Reverse proxy for Cloudfront

1. Caddy version (caddy version):

Tried both 2 and 2.2.1

2. How I run Caddy:

I run Caddy as a reverse proxy to external cloudfront domains.

a. System environment:

Using Ubuntu 18.0.4 on AWS Lightsail with docker-compose.

b. Command:

docker-compose up

c. Service/unit/compose file:

docker-compose.yml

version: "3.7"

networks:
  web:
    external: true

services:
  caddy:
    image: caddy:2.2.1-alpine
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "$HOME/Caddyfile:/etc/Caddyfile"
      - "$HOME/caddy:/root/.caddy"
    networks:
      - web

d. My complete Caddyfile or JSON config:

grailbyte.de:443 {
    reverse_proxy * dcsu781bfzy0r.cloudfront.net:443 {
        # added those as they were mentioned in caddy v1 configs / transparent option, default in v2?
        header_up Host {http.request.host}
        header_up X-Real-IP {http.request.remote}
        header_up X-Forwarded-For {http.request.remote}
        header_up X-Forwarded-Port {http.request.port}
        header_up X-Forwarded-Proto {http.request.scheme}
    }
    # unfortunately does not work, as rewrite only works for internal urls, according to one post 
    # rewrite * https://dcsu781bfzy0r.cloudfront.net:443
}

3. The problem I’m having:

Getting a 400 error from cloudfront when opening the website --> If I redirect, it works like a charm, but I need the client-side URL to stay the same. So I figured I'd use a reverse proxy.

No errors logged by Caddy.

4. Error messages and/or full log output:

5. What I already tried:

Tried to solve it:

  1. using rewrite (only for internal, already mentioned above)
  2. checked if redir works --> it does
  3. added headers as they were in the tutorials for caddy v1 or configuration with option “transparent”. If I recall correctly, that is default behavior for caddy v2, but just to keep it safe.
  4. Went through all posts regarding and/or mentioning cloudfront, as I suspect it to be the problem. Tried all of the suggestions mentioned in those posts. If needed, I will link all of them in a separate answer down below, as I saw new users can only add 4 links.

6. Links to relevant resources:

Used the following resources apart from the docs as well as community posts:

Happy for all the help I can get on this! Really appreciate it!

Your docker-compose.yml doesn’t look quite right. Please review the docs on Docker Hub.

Remove these lines; they are not useful in Caddy v2:

By default, reverse_proxy will use the host from the original request. To properly connect to Cloudfront, you’ll probably need to use the Cloudfront hostname. There’s an example at the bottom of the reverse_proxy docs for this:

reverse_proxy https://dcsu781bfzy0r.cloudfront.net {
	header_up Host {http.reverse_proxy.upstream.hostport}
}
2 Likes
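As an added example (not code from the thread or from the Caddy project), a small Python lint that flags the two points raised in this reply: a reverse_proxy to an external upstream whose Host header is not rewritten to {http.reverse_proxy.upstream.hostport}, and leftover v1-style header_up lines. The Caddyfile parsing is a simplified line-based heuristic, not Caddy's own parser, and the sample configs are constructed from the thread.

```python
import re

# v1 "transparent"-style lines; the reply above says they are not useful in v2.
V1_HEADERS = {"X-Real-IP", "X-Forwarded-For", "X-Forwarded-Port", "X-Forwarded-Proto"}
UPSTREAM_HOST = "{http.reverse_proxy.upstream.hostport}"

def is_external(upstream):
    """Heuristic: a dotted hostname that is not an IP literal is an external host."""
    host = re.sub(r"^[a-z]+://", "", upstream).split(":")[0]
    return "." in host and re.fullmatch(r"[\d.]+", host) is None

def lint_caddyfile(text):
    """Return (subject, problem) tuples for every reverse_proxy directive in text."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        tokens = lines[i].split()
        i += 1
        if not tokens or tokens[0] != "reverse_proxy":
            continue
        args, body = tokens[1:], []
        if args and args[-1] == "{":          # collect the directive's sub-block
            args = args[:-1]
            while i < len(lines) and lines[i].strip() != "}":
                body.append(lines[i].split())
                i += 1
            i += 1                            # skip the closing brace
        # Everything that is not a matcher ("*", "/path", "@name") is an upstream.
        upstreams = [a for a in args if a != "*" and a[0] not in "/@"]
        headers = {p[1]: p[2] for p in body if len(p) >= 3 and p[0] == "header_up"}
        for up in upstreams:
            if is_external(up) and headers.get("Host") != UPSTREAM_HOST:
                findings.append((up, "Host not set to upstream; external host may reply 400"))
        findings += [(h, "v1-style header_up, not needed in Caddy v2")
                     for h in sorted(headers) if h in V1_HEADERS]
    return findings

# Constructed Caddyfiles modelled on the thread (the poster's broken one and the fix).
BROKEN = """grailbyte.de:443 {
    reverse_proxy * dcsu781bfzy0r.cloudfront.net:443 {
        header_up Host {http.request.host}
        header_up X-Real-IP {http.request.remote}
        header_up X-Forwarded-For {http.request.remote}
    }
}"""
FIXED = """grailbyte.de {
    reverse_proxy https://dcsu781bfzy0r.cloudfront.net {
        header_up Host {http.reverse_proxy.upstream.hostport}
    }
}"""
```

Running lint_caddyfile(BROKEN) reports the unrewritten Host plus the two v1-style headers; lint_caddyfile(FIXED) reports nothing.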

Thanks for the quick answer! It loads the provided content from cloudfront now (no more errors)!

Sorry, I copied an old version of my docker-compose.yml (that one would not even work, you are right).
Here is the correct version (works):

version: "3"

networks:
    web:
        external: true

services:
    caddy:
        image: caddy:2.2.1-alpine
        restart: unless-stopped
        ports:
            - "80:80"
            - "443:443"
        volumes:
            - /data/caddy/Caddyfile:/etc/caddy/Caddyfile
            - /data/caddy/data:/data
            - /data/caddy/config:/config
        networks:
            - web

edit: everything works as expected! Thanks!

1 Like