /wp-includes/*.php
    path /wp-config.php
    path /.user.ini
    path /wp-content/debug.log
  }
  respond @forbidden 404
}

I then followed the instructions under the section Backend in the wiki article Use Caddy for local HTTPS (TLS) between front-end reverse proxy and LAN hosts. My backend Caddyfile under Caddy 2.4.0-RC.1, including the mTLS constructs:

{
  log {
    format json {
      time_format iso8601
    }
  }
#  debug

# TLS Options
  acme_ca https://acme.lan/acme/local/directory # point to ACME server
  acme_ca_root /etc/ssl/certs/root.crt  # define root certificate
}

test.lan {
  root * /usr/local/www/wordpress
  encode gzip
  php_fastcgi 127.0.0.1:9000 {
    env SERVER_PORT 80
  }
  file_server

  log {
    format json {
      time_format iso8601
    }
    output file /var/log/access.log {
      roll_keep 7
    }
  }

  # External access denied to these files.
  @forbidden {
    path /wp-content/uploads/*.php
    path /wp-includes/*.php
    path /wp-config.php
    path /.user.ini
    path /wp-content/debug.log
  }
  respond @forbidden 404
}

After restarting both frontend and backend Caddy services, I attempt to access the test site. Unfortunately, I get a 502 error.

Where to from here?

Here’s an extract of the frontend Caddy log post-restart.

{"level":"info","ts":"2021-05-09T22:55:21.393+0800","msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":"2021-05-09T22:55:21.393+0800","msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":"2021-05-09T22:55:21.950+0800","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc000344930"}
{"level":"debug","ts":"2021-05-09T22:55:21.950+0800","logger":"http.handlers.acme_server","msg":"unloading unused CA database","db_key":"local"}
{"level":"info","ts":"2021-05-09T22:55:21.952+0800","logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":"2021-05-09T22:55:21.952+0800","msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1620572122.0956097,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1620572122.1175373,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/usr/local/www/Caddyfile","line":2}
{"level":"info","ts":"2021-05-09T22:55:22.125+0800","logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":"2021-05-09T22:55:22.126+0800","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00033e850"}
{"level":"info","ts":"2021-05-09T22:55:22.155+0800","logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":"2021-05-09T22:55:22.155+0800","logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":"2021-05-09T22:55:35.176+0800","logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/09 22:55:35 Note: NSS support is not available on your platform
2021/05/09 22:55:35 define JAVA_HOME environment variable to use the Java trust
{"level":"error","ts":"2021-05-09T22:55:35.176+0800","logger":"pki.ca.local","msg":"failed to install root certificate","error":"trust not supported","certificate_file":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":"2021-05-09T22:55:35.176+0800","logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/.local/share/caddy"}
{"level":"info","ts":"2021-05-09T22:55:35.176+0800","logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.xenografix.com.au","*.udance.com.au","acme.lan","caffigoalkeeping.com.au","www.caffigoalkeeping.com","caffigoalkeeping.com","www.caffigoalkeeping.com.au","readymcgetty.com.au","www.readymcgetty.com.au","xenografix.com.au","udance.com.au","www.udance.com.au"]}
{"level":"warn","ts":"2021-05-09T22:55:35.191+0800","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [acme.lan]: no OCSP server specified in certificate"}
{"level":"info","ts":"2021-05-09T22:55:35.191+0800","logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":"2021-05-09T22:55:35.191+0800","msg":"autosaved config (load with --resume flag)","file":"/.config/caddy/autosave.json"}
{"level":"info","ts":"2021-05-09T22:55:35.191+0800","msg":"serving initial configuration"}
Successfully started Caddy (pid=77501) - Caddy is running in the background

…and an extract from the backend Caddy log post-restart:

{"level":"info","ts":"2021-05-09T22:55:57.526+0800","msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":"2021-05-09T22:55:57.526+0800","msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":"2021-05-09T22:55:57.529+0800","logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc0002c6d90"}
{"level":"info","ts":"2021-05-09T22:55:57.531+0800","logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":"2021-05-09T22:55:57.531+0800","msg":"shutdown complete","signal":"SIGTERM","exit_code":0}
{"level":"info","ts":1620572157.6563253,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1620572157.6602314,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/usr/local/www/Caddyfile","line":2}
{"level":"info","ts":"2021-05-09T22:55:57.662+0800","logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":"2021-05-09T22:55:57.663+0800","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0002de380"}
{"level":"info","ts":"2021-05-09T22:55:57.663+0800","logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":"2021-05-09T22:55:57.664+0800","logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":"2021-05-09T22:55:57.665+0800","logger":"http","msg":"enabling automatic TLS certificate management","domains":["test.lan"]}
{"level":"info","ts":"2021-05-09T22:55:57.665+0800","logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/.local/share/caddy"}
{"level":"info","ts":"2021-05-09T22:55:57.667+0800","logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":"2021-05-09T22:55:57.688+0800","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [test.lan]: no OCSP server specified in certificate"}
{"level":"info","ts":"2021-05-09T22:55:57.689+0800","msg":"autosaved config (load with --resume flag)","file":"/.config/caddy/autosave.json"}
{"level":"info","ts":"2021-05-09T22:55:57.689+0800","msg":"serving initial configuration"}
Successfully started Caddy (pid=80607) - Caddy is running in the background

There’s an error about OCSP stapling in both Caddy logs, but I’m not sure what this means. Help! Please!
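Added example, not part of the original post and not Caddy's own tooling: a small Python script that triages Caddy JSON logs like the ones quoted above. It skips the plain-text lines (the trust-store installer's messages and the "Successfully started Caddy" wrapper line), normalizes both timestamp styles that appear in these logs (Unix seconds on the lines emitted before the global `time_format iso8601` takes effect, ISO strings with a `+0800` offset afterwards) to UTC, and lists only warn- and error-level entries so the single error-level line (`failed to install root certificate`) is not lost among the warnings. The sample lines are a constructed subset copied from the frontend log above; the level ordering is an assumption based on the level names those logs use.

```python
import json
from datetime import datetime, timezone

# Constructed sample: a subset of the frontend log lines quoted in the post,
# including two non-JSON lines that Caddy's trust installer / start wrapper print.
SAMPLE_LOG = r'''{"level":"info","ts":1620572122.0956097,"msg":"using provided configuration","config_file":"/usr/local/www/Caddyfile","config_adapter":"caddyfile"}
{"level":"warn","ts":1620572122.1175373,"msg":"input is not formatted with 'caddy fmt'","adapter":"caddyfile","file":"/usr/local/www/Caddyfile","line":2}
{"level":"warn","ts":"2021-05-09T22:55:35.176+0800","logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
2021/05/09 22:55:35 Note: NSS support is not available on your platform
{"level":"error","ts":"2021-05-09T22:55:35.176+0800","logger":"pki.ca.local","msg":"failed to install root certificate","error":"trust not supported","certificate_file":"storage:pki/authorities/local/root.crt"}
{"level":"warn","ts":"2021-05-09T22:55:35.191+0800","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [acme.lan]: no OCSP server specified in certificate"}
{"level":"info","ts":"2021-05-09T22:55:35.191+0800","msg":"serving initial configuration"}
Successfully started Caddy (pid=77501) - Caddy is running in the background
'''

# Assumed severity ordering for the level names seen in these logs.
LEVEL_ORDER = {"debug": 0, "info": 1, "warn": 2, "error": 3, "fatal": 4}


def parse_timestamp(ts):
    """Normalize Caddy's two ts encodings (Unix seconds or ISO 8601 string) to UTC."""
    if isinstance(ts, (int, float)):
        return datetime.fromtimestamp(ts, tz=timezone.utc)
    if isinstance(ts, str):
        # %z accepts the "+0800" form used in the quoted logs.
        for fmt in ("%Y-%m-%dT%H:%M:%S.%f%z", "%Y-%m-%dT%H:%M:%S%z"):
            try:
                return datetime.strptime(ts, fmt).astimezone(timezone.utc)
            except ValueError:
                continue
    return None


def parse_line(line):
    """Return a dict for a JSON log line, or None for plain-text lines / malformed JSON."""
    line = line.strip()
    if not line.startswith("{"):
        return None
    try:
        entry = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(entry, dict) or "level" not in entry or "msg" not in entry:
        return None
    entry["ts"] = parse_timestamp(entry.get("ts"))
    return entry


def level_counts(log_text):
    """Count parsed entries per level; useful to see how much noise sits above 'info'."""
    counts = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            counts[entry["level"]] = counts.get(entry["level"], 0) + 1
    return counts


def triage(log_text, min_level="warn"):
    """Return entries at or above min_level, keeping the fields that matter for diagnosis."""
    threshold = LEVEL_ORDER[min_level]
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or LEVEL_ORDER.get(entry["level"], 1) < threshold:
            continue
        hits.append({
            "ts": entry["ts"],
            "level": entry["level"],
            "logger": entry.get("logger", ""),
            "msg": entry["msg"],
            "error": entry.get("error", ""),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        when = f"{hit['ts']:%Y-%m-%d %H:%M:%S}Z" if hit["ts"] else "?"
        detail = f" :: {hit['error']}" if hit["error"] else ""
        print(f"{when} {hit['level']:5} {hit['logger'] or '-':14} {hit['msg']}{detail}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents; raising `min_level` to `"error"` leaves only the `pki.ca.local` failure, which separates the error-level event from the warn-level OCSP stapling message.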