Need help configuring caddy & l4 for git ssh access on domain

1. The problem I’m having:

I’m trying to use caddy-l4 to set up a OneDev server. Until now I used my IP address for SSH (ssh://1.2.3.4:661/repo), but I want to use the domain name instead.

I figured out I can direct the requests to either the http port or the ssh port with layer4, and while I managed to make the http direct work, I’m having issues with the ssh one.

2. Error messages and/or full log output:

Nothing gets printed in the logs

3. Caddy version:

4. How I installed and ran Caddy:

sudo apt install caddy

then

xcaddy build --with github.com/caddy-dns/cloudflare --with github.com/mholt/caddy-dynamicdns --with github.com/mholt/caddy-l4 --with github.com/pieterlouw/caddy-net (I did replace the original caddy executable with the new one)

a. System environment:

Ubuntu 20.04, with systemd

b. Commands

systemctl restart/start caddy
caddy reload

c. Service/unit/compose file:

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.
{
	debug
	acme_dns cloudflare abcdf
	dynamic_dns {
		provider cloudflare abcdf
		domains {
			example.com @ www
		}
		dynamic_domains
	}
	layer4 {
		0.0.0.0:587 {
			route {
				proxy localhost:1507
			}
		}
		0.0.0.0:993 {
			route {
				proxy localhost:1903
			}
		}
		0.0.0.0:6612 {
			route {
				proxy localhost:6611
			}
		}

		0.0.0.0:6612 {
			@ssh ssh
			route @ssh {
				proxy localhost:6611
			}
			@ui http
			route @ui {
				proxy localhost:6610
			}
		}
	}
}

mail.example.com {
	tls internal {
		key_type rsa2048
	}

	# Optional, can be useful for troubleshooting
	# connection to Caddy with correct certificate:
	respond "Hello DMS"
}

example.com {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

docker.example.com {
	reverse_proxy localhost:9000
}

it.example.com {
	reverse_proxy 172.17.0.3:80
}

git.example.com {
	reverse_proxy localhost:6612
}

gpt.example.com {
	reverse_proxy localhost:3080
}

gptproxy.example.com {
	reverse_proxy localhost:8121
}

stats.example.com {
	reverse_proxy 172.20.0.2:3000
}

5. Links to relevant resources:

Howdy @nitanmarcel,

Just to clarify, you say you can connect over HTTP but you’re having issues with SSH.

What issues are you running into? Can you document / demonstrate them for us?


Apparently I was connecting the wrong way with SSH, by not providing the right port. I also made some modifications: I moved my sshd port to 6662 and used 22 for layer4, and it works perfectly fine, I can clone with SSH by just using my domain.

I did encounter another issue with the certificate. I can’t seem to make it work with caddy auto certificate and layer4.

More exactly, I can’t figure out how to properly use caddy for TLS and layer4 for proxying, without having caddy handle the request.

{
	debug
	acme_dns cloudflare 1234 
	dynamic_dns {
		provider cloudflare 1234
		domains {
			marcelsoftware.dev @ www
		}
		dynamic_domains
	}
	layer4 {
		0.0.0.0:587 {
			route {
				proxy localhost:1507
			}
		}
		0.0.0.0:993 {
			route {
				proxy localhost:1903
			}
		}
		0.0.0.0:6612 {
			route {
				proxy localhost:6611
			}
		}

		:443 {
			@secure tls sni git.marcelsoftware.dev
			route @secure {
				proxy :6610
			}
			@ssh ssh
			route @ssh {
				proxy :6611
			}
		}
	}
}

git.marcelsoftware.dev {
	tls mail@marcelsoftware.dev {
		on_demand
	}
}

When you use on_demand, you’re telling Caddy “don’t try to fetch a cert right away, only do it if you have a TLS connection come in”. Then you use layer4 on port :443 which intercepts those TLS bytes and proxies it, so no connections ever make it to Caddy’s TLS handshake logic which would trigger cert issuance.

Just remove on_demand. You should only use it if you don’t know the domains ahead of time, i.e. you’re having customers point their domains to your server and you can’t have Caddy issue the certs up-front because it needs to be dynamic. That’s not your situation, you know your domain, so no need for on-demand.

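As an added illustration (not code from the thread, from Caddy or from caddy-l4), the script below does by hand what the `@ssh ssh` and `@secure tls sni ...` matchers in the posted `:443` layer4 block do: it peeks at the first bytes of a connection, recognises an SSH identification string or parses the SNI out of a TLS ClientHello, and picks the upstream. The upstream names and the constructed ClientHello bytes are assumptions for the example. It also makes the last reply concrete: a raw-TCP matcher only reads the ClientHello and forwards it, it never completes a handshake, so a passthrough on :443 never gives Caddy's own TLS stack a connection that would trigger on-demand issuance.

```python
"""Added example: minimal SSH/TLS-SNI peeking like caddy-l4's matchers.
All sample bytes are constructed here; nothing touches the network."""
import struct
from typing import Dict, Optional

TLS_HANDSHAKE = 0x16     # TLS record type for handshake messages
CLIENT_HELLO = 0x01      # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension (RFC 6066)

# Assumed upstreams, mirroring the posted config's targets.
SNI_ROUTES: Dict[str, str] = {"git.example.com": "localhost:6610"}
SSH_UPSTREAM = "localhost:6611"


def is_ssh(data: bytes) -> bool:
    """SSH clients send 'SSH-protoversion-software' in the clear first (RFC 4253)."""
    return data.startswith(b"SSH-")


def tls_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a TLS ClientHello, or None for anything else.
    Every read is bounds-checked so truncated or garbage input yields None."""
    try:
        if len(data) < 5 or data[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]      # record: type(1) ver(2) len(2)
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(body[1:4], "big")         # handshake: type(1) len(3)
        hello = body[4:4 + hs_len]
        pos = 2 + 32                                      # client_version + random
        pos += 1 + hello[pos]                             # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                             # compression_methods
        if pos + 2 > len(hello):
            return None                                   # no extensions block
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type == EXT_SERVER_NAME:
                # ServerNameList: list_len(2) name_type(1)=host_name name_len(2) name
                if len(ext) < 5 or ext[2] != 0:
                    return None
                name_len = struct.unpack("!H", ext[3:5])[0]
                return ext[5:5 + name_len].decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(first_bytes: bytes, sni_routes: Dict[str, str], ssh_upstream: str) -> Optional[str]:
    """Decide the upstream the way the posted ':443' block does: SSH to the git
    daemon, TLS by SNI, anything unmatched is dropped (None)."""
    if is_ssh(first_bytes):
        return ssh_upstream
    sni = tls_sni(first_bytes)
    return sni_routes.get(sni) if sni is not None else None


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying only an SNI extension
    (constructed sample input, not a capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_body = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    hello = (b"\x03\x03" + bytes(32)                       # version + all-zero random
             + b"\x00"                                     # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
             + b"\x01\x00"                                 # null compression only
             + struct.pack("!H", len(ext)) + ext)
    handshake = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        ("ssh", b"SSH-2.0-OpenSSH_9.6\r\n"),
        ("tls git", build_client_hello("git.example.com")),
        ("tls other", build_client_hello("mail.example.com")),
        ("plain http", b"GET / HTTP/1.1\r\nHost: git.example.com\r\n\r\n"),
    ]
    for label, sample in samples:
        print(f"{label:10} -> {route(sample, SNI_ROUTES, SSH_UPSTREAM)}")
```

The plain-HTTP sample is routed nowhere, which is what you would observe from the original `git.example.com { reverse_proxy localhost:6612 }` attempt if a layer4 server on the same port only had `ssh` and `tls` matchers: nothing matches, so nothing is logged by the matched routes either.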