1. The problem I’m having:
Hi,
I have 3 machines: one (M4) on a public wifi which can only access IPv4 addresses, one with both IPv4 and IPv6 stacks (M46), and one which has only an IPv6 address (M6). M6 is exposing a web app.
I want to give access to the web app on M6 to the IPv4-only machine M4, using a reverse proxy with caddy on the M46 (dual-stack) server.
I’ve read that it’s doable with “sniproxy” using nginx for example (but I prefer caddy), and I haven’t even understood how it could work with nginx.
I tried with caddy on M46 with this config:
mydomain.fr {
    bind 127.0.0.1 # I also use sslh on M46
    reverse_proxy tcp6/[2a02:xxx:yyy:zzz]:443 {
        header_up Host {upstream_hostport}
        transport http {
            tls_server_name mydomain.fr
        }
    }
}
I set up an AAAA DNS record to the M6 address and an A record to the M46 server.
M6 is also using caddy to expose its web app, and it works well when I use an IPv6-aware client.
In the logs I only have debug messages, no errors.
And in the M6 logs I only have:
oct. 24 13:45:59 M6 caddy[196061]: {"level":"info","ts":1729770359.708006,"logger":"http.log.access","msg":"NOP","request":{"remote_ip":"M::46::IPV6","remote_port":"48862","client_ip":"M::46::IPV6","proto":"HTTP/2.0","method":"GET","host":"[2a02:xxx:yyy:zzz]:443","uri":"/test.txt","headers":{"Accept-Encoding":["gzip"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["mydomain.fr"],"User-Agent":["curl/8.5.0"],"X-Forwarded-For":["127.0.0.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"mydomain.fr"}},"bytes_read":0,"user_id":"","duration":0.001061135,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}
It seems that caddy on M6 receives the proxied request but can’t use the right configuration for it, since caddy-test.log is empty.
My Caddyfile on M6:
{
    debug
}
mydomain.fr mydomain.fr:8448 {
    reverse_proxy 127.0.0.1:8008 [::1]:8008 {
    }
    log {
        output file /var/log/caddy-test.log
    }
}
2. Error messages and/or full log output:
oct. 24 13:31:53 M46 caddy[2260272]: {"level":"debug","ts":1729769513.6078794,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"[2a02:xxx:yyy:zzz]:443","total_upstreams":1}
oct. 24 13:31:53 M46 caddy[2260272]: {"level":"debug","ts":1729769513.7594256,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"tcp6/[2a02:xxx:yyy:zzz]:443","duration":0.151227342,"request":{"remote_ip":"127.0.0.1","remote_port":"51280","client_ip":"127.0.0.1","proto":"HTTP/2.0","method":"GET","host":"[2a02:xxx:yyy:zzz]:443","uri":"/test.txt","headers":{"User-Agent":["curl/8.5.0"],"Accept":["*/*"],"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["mydomain.fr"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"mydomain.fr"}},"headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Server":["Caddy"],"Content-Length":["0"],"Date":["Thu, 24 Oct 2024 11:31:53 GMT"]},"status":200}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.2788794,"logger":"events","msg":"event","name":"tls_get_certificate","id":"399eba5c-309c-4f07-8b23-a80f90bfcfcf","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"mydomain.fr","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"127.0.0.1","Port":51146,"Zone":""},"LocalAddr":{"IP":"127.0.0.1","Port":443,"Zone":""}}}}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.2791035,"logger":"tls.handshake","msg":"choosing certificate","identifier":"mydomain.fr","num_choices":1}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.2792454,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"mydomain.fr","subjects":["mydomain.fr"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"97cd803ea9b2a587a36a74373fabc2356d0ac4bc98348afd00c1a24e14768fbe"}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.279334,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"127.0.0.1","remote_port":"51146","subjects":["mydomain.fr"],"managed":true,"expiration":1737492835,"hash":"97cd803ea9b2a587a36a74373fabc2356d0ac4bc98348afd00c1a24e14768fbe"}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.2909312,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"[2a02:xxx:yyy:zzz]:443","total_upstreams":1}
oct. 24 13:32:03 M46 caddy[2260272]: {"level":"debug","ts":1729769523.3066406,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"tcp6/[2a02:xxx:yyy:zzz]:443","duration":0.015384083,"request":{"remote_ip":"127.0.0.1","remote_port":"51146","client_ip":"127.0.0.1","proto":"HTTP/2.0","method":"GET","host":"[2a02:xxx:yyy:zzz]:443","uri":"/test.txt","headers":{"X-Forwarded-For":["127.0.0.1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["mydomain.fr"],"User-Agent":["curl/8.5.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"mydomain.fr"}},"headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Server":["Caddy"],"Content-Length":["0"],"Date":["Thu, 24 Oct 2024 11:32:03 GMT"]},"status":200}
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
4. How I installed and ran Caddy:
from https://dl.cloudsmith.io/public/caddy/stable/deb/debian
a. System environment:
Debian 11 on M46
b. Command:
sudo service caddy start
c. Service/unit/compose file:
d. My complete Caddy config:
See above; that’s the complete config.
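An added diagnostic example, not part of the post above: it reads Caddy JSON log lines like the ones quoted and checks, for each proxied request, whether the Host header agrees with the TLS SNI and X-Forwarded-Host values and whether the backend answered with a NOP (status 0, meaning no site block matched). The sample lines are constructed, abridged from the post (the first two) plus one hypothetical direct IPv6 request; the `[2a02:xxx:yyy:zzz]` address is the post's own placeholder.

```python
import json
from typing import Optional

# Constructed sample, abridged from the post's journald lines plus one
# hypothetical direct IPv6 request that matches the site block.
SAMPLE_LOG = r'''
oct. 24 13:31:53 M46 caddy[2260272]: {"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"tcp6/[2a02:xxx:yyy:zzz]:443","request":{"remote_ip":"127.0.0.1","proto":"HTTP/2.0","method":"GET","host":"[2a02:xxx:yyy:zzz]:443","uri":"/test.txt","headers":{"X-Forwarded-Host":["mydomain.fr"]},"tls":{"server_name":"mydomain.fr"}},"status":200}
oct. 24 13:45:59 M6 caddy[196061]: {"level":"info","logger":"http.log.access","msg":"NOP","request":{"remote_ip":"M::46::IPV6","proto":"HTTP/2.0","method":"GET","host":"[2a02:xxx:yyy:zzz]:443","uri":"/test.txt","headers":{"X-Forwarded-Host":["mydomain.fr"]},"tls":{"server_name":"mydomain.fr"}},"status":0}
oct. 24 13:46:10 M6 caddy[196061]: {"level":"info","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"2001:db8::1","proto":"HTTP/2.0","method":"GET","host":"mydomain.fr","uri":"/test.txt","headers":{},"tls":{"server_name":"mydomain.fr"}},"status":200}
'''


def strip_port(host: str) -> str:
    """Host part of a Host header value; handles [v6]:port and name:port."""
    if host.startswith("["):
        return host[1:host.index("]")]
    return host.rsplit(":", 1)[0] if host.count(":") == 1 else host


def parse_caddy_line(line: str) -> Optional[dict]:
    """Return the JSON object embedded in a journald-style Caddy line, or None."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def check_request(entry: dict) -> list[str]:
    """Inconsistencies that stop a name-based site block from matching."""
    req = entry.get("request", {})
    host = strip_port(req.get("host", ""))
    sni = req.get("tls", {}).get("server_name", "")
    xfh = req.get("headers", {}).get("X-Forwarded-Host", [""])[0]
    findings = []
    if sni and host != sni:
        findings.append(f"Host '{host}' != SNI '{sni}'")
    if xfh and host != strip_port(xfh):
        findings.append(f"Host '{host}' != X-Forwarded-Host '{xfh}'")
    if entry.get("msg") == "NOP" and entry.get("status") == 0:
        findings.append("no site block matched (NOP, status 0)")
    return findings


def audit(log_text: str) -> list[tuple[str, list[str]]]:
    """(machine, findings) for each request entry, in log order."""
    report = []
    for line in log_text.strip().splitlines():
        entry = parse_caddy_line(line)
        if entry and "request" in entry:
            machine = line.split()[3]  # 'oct. 24 13:45:59 M6 caddy[...]'
            report.append((machine, check_request(entry)))
    return report
```

Run against the post's lines, the check shows the proxied request reaching M6 carries the upstream's literal address as Host while SNI and X-Forwarded-Host both say mydomain.fr, which is exactly the request that the `mydomain.fr` site block cannot match.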