On Demand TLS Unknown Cert Authority

1. Caddy version (caddy version):

Caddy 2 Release Candidate 3

2. How I run Caddy:

Ubuntu with a unit file: sudo systemctl start caddy

a. System environment:

Linux Ubuntu. Systemd

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

# caddy-api.service
#
# For using Caddy with its API.
#
# This unit is "durable" in that it will automatically resume
# the last active configuration if the service is restarted.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
Environment="XDG_CONFIG_HOME=/mnt/efs/fs1"
User=ubuntu
Group=www-data
ExecStart=/usr/bin/caddy run --watch --environ --config /mnt/efs/fs1/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /mnt/efs/fs1/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
    email contact@mylodocs.com
    on_demand_tls {
        ask https://app.mylodocs.com/domains/ask
    }
}

import /mnt/efs/fs1/caddy/sites-enabled/*

app.mylodocs.com {
    reverse_proxy {
        to 10.0.2.167:80 10.0.4.78:80
        
        lb_policy ip_hash
        health_path /healthcheck
        health_port 80
        health_status 200
        health_body "healthy"

        fail_duration 15s
        max_fails 1
        unhealthy_status 5xx
    }
    tls "/etc/ssl/caddy/mylodocs.com/cert.pem" "/etc/ssl/caddy/mylodocs.com/privkey.pem"
}

*.mylodocs.com/check {
    rewrite * "/_check.html?{http.request.uri.query}"
    reverse_proxy * {
        to "mylodocspublic.s3-website.us-east-2.amazonaws.com:80"
        header_up Host "mylodocspublic.s3-website.us-east-2.amazonaws.com"
    }
}

*.mylodocs.com {
    @mymatcher {
        path "*/"
    }
    @fileMatcher {
        path_regexp ".*\.[A-Za-z]+$"
    }
    @mymatcher1 {
        not {
            path "*/"
        }
        not {
            path_regexp ".*\.[A-Za-z]+$"
        }
    }
    redir @mymatcher1 "{http.request.uri}/" 308
    encode gzip

    rewrite @mymatcher "/{http.request.host.labels.2}{http.request.uri}"
    reverse_proxy @mymatcher {
        to "mylodocspublic.s3-website.us-east-2.amazonaws.com:80"
        header_up Host "mylodocspublic.s3-website.us-east-2.amazonaws.com"
    }

    rewrite @fileMatcher "/{http.request.host.labels.2}{http.request.uri}"
    reverse_proxy @fileMatcher {
        to "mylodocspublic.s3-website.us-east-2.amazonaws.com:80"
        header_up Host "mylodocspublic.s3-website.us-east-2.amazonaws.com"
    }
    
    tls "/etc/ssl/caddy/mylodocs.com/cert.pem" "/etc/ssl/caddy/mylodocs.com/privkey.pem"
}

This is the imported file:

mdennett.mylodocs.com/mylodocs/* {
    redir "mylodocs/*" docs.mitchdennett.com 308
}

docs.mitchdennett.com {
    @mymatcher {
        path_regexp ".*\.[A-Za-z]+$"
    }
    @mymatcher1 {
        path "*/"
    }
    @noSlash {
        not {
            path "*/"
        }
        not {
            path_regexp ".*\.[A-Za-z]+$"
        }
    }
    encode gzip

    redir @noSlash "{http.request.uri}/" 308

    rewrite @mymatcher1 "/mdennett/mylodocs{http.request.uri}"
    reverse_proxy @mymatcher1 {
        to "mylodocspublic.s3-website.us-east-2.amazonaws.com:80"
        header_up Host "mylodocspublic.s3-website.us-east-2.amazonaws.com"
    }

    rewrite @mymatcher "/mdennett/mylodocs{http.request.uri}"
    reverse_proxy @mymatcher {
        to "mylodocspublic.s3-website.us-east-2.amazonaws.com:80"
        header_up Host "mylodocspublic.s3-website.us-east-2.amazonaws.com"
    }

    tls {
        on_demand
    }
}

3. The problem I'm having:

Jun 21 14:15:23 ip-10-0-1-114 caddy[857]: 2020/06/21 14:15:23 http: TLS handshake error from 192.24.132.212:65208: error checking https://app.mylodocs.com/domains/ask to deterine if certificate for hostname 'docs.mitchdennett.com' should be allowed: Get "https://app.mylodocs.com/domains/ask?domain=docs.mitchdennett.com": x509: certificate signed by unknown authority

The https://app.mylodocs.com endpoint is managed by Caddy. It goes through a load balancer first that does not terminate SSL, but then ends up at a Caddy server.

4. Error messages and/or full log output:

Jun 21 14:15:23 ip-10-0-1-114 caddy[857]: 2020/06/21 14:15:23 http: TLS handshake error from 192.24.132.212:65208: error checking https://app.mylodocs.com/domains/ask to deterine if certificate for hostname 'docs.mitchdennett.com' should be allowed: Get "https://app.mylodocs.com/domains/ask?domain=docs.mitchdennett.com": x509: certificate signed by unknown authority


I figured it out.

tls "/etc/ssl/caddy/mylodocs.com/cert.pem" "/etc/ssl/caddy/mylodocs.com/privkey.pem" was the issue. I needed to load the fullchain.pem instead.

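The log line is Go's x509 verifier (which Caddy uses to fetch the ask URL) rejecting the chain app.mylodocs.com presented: a cert.pem that holds only the leaf gives the client no path to a trusted root, while fullchain.pem also ships the intermediate. The Go program below is an added example, not code from this thread or from Caddy; it builds a constructed three-level PKI (root, intermediate, leaf for the made-up host app.demo.test) and shows the leaf-only bundle failing with the same unknown-authority error while the fullchain bundle verifies. VerifyBundle and BuildDemoPKI are names chosen here, and the fixture's hostnames are invented.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// VerifyBundle runs the check Go's HTTP client inside Caddy runs against the ask URL's server.
func VerifyBundle(bundlePEM []byte, roots *x509.CertPool, host string) error {
	var der []byte // every CERTIFICATE block in the file: leaf first, intermediates after it
	for b, rest := pem.Decode(bundlePEM); b != nil; b, rest = pem.Decode(rest) {
		der = append(der, b.Bytes...)
	}
	certs, err := x509.ParseCertificates(der)
	if err != nil || len(certs) == 0 {
		return fmt.Errorf("unusable bundle (%d certs): %v", len(certs), err)
	}
	inter := x509.NewCertPool()
	for _, c := range certs[1:] {
		inter.AddCert(c) // the intermediates a fullchain.pem carries end up here
	}
	_, err = certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

// BuildDemoPKI is a constructed fixture (root -> intermediate -> leaf for host) returned as PEM.
func BuildDemoPKI(host string) (rootPEM, certPEM, fullchainPEM []byte) {
	var pems [][]byte
	var parent *x509.Certificate
	var signer ed25519.PrivateKey
	for i, cn := range []string{"root.demo.test", "intermediate.demo.test", host} {
		t := &x509.Certificate{SerialNumber: big.NewInt(int64(i + 1)), Subject: pkix.Name{CommonName: cn},
			DNSNames: []string{cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
			IsCA: i < 2, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		if parent == nil { // the root signs itself
			parent, signer = t, key
		}
		der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer) // fixed templates: cannot fail
		pems = append(pems, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
		parent, signer = t, key // the next certificate is issued by this one
	}
	return pems[0], pems[2], append(append([]byte{}, pems[2]...), pems[1]...)
}
```

The returned certPEM mirrors a cert.pem (leaf only) and fullchainPEM a fullchain.pem (leaf followed by the intermediate); load the rootPEM into an x509.CertPool and pass each bundle to VerifyBundle to see the two outcomes.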
