I should have tested out the modified wildcard domain before continuing. It turns out it wasn’t working the way I expected it to. Attempting to access a subdomain (when {mtls} is either yes or no) returned a blank screen.
An extract from caddy adapt --pretty for the unmodified wildcard domain block…
{
  "handle": [
    {
      "handler": "reverse_proxy",
      "upstreams": [
        {
          "dial": "{backend}"
        }
      ]
    }
  ]
}
…and from the modified wildcard domain block…
{
  "group": "group28",
  "handle": [
    {
      "handler": "subroute"
    }
  ],
  "match": [
    {
      "expression": "{mtls} == \"yes\""
    }
  ]
},
{
  "group": "group28",
  "handle": [
    {
      "handler": "subroute",
      "routes": [
        {
          "handle": [
            {
              "handler": "reverse_proxy",
              "upstreams": [
                {
                  "dial": "{backend}"
                }
              ]
            }
          ]
        }
      ]
    }
  ],
  "match": [
    {
      "expression": "{mtls} == \"no\""
    }
  ]
}
It appears the handler changed from reverse_proxy to subroute with the modified wildcard subdomain. After reviewing @matt’s wiki article Composing in the Caddyfile and with a bit of experimentation, I found that wrapping the matcher and associated handle directive in a route block fixed the issue.
This was confirmed in this caddy adapt --pretty extract:
"handle": [
  {
    "handler": "subroute",
    "routes": [
      {
        "handle": [
          {
            "handler": "subroute"
          }
        ],
        "match": [
          {
            "expression": "{mtls} == \"yes\""
          }
        ]
      }
    ]
  },
  {
    "handler": "subroute",
    "routes": [
      {
        "handle": [
          {
            "handler": "subroute",
            "routes": [
              {
                "handle": [
                  {
                    "handler": "reverse_proxy",
                    "upstreams": [
                      {
                        "dial": "{backend}"
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ],
        "match": [
          {
            "expression": "{mtls} == \"no\""
          }
        ]
      }
    ]
  }
]
This is the working wildcard subdomain Caddy block…
*.udance.com.au {
    ...
    map {labels.3} {backend} {online} {mtls} {phpmyadmin} {
        #   HOSTNAME    BACKEND         ONLINE  mTLS    PHPMYADMIN  #COMMENT
        #---------------------------------------------------------------
        ...
        # Jails
        ...
        test        10.1.1.50:80    yes     yes     yes         # test.udance.com.au
        ...
    }
    ...
    # Secure backend communication
    route {
        @mtls expression `{mtls} == "yes"`
        handle @mtls {
            # Watch this space!
        }
    }
    # Unsecured backend communication
    route {
        @nomtls expression `{mtls} == "no"`
        handle @nomtls {
            reverse_proxy {backend}
        }
    }
}
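The post above settles the question by eyeballing two caddy adapt --pretty extracts. The following is an added script, not code from the post or from Caddy, that does the same audit mechanically: it walks the nested subroute handlers in adapted JSON and lists, for each matcher expression, which terminal handler (reverse_proxy and its dial target here) a matching request ends at, flagging any subroute that has no routes at all, which is exactly what an empty handle block such as the "Watch this space!" one adapts to. The two route lists are constructed from the post's own extracts (the handle-based "group28" form and the route-wrapped form). Note what this check can and cannot tell you: both shapes wire {mtls} == "no" to reverse_proxy {backend} and leave {mtls} == "yes" with no handler, so the static walk confirms the matcher-to-handler wiring and the dead end, but it does not by itself explain why the pre-route version returned a blank screen, which the post also leaves unexplained.

```python
"""Audit a Caddy JSON config (the output of `caddy adapt --pretty`) by listing,
for each matcher expression, the terminal handler a matching request ends at.

Added example, not code from the forum post or from Caddy itself. The two route
lists below are constructed from the post's own extracts: the earlier
handle-based form (routes grouped as "group28") and the route-wrapped form.
"""
import json

# Constructed from the post's "modified wildcard domain block" extract:
# two routes in the same group, each carrying its own matcher.
HANDLE_FORM = json.loads(r'''
[
  {"group": "group28",
   "handle": [{"handler": "subroute"}],
   "match": [{"expression": "{mtls} == \"yes\""}]},
  {"group": "group28",
   "handle": [{"handler": "subroute", "routes": [
       {"handle": [{"handler": "reverse_proxy",
                    "upstreams": [{"dial": "{backend}"}]}]}]}],
   "match": [{"expression": "{mtls} == \"no\""}]}
]
''')

# Constructed from the post's working extract: one route whose handle chain
# holds two subroute handlers, one per `route { ... }` block.
ROUTE_FORM = json.loads(r'''
[
  {"handle": [
     {"handler": "subroute", "routes": [
        {"handle": [{"handler": "subroute"}],
         "match": [{"expression": "{mtls} == \"yes\""}]}]},
     {"handler": "subroute", "routes": [
        {"handle": [{"handler": "subroute", "routes": [
            {"handle": [{"handler": "reverse_proxy",
                         "upstreams": [{"dial": "{backend}"}]}]}]}],
         "match": [{"expression": "{mtls} == \"no\""}]}]}
  ]}
]
''')


def describe_handler(handler):
    """Short label for a non-subroute handler, including proxy targets."""
    name = handler.get("handler", "?")
    if name == "reverse_proxy":
        dials = ",".join(u.get("dial", "?") for u in handler.get("upstreams", []))
        return f"reverse_proxy -> {dials}"
    return name


def walk_routes(routes, matchers=()):
    """Yield (matcher_path, label) for every terminal handler reached through
    the nested subroutes, and (matcher_path, None) for a subroute that has no
    routes (an empty `handle` block adapts to exactly that)."""
    for route in routes:
        exprs = tuple(
            m["expression"] if "expression" in m else json.dumps(m, sort_keys=True)
            for m in route.get("match", [])
        )
        path = matchers + exprs
        for handler in route.get("handle", []):
            if handler.get("handler") == "subroute":
                sub = handler.get("routes", [])
                if sub:
                    yield from walk_routes(sub, path)
                else:
                    yield path, None
            else:
                yield path, describe_handler(handler)


def terminal_map(routes):
    """Map each matcher path to the list of terminal handlers it reaches."""
    result = {}
    for path, label in walk_routes(routes):
        result.setdefault(path, [])
        if label is not None:
            result[path].append(label)
    return result


def dead_ends(routes):
    """Matcher paths that reach no terminal handler at all."""
    return [path for path, labels in terminal_map(routes).items() if not labels]


if __name__ == "__main__":
    for name, routes in (("handle form", HANDLE_FORM), ("route form", ROUTE_FORM)):
        print(name)
        for path, labels in terminal_map(routes).items():
            print("  ", " && ".join(path) or "(no matcher)", "->", labels or "NOTHING")
```

To run it against a real Caddyfile, pipe `caddy adapt --pretty` to a file, load it with `json.load`, and pass the `routes` list of the relevant server (`apps.http.servers.<name>.routes`) to `terminal_map` or `dead_ends`; the matcher paths are tuples of the expression strings, so a wildcard site with many map rows still produces one line per distinct matcher chain.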