Noob questions for caddy docker


(Homer Sim) #1

Hello,

I found a thread which is nearly what I wanna configure but I am struggling right at the beginning.

My setup is an nginx web server as reverse proxy. Behind it I am running nextcloud, pydio, cops, etc… all of these are running in docker containers and I love this way to run it.
My wife wanted now to test a blog writing and I surrendered after millions of trials with reversing for wordpress.

Now I found caddy and read a lot about its ease of use.

This was the start for a trial on a VM with Ubuntu Server 16.04. I set up a portainer container on port 8010 and it is accessible and working.
I then set up a caddy docker with this command

docker run -d \
--name caddy \
-v /docker/config/caddy:/etc \
-v /docker/config/caddy/.caddy:/root/.caddy \
-p 80:80 \
abiosoft/caddy:php

I did not put port 443 in it because on my lab setup I just wanted to test everything without SSL.

My first idea was to do a Caddyfile with a simple reverse proxy to port 8010 with these lines:

localhost:80, 192.168.100.44:80
proxy / 192.168.100.44:8010

This worked for the first time. After that I added a cops container on 8030; Again accessible directly with 192.168.100.44:8030

localhost:80, 192.168.100.44:80
proxy / 192.168.100.44:8010

proxy /ebooks 192.168.100.44:8030 {
transparent
}

on startup php-fpm7

I am receiving some error logs:

[11-Oct-2017 19:44:56] ERROR: failed to open configuration file ‘/etc/php7/php-fpm.conf’: No such file or directory (2)
[11-Oct-2017 19:44:56] ERROR: failed to load configuration file ‘/etc/php7/php-fpm.conf’
[11-Oct-2017 19:44:56] ERROR: FPM initialization failed

and if I try 192.168.100.44/ebooks I am receiving an error message 404 but it is a nginx message??

I appreciate every help! Thanks


(Matthew Fay) #2

Hi @Homer-Sim, welcome to the Caddy community.

While these aren’t Caddy-related issues, I should be able to help you out with configuring your Docker containers.

This one should be a simple fix: Don’t use -v /docker/config/caddy:/etc, mount your Caddyfile directly to /etc/Caddyfile or mount your folder to /etc/caddy instead.

By overwriting the entire /etc folder, you’re removing a lot of files and causing yourself more problems than you might realise (for example, you’ve also overwritten the root CA certificates, so SSL won’t work inside the container).

This is expected behaviour. Here’s what’s happening:

  1. You make a request for 192.168.100.44/ebooks. Caddy receives the request and realises it needs to proxy it to your COPS container.
  2. Caddy makes a request for 192.168.100.44:8030/ebooks. The COPS container receives the request, and the nginx server responds with Status 404 because Calibre doesn’t serve any content at /ebooks.
  3. Caddy gets the 404 from nginx and passes it faithfully back to you, the client.

So Caddy here is working fine, but the problem is that proxying /ebooks isn’t going to work (the back end application - Calibre - would have to be designed specifically with this in mind).

To get it working, you’ll need to proxy / to your COPS container instead. You might need multiple sites in your Caddyfile to achieve this.


(Homer Sim) #3

Thanks Matt,

to be honest I hoped that you would find my post because I read a lot of your other helping posts.

-v /docker/config/caddy:/etc \

I did this because normally I cannot connect single files with docker, can I? And at docker creation the Caddyfile wasn’t present …

But for sure I will follow your hints.

If I understood you right I have to separate each app with a single domain (first.mydomain.com, second.mydomain.com, third.mydomain.com ….)

A way with /ebooks is not possible even if I looked at a redir or rewrite command?!

This is normally no issue I just have to do my trials step by step. With these lines:

First trial
localhost:80, 192.168.100.44:80
proxy / 192.168.100.44:8020

Access and working test

Second trial
localhost:80, 192.168.100.44:80
proxy / 192.168.100.44:8030

Access and working test

This should tell me if I can use the config later in a merged Caddyfile with the separated URL addresses, right?

From my old setup I have already letsencrypt files. Is it as simple to just copy these into .caddy dir?

I set up my container again with your recommendation and there is still an error message

2017/10/12 15:34:30 http://192.168.100.44
2017/10/12 15:34:30 [INFO] Blocking Command with ID 3436ad89-bfe0-4a2f-a2c1-32e62ca42b94: "php-fpm7 "
2017/10/12 15:34:30 [INFO] Blocking Command with ID a1a74a47-8a29-48a9-b33c-e06a99c35599: "php-fpm7 "
2017/10/12 15:34:30 error on ‘on-a1a74a47-8a29-48a9-b33c-e06a99c35599’ hook: exit status 70

This is my new docker command:

docker run -d \
--name caddy \
-v /docker/config/caddy/Caddyfile:/etc/Caddyfile \
-v /docker/config/caddy/.caddy:/root/.caddy \
-v /docker/config/caddy/php:/srv \
-p 80:80 \
abiosoft/caddy:php


(Matthew Fay) #4

You can indeed connect single files, but there’s one quirk about it you should know. You might be familiar with the way that Docker will CREATE a folder on the host if you specify a volume mount that doesn’t exist on the host yet.

Well, since Docker has no way to tell whether you meant to mount a file or a folder, it will always assume it’s meant to be a folder, UNLESS the file already exists on the host. If that file isn’t there when you first run the container, it might cause problems if the container really expects it to be a file and not a folder.

TL;DR: Yeah you can mount files, but make sure they exist on the host before you run your container.

Yeah, that’s correct.

Well… sort of. It’s… doable. I’d recommend against it unless you’re willing to muck around with it for a number of hours and maybe end up not achieving what you’re after. If you just want your service up and running, just do a subdomain. Forewarning aside, take a look at http.filter and this thread.

Yep! Something like this:

http://url1.example.com {
  proxy / 192.168.100.44:8020
}
http://url2.example.com {
  proxy / 192.168.100.44:8030
}

Remove the http:// part when you’re ready for Caddy to grab certificates for them.

As long as they’re from a previous Caddy setup, sure. Caddy lays out its ACME directory and certificates in a certain manner, so if you’ve got certificates from elsewhere, it’s much simpler just to let Caddy get new ones.

What I’m seeing here is that php-fpm7 is being run twice, and one of them is exiting. That’s good, you only want one php-fpm7. I’d say that’s fine, unless you’re experiencing any other issues with the web server.


(Homer Sim) #5

Sorry for my late reply. But I tried a lot and I am still not confident enough to switch …

I tried a lot and can not believe it could be that simple:

localhost:80, 192.168.100.44:80 

ebooks.myserveradress.de
#COPS
proxy / 192.168.100.44:8030 {
transparent
gzip
}

dash.myserveradress.de
#portainer
proxy / 192.168.100.44:8010

sync.myserveradress.de
#Syncthing
proxy / 192.168.100.44:8384 {
transparent
gzip
}

blog.myserveradress.de
#wordpress
proxy / 192.168.100.44:90 {
transparent
gzip
}

on startup php-fpm7

Due to hesitating I googled a little and found some example Caddyfiles here:
https://github.com/caddyserver/examples/blob/master/wordpress/Caddyfile

And this brings me to another question. Is it necessary to define so much as seen in some example files or is my simple approach good at all?

Thanks for your help and patience!


(Matthew Fay) #6

No worries!

I prefer your approach, with WordPress in a container - that’s how I’ve a few sites set up. That way, I let the WordPress Docker maintainer abstract all that configuration away, and I can focus on using Caddy just to route it properly and provide HTTPS.

The WordPress Caddyfile example you’ve linked to is for using Caddy to serve the WordPress files directly, rather than proxying. It’s still pretty simple (as far as some other Caddyfiles go, and especially as far as Apache or nginx config would need to go), and it’s all necessary, except gzip which is just nice.


(Homer Sim) #7

Great!
One, maybe two last (hopefully) questions.

Is it necessary / useful to add fail2ban with caddy? Is there an existing how-to?
How do I secure some pages (cops for instance) with a kind of htpasswd?

Thanks


(Matthew Fay) #8

I don’t use Fail2ban for my webservers, but Caddy can output logs in common log format, so Fail2ban should be able to watch it like it can Apache.

You’ve got plenty of options, ranging from simple to more complex.

  • http.basicauth, about as simple as it gets (the only core plugin, the rest are 3rd party)
  • http.login paired with http.jwt, mostly plug and play
  • http.reauth and some other auth target, including htpasswd, fairly flexible
  • http.authz for user/role/attribute based access control, based on Casbin, complicated


(Homer Sim) #9

Today was the day …
without success

I fear my plan is maybe too ambitious. (at least for my skills)
Is this possible at all:


(Matthew Fay) #10

Nice diagram!

Yes, Caddy can do that, absolutely. I’ve run almost all of those containers in the past, reverse-proxied behind Caddy.

What problem are you running into at the moment?


(Homer Sim) #11

I hope you will not laugh.
These are my first lines and my caddy container is always shutting down with this error message:
/etc/Caddyfile:6 - Error during parsing: Unknown directive 'MYSERVER.de"

tls mymail@mail.de
gzip

MYSERVER.de, second.MYSERVER.de {
#wordpress
proxy / 192.168.100.10:90 {
transparent
}
}

ebooks.MYSERVER.de {
#COPS
proxy / 192.168.100.10:83 {
transparent
}
}

Do you have maybe some of your old Caddyfiles as an example for me? I really have a hard time with the syntax tutorial …


(Matt Holt) #12

Remember that the first line of your Caddyfile must be an address of a site to serve.

What was difficult about the tutorial? (how could it be improved?)


(Homer Sim) #13

Sorry, I forgot to copy the first line

localhost:80, 192.168.100.10:80

or should this one be
MYSERVER.COM

??
About the tutorial:
I have the feeling it is very basic but if you wanna go for a more complex scenario …

I am not sure which command is a top level only and which is only for directives
Is it a little understandable?


(Matt Holt) #14

If you have more than one server block, they need to be enclosed in curly braces.

I’ll try to clarify that in the tutorial. Within a server block, only directives are “top-level” – within a directive, you have to check that directive’s docs for the syntax to use.


(Homer Sim) #15

Is this error message, which leads to an immediate shutdown of the caddy container, related to letsencrypt? What could be the solution?

2017/10/27 19:11:52 [tls] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - Error creating new authz :: DNS name does not have enough labels

I tried to get help here but it seems to be not a letsencrypt issue:
https://community.letsencrypt.org/t/caddy-web-server-error-message-with-more-then-one-domain/45224/4


(Matt Holt) #16

If you have more than one site defined in your Caddyfile, all of them need to have curly braces – if your first line is what you said it is, followed by the rest of what you posted above, it’s malformed. Post your whole unmodified Caddyfile and then we can help you.


(Homer Sim) #17

Hello Matt,

I see there is plenty of room for misinterpretation …
I did a lot of testing and this is the Caddyfile which created the letsencrypt error:
Only the mail address is changed

books.broehlis.my-wan.de {
#COPS
proxy / 192.168.100.10:83
}

nextcloud.broehlis.my-wan.de {
#nextcloud
proxy / 192.168.100.10:4432 {
transparent
}
}

tls something@gmail.com
gzip


(Matt Holt) #18

You have directives outside server blocks, so Caddy thinks they are site addresses. All directives have to go inside a server block.
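Putting Matt's rule together with the auth options listed in reply #8, here is an added example Caddyfile (constructed for this thread, not posted by anyone in it) in the Caddyfile syntax used here: every site address gets its own braces, every directive sits inside a site block, COPS is protected with the built-in basicauth, and access logs use Common Log Format so Fail2ban can read them. Hostnames, the e-mail address, the log paths and the credentials are placeholders.

```caddyfile
# Constructed example: one Caddyfile, two sites. Because there is more than one
# site, each address must be followed by { ... } and nothing (no tls, gzip,
# proxy) may sit outside a block, or Caddy will parse it as a site address.

books.example.com {
    # COPS behind basic auth. Credentials are sent base64-encoded, not encrypted,
    # so keep this together with the tls line below (HTTPS), never on plain :80.
    basicauth / reader "replace-with-a-long-random-password"
    proxy / 192.168.100.10:83 {
        transparent
    }
    tls admin@example.com
    gzip
    # Common Log Format; bind-mount this directory so Fail2ban on the host can
    # watch it (the container's own /etc is not a good place for logs).
    log / /var/log/caddy/books_access.log "{common}"
    errors /var/log/caddy/books_errors.log
}

nextcloud.example.com {
    # Nextcloud runs in its own container, so Caddy only proxies; no root,
    # fastcgi or "on startup php-fpm7" is needed for a proxied site.
    proxy / 192.168.100.10:4432 {
        transparent
        websocket
    }
    tls admin@example.com
    gzip
    log / /var/log/caddy/nextcloud_access.log "{common}"
    errors /var/log/caddy/nextcloud_errors.log
}
```

With the container from this thread, add a volume such as -v /docker/config/caddy/log:/var/log/caddy so the log files land on the host where Fail2ban can read them.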


(Homer Sim) #19

Finally! I understood what you wanna tell me.
Sorry for being that slow …


(Homer Sim) #20

Good news, at least for me.
To make it easier:
green smilie is working
orange some issues
red no function

orange:
wordpress: site accessible but no logo and formatting is shown. This is my Caddyfile entry

broehlis.my-wan.de {
#wordpress
root /srv/wordpress
proxy / 192.168.100.10:8090 {
transparent
websocket
}
tls mail@adress.de
gzip
log /etc/log/wordpress_access.log
errors /etc/log/wordpress_errors.log
fastcgi / 127.0.0.1:9000 php
rewrite {
if {path} not_match ^/wp-admin
to {path} {path}/ /index.php?{query}
}
}

orange: portainer … not so important

red: more important
nextcloud forwarding seems not to work …

nextcloud.broehlis.my-wan.de {
#nextcloud
proxy / 192.168.100.10:4432 {
transparent
websocket
}
tls mail@adress.de
fastcgi / 127.0.0.1:9000 php
gzip
log /etc/log/nextcloud_access.log
errors /etc/log/nextcloud_errors.log
}

every trial I did ended up in a new address in the web browser: https://_/

Any ideas?
Thank you all so much.