One Caddy server Forward to another Caddy with on-demand tls

Help
1

1. The problem I’m having:

Trying to “forward-only” one domain to a second caddy server.

First caddy server is being used for home “production” and I don’t want to mess with that one.
End goal is to have a catch all uknonwn/not defined and forward without doing anything else to the request and led the second caddy do ASK and on-demand tls.

2. Error messages and/or full log output:

caddy@caddy:~$ curl -vL klysner.fugemandwinther.dk
*   Trying 87.104.29.170:80...
* Connected to klysner.fugemandwinther.dk (87.104.29.170) port 80 (#0)
> GET / HTTP/1.1
> Host: klysner.fugemandwinther.dk
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://klysner.fugemandwinther.dk/
< Server: Caddy
< Date: Thu, 25 May 2023 16:05:09 GMT
< Content-Length: 0
< 
* Closing connection 0
* Clear auth, redirects to port from 80 to 443Issue another request to this URL: 'https://klysner.fugemandwinther.dk/'
*   Trying 87.104.29.170:443...
* Connected to klysner.fugemandwinther.dk (87.104.29.170) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=klysner.fugemandwinther.dk
*  start date: May 24 17:31:10 2023 GMT
*  expire date: Aug 22 17:31:09 2023 GMT
*  subjectAltName: host "klysner.fugemandwinther.dk" matched cert's "klysner.fugemandwinther.dk"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55d0e54012e0)
> GET / HTTP/2
> Host: klysner.fugemandwinther.dk
> user-agent: curl/7.74.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Thu, 25 May 2023 16:05:09 GMT
< 
* Connection #1 to host klysner.fugemandwinther.dk left intact
caddy@caddy:~$

3. Caddy version:

Caddy server 1 (Home Production)
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

Caddy server 2 (Test server)
v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Server 1 & 2
Debian 11 in a LXC on separate Proxmox.
Installed caddy following the “Install — Caddy Documentation” instruction

b. Command:

nano Caddyfile
caddy validate --config Caddyfile
caddy fmt Caddyfile --overwrite
cp Caddyfile /etc/caddy/Caddyfile
systemctl reload caddy.service

c. Service/unit/compose file:

d. My complete Caddy config:

server 1

#{
#       acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
#}
{
        debug
}

auth.fugemandwinther.dk {
        header {
                server# anonymizes Caddy# disable FLoC tracking
                Permissions - Policy interest - cohort = ()# enable HSTS
                Strict - Transport - Security max - age = 31536000;#
                disable clients from sniffing the media type
                X - Content - Type - Options nosniff# clickjacking protection
                X - Frame - Options DENY# keep referrer data off of HTTP connections
                Referrer - Policy no - referrer - when - downgrade
        }
        encode zstd gzip
        reverse_proxy 192.168.1.7:4000
}

tv.fugemandwinther.dk {
        reverse_proxy 192.168.1.11:8096
}

https://drev.fugemandwinther.dk:443 {
        reverse_proxy 192.168.1.10:11000
}

kristensen.asuscomm.com {
        handle {
                request_body {
                        max_size 1G
                }
                reverse_proxy {
                        to https://192.168.1.6:443
                        transport http {
                                # SNI
                                tls_server_name kristensen.asuscomm.com
                                # Turn off back-end TLS authentication
                                tls_insecure_skip_verify
                        }
                }
        }
}

klysner.fugemandwinther.dk {
        reverse_proxy {
                to https://192.168.1.220:443
                transport http {
                        tls_server_name kristensen.asuscomm.com
                        tls_insecure_skip_verify
                }
        }
}

server 2

{
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
        debug
}

:80 {
        root * /usr/share/caddy
        file_server
}

klysner.fugemandwinther.dk {
        root * /srv/public/klysner.fugemandwinther.dk
        file_server
}

5. Links to relevant resources:

2

Vanilla Caddy doesn’t support proxying HTTPS without terminating TLS. To do that, you’d need a TCP-layer proxy like GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy

2 Likes
3

Thanks for the reply, maybe i’ll try that out then, thanks :slightly_smiling_face: