Reverse proxying only HTTP

1. The problem I’m having:

I’m trying to reverse proxy a web (ruby) app over HTTP (port 80) only.
From my understanding (Disable automatic https - #2 by matt) requesting http://172.14.0.14 or 172.14.0.14:80 should just work. However, that is not working.

curl -vL 172.14.0.14:80
*   Trying 172.14.0.14:80...
* Connected to 172.14.0.14 (172.14.0.14) port 80
> GET / HTTP/1.1
> Host: 172.14.0.14
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://172.14.0.14/
< Server: Caddy
< Date: Wed, 20 Mar 2024 13:05:25 GMT
< Content-Length: 0
<
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://172.14.0.14/'
*   Trying 172.14.0.14:443...
* connect to 172.14.0.14 port 443 failed: Connection refused
* Failed to connect to 172.14.0.14 port 443 after 79 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 172.14.0.14 port 443 after 79 ms: Couldn't connect to server

So, I have also tried to disable auto HTTPS redirection by adding the following at the very top of my Caddyfile.

{
  auto_https off
}

With this global option, I don’t get the redirect but still I’m not able to connect.

curl -vL 172.17.1.14:80
*   Trying 172.17.1.14:80...
* connect to 172.17.1.14 port 80 failed: Connection refused
* Failed to connect to 172.17.1.14 port 80 after 184 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 172.17.1.14 port 80 after 184 ms: Couldn't connect to server

Everything works fine if I try to connect directly to port 9292.

Am I missing something here? Thanks.

2. Error messages and/or full log output:

SEE ABOVE curl OUTPUTS.

3. Caddy version:

docker-compose exec proxy caddy version
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

4. How I installed and ran Caddy:

a. System environment:

lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 20.04 LTS
Release:	20.04
Codename:	focal

docker -v
Docker version 19.03.12, build 48a66213fe

b. Command:

docker compose up

c. Service/unit/compose file:

version: '2'

services:
  web:
    container_name: 'dm4sea'
    image: dm4sea:2024.1.q1
    command: bin/puma
    ports:
      - 9292:9292
    networks:
      - net
    restart: unless-stopped

  proxy:
    container_name: 'caddy'
    image: caddy:2.7.6-alpine
    volumes:
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
      - /usr/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    ports:
      - 80:80
    depends_on:
      - web
    networks:
      - net
    restart: unless-stopped

volumes:
  caddy_data:
  caddy_config:

networks:
  net:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 166.0.0.0/24
          gateway: 166.0.0.1

d. My complete Caddy config:

172.14.0.14 {
  handle {
    reverse_proxy web:9292
  }
}

That post of mine that you linked to is from early 2020, during Caddy’s beta period. Things have changed a bit and we now serve every site over HTTPS unless you explicitly declare HTTP. We just use a locally-trusted CA for IP addresses by default.

So this should be your config:

http://172.14.0.14 {
  handle {
    reverse_proxy web:9292
  }
}

Hi Matt,
Thanks for the reply.
http:// did the trick.

You said “We just use a locally-trusted CA for IP addresses by default.” Does that mean I could switch to https even if my machine is not connected to the Internet?

I tried to open port 443 on my Caddy container (with my original Caddyfile, so no http://) but when I point the browser to https://172.14.0.14 I get Error code: SSL_ERROR_INTERNAL_ERROR_ALERT.

Is there any additional step I should be aware of to enable https?

This is the content of my volume. The certificate seems to be there.

ls /var/lib/docker/volumes/test_caddy_data/_data/caddy/pki/authorities/local/
intermediate.crt  intermediate.key  root.crt  root.key
ls /var/lib/docker/volumes/test_caddy_data/_data/caddy/certificates/local/172.14.0.14/
172.14.0.14.crt  172.14.0.14.json  172.14.0.14.key

Any errors in the logs?

If you’re running caddy in a container then it’s unlikely the host will trust the certificate. I recommend just running on the host if you can. Or you’ll have to install the root ca on your host yourself.

Yes, Caddy can act as its own CA to issue certificates, but they won’t be trusted by any machine unless you do some additional setup.

See the steps here for setting up local HTTPS with a Docker container:

Thanks for your reply.
I have copied the certificate at /usr/local/share/ca-certificates/root.crt of the host

 sudo cat /usr/local/share/ca-certificates/root.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

and added it to my Firefox

But I still get Error code: SSL_ERROR_INTERNAL_ERROR_ALERT.

Any ideas what I am missing?
Thanks again.

That’s the wrong cert. If you’re running Caddy in Docker, then you need to grab the cert from inside the container. See the instructions at the link I gave.

Hi Francis,
Sorry, I have mistyped “on”.

I have copied the certificate at /usr/local/share/ca-certificates/root.crt ON the host.
The certificate in the container has been copied to the host.

Thanks again.
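As an added example (not a config from this thread or from the Caddy project), here is a single Caddyfile that serves the same upstream both ways discussed above: plain HTTP on 80 with no redirect, and HTTPS on 443 with Caddy's locally-trusted CA. It assumes the compose service name `web` and the IP from the thread, and the HTTPS block additionally needs `443:443` mapped in the proxy's compose ports.

```caddyfile
# Added example, not from the thread. Assumes service "web" on 9292 and the
# thread's IP; "443:443" must be added under the proxy service's ports.

# Plain HTTP only: the http:// prefix is what stops the 308 redirect.
# Note that "auto_https off" alone does not do this: an unprefixed site
# still listens on 443, so port 80 stays "connection refused" if only
# 80:80 is mapped.
http://172.14.0.14 {
  handle {
    reverse_proxy web:9292
  }
}

# HTTPS using Caddy's internal CA. This is already the default for IP
# address sites; "tls internal" just makes the intent explicit.
# The browser must trust the CA root that lives INSIDE the container at
# /data/caddy/pki/authorities/local/root.crt (i.e. the caddy_data volume),
# not a root.crt generated elsewhere on the host.
https://172.14.0.14 {
  tls internal
  handle {
    reverse_proxy web:9292
  }
}
```

With both blocks present, a client that is not yet trusting the internal root still has a working HTTP path, which is useful while distributing root.crt to the machines that need it.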