Reverse proxy - can you redirect https to http?

1. The problem I’m having:

Is it possible to reverse proxy an https request to an internal http server? As those are different (http, https) I guess this might be tricky, but I wonder if there's a way. I've set up an environment in podman containers to try things out and learn - the default redirect to https proves problematic in this isolated, local scenario.

2. Error messages and/or full log output:

When trying to http->http all works correctly. But when I try https->https curl gives me:

error:0A000438:SSL routines::tlsv1 alert internal error

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

Here’s my compose file and caddyfile:

---
services:
  caddy:
    image: docker.io/library/caddy:2
    container_name: "caddy"   # compose services take container_name; a bare "name" key is not a service attribute
    restart: always
    cap_add:
      - NET_ADMIN             # not needed for Caddy to bind 80/443 inside the container
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"         # HTTP/3 (QUIC)
    volumes:
      - /home/uslugi/cont_sample/Caddyfile:/etc/caddy/Caddyfile:z
      - /home/uslugi/cont_sample/site:/srv:z
      # Caddy's local root CA is written under here at caddy/pki/authorities/local/root.crt
      - /home/uslugi/cont_sample/caddy_data:/data:z
      - /home/uslugi/cont_sample/caddy_config:/config:z
    networks:
      - caddytestnet
      - intnet

  hello1:
    image: nginxdemos/hello
    container_name: "hello1"
    networks:
      - intnet

  hello2:
    image: nginxdemos/hello
    container_name: "hello2"
    networks:
      - intnet

  hello3:
    image: nginxdemos/hello
    container_name: "hello3"
    networks:
      - intnet

networks:
  caddytestnet:
    driver: bridge
  intnet:
    internal: true            # no external connectivity; hello* are reachable only from containers on intnet (Caddy)

... 
# Explicit http:// scheme: a plain-HTTP site on port 80, no TLS
http://127.0.0.1 {
    reverse_proxy hello1:80
}

http://127.0.0.2 {
    reverse_proxy hello2:80
}

# No scheme: served over HTTPS on 443. For an IP address Caddy issues the
# certificate from its own internal CA, which the client has to trust.
# The hop from Caddy to the upstream stays plain HTTP.
127.0.0.3 {
    reverse_proxy http://hello3:80
}

I run it with podman compose up.

Naturally in the above scenario https://127.0.0.3 fails.

You don’t seem to have a https listener.

https://mydom.com {
	reverse_proxy http://127.0.0.1:80 {
		header_up Host {upstream_hostport}
	}
}

You’re not redirecting, you’re reverse proxying. A redirect has a specific meaning, i.e. a kind of HTTP response that carries a Location header telling the client “try again at this URL instead”.

To serve HTTPS without a domain, you need to install Caddy’s root CA cert on the host machine so that the client trusts the server’s certificate. See Keep Caddy Running — Caddy Documentation

Thank you Forza. I’ve looked at the docs here:

… but I have to admit it might as well have been written in a foreign language. I don’t get it.

So I’ve simply tried changing Caddyfile:

    reverse_proxy http://hello3:80 {
        header_up Host {upstream_hostport}
    }

but that didn’t help. With curl https://127.0.0.3 I get tlsv1 alert internal error, while curl 127.0.0.3:443 gets me Client sent an HTTP request to an HTTPS server.

@francislavoie Thank you for pointing out the difference in meaning between redirection and reverse proxying.

I’ll try generating certs. But - ok, so I’d have less trouble trying things out on an actual web server, not locally?

Yeah you don’t need that, that’s about when Caddy is sending requests to the upstream over HTTPS instead of HTTP, which you’re not doing (the proxy defaults to HTTP unless you use https://, but you used http:// so obviously it’s not HTTPS).

As a proxy, the way it works is your client (e.g. Curl or your browser) makes a request to Caddy, then Caddy makes a new request as a copy of the original request, and sends that to the upstream, then gets the response and returns it to the original client. So you can have HTTPS between the client and Caddy, then HTTP between Caddy and the upstream. That’s normal and how it’s normally done.

You don’t need to “generate” anything. Caddy does that for you. All you need to do is grab the root CA cert from Caddy’s storage (follow the instructions I linked) then install it on your host machine’s trust store. There’s a one-liner command you can run to do that on Linux. Obviously since you’re using podman you’ll need to adjust it to work with that instead of Docker, but the same idea applies.

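The two points made in the replies above, that a redirect is a response telling the client to go elsewhere while a reverse proxy makes its own copy of the request to the upstream and relays the answer, and that `header_up Host {upstream_hostport}` changes what the upstream sees, can be watched end to end with the following added example. It is not code from this thread or from Caddy: a stand-alone Python 3 script (standard library only) that starts a stand-in for hello3:80, a front end that only redirects, and a front end that reverse-proxies, all on loopback with ephemeral ports. The TLS half is deliberately left out because there is no certificate to terminate with here (in the thread that is Caddy's job in front of the proxy), so every hop below is plain HTTP. The names `Upstream`, `make_redirect_handler`, `make_proxy_handler`, `serve`, `fetch` and `demo`, and the request path `/index.html`, are this example's own.

```python
"""Added example (not from the Caddy thread): redirect versus reverse proxy.
Three loopback HTTP servers on ephemeral ports: an upstream standing in for
hello3:80, a front end that only redirects, and a front end that proxies."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hop-by-hop headers (RFC 9110 s.7.6.1) are per-connection: never relay them.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

class Upstream(Quiet):
    """Stand-in for hello3: records the Host header it got and echoes it."""
    seen_hosts = []  # constructed bookkeeping so the demo can inspect it

    def do_GET(self):
        host = self.headers.get("Host", "")
        Upstream.seen_hosts.append(host)
        body = f"hello from upstream, Host={host}\n".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def make_redirect_handler(target_base):
    """A redirect is only a response: 301 + Location; the client goes there itself."""
    class Redirect(Quiet):
        def do_GET(self):
            self.send_response(301)
            self.send_header("Location", target_base + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()
    return Redirect

def make_proxy_handler(upstream_hostport):
    """A reverse proxy re-issues the request to the upstream and relays the reply."""
    class Proxy(Quiet):
        def do_GET(self):
            headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
            # Same effect as Caddy's `header_up Host {upstream_hostport}`
            headers["Host"] = upstream_hostport
            headers["X-Forwarded-For"] = self.client_address[0]
            conn = http.client.HTTPConnection(upstream_hostport, timeout=5)
            conn.request("GET", self.path, headers=headers)
            resp = conn.getresponse()
            body = resp.read()
            conn.close()
            self.send_response_only(resp.status, resp.reason)
            for k, v in resp.getheaders():
                if k.lower() not in HOP_BY_HOP and k.lower() != "content-length":
                    self.send_header(k, v)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
    return Proxy

def serve(handler):
    """Bind an ephemeral loopback port and serve it from a daemon thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"127.0.0.1:{srv.server_address[1]}"

def fetch(hostport, path="/"):
    """Client that does not follow redirects: returns (status, Location, body)."""
    conn = http.client.HTTPConnection(hostport, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    result = (resp.status, resp.getheader("Location"), resp.read().decode())
    conn.close()
    return result

def demo():
    """Start all three servers, query each front end once, then tear down."""
    Upstream.seen_hosts.clear()
    up_srv, upstream = serve(Upstream)
    redir_srv, redirector = serve(make_redirect_handler("http://" + upstream))
    proxy_srv, proxy = serve(make_proxy_handler(upstream))
    try:
        via_redirect = fetch(redirector, "/index.html")
        via_proxy = fetch(proxy, "/index.html")
    finally:
        for srv in (up_srv, redir_srv, proxy_srv):
            srv.shutdown()
            srv.server_close()
    return {"redirect": via_redirect, "proxy": via_proxy,
            "upstream_saw_host": list(Upstream.seen_hosts)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to print what a client sees from each front end: the redirector answers 301 with a Location pointing at the upstream and never contacts it (the upstream records exactly one request, the proxied one), while the proxy answers 200 with the upstream's own body. The Host the upstream records is the proxy's `127.0.0.1:<port>` target rather than whatever the client sent, which is the effect of `header_up Host {upstream_hostport}`; leave that line out of a Caddyfile and Caddy passes the client's original Host through, which is what an upstream that routes by virtual host needs.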