Reverse Proxy for Synology apps

tmb4016 · September 13, 2022, 7:34pm

1. Output of `caddy version`:

v2.4.3

2. How I run Caddy:

a. System environment:

Raspberry Pi, Bulleye using systemctl with Caddyfile

b. Command:

sudo systemctl caddy start

c. Service/unit/compose file:

Paste full file contents here.
Make sure backticks stay on their own lines,
and the post looks nice in the preview pane. -->

d. My complete Caddy config:


www.photo.website.com, photo.website.com {
reverse_proxy 192.168.25.210:8025

}

3. The problem I’m having:

The above caddyfile works fine … The port 8025 is a normal http port for the synology photos application. The problem occurs if I change the port to the https port for the Synology photos app.

reverse_proxy 192.168.25.210:8935

4. Error messages and/or full log output:

A Browser displays the message 
400 BAD Request 
The plain HTTP request was sent to HTTPS port

5. What I already tried:

I’ve tried numerous options with the transport http but no sucess.
It looks like caddy is only using https as far as the caddy server and not providing a certificate to the internal address. Is this the default and if so how do I get caddy to server https between the caddy server and the internal application.

The caddy reverse proxy is inside a dmz but I would like to use https all the way to the endpoint.

Apologies if this is a dumb question but this is an early excursion into this type of deployment, so I am trying to understand things before any live applications are deployed.

6. Links to relevant resources:

matt · September 13, 2022, 7:47pm

The docs have an example for reverse-proxying to an HTTPS backend: reverse_proxy (Caddyfile directive) — Caddy Documentation

reverse_proxy https://example.com {
	header_up Host {upstream_hostport}
}

So in your case:

reverse_proxy https://192.168.25.210:8935 {
	header_up Host {upstream_hostport}
}

(Make sure the certificate offered by the backend is trusted by Caddy’s system. If not, you can tell Caddy to trust it using tls_trusted_ca_certs or by installing the root into your system store.)

Btw, HTTPS on internal networks is often unnecessary if you can trust the network.

tmb4016 · September 13, 2022, 8:35pm

Hi Matt,

Thanks for the quick response … I’ve given it a quick try and still get the same response. I will do some more reading and try a few things.

the https on the internal side is more of an exercise in how to - more out of curiosity on my part.

Thanks for the info.

system · October 13, 2022, 7:35pm

This topic was automatically closed after 30 days. New replies are no longer allowed.