Reverse proxy + nginx over https

1. Caddy version (caddy version):

v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=

2. How I run Caddy:

manually using json configs

a. System environment:

Ubuntu 22.04 LTS

b. Command:

c. Service/unit/compose file:

d. My complete Caddyfile or JSON config:

3. The problem I’m having:

Trying to figure out how to use Caddy 2 as a reverse proxy to backend nginx over https.

public IP ---> Caddy server with auto https ---> reverse proxy to nginx over https on a private ip

I’m on a vps with a “private ip” but traffic on the “private IPs” is visible to other servers in the same data center. So I would like the communication to be encrypted.

Ideally I would use Caddy 2 for the backend but we have lots of sites with various rules and rewrites in nginx already so it would be hard to migrate everything to caddy configs.

I’ve put links to 3 articles that I think could work together but I can’t figure out how to connect everything.

4. Error messages and/or full log output:

5. What I already tried:

I’ve successfully set up a reverse_proxy over http using json configs
I’ve read all the docs I could find but can’t wrap my head around it.

6. Links to relevant resources:

https://smallstep.com/hello-mtls/doc/combined/nginx/requests

We have an nginx adapter for that, no need to migrate them (probably):

Anyway, we can’t help you unless you fill out the help template completely. There’s not enough info here. :man_shrugging:

Thanks for the reply.

I’ll test the nginx adapter, but doubt it would work since we use some 3rd party nginx modules and complex logging formats. But I was hoping to get help just understanding the process involved in the local https certificate generation and whether we could get nginx to request an SSL certificate.

In the 2nd article I attached it says to do this on the backend to get a certificate from the frontend:

office.roadrunner {
	tls {
		ca https://caddy.roadrunner/acme/local/directory
		ca_root /etc/ssl/certs/root.crt
	}
}

I was hoping there would be a way to get nginx to use the root certificate and somehow request certificate generation from the first article:

Configure Nginx to require clients to authenticate with a certificate issued by your CA

server {
    listen                 443 ssl;
    server_name            myserver.internal.net;
    # ...
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_verify_client      optional;

    # ...

    location / {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # ...
    }
}

I filled out the template the best I could. I’m more at the stage of understanding how things work, so I don’t have info for all the sections.


I think I might be able to use self-signed certificates securely. I always thought they were susceptible to man-in-the-middle attacks.

Thanks for elaborating.

That tells Caddy to get its certificates from an ACME server at https://caddy.roadrunner/acme/local/directory, not “the frontend.”

It sounds/looks like you are trying to do TLS mutual auth? (aka “client auth” with the normal “server auth” also happening)

But this sounds like you want Caddy to generate a certificate, not verify a client certificate.

So, best I can guess so far, is:

  • You want Caddy to serve your site over HTTPS
  • You want Caddy to proxy to an nginx backend also over HTTPS (Why nginx? And do you really need HTTPS on a private network? Caddy can do that, but most people don’t need that.)

To clarify:

  • Caddy will use HTTPS for all sites by default.
  • For internal-looking hostnames or IP addresses, Caddy will generate its own certificate automatically; otherwise for every other hostname, it will get a publicly-trusted certificate automatically instead.
  • You can use self-signed certificates without risk of MITM.
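To make the two points above concrete (Caddy serving the public site over HTTPS, and proxying to nginx over HTTPS on the private network), here is an added Caddyfile example; it is not from this thread or from the Caddy project, and the hostnames, private IP and certificate paths are assumptions.

```caddyfile
# Added example, not from the thread. Assumed names: example.com (public site),
# 10.0.0.12 (nginx on the private network), nginx.internal (name in nginx's
# server certificate), /etc/caddy/*.pem (private CA and proxy client cert).
example.com {
	# Public hostname: Caddy obtains a publicly-trusted certificate automatically.
	reverse_proxy https://10.0.0.12:443 {
		transport http {
			tls
			# Name the upstream certificate must match (and the SNI Caddy sends).
			tls_server_name nginx.internal
			# The private CA that signed nginx's certificate. Pinning it here is what
			# gives MITM protection; a self-signed or private-CA cert is fine as long
			# as Caddy is told which issuer to trust. Do not fall back to
			# tls_insecure_skip_verify, which would accept any certificate.
			tls_trusted_ca_certs /etc/caddy/internal-ca.pem
			# Optional mutual TLS: Caddy presents this client certificate, and the
			# nginx snippet above (ssl_client_certificate + ssl_verify_client)
			# rejects connections that do not carry a certificate from the same CA.
			tls_client_auth /etc/caddy/proxy-client.pem /etc/caddy/proxy-client.key
		}
	}
}
```

`caddy adapt --config Caddyfile --pretty` prints the equivalent JSON for anyone running Caddy from JSON configs as in the original post.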
