Caddy server is unable to make direct requests to the internet and must go through an outbound proxy.
I was expecting to find a configuration item under the acme issuer to make such requests via an upstream http proxy but can’t see one. Does such a thing exist?
This has sorted the ACME part of the process but seems to have resulted in all outbound requests being sent via the proxy which is not what I need… it’s just the ACME requests I want routed via the external proxy.
Is there a configuration method to force reverse_proxy to not honour HTTP_PROXY?
Perhaps. Issues and feature requests are typically reported on our GitHub repository. Can you share more about your use case? What is your setup like? Keep in mind that NO_PROXY accepts CIDR and DNS names with * wildcard. Is it still not good enough for your use case?
I’m thinking of a situation where the nodes on which Caddy runs don’t have direct outbound internet access (as a security measure)… all outbound HTTP requests must go via a restricted proxy (we use squid for this).
Caddy’s function is to reverse-proxy client requests to internal nodes (directly, not via another proxy layer).
ACME requests need to traverse the HTTP (squid) proxy to get out onto the internet.
Given what you’ve said, it would be possible to use:
OK, the global nature of the environment variables is at odds with the specificity of the proxying needs (internal vs external communication). Also, the nodes' addresses being single-label makes it hard to use a wildcard without stepping on the toes of the multi-label external address, i.e. setting NO_PROXY=* ends up being equivalent to not setting the HTTP_PROXY vars.
There was an addition of support for a specific/explicit forward-proxy URL in reverse-proxy for a similar reason, i.e. the env vars are global and affect all modules.
I’m proposing a modular setting of the proxy URL that could work for reverse-proxy and the ACME client. It’s up for discussion. Feel free to continue discussion on GitHub:
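As an added example (not code from the thread or from Caddy itself), the following Go program shows what the global HTTP_PROXY/NO_PROXY variables actually do for a Go process such as Caddy, using the standard library's `http.ProxyFromEnvironment`: instead of a wildcard, the internal nodes are listed explicitly in NO_PROXY (by single-label name, CIDR and domain suffix), so the ACME endpoint goes through squid while the reverse-proxied nodes are reached directly. The squid URL, node names, CIDR and domain are constructed placeholders.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// Constructed environment (assumptions, not from the thread): everything
// egresses via squid except the explicitly listed internal destinations.
// net/http reads these variables only once, on the first ProxyFromEnvironment
// call, so they are set before that call and never changed afterwards.
const (
	proxyURL = "http://squid.internal:3128"
	noProxy  = "node1,node2,10.0.0.0/8,.corp.example"
)

func setProxyEnv() {
	os.Setenv("HTTP_PROXY", proxyURL)
	os.Setenv("HTTPS_PROXY", proxyURL)
	os.Setenv("NO_PROXY", noProxy)
}

// ProxyFor returns the proxy URL Go's net/http would use to reach target,
// or "" when the connection is made directly.
func ProxyFor(target string) (string, error) {
	setProxyEnv()
	u, err := url.Parse(target)
	if err != nil {
		return "", err
	}
	p, err := http.ProxyFromEnvironment(&http.Request{URL: u})
	if err != nil || p == nil {
		return "", err
	}
	return p.String(), nil
}

func main() {
	for _, t := range []string{
		"https://acme.example.org/directory", // external ACME endpoint: via squid
		"http://node1:8080/",                 // single-label node in NO_PROXY: direct
		"http://10.20.30.40/",                // inside the listed CIDR: direct
		"http://app.corp.example/",          // matches the .corp.example suffix: direct
		"http://node3:8080/",                 // unlisted node: would go via squid
	} {
		p, _ := ProxyFor(t)
		fmt.Printf("%-40s -> %q\n", t, p)
	}
}
```

The last case is the operational catch: any internal node not listed in NO_PROXY silently goes through squid, so the list must be kept in step with the reverse_proxy upstreams.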