Trying to figure out how to use Caddy 2 as a reverse proxy to backend nginx over https.
public IP ---> Caddy server with auto https ---> reverse proxy to nginx over https on a private ip
I’m on a VPS with a “private IP” but traffic on the “private IPs” is visible to other servers in the same data center. So I would like the communication to be encrypted.
Ideally I would use Caddy 2 for the backend but we have lots of sites with various rules and rewrites in nginx already so it would be hard to migrate everything to caddy configs.
I’ve put links to 3 articles that I think could work together but I can’t figure out how to connect everything.
4. Error messages and/or full log output:
5. What I already tried:
I’ve successfully set up a reverse_proxy over HTTP using JSON configs.
I’ve read all the docs I could find but can’t wrap my head around it.
I’ll test the nginx adapter, but doubt it would work since we use some 3rd party nginx modules and complex logging formats. But I was hoping to get help just understanding the process involved in the local HTTPS certificate generation and whether we could get nginx to request an SSL certificate.
In the 2nd article I attached it says to do this on the backend to get a certificate from the frontend:
office.roadrunner {
	tls {
		ca https://caddy.roadrunner/acme/local/directory
		ca_root /etc/ssl/certs/root.crt
	}
}
I was hoping there would be a way to get nginx to use the root certificate and somehow request certificate generation from the first article:
Configure Nginx to require clients to authenticate with a certificate issued by your CA
That tells Caddy to get its certificates from an ACME server at https://caddy.roadrunner/acme/local/directory, not “the frontend.”
It sounds/looks like you are trying to do TLS mutual auth? (aka “client auth” with the normal “server auth” also happening)
But this sounds like you want Caddy to generate a certificate, not verify a client certificate.
So, best I can guess so far, is:
You want Caddy to serve your site over HTTPS
You want Caddy to proxy to an nginx backend also over HTTPS (Why nginx? And do you really need HTTPS on a private network? Caddy can do that, but most people don’t need that.)
To clarify:
Caddy will use HTTPS for all sites by default.
For internal-looking hostnames or IP addresses, Caddy will generate its own certificate automatically; otherwise for every other hostname, it will get a publicly-trusted certificate automatically instead.
You can use self-signed certificates without risk of MITM.
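As an added example (not from either post above), here is a Caddyfile for the frontend that does the two things the reply describes: serves the public site with automatic HTTPS, and proxies to nginx over HTTPS while verifying the backend's certificate against the same root CA the original post mentions. It also exposes Caddy's built-in "local" CA as an ACME endpoint on the internal hostname, which is the directory URL quoted from the second article. The hostnames example.com, nginx.internal, the upstream address 10.0.0.5:443 and the path /etc/ssl/certs/root.crt are assumptions for illustration.

```caddyfile
# Public site: Caddy obtains a publicly-trusted certificate automatically.
example.com {
	# Proxy to nginx over HTTPS on the private network. Verifying the
	# upstream certificate against the internal root CA is what prevents
	# another host in the data center from impersonating the backend.
	reverse_proxy https://10.0.0.5:443 {
		transport http {
			# SNI/name to verify on the backend certificate (assumed hostname)
			tls_server_name nginx.internal
			# Root certificate of the internal CA (assumed path)
			tls_trusted_ca_certs /etc/ssl/certs/root.crt
		}
	}
}

# Internal hostname: serves Caddy's own "local" CA over ACME at
# https://caddy.roadrunner/acme/local/directory, so backends can request
# certificates from it. The site's own certificate is issued by that CA.
caddy.roadrunner {
	tls internal
	acme_server
}
```

nginx itself does not speak ACME, so the backend still needs an ACME client (or a certificate exported from Caddy's CA) to obtain the certificate it presents on 10.0.0.5:443; the Caddy side only verifies it. Leaving out tls_trusted_ca_certs and using tls_insecure_skip_verify instead would encrypt the hop but give up exactly the MITM protection the original post is after.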