My main problem is I want on_demand SSL while also needing health checks from the load balancer. (I have several Caddy servers behind a load balancer all sharing a filesystem).
Everything works fine if I use the healthcheck from the load balancer on port 80. However, the rest of the traffic on port 80 is not redirected to 443 and in turn not generating certificates
5. What I already tried:
I tried changing the healthchecks to use Port 81. However, that does’t work and the healthchecks from Amazon always fail.
Here’s the updated Caddyfile I tried with no luck. I tried many variations of this and am hoping someone can point out a proper approach or what I’m doing wrong.
In what manner, specifically, do they always fail? What information does Amazon provide on its health check? It’s really important to get the exact error. Did their check timeout? Was there a protocol error? Is Amazon seeing non-200 responses for the endpoint? The nature of Amazon’s error will tell us what we need to troubleshoot.
Unfortunately, Amazon does not supply any sort of information on the type of load balancer I’m using. Simply says “unhealthy”
From my understanding Amazon load balancer is simply asking looking for a 200 success code message. And this does work perfectly on port 80. Just when I try this on port 81 (or any other port) it doesn’t work.
I guess what my bottom line is:
Assuming the issue is let’s say on Amazon, does CaddyServer support having ports 80 and 443 do reverse proxy, while a different port just reponse to the health check.
From my Caddyfile above, am I missing something?
I’m testing for hours different things and it seems very inconsistent (to me at least).
For example, this would work:
*.amazonaws.com:80 {
respond "Working!"
}
But this won't:
:80 {
respond "Working!"
}
I'm hoping you can shed some more light on this, I'd really appreciate even random ideas of what I can attempt and test.
I’m going to guess that one possibility is that Amazon requires a HTTP endpoint, not a HTTPS endpoint.
*.amazonaws.com:80 will produce a HTTP listener, *.amazonaws.com:81 will produce a self-signed/locally-trusted HTTPS listener with a redirect set up on port 80 (Caddy is HTTPS-first, HTTP only on explicit scheme or default HTTP port).
Try http://*.amazonaws.com:81 and see if that makes a difference.
Thanks @Whitestrake
I just tried that but unfortunately it didn’t work. However it gave me several ideas of things I can try along these lines. I’ll try different ports, protocols and combinations of those. Hopefully if I shoot enough I’ll hit something.
Job for caddy.service failed because the control process exited with error code. See "systemctl status caddy.service" and "journalctl -xe" for details.
Error I"m seeing:
cannot make a TLS automation policy from a server block that has a host-less address when there are other server block addresses lacking a host
This is really where I keep getting stuck. The ondemand SSL is for domains that are not predefined so I must just keep that as host-less.
Here’s my findings.
If I forward my domain directly to the Caddy server it does forward correctly to HTTPS. However if I forward my domain to the static IP address on my load balancer, that doesn’t seem to forward to https. Clearly not an issue with Caddy.
Here’s a screenshot of the network tab for these requests. I don’t see the “server : Caddy” in the header, I guess that means it’s not even hitting the Caddy server.
Thanks everyone for your help. This ended up mostly being an issue with my configuration on AWS.
All good now.
In case anyone else is building something similar using AWS. Keep in mind you must use a TCP load balancer but since each target group only accepts one type of traffic (http or https) and you can’t redirect on network load balancer, you must create 2 different target groups. One of http and one for https.