1. Caddy version (caddy version):
v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=
2. How I run Caddy:
Custom built docker image with following Dockerfile:
FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:latest
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
a. System environment:
Raspberry Pi 3 with Docker.
b. Command:
docker-compose -f caddycloudflare/docker-compose.yml up -d
c. Service/unit/compose file:
version: "3.8"
services:
  caddy:
    image: caddy_cloudflare:1.0
    container_name: caddy_cloudflare
    hostname: caddy_cloudflare
    env_file:
      - ../.env
      - ./secret.env
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data:/data
      - ./config:/config
networks:
  default:
    external:
      name: $NETWORK
d. My complete Caddyfile or JSON config:
# External
portainer.{$DOMAIN} {
    reverse_proxy {$IP_PORTAINER}:9000
}

home.{$DOMAIN} {
    reverse_proxy {$IP_HOMEASSISTANT}:8123
}

# Internal
*.lan.{$DOMAIN} {
    tls MyEMAIL@gmail.com {
        dns cloudflare {$CLOUDFLARE_API_TOKEN}
    }

    @unifi host unifi.lan.{$DOMAIN}
    handle @unifi {
        reverse_proxy {$IP_UNIFI}:8443
    }

    @home host home.lan.{$DOMAIN}
    handle @home {
        reverse_proxy {$IP_HOMEASSISTANT}:8123
    }

    @portainer host portainer.lan.{$DOMAIN}
    handle @portainer {
        reverse_proxy {$IP_PORTAINER}:9000
    }

    # For anything else, falls through to this:
    handle {
        respond "404 bruh." 404 {
            close
        }
    }
}
3. The problem I’m having:
SSL works great for the home. and portainer. services, and I see the padlock and the *.lan.mydomain.com cert when I click the padlock to inspect it. Both of those services actually run on the exact same machine as the Docker container running Caddy, which is 192.168.1.100, so the reverse proxy is effectively routing to itself. I'm not sure if this matters or not, considering the other services are running in Docker containers that wouldn't have the certificates installed into them (unless Docker does this automatically by migrating the certs out of the Caddy container?).
For unifi.lan.mydomain.com, the reverse proxy sends it to IP_UNIFI, which is 192.168.1.1, and gives it the port for the UniFi controller service on my UniFi Dream Machine router/gateway.
When I navigate to unifi.lan.mydomain.com, Caddy successfully proxies me over to the correct IP address and I see the router login page, but I am noticing that it has no padlock and says "Not Secure".
I have noticed something a little odd. When I navigate to home.lan.mydomain.com in my browser, the URL stays as that and I see the cert for *.lan.mydomain.com. You can see an image here:
Notice the URL has not changed; aside from having stuff tacked onto it by Home Assistant, it stays as home.lan.mydomain.com.
But when I navigate to unifi.lan.mydomain.com, the URL changes to the IP that Caddy is sending it to (192.168.1.1). See image here:
I am wondering if the self-signed certificate on the UniFi Dream Machine device is causing a conflict, but I don't quite understand why this wouldn't be the case with Home Assistant or Portainer, which are both in their own isolated Docker containers.
4. Error messages and/or full log output:
None, per se.
5. What I already tried:
I tried adding a transport block to the reverse_proxy directive:
reverse_proxy https://{$IP_UNIFI}:8443 {
    transport http {
        # tls with no further options: Caddy verifies the upstream
        # certificate against the system trust store
        tls
    }
}
and adding https:// in front of {$IP_UNIFI}, but the same thing results.
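Added example (my own, not code from the original post or from the Caddy project): a site block that proxies to an upstream which serves HTTPS with a self-signed certificate, which is the situation described for the UniFi Dream Machine. With `tls` alone in the transport block, Caddy validates the upstream certificate against the system trust store, so a self-signed device certificate fails that check; the block shows the two ways to handle it and which one a practitioner should prefer. The hostname and IP reuse the post's environment variables; the certificate file path is an assumption.

```caddyfile
# Added example, not part of the original post. Assumes the same
# {$DOMAIN} and {$IP_UNIFI} environment variables as the Caddyfile above.
unifi.lan.{$DOMAIN} {
    reverse_proxy https://{$IP_UNIFI}:8443 {
        transport http {
            # Speak TLS to the upstream (the scheme above already implies it,
            # but being explicit keeps the options below in one place).
            tls

            # Option A (weakest): accept any certificate from the upstream.
            # This disables authentication of the upstream entirely, so a
            # device on the same LAN that answers on 192.168.1.1:8443 would
            # be proxied just as happily. Only acceptable on a network
            # segment you fully control.
            tls_insecure_skip_verify

            # Option B (preferred): keep verification on and pin the device's
            # own certificate instead. Export the self-signed cert from the
            # device, mount it into the container, and name the file here.
            # The path below is an assumed location, not something from the
            # post. Uncomment these two lines and remove
            # tls_insecure_skip_verify once the file is in place.
            # tls_trusted_ca_certs /data/udm-cert.pem
            # tls_server_name unifi.lan.{$DOMAIN}
        }
    }
}
```

Note that neither option changes what the upstream application does after the proxied request arrives: if the controller itself answers with a redirect to its own IP address, the browser will follow it and leave the Caddy hostname regardless of how the upstream TLS is configured. A quick way to tell the two cases apart is to run `curl -kI https://192.168.1.1:8443/` from the Docker host and look for a `Location:` header in the response; if one points at the raw IP, the redirect is coming from the device, not from Caddy.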