Problem accessing yunohost and some docker containers in vms over caddy

I’m using Caddy to proxy traffic to virtual machines. I use the following scheme:

subdomain.mysite.org {
    proxy / firstvm:80 {
        transparent
    }
}

This works in most cases. However, with some Docker containers I get “The page isn’t redirecting properly” in the browser (ERR_TOO_MANY_REDIRECTS).
I also installed YunoHost on a virtual machine, and get the same problem.
For quite some time, I was thinking the problem may come from the containers or YunoHost, but I finally set up port forwarding to bypass Caddy (getting the request from a custom port and forwarding it directly to the VM, and I can access YunoHost via this custom port).

I guess the issue may come from the fact that caddy is automatically making https and maybe those services are not designed for that. I don’t know.
I also tried to redirect to port 443 in the config, instead of 80, or to make different sections for http and https, like this:

http://subdomain.mysite.org {
    proxy / firstvm:80 {
        transparent
    }
}

https://subdomain.mysite.org {
    proxy / firstvm:443 {
        transparent
    }
}

but I end up getting this error 400: “The plain HTTP request was sent to HTTPS port”.

I wonder if there is any way I could configure caddy for those services to be reachable, or to bypass it for those services, and let them create their ssl certificates themselves.

Hi @chateau, welcome to the Caddy community.

When you use the hostname firstvm, there is an implicit http:// scheme added to the front (which in turn implies port 80).

You’re thinking somewhat along the right lines by trying to proxy to port 443 instead, but it’s not Automatic HTTPS that’s causing the problem, per se. Automatic HTTPS just hosts your site on HTTPS by default and upgrades HTTP connections. The issue is that your proxy is always connecting over HTTP, so your VM issues a redirect to HTTPS, and your client reconnects to Caddy over HTTPS, which proxies to HTTP, rinse repeat…

So, you don’t need to split your site labels up, but you do need to proxy to HTTPS. Try:

subdomain.example.com {
  proxy / https://firstvm {
    transparent
  }
}

Now, your VM might not have a publicly validated certificate, so you might end up with 500-series errors from Caddy. If that’s the case, you can add insecure_skip_verify to your proxy, which will tell Caddy not to validate the certificate when connecting.

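An added example, not part of either post and not the Caddy project's own configuration: the proxy block from the answer with `insecure_skip_verify`, beside a variant that keeps certificate validation on the Caddy-to-VM hop by trusting only the VM's own CA. The site labels, the PEM path, and the availability of `ca_certificates` in the installed Caddy v1 build are assumptions.

```caddyfile
# Added example in Caddy v1 syntax. Site labels and the PEM path are
# hypothetical; use only ONE of the two variants for a given site.

# Variant A: the answer's fallback. The Caddy -> VM hop is encrypted, but the
# VM's certificate is not checked, so Caddy cannot tell the VM apart from
# any other host that answers on firstvm:443.
a.example.com {
    proxy / https://firstvm {
        transparent
        insecure_skip_verify
    }
}

# Variant B: keep validation and trust only the VM's own CA (or its
# self-signed certificate). Assumes this Caddy v1 build supports
# ca_certificates and that the VM's certificate lists "firstvm" as a
# subject alternative name, because Caddy verifies the name it dials.
b.example.com {
    proxy / https://firstvm {
        transparent
        ca_certificates /etc/caddy/upstream/firstvm-ca.pem
    }
}
```

With Variant B, a certificate that is expired, issued for another name, or signed by a different CA makes the proxied request fail instead of being silently accepted.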

Hello @Whitestrake, thank you for your answer and the crystal clear explanations.
It’s exactly the setup I was looking for and works perfectly :slight_smile:
:+1::+1::+1:
