Routing acme requests via http proxy

1. The problem I’m having:

Caddy server is unable to make direct requests to the internet and must go through an outbound proxy.

I was expecting to find a configuration item under the acme issuer to make such requests via an upstream http proxy but can’t see one. Does such a thing exist?

For example:

        tls {
                issuer acme {https://acme.example.com/} {
                        proxy http://my.proxy.internal:3128/
                }
        }

2. Error messages and/or full log output:

n/a

3. Caddy version:

# caddy version
unknown

# apk info caddy | head
caddy-2.7.6-r3 description:

4. How I installed and ran Caddy:

apk add caddy

5. Links to relevant resources:

None that I can think of

I’m pretty sure we obey the HTTP_PROXY and HTTPS_PROXY env vars. Have you tried setting those?

Thanks, I had expected a reference to that in the documentation but that does appear to work. I’ll give it a proper go and confirm later.

Thanks!

This has sorted the ACME part of the process but seems to have resulted in all outbound requests being sent via the proxy which is not what I need… it’s just the ACME requests I want routed via the external proxy.

Is there a configuration method to force reverse_proxy to not honour HTTP_PROXY?

We respect the convention of NO_PROXY environment variable, so you can set it for your reverse proxy.


Just so I’m clear, the only way to achieve this is to:

  1. Set a “global” proxy that applies to everything
  2. Explicitly list everything other than ACME requests in NO_PROXY

Is that right?

Would you be amenable to having an RFE raised for this somewhere? And if so, where?

That’s right.

Perhaps. Issues and feature requests are typically reported on our GitHub repository. Can you share more about your use case? What is your setup like? Keep in mind that NO_PROXY accepts CIDR and DNS names with * wildcard. Is it still not good enough for your use case?


I’m thinking of a situation where the nodes on which Caddy runs don’t have direct outbound internet access (as a security measure)… all outbound HTTP requests must go via a restricted proxy (we use squid for this).

Caddy’s function is to reverse-proxy client requests to internal nodes (directly, not via another proxy layer).

ACME requests need to traverse the HTTP (squid) proxy to get out onto the internet.

Given what you’ve said, it would be possible to use:

HTTP_PROXY=squid:3128
NO_PROXY=node1,node2,node3,node4,...

But this isn’t particularly scalable and being able to explicitly say, for ACME requests, to use a specific proxy, would be useful.

(or am I misunderstanding?)
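As an added illustration that is not part of the thread, the snippet below uses Go's own http.ProxyFromEnvironment (the resolver Caddy's HTTP transports inherit) to show how that HTTP_PROXY/NO_PROXY split routes the ACME directory versus the upstream nodes. The proxy address, node names and ACME URL are constructed for the example; note that Go only consults HTTPS_PROXY for https URLs, so HTTP_PROXY alone would leave the ACME calls unproxied.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
)

// Constructed values for the example: the outbound squid proxy and the
// single-label names of the internal upstream nodes (assumptions, not a real setup).
const squidProxy = "http://squid:3128"

var upstreamNodes = []string{"node1", "node2", "node3", "node4"}

var configureOnce sync.Once

// configureProxyEnv sets the process-wide variables that Go's default proxy
// resolver reads. Go parses them only once per process, so this must run
// before the first ProxyFromEnvironment call and cannot be changed afterwards.
func configureProxyEnv() {
	configureOnce.Do(func() {
		os.Setenv("HTTP_PROXY", squidProxy)
		os.Setenv("HTTPS_PROXY", squidProxy) // required: ACME directory URLs are https
		os.Setenv("NO_PROXY", strings.Join(upstreamNodes, ","))
	})
}

// ProxyFor returns the proxy URL Go's resolver selects for rawURL, or ""
// when the request would go direct (the decision Caddy's transports get).
func ProxyFor(rawURL string) (string, error) {
	configureProxyEnv()
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

func main() {
	for _, target := range []string{
		"https://acme.example.com/directory", // ACME traffic: expected via squid
		"http://node1:8080/app",              // upstream node: expected direct
		"https://node3/api",                  // NO_PROXY entry matches any port
	} {
		p, err := ProxyFor(target)
		fmt.Printf("%-40s proxy=%q err=%v\n", target, p, err)
	}
}
```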

Ok, the global nature of the environment variables is at odds with the specificity of the proxying needs (internal vs external communication). Also, the nodes’ addresses being single-label makes it hard to use a wildcard without stepping on the toes of the multi-label external address, i.e. setting NO_PROXY=* ends up being equivalent to not setting the HTTP_PROXY vars.

There was an addition of support for a specific/explicit forward-proxy URL in reverse-proxy for a similar reason, i.e. the env vars are global and affect all modules.

I’m proposing a modular setting of the proxy URL that could work for reverse-proxy and the ACME client. It’s up for discussion. Feel free to continue discussion on GitHub:
