Serve directly vs. reverse_proxy to a local site behave differently?

1. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

2. How I installed, and run Caddy:

a. System environment:

Debian 11 with systemd.

b. Command:

sudo service caddy start

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateDevices=yes
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

wrote below

3. The problem I’m having:

Guys, I’ve got two questions:

Q1. First, I wonder why these two Caddyfiles would behave differently:

# 1.1
test.forserve.com {
    file_server
    handle_path /heimdall/* {
        reverse_proxy localhost:8000 {
            header_up Host {upstream_hostport}
        }
    }
}

http://localhost:8000 {
    file_server
    root * /srv/www/heimdall/public
    # root * /srv/www/debug
    php_fastcgi unix//run/php/php-fpm.sock
}
# 1.2
test.forserve.com {
    file_server
    php_fastcgi unix//run/php/php-fpm.sock
    handle_path /heimdall/* {
        root * /srv/www/heimdall/public
    }
}

Q2. Second, I found out that no matter what I use, like localhost:8000 or 127.0.0.1:8000 or :8000 in the Caddyfile, caddy will always listen on *:8000. Is it possible to make caddy listen locally on 127.0.0.1:8000, so it would be a CONNECTION_REFUSED instead of an empty 200 response to an http(s) request from the Internet?

4. Error messages and/or full log output:

`sudo journalctl -u caddy -f`
Got no logs while visiting https://test.forserve.com/heimdall/

5. What I already tried:

As you guys might know, heimdall is a PHP landing page project. It provides a docker image for easy deployment.
The heimdall docker image uses Nginx and PHP, and exposes ports 80 and 443 for connections. So reverse_proxy to heimdall_docker:80 would be the easiest way to deploy, even if running on a sub-path. Just write the sub-path as APP_URL in the .env file, and the program does the work.
But that's not so cool, is it? Because I'm using Caddy, I want to make it run with just Caddy and PHP, natively without docker.

Imitating the way it runs with docker, I first set up an http service on localhost:8000, then used reverse_proxy with handle_path in front. Surprisingly, everything works well. Heimdall runs on a sub-path with the Caddyfile (# 1.1) attached above.

Lately, I tried to merge those two blocks into one (# 1.2). However, it didn't work. Every request returns a 404 page.


Wondering why, I figured out a static file test:

# make a simple static index page for test
echo "<table width=100% height=100%><tr><td><center><pre>I will be back.</pre></center></td></tr></table>" | sudo -u caddy tee /srv/www/debug/index.html

These 2 Caddyfiles behave the same for the static index:

# 3.1
test.forserve.com {
    file_server
    handle_path /heimdall/* {
        reverse_proxy localhost:8000 {
            header_up Host {upstream_hostport}
        }
    }
}

http://localhost:8000 {
    file_server
    root * /srv/www/debug
    php_fastcgi unix//run/php/php-fpm.sock
}
# 3.2
test.forserve.com {
    file_server
    php_fastcgi unix//run/php/php-fpm.sock
    handle_path /heimdall/* {
        root * /srv/www/debug
    }
}

So confused… Is PHP to blame for this?

6. Links to relevant resources:

What difference are you seeing? Best if you say exactly what the problem is, so we don’t need to guess what you’re talking about.

Yes, use the bind directive. Site addresses only control the Host header matching, port, and TLS automation. For the interface to bind to, you need to use the bind directive.
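One way to verify the effect of `bind` from the host itself, added here as an example and not part of the original thread: the function below reads the output of `ss -ltnH` and reports any internal upstream port that is listening on more than loopback. The sample output is constructed, and treating ports 8000 and 8001 as "internal" is an assumption taken from the Caddyfiles in this thread.

```python
import ipaddress

# Constructed sample of `ss -ltnH` output (not captured from the poster's host).
SAMPLE_SS = """\
LISTEN 0 4096 *:8000 *:*
LISTEN 0 4096 127.0.0.1:8001 0.0.0.0:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 128 [::1]:9000 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""


def parse_local(field):
    """Split ss's Local Address:Port column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    return addr, int(port)


def is_loopback(addr):
    """True only for 127.0.0.0/8 or ::1; '*' is a wildcard bind."""
    if addr == "*":
        return False
    return ipaddress.ip_address(addr).is_loopback


def exposed(ss_output, internal_ports):
    """Return (address, port) for internal ports listening beyond loopback."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = parse_local(cols[3])
        if port in internal_ports and not is_loopback(addr):
            found.append((addr, port))
    return found


if __name__ == "__main__":
    # 8000 has no bind directive in this sample, 8001 has `bind 127.0.0.1`.
    for addr, port in exposed(SAMPLE_SS, {8000, 8001}):
        print(f"port {port} is reachable on {addr}, expected loopback only")
```

On a live host, pass the real output of `ss -ltnH` instead of `SAMPLE_SS`; an empty result means every listed upstream port is loopback-only.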

While #1.1 serves the site smoothly, #1.2 returns a 404 page for every request (not Caddy's native 404; it's generated by heimdall, with styling). Do these two configs pass some arguments differently to the backend PHP?

Thanks for reminding. I’ll try adding a bind directive.

They probably do, yes. But you should turn on the debug global option and compare the logs to see how they differ.

The difference mainly has to do with how php_fastcgi does rewrites. It sends the original request URI to the PHP upstream, not the rewritten one. And see here for an explanation of what the directive does:

With this Caddyfile, I built both a direct service and a reverse_proxy service, each with a different root folder.

{
    debug
}

http://localhost:8001 {
    bind 127.0.0.1
    file_server
    root * /srv/www/debug/heimdall_rpx/public
    # root * /srv/www/debug
    php_fastcgi unix//run/php/php-fpm.sock
    
    log {
        output file /var/log/caddy/heidall_debug/local_serve.json
    }
}
rpx.forserve.com {
    file_server
    redir / /heimdall/
    handle_path /heimdall/* {
        reverse_proxy localhost:8001 {
            header_up Host {upstream_hostport}
        }
    }
    
    log {
        output file /var/log/caddy/heidall_debug/rpx.json
    }
}

test.forserve.com {
    file_server
    php_fastcgi unix//run/php/php-fpm.sock
    redir / /heimdall/
    handle_path /heimdall/* {
        root * /srv/www/debug/heimdall_direct/public
    }
    log {
        output file /var/log/caddy/heidall_debug/direct.json
    }
}

Then, I got these logs.

#1 local_serve.json
{
    "level": "info",
    "ts": 1678375350.598427,
    "logger": "http.log.access.log4",
    "msg": "handled request",
    "request":
    {
        "remote_ip": "127.0.0.1",
        "remote_port": "58990",
        "proto": "HTTP/1.1",
        "method": "GET",
        "host": "localhost:8001",
        "uri": "/",
        "headers":
        {
            "Accept-Encoding": ["gzip, deflate, br"],
            "Upgrade-Insecure-Requests": ["1"],
            "X-Forwarded-For": ["myip"],
            "X-Forwarded-Host": ["rpx.forserve.com"],
            "X-Forwarded-Proto": ["https"],
            "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],
            "Sec-Fetch-User": ["?1"],
            "Sec-Fetch-Dest": ["document"],
            "Sec-Fetch-Mode": ["navigate"],
            "Sec-Fetch-Site": ["none"],
            "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63"],
            "Sec-Ch-Ua": ["\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Microsoft Edge\";v=\"110\""],
            "Sec-Ch-Ua-Mobile": ["?0"],
            "Sec-Ch-Ua-Platform": ["\"Windows\""],
            "Accept-Language": ["zh-CN,zh;q=0.9"],
            "Dnt": ["1"]
        }
    },
    "user_id": "",
    "duration": 0.04244868,
    "size": 394,
    "status": 302,
    "resp_headers":
    {
        "Set-Cookie": [],
        "Cache-Control": ["no-cache, private"],
        "Date": ["Thu, 09 Mar 2023 15:22:30 GMT"],
        "Content-Type": ["text/html; charset=UTF-8"],
        "Server": ["Caddy"],
        "Status": ["302 Found"],
        "Location": ["https://rpx.forserve.com/heimdall/login"]
    }
}
#2 rpx.json
{
    "level": "info",
    "ts": 1678375350.5987995,
    "logger": "http.log.access.log5",
    "msg": "handled request",
    "request":
    {
        "remote_ip": "myip",
        "remote_port": "10642",
        "proto": "HTTP/2.0",
        "method": "GET",
        "host": "rpx.forserve.com",
        "uri": "/heimdall/",
        "headers":
        {
            "Sec-Ch-Ua-Mobile": ["?0"],
            "Dnt": ["1"],
            "Upgrade-Insecure-Requests": ["1"],
            "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63"],
            "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],
            "Sec-Fetch-Dest": ["document"],
            "Accept-Language": ["zh-CN,zh;q=0.9"],
            "Sec-Ch-Ua": ["\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Microsoft Edge\";v=\"110\""],
            "Sec-Ch-Ua-Platform": ["\"Windows\""],
            "Sec-Fetch-Site": ["none"],
            "Sec-Fetch-Mode": ["navigate"],
            "Sec-Fetch-User": ["?1"],
            "Accept-Encoding": ["gzip, deflate, br"]
        },
        "tls":
        {
            "resumed": false,
            "version": 772,
            "cipher_suite": 4865,
            "proto": "h2",
            "server_name": "rpx.forserve.com"
        }
    },
    "user_id": "",
    "duration": 0.043554429,
    "size": 394,
    "status": 302,
    "resp_headers":
    {
        "Location": ["https://rpx.forserve.com/heimdall/login"],
        "Date": ["Thu, 09 Mar 2023 15:22:30 GMT"],
        "Status": ["302 Found"],
        "Content-Length": ["394"],
        "Server": ["Caddy", "Caddy"],
        "Alt-Svc": ["h3=\":443\"; ma=2592000"],
        "Content-Type": ["text/html; charset=UTF-8"],
        "Cache-Control": ["no-cache, private"],
        "Set-Cookie": []
    }
}
#3 direct.json
{
    "level": "error",
    "ts": 1678375349.0430152,
    "logger": "http.log.access.log6",
    "msg": "handled request",
    "request":
    {
        "remote_ip": "myip",
        "remote_port": "10678",
        "proto": "HTTP/2.0",
        "method": "GET",
        "host": "test.forserve.com",
        "uri": "/heimdall/",
        "headers":
        {
            "Accept-Encoding": ["gzip, deflate, br"],
            "Sec-Ch-Ua-Platform": ["\"Windows\""],
            "Dnt": ["1"],
            "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 Edg/110.0.1587.63"],
            "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],
            "Sec-Fetch-User": ["?1"],
            "Sec-Fetch-Dest": ["document"],
            "Accept-Language": ["zh-CN,zh;q=0.9"],
            "Sec-Ch-Ua": ["\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Microsoft Edge\";v=\"110\""],
            "Sec-Ch-Ua-Mobile": ["?0"],
            "Upgrade-Insecure-Requests": ["1"],
            "Sec-Fetch-Site": ["none"],
            "Sec-Fetch-Mode": ["navigate"]
        },
        "tls":
        {
            "resumed": false,
            "version": 772,
            "cipher_suite": 4865,
            "proto": "h2",
            "server_name": "test.forserve.com"
        }
    },
    "user_id": "",
    "duration": 0.144958951,
    "size": 6609,
    "status": 404,
    "resp_headers":
    {
        "Cache-Control": ["no-cache, private"],
        "Date": ["Thu, 09 Mar 2023 15:22:29 GMT"],
        "Status": ["404 Not Found"],
        "Content-Type": ["text/html; charset=UTF-8"],
        "Server": ["Caddy"],
        "Alt-Svc": ["h3=\":443\"; ma=2592000"]
    }
}
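The comparison suggested earlier in the thread, as an added example that is not part of the original posts: it reduces each access-log entry to the routing-relevant fields and diffs the two sites that run php_fastcgi. The sample lines are constructed from the three entries above, trimmed and written one JSON object per line; the function names are hypothetical.

```python
import json

# Constructed sample: the three entries posted in the thread, cut down to the
# fields compared here, one JSON object per line as Caddy writes them.
SAMPLE = {
    "local_serve": '{"request":{"host":"localhost:8001","uri":"/","headers":{"X-Forwarded-Host":["rpx.forserve.com"]}},"status":302,"resp_headers":{"Location":["https://rpx.forserve.com/heimdall/login"]}}',
    "rpx": '{"request":{"host":"rpx.forserve.com","uri":"/heimdall/","headers":{}},"status":302,"resp_headers":{"Location":["https://rpx.forserve.com/heimdall/login"]}}',
    "direct": '{"request":{"host":"test.forserve.com","uri":"/heimdall/","headers":{}},"status":404,"resp_headers":{}}',
}


def first(headers, name):
    """Caddy logs header values as lists; return the first value or None."""
    values = headers.get(name) or []
    return values[0] if values else None


def summarize(line):
    """Reduce one access-log line to the fields that matter for routing."""
    entry = json.loads(line)
    req = entry["request"]
    return {
        "host": req["host"],
        "uri": req["uri"],
        "forwarded_host": first(req.get("headers", {}), "X-Forwarded-Host"),
        "status": entry["status"],
        "location": first(entry.get("resp_headers", {}), "Location"),
    }


def diff(a, b):
    """Return {field: (a_value, b_value)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


def php_site_diff(sample=SAMPLE):
    """Compare the two sites that run php_fastcgi: proxied upstream vs direct."""
    return diff(summarize(sample["local_serve"]), summarize(sample["direct"]))


if __name__ == "__main__":
    for field, (proxied, direct) in php_site_diff().items():
        print(f"{field:15} proxied={proxied!r:45} direct={direct!r}")
```

The `uri` row is the one that matches the explanation given in the replies: the proxied PHP site was asked for `/`, while the direct site was asked for `/heimdall/`.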
