Reverse proxying to IP address in https

1. Caddy version (caddy version): 2.1.1

2. How I run Caddy:

In a docker container

a. System environment:

b. Command:

docker-compose up -d

c. Service/unit/compose file:

docker-compose.yml:

version: "3.7"

networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 172.29.24.0/24
services:
  caddy:
    container_name: caddy
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    networks:
      default:
        ipv4_address: 172.29.24.2
    volumes:
      - $PWD/caddyfile:/etc/caddy
      - $PWD/site:/srv
      - $PWD/caddy_data:/data
      - $PWD/caddy_config:/config

volumes:
  caddy_data:
  caddy_config:

d. My complete Caddyfile or JSON config:

web.mysite.com
reverse_proxy https://192.168.1.5:9443

3. The problem I’m having:

Trying to connect to https://web.mysite.com gives an error. If the Caddyfile points to the http version of the upstream (reverse_proxy http://192.168.1.5:8080), everything is fine (but presumably not encrypted between Caddy and the web server).

9443 & 8080 are the ports for the web server.

4. Error messages and/or full log output:

{"level":"error","ts":1606926250.202709,"logger":"http.log.error","msg":"x509: cannot validate certificate for 192.168.1.5 because it doesn't contain any IP SANs","request":{"remote_addr":"192.168.1.1:53972","proto":"HTTP/1.1","method":"GET","host":"web.crach.site","uri":"/","headers":{"Accept":["*/*"],"User-Agent":["curl/7.43.0"]},"tls":{"resumed":false,"version":771,"cipher_suite":49196,"proto":"http/1.1","proto_mutual":true,"server_name":"web.mysite.com"}},"duration":0.125343725,"status":502,"err_id":"6ue14i83n","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:441)"}

5. What I already tried:

6. Links to relevant resources:

Please take a look at the reverse_proxy http transport’s TLS options:

HTTPS by default requires trust to be established. Caddy is trying to verify the given certificate, but it wasn’t able to.


Ok, many thanks for the tip. I now know where to look. Need a way to attach a certificate to an ip address. Was more or less counting on the reverse proxy to handle that, but it probably was not reasonable. I need to brush up my network management skills!

Only the server can present a certificate for itself; so you’d have to get the upstream at 192.168.1.5 to do so. (If it is a Caddy server, it will do this automatically using a self-signed, locally-trusted CA.)
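As an added example, not part of this thread or of Caddy's own code: the Go program below reproduces the exact error from the log with crypto/x509, the verifier Caddy's reverse_proxy uses when it dials an https:// upstream, and then shows the outcomes that the http transport's tls options map to. The private CA, the two upstream certificates and the DNS name web.internal are all constructed here for illustration; nothing is fetched from a real upstream.

```go
// Added example: why Caddy logs "x509: cannot validate certificate for
// 192.168.1.5 because it doesn't contain any IP SANs", and what fixes it.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// UpstreamIP is the upstream from the thread. "web.internal" (used in main)
// is an assumed DNS name that the upstream's existing certificate might carry.
const UpstreamIP = "192.168.1.5"

// issue signs tmpl with parent/parentKey, or self-signs it when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a throwaway private CA, standing in for whatever issued the
// upstream's certificate (for a Caddy upstream, its local CA).
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil, nil)
}

// NewServerCert issues a leaf for the upstream with the given SANs. The CN is
// deliberately set to the IP to show that it is ignored: only SANs are matched.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, error) {
	cert, _, err := issue(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: UpstreamIP},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return cert, err
}

// UpstreamTLSConfig mirrors the reverse_proxy http transport's tls options:
// RootCAs is what tls_trusted_ca_certs fills, ServerName is what
// tls_server_name overrides (by default the host in the dial address, here the
// IP). InsecureSkipVerify, which tls_insecure_skip_verify sets, stays false.
func UpstreamTLSConfig(trusted *x509.Certificate, serverName string) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// VerifyUpstream performs the check crypto/tls runs during the handshake with
// that config: chain the leaf to RootCAs and match ServerName against its SANs.
func VerifyUpstream(leaf *x509.Certificate, cfg *tls.Config) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		DNSName:   cfg.ServerName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	ca, caKey, err := NewCA("lab upstream CA")
	if err != nil {
		panic(err)
	}
	other, _, _ := NewCA("unrelated CA")
	dnsOnly, _ := NewServerCert(ca, caKey, []string{"web.internal"}, nil)
	withIP, _ := NewServerCert(ca, caKey, nil, []net.IP{net.ParseIP(UpstreamIP)})

	cases := []struct {
		what string
		leaf *x509.Certificate
		cfg  *tls.Config
	}{
		{"DNS SAN only, dialed by IP (the 502 in the thread)", dnsOnly, UpstreamTLSConfig(ca, UpstreamIP)},
		{"same cert, tls_server_name web.internal", dnsOnly, UpstreamTLSConfig(ca, "web.internal")},
		{"re-issued with IP SAN, CA via tls_trusted_ca_certs", withIP, UpstreamTLSConfig(ca, UpstreamIP)},
		{"IP SAN present but issuing CA not trusted", withIP, UpstreamTLSConfig(other, UpstreamIP)},
	}
	for _, c := range cases {
		fmt.Printf("%-52s -> %v\n", c.what, VerifyUpstream(c.leaf, c.cfg))
	}
}
```

The first case prints the error from the log verbatim; the second passes without touching the upstream, because `tls_server_name` changes only the name Caddy verifies and sends as SNI, not the address it dials; the third is the fix described in the reply above (a certificate that actually lists the IP, plus trust in its issuer); the fourth shows that the IP SAN alone is not enough when the issuer is a private CA, so `tls_trusted_ca_certs` still has to point at that CA's root (for a Caddy upstream, the root of its local CA lives under its data directory at caddy/pki/authorities/local/root.crt). `tls_insecure_skip_verify` would make all four cases pass and is the one option that gives up the encryption-plus-authentication the poster was after.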

Many thanks!
