Reverse Proxy - no root access


(Daniel) #1

Hi All.

I am trying to set up a reverse proxy with LE SSL but the box I am using I don’t have root access to. I’ve pulled down the latest version of CaddyServer for the Linux box and it will launch. It can’t get access to port 80 or 443, which makes sense since it can’t access root and those ports are probably tied up anyway.

Based on what I have read I cannot ask Caddy to verify ownership of the domain using different ports, so I think I have to use the Cloudflare addon, but I am not sure how to pass my credentials to the Caddy Server. Are they to be included as arguments when I am running ./Caddy?

Thanks all.


(Matthew Fay) #2

Hi @Dimtar,

Here are the instructions you’ll need to follow to configure Caddy to use DNS verification:

https://caddyserver.com/docs/automatic-https#enabling-the-dns-challenge


(Daniel) #3

Thanks for the reply, I did read that documentation before posting but I do admit I got lost.

Is this meant to be in the Caddy file?

tls {
  dns cloudflare
}


(Matthew Fay) #4

Yes, that is the tls directive; it goes in your Caddyfile under the site you want to use DNS validation for. The dns subdirective tells Caddy which DNS provider it is going to use to set the acme-challenge TXT record.

https://caddyserver.com/docs/tls


(Daniel) #5

I get this error:

2017/12/21 00:53:57 Caddyfile:9 - Error during parsing: Unknown directive ‘dns’

./caddy -version
Caddy 0.10.10 (non-commercial use only)

./caddy -plugins

tls
tls.dns.cloudflare
tls.storage.file

The bottom of my Caddyfile:

tls {
  dns cloudflare
}


(Matthew Fay) #6

Can you post your entire Caddyfile?


(Daniel) #7

Yes, here it is.

https://slot.dimtar.net:14373 {
  gzip
  proxy /troy localhost:14372 {
    transparent
  }
}

tls {
  dns cloudflare
}


(Matthew Fay) #8

The top-level item of a Caddyfile must always be a site label. You’ve moved your tls directive outside of the site definition block, so Caddy has interpreted “tls” as the name of another site, with dns as a directive (which doesn’t exist, hence the error).

https://caddyserver.com/docs/caddyfile#structure

Instead, move tls directly under the site you want to use it for:

example.com {
  tls {
    dns cloudflare
  }
  ...
}

(Daniel) #9

Now we are getting somewhere:
Activating privacy features…2017/12/21 01:20:32 CloudFlare credentials missing

How do I set the environment variables? I tried CLOUDFLARE_EMAIL= in the Caddyfile and it didn’t work, but that’s not a surprise.

Do I set it as a switch on ./caddy? Or do I need to wrap it in something in the Caddyfile?


(Matthew Fay) #10

Environmental variables are not something you set using Caddy, but rather a function of the operating system, and possibly the init/supervisor system, of the host you’re running Caddy on.

Here’s a good run-down, which includes examples for different operating systems:


(Daniel) #11

Ah, an environment variable. I think I understand a little more now. Going to reach out to my host now for help on that one.

Obviously running this without root is less than ideal, but if I can get this to work it will be fantastic. Hopefully this thread helps people in future with a similar issue.

Thanks for your time, I do appreciate it.


(Matthew Fay) #12

No worries, happy to help.

Just to be unambiguous, when I refer to the host you’re running Caddy on, I mean the machine or instance (the “box”), not the service provider themselves. If you ask your provider, they will likely point you at some documentation on how to set the variables yourself.


(Daniel) #13

I understand but thanks for clarifying. My host (the company) are very helpful and I assume they will point me to some documentation but I have no issue with that as it gives me something to move on with.

Thanks again.


(Daniel) #14

Ok, me again sorry.

My host support suggested setting the environment variables in ~/.bashrc, so I did the following:

nano ~/.bashrc
Added these two lines (the real file has the real details; I just modified them for the sake of a public forum)

CLOUDFLARE_EMAIL=abc
CLOUDFLARE_API_KEY=123

I logged out and back in just in case, but it doesn’t work. Also I ran:
echo $CLOUDFLARE_EMAIL
This came back with the correct email address but if I run caddy I get this:
Activating privacy features…2017/12/21 02:44:44 CloudFlare credentials missing

I have no doubt missed something, but I cannot see what that is, sorry. If you want me to send you anything that’s fine, but with API keys it will need to be via a private method please.


(Matthew Fay) #15

What method do you use to run Caddy?

Remember that your .bashrc is only sourced when you run a non-login shell as your user. Running Caddy as a service, for example, wouldn’t source this file.


(Daniel) #16

Just ./caddy

Can I create a file and have it load that, like an additional conf file?


(Matthew Fay) #17

That’s possible, usually done via unit configuration for an init system like systemd.

To rule out a problem with Caddy, try setting the variables inline:

CLOUDFLARE_EMAIL=abc CLOUDFLARE_API_KEY=123 ./caddy

(Daniel) #18

I got a little further.

Activating privacy features… done.
2017/12/21 06:17:51 listen tcp :80: bind: permission denied

Hopefully I can get around this because I cannot use port 80


(Matthew Fay) #19

You can change which ports Caddy binds to in two ways:

  1. Specify ports in your Caddyfile, i.e. http://example.com:8080, https://example.com:8443
  2. Use the -http-port and -https-port flags when launching Caddy, i.e. caddy -http-port 8080 -https-port 8443

https://caddyserver.com/docs/cli#http-port


(Daniel) #20

And we have a winner!

(slightly modified for privacy)

CLOUDFLARE_EMAIL=abc CLOUDFLARE_API_KEY=123 ./caddy -http-port 14373 -https-port 14374

I have a working reverse proxy secured by SSL on a box I don’t have root access to. I need to work out how to make it work in screen, but that’s something else.

Thank you for your patience and help. I am going to do up a guide for the host I use so other users can make use of this great software.
Doesn’t seem like there is a donation link, which is ok, but I was hoping to send you some beer/chocolate money.