1. The problem I’m having:
I have a site that I have to access (the HP iLO web interface for my server), but I’m facing a problem since the web page is served over HTTPS using TLS 1.0/1.1.
The connection is forced to be in HTTPS and no modern TLS version is available for the server (HP does not provide support anymore for this system). I am trying to connect to this service with software that does not support older TLS versions.
My first idea: is it possible to replace/wrap this old TLS with a modern TLS version by using Caddy as a reverse proxy in front of the web interface?
Basically like this:
HP iLO <-- old TLS --> Caddy <-- new TLS --> web browser
My own attempt is below in the Caddy config.
2. Error messages and/or full log output:
Error in the web browser when trying to access the iLO service (either directly or via the current Caddy configuration at https://ilo-galaxy.home.arpa):
SSL_ERROR_UNSUPPORTED_VERSION
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
This website might not support the TLS 1.2 protocol, which is the minimum version supported by Firefox.
By enabling TLS 1.0 support in the Firefox config, the site is OK and accessible.
3. Caddy version:
v2.7.6
4. How I installed and ran Caddy:
a. System environment:
Ubuntu Server 22.04.4 LTS, Caddy running as a Docker image.
b. Command:
No specific command; running via docker-compose.
c. Service/unit/compose file:
version: "3.8"
########################### SECRETS
########################### NETWORKS
networks:
  t2_proxy:
    name: t2_proxy
    driver: bridge
########################### VOLUMES
########################### SERVICES
services:
  # Caddy for internal routing
  caddy:
    image: caddy:2.7-alpine
    container_name: caddy
    restart: unless-stopped
    healthcheck:
      test: caddy validate --config /etc/caddy/Caddyfile || exit 1
      interval: "60s"
      retries: 5
      start_period: "30s"
      timeout: "10s"
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      - "82:80"
      - "444:443"
    volumes:
      - $APPDATADIR/caddy/Caddyfile:/etc/caddy/Caddyfile
      - $APPDATADIR/caddy/data:/data
      - $APPDATADIR/caddy/config:/config
      - $DOCKERDIR/logs/web/caddy:/logs
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - TZ=$TZ
d. My complete Caddy config:
{
    log {
        output file /logs/caddy.log
    }
    servers {
        trusted_proxies static 192.168.200.0/24
    }
}

(snippet) {
    tls internal
}

ilo-galaxy.home.arpa {
    reverse_proxy 192.168.200.63:443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
    import snippet
}
5. Links to relevant resources:
Some discussion in the HP forums about the non-upgradability of TLS:
https://community.hpe.com/t5/server-management-remote-server/ilo2-tls-upgrade/td-p/6870639
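Before and after putting a proxy in front of the iLO, it helps to confirm from the command line which TLS versions each hop actually negotiates, rather than relying on the browser error alone. The probe below is an added example, not part of the original post or of Caddy; it assumes the openssl CLI is available on the machine it runs from.

```shell
#!/bin/sh
# Probe which TLS protocol versions a TLS endpoint will negotiate, one handshake
# per version, using the openssl CLI (assumed to be installed where this runs).
# Usage: tls_versions HOST PORT
# Prints one line per version, e.g. "TLSv1.0 yes" / "TLSv1.2 no".

tls_versions() {
    host=$1
    port=$2
    if [ -z "$host" ] || [ -z "$port" ]; then
        echo "usage: tls_versions HOST PORT" >&2
        return 2
    fi
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        case $v in
            tls1)   label=TLSv1.0 ;;
            tls1_1) label=TLSv1.1 ;;
            tls1_2) label=TLSv1.2 ;;
            tls1_3) label=TLSv1.3 ;;
        esac
        # "-$v" pins the client to exactly that protocol version. Reading stdin from
        # /dev/null makes s_client exit right after the handshake, and its exit status
        # is 0 only if the handshake succeeded. @SECLEVEL=0 matters on current OpenSSL
        # builds: at the default security level they offer no cipher suites for
        # TLS 1.0/1.1 and would report "no" for reasons unrelated to the server.
        # An openssl built without TLS 1.0/1.1 support rejects -tls1/-tls1_1 outright,
        # which also shows up as "no".
        if openssl s_client -connect "$host:$port" "-$v" \
                -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
            echo "$label yes"
        else
            echo "$label no"
        fi
    done
}

# Example calls (addresses taken from the post above):
#   tls_versions 192.168.200.63 443        # the iLO itself: expect "yes" only for 1.0/1.1
#   tls_versions ilo-galaxy.home.arpa 444  # Caddy's published HTTPS port: expect 1.2/1.3 only
```

Running it against both sides separates two different failures: the iLO accepting only TLS 1.0/1.1 (expected), versus Caddy's own upstream client refusing to negotiate those versions, which is what the `tls_insecure_skip_verify` setting does not change.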