[proxy] 2 caddy servers with 1 reverse proxy

Hello,

I am trying to set up Caddy as a reverse proxy to pass requests to another physical server on the same LAN that also runs Caddy.

Here is my setup:

I have 2 servers behind a router.
Server A is 192.168.0.2
Server B is 192.168.0.3
My ISP gives me a fixed IP, I have a domain name, and I forward all requests on port 443 (I want https only) to server A.

The Caddyfile of server A looks like this and it works correctly:

subdomain1.domain.com {
    root /srv/http/subdomain1
    tls {
        dns gandiv5
    }
}

Now, I want all the requests to subdomain2.domain.com to be forwarded to server B.

The new Caddyfile of server A is updated this way:

subdomain1.domain.com {
    root /srv/http/subdomain1
    tls {
        dns gandiv5
    }
}

subdomain2.domain.com {
    proxy / 192.168.0.3:443 {
        transparent
    }
    tls {
        dns gandiv5
    }
}

And the Caddyfile of server B looks like this:

subdomain2.domain.com {
    root /srv/http/subdomain2
    tls {
        dns gandiv5
    }
}

It does not work; I get a time-out when I try to reach subdomain2.domain.com from the WAN.
Also, I am not sure whether the DNS challenge must be solved by the proxy (server A) or by the server hosting the app (server B).

Any help would be appreciated.
Thanks in advance!

Time-out means that a connection can’t be established, usually because the packets don’t get where they need to be.

Places to check:

  • DNS A records are set correctly
  • Port forwarding is configured correctly
  • Firewalls are allowing traffic on those ports
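
The following is an added example, not part of this thread and not Caddy's own code: a small Python script that walks the three checks above from the outside in, so a time-out can be told apart from a "connection refused" and from a TLS or certificate failure. It uses only the standard library. The host name, LAN address and port are the ones mentioned in the thread and are only defaults; `check_tls` assumes the backend presents a publicly trusted certificate for the name given as SNI, which is what a proxy forwarding to an `https://` upstream would verify.

```python
"""Connectivity triage for a reverse-proxy chain (added example, not Caddy code).

Checks, in order: the DNS A record, TCP reachability through the port forward
and any firewall, and the TLS handshake the proxy would make to the backend.
The defaults below are the names and addresses used in the thread."""
import socket
import ssl
import sys


def check_dns(name: str):
    """Return the IPv4 address the local resolver gives for NAME, or None."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_tcp(host: str, port: int, timeout: float = 3.0) -> dict:
    """Attempt a TCP connect and classify the outcome.

    timeout -> no SYN-ACK came back: packets are dropped (firewall) or never
               forwarded to this host at all.
    refused -> the host answered but nothing is listening on that port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return {"ok": True, "detail": "tcp connect succeeded"}
    except socket.timeout:
        return {"ok": False, "detail": "timeout: no reply, likely dropped by a firewall or not forwarded"}
    except ConnectionRefusedError:
        return {"ok": False, "detail": "refused: host reached but nothing is listening on that port"}
    except OSError as exc:
        return {"ok": False, "detail": f"error: {exc}"}


def check_tls(host: str, port: int, server_name: str, timeout: float = 3.0) -> dict:
    """Open a TLS session to HOST:PORT with SNI SERVER_NAME and verify the
    certificate against the system trust store, as a proxy forwarding to an
    https backend would before sending any request."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
                return {"ok": True, "detail": f"{tls.version()} handshake ok, certificate valid for {names}"}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "detail": f"TLS reached but certificate not valid for {server_name}: {exc.verify_message}"}
    except ssl.SSLError as exc:
        return {"ok": False, "detail": f"TLS handshake failed: {exc}"}
    except OSError as exc:
        return {"ok": False, "detail": f"connect error: {exc}"}


def selfcheck() -> dict:
    """Offline demonstration of check_tcp: probe a live local listener, then
    the same port after it is closed (expected: open -> ok, closed -> refused)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port)
    srv.close()
    after_close = check_tcp("127.0.0.1", port)
    return {"open": while_open, "closed": after_close}


if __name__ == "__main__":
    # usage: python3 proxy_triage.py [public-name] [backend-ip] [port]
    name = sys.argv[1] if len(sys.argv) > 1 else "subdomain2.domain.com"
    backend = sys.argv[2] if len(sys.argv) > 2 else "192.168.0.3"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 443

    public_ip = check_dns(name)
    print(f"[dns]     {name} -> {public_ip or 'NO RECORD'}")
    if public_ip:
        print(f"[tcp/wan] {public_ip}:{port} -> {check_tcp(public_ip, port)['detail']}")
    print(f"[tcp/lan] {backend}:{port} -> {check_tcp(backend, port)['detail']}")
    print(f"[tls/lan] {backend}:{port} sni={name} -> {check_tls(backend, port, name)['detail']}")
```

Run it from the proxy host to test the LAN hop, and from outside the LAN to test the port forward. A "refused" on the WAN address with a working LAN hop points at the router, while a "timeout" on both usually means a firewall is dropping the traffic.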

@Whitestrake, thank you for your suggestions.

The DNS record has been tested without proxy setup and it works.

The 2 other points are network related and I guess this is where something is wrong.

If my knowledge is correct, I don’t need any additional forwarding rule beside the existing one (public IP:443 to 192.168.0.2:443) as I stay on the same LAN when the packets are forwarded from 192.168.0.2 to 192.168.0.3 but maybe I am wrong.

The firewall is embedded in the router and I assume it filters the packets coming from the WAN not LAN to LAN. Also none of the servers have a FW.

Once back home, I’ll try to get error logs


Hello,

I made some progress. Now, it works if I am not in https between the proxy and the web server (https to reach the proxy from internet works).

But if I want to have https on the LAN (meaning between the proxy and the web server), I get this error:

Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/43NBMgcC8OV_mXvK-wNIUeb6lbYBnHHbkvGWsySvE4Y
Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] acme: Could not find solver for: tls-alpn-01
Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] acme: Could not find solver for: http-01
Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] acme: use dns-01 solver
Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] acme: Preparing to solve DNS-01
Jun 16 21:26:57 n2 caddy[4847]: 2019/06/16 21:26:57 [INFO] [subdomain2.domain.com] acme: Cleaning DNS-01 challenge
Jun 16 21:26:58 n2 caddy[4847]: 2019/06/16 21:26:58 [subdomain2.domain.com] failed to obtain certificate: acme: Error -> One or more domains had a problem:
Jun 16 21:26:58 n2 caddy[4847]: [subdomain2.domain.com] [subdomain2.domain.com] acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'SERVFAIL' for _acme-challenge.subdomain2.domain.com.

Here is the config of the proxy:

https://subdomain2.domain.com {

    errors visible

    proxy / https://192.168.0.3:443 {
        transparent
    }

    tls {
        dns gandiv5
    }
}

Here is the config of the web server:

https://subdomain2.domain.com {

    errors visible

    root /srv/http

    tls {
        dns gandiv5
    }

}

Thanks for your help!

acme: error presenting token: gandiv5: findZoneByFqdn failure: unexpected response code 'SERVFAIL' for _acme-challenge.subdomain2.domain.com.

This isn’t a config issue, this looks like a bug in the DNS provider for gandiv5. Just to confirm, what version of Caddy are you using?

Version 1.0.0.

Should I open a ticket here: https://github.com/caddyserver/dnsproviders ?

Yeah, I think that’s probably the best place to create an issue.

Include a link to this thread, where you posted the logs and configs.

Done: https://github.com/caddyserver/dnsproviders/issues/70