Proxying local HTTP addresses

1. The problem I’m having:

I have installed Caddy on a Docker stack, and have Pi-Hole running for local DNS-ing. What I am trying to achieve is that I don’t have to enter 192.168.0.2/administrator, for example, to access the Pi-Hole interface, but can enter pi.hole and Caddy takes care of it.

Homeassistant doesn’t work either :frowning:

2. Error messages and/or full log output:

{"level":"error","ts":1678390884.6622994,"logger":"http.log.error","msg":"dial tcp 192.168.0.2:80: i/o timeout","request":{"remote_ip":"192.168.0.31","remote_port":"57346","proto":"HTTP/1.1","method":"GET","host":"pi.hole","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15"],"Accept-Language":["de-DE,de;q=0.9"],"Accept-Encoding":["gzip, deflate"],"Connection":["keep-alive"]}},"duration":3.000354902,"status":502,"err_id":"6de857awz","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}
{"level":"error","ts":1678390899.7533762,"logger":"http.log.error","msg":"dial tcp 192.168.0.2:80: i/o timeout","request":{"remote_ip":"192.168.0.31","remote_port":"57371","proto":"HTTP/1.1","method":"GET","host":"pi.hole","uri":"/","headers":{"Accept-Language":["de-DE,de;q=0.9"],"Accept-Encoding":["gzip, deflate"],"Connection":["keep-alive"],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15"]}},"duration":3.00017248,"status":502,"err_id":"2e3gf8p5k","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}
{"level":"error","ts":1678391120.4832447,"logger":"http.log.error","msg":"dial tcp 192.168.0.2:80: i/o timeout","request":{"remote_ip":"192.168.0.31","remote_port":"57484","proto":"HTTP/1.1","method":"GET","host":"pi.hole","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.3 Safari/605.1.15"],"Accept-Language":["de-DE,de;q=0.9"],"Accept-Encoding":["gzip, deflate"],"Connection":["keep-alive"]}},"duration":3.000246307,"status":502,"err_id":"skxt7adbn","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}

3. Caddy version:

2.6.4

4. How I installed and ran Caddy:

Docker Stack on a Debian LXC on a Proxmox Hypervisor

a. System environment:

as above

b. Command:


c. Service/unit/compose file:

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
    environment:
      - DOMAIN=mine.duckdns.org  # Your domain.
      - EMAIL=mail@mine.de    # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log

d. My complete Caddy config:

# Vaultwarden
vaultwarden.mine.duckdns.org:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  tls mail@mine.de
  encode gzip
  reverse_proxy /notifications/hub vaultwarden:3012
  reverse_proxy vaultwarden:80 {
       header_up X-Real-IP {remote_host}
  }
}
# Vaultwarden intern
192.168.0.29:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }
  tls mail@mine.de
  encode gzip
  reverse_proxy vaultwarden:80
}

# Homeassistant intern
http://home.assistant:80 {
  reverse_proxy http://192.168.0.12:8123
}

http://pi.hole:80, http://pihole:80 {
	rewrite * /admin{uri}
	reverse_proxy 192.168.0.2:80
}

5. Links to relevant resources:

Pi:Hole

It looks like Caddy is receiving requests for pi.hole just fine, but the host you’ve configured as its upstream is not responding on port 80.

i/o timeout could imply that the IP address is incorrect or that the host is firewalled and ignoring requests from the Caddy host.

I remember you also were working with macvlans. I note that a macvlan client cannot talk directly to the host via the network interface it’s sharing (without additional support from a managed switch).


For other readers: The problem with Homeassistant could be solved by the Homeassistant configuration itself, as described here:

https://community.home-assistant.io/t/home-assistant-400-bad-request-docker-proxy-solution/322163

But now to the PiHole issue. The host is not firewalled or something. It’s a container in the same stack as Caddy is, and you assumed right: I gave PiHole its own IP address via macvlan:

Docker compose:

version: '2'

networks:
  pihole_network:                         # Name of network
    driver: macvlan                       # Use the macvlan network driver
    driver_opts:
      parent: eth0                    # If open vSwitch is disabled use eth0 (or eth1 +)
    ipam:
      config:
        - subnet: "192.168.0.0/24"        # Specify subnet
          gateway: "192.168.0.1"          # Gateway address
          ip_range: "192.168.0.200/27"    # Available IP addresses

Pi-Hole Part:

    networks:
      pihole_network:
        ipv4_address: "192.168.0.2"

I have a managed switch, but I’m guessing you’re talking about the virtual one?

Regards

Some managed switches (not a lot of them) support hairpinning (aka reflective relaying) to take packets from the NIC and return them straight to the NIC on the same port to the other MAC address, solving this connectivity issue.

The alternative is a virtual switch on the host, or a bridge.

I think you could also, potentially, just add the default: network to your PiHole container as well (so it has two virtual interfaces, one for the macvlan, one for the bridge, and Caddy would be able to talk to it over the bridge).
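
The dual-network arrangement suggested above, written out as a compose file. This is an added example, not a configuration posted in the thread: the bridge name `proxy_net`, the service names and the Pi-hole image name are assumptions, while the addresses and the macvlan settings are the ones quoted earlier.

```yaml
# Added example (constructed). "proxy_net", the service names and the
# pihole image name are assumptions; addresses come from the thread.
version: '2'

networks:
  pihole_network:                # macvlan: gives Pi-hole its own LAN address
    driver: macvlan
    driver_opts:
      parent: eth0
    ipam:
      config:
        - subnet: "192.168.0.0/24"
          gateway: "192.168.0.1"
          ip_range: "192.168.0.200/27"
  proxy_net:                     # user-defined bridge shared by Caddy and its upstreams
    driver: bridge

services:
  pihole:
    image: pihole/pihole
    container_name: pihole
    restart: always
    networks:
      pihole_network:
        ipv4_address: "192.168.0.2"   # LAN clients keep using this address for DNS
      proxy_net: {}                   # second interface, reachable from Caddy

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-data:/data
    networks:
      - proxy_net    # Docker's embedded DNS resolves "pihole" on this bridge
```

With both containers on the bridge, the upstream in the Caddyfile is addressed by container name (`pihole:80`) instead of the macvlan address, so the proxied traffic never has to cross the macvlan parent interface.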

Okay. Thank you for giving me food for thought. What I managed to do is to create a user defined bridge, to which I added every container in my stack.

PiHole now has both interfaces. Internal DNS works.

Caddyfile


http://pi.hole:80, http://pihole:80 {
	rewrite * /admin{uri}
	reverse_proxy pihole:80
}

THANK YOU!
