Proxy to Other SSL Website


(Alex) #1

Hello folks! I’m new to the caddy scene so I’m looking for some help.

I have Caddy .11 installed on Ubuntu 16.04. I am successfully using Caddy to reverse proxy to several sites I have behind my router on several VMs. These are all not using HTTPS on their end (HTTP traffic locally). I have a site that is https://IP-of-server. Is it possible to get this site proxied? Even if it was just using the self-signed and not the LetsEncrypt, that’s doable; although I would prefer the LetsEncrypt cert.

I’ve tried setting the Caddy file like:

sub.domain.com {
  tls self_signed
  gzip
  proxy / 192.168.xxx.xxx:443
}

Also tried the same above but using “transparent”.

The site 192.168.xxx.xxx:443 is using a self-signed cert issued by the server itself and the software does not allow HTTP mode.

Thanks!


(Matthew Fay) #2

Hi @kazea182, welcome to the Caddy community!

Try something like this:

proxy / https://example.com {
  insecure_skip_verify
}

The insecure_skip_verify will tell Caddy not to validate the server’s certificate against a trusted authority (which naturally isn’t feasible for a self-signed certificate).

https://caddyserver.com/docs/proxy


(Alex) #3

After doing that, I get 502 Bad Gateway.

This page does have a sign-in prompt.

Here is what Caddy looks like. I’ve tried it with transparent and websocket each removed.

xxxx.xxxx.net {
  gzip
  proxy / https://192.168.1.5 {
    insecure_skip_verify
    transparent
    websocket
  }
}


(Matthew Fay) #4

Can you post the output of curl -kIL https://192.168.1.5/ from the Caddy host?


(Alex) #5

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 15 May 2018 00:25:48 GMT


(Matthew Fay) #6

Hmm, Caddy shouldn’t be giving you 502s, then, unless I’m mistaken (it should be passing the 401s on to you).

Can you add errors /path/to/caddy.errors to your Caddyfile, provoke another 502 error, and then post the contents of that file?


(Alex) #7

I added it to the top of my caddy file and it killed Caddy. How do you run caddy without systemctl so I can get the log of that?


(Matthew Fay) #8

You can run it from the command line. Optionally change the line to errors stdout (for convenience), run caddy -log stdout -conf /path/to/Caddyfile in one terminal, and curl -I https://example.net/ in another terminal. Paste the output from the Caddy terminal here.


(Alex) #9

I need to upload to a pastebin, it won’t let me post because it has Links. Give me a moment.


(Alex) #10

https://pastebin.com/vavJ2iL3 (Output of terminal)

This is the output of the curl:

HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Tue, 15 May 2018 00:36:31 GMT
Server: Caddy
Server: Microsoft-HTTPAPI/2.0
Www-Authenticate: Negotiate
Www-Authenticate: NTLM


(Matthew Fay) #11

There are no 502s there - looks like Caddy is proxying that site successfully now. Run it via systemctl service again and see if the issue returns?


(Alex) #12

Weird, I’m getting 502 when I go to display the page itself.


(Matthew Fay) #13

I’d suspect browser caching? The upstream server is returning a zero-length body with a valid status, so Caddy should be giving you exactly that - no body, blank page, and while I’m not familiar with NTLM, maybe a browser prompt?


(Alex) #14

Alright, so yeah. I opened incognito and I get my login prompt. However login passes but nothing is returned. Not sure if that could be looked at here or if that is something else I need to look into.


(Matthew Fay) #15

Knowing personally that my knowledge of NTLM is wanting, if it were me, I’d look there first to determine exactly what it requires. If it’s not an auth-specific problem… I’d be a bit stumped. Generally the proxy is pretty faithful - everything you send goes upstream, everything coming back makes it to your client.


(Alex) #16

Appears to be unsupported here: https://github.com/mholt/caddy/issues/663

NTLM Auth requires keep-alive


(Alex) #17

I tried changing it back to http1.1 as stated here:
https://github.com/mholt/caddy/pull/1389 but when I restart caddy, it doesn’t understand the directive http2, can you help?

This is what that entry looks like now:

wac.xxxx.net {
  tls {
    http2 off
  }
  proxy / https://192.168.1.5 {
    insecure_skip_verify
  }
}

This is the error I get:

caddy@caddy:~$ sudo caddy -log stdout -conf /etc/caddy/Caddyfile
2018/05/14 21:20:20 /etc/caddy/Caddyfile:61 - Error during parsing: Unknown subdirective ‘http2’


(Alex) #18

Curious. Do you know anything about this caddy plugin?

https://caddyserver.com/docs/http.reauth

Looks like this might help me according to some other people using NTLM.


(Matthew Fay) #19

I’ve had passing experience with it. It can auth against LDAP, so if you’re a Microsoft shop, that might suffice… But I think you’d have to remove the auth from the upstream server anyway.