Set up a single https access point to several podman containers in a Fedora-Server

1. The problem I’m having:

A server (Fedora-F44) does not render an https page that has been configured as a reverse proxy to a local http access point. The server and the client with Firefox reside inside a LAN (the router is a Fritzbox). Whenever I try to access https://chasmash/service, my browser shows an ERR_SSL_PROTOCOL_ERROR.

2. Error messages and/or full log output:

curl -vL  https://chasmash/kivitendo
* Host chasmash:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.170.121
*   Trying 192.168.170.121:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* TLSv1.3 (IN), TLS alert, internal error (592):
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

So chasmash is the server's DNS name, which can be resolved, and kivitendo is the part of the URL that should be rewritten inside a directive. Anyway, the problem is to grant proper https access from a browser, which actually fails.

3. Caddy version:

caddy-2.10.2-5.fc44.x86_64

4. How I installed and ran Caddy:

I am running a standard Fedora-Server F44 with caddy installed. The installation of caddy is very simple: I installed it as a package from the standard Fedora repository. Fedora comes with its own infrastructure using an /etc/caddy/Caddyfile file and a service-oriented /etc/caddy/Caddyfile.d subdirectory (similar to postgres) that holds all services.
In order to keep installed files untouched (due to possible changes by updates) I decided to put all to-be-exposed http URLs into individual service.caddyfile files.

# my kivitendo.caddyfile
https://chasmash.fritz.box {
	handle_path /kivitendo/* {
		reverse_proxy localhost:9190
	}
}

Caddy should work as a host-local distribution and functional distribution service to all installed containers with their local http service access points.

a. System environment:

A simple out-of-the-box Fedora-Server F44 running in a LAN. The standard caddy package has been installed. Caddy should act here as a

b. Command:

see above

c. Service/unit/compose file:


d. My complete Caddy config:

# file /etc/caddy/Caddyfile:
http:// {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000

	# Refer to the directive documentation for more options.
	# https://caddyserver.com/docs/caddyfile/directives
}

# file /etc/caddy/Caddyfile.d/kivitendo:
https://chasmash.fritz.box {
	handle_path /kivitendo/* {
		reverse_proxy localhost:9190
	}
}

5. Links to relevant resources:

none

What stands out to me here is that you aren’t connecting to the configured site. You configured https://chasmash.fritz.box but tried connecting to https://chasmash/ instead, so Caddy is probably trying to serve that plaintext file server you’ve also configured as a wildcard domain and failing because it’s not an SSL site. It would be a lot clearer from the logs, but either way, whatever domain you are using to connect should be part of the site directive. If you want to be able to use either domain, you could do something like:

https://chasmash.fritz.box, https://chasmash {
	# Insert site block here
}

You’ve configured Caddy for https://chasmash.fritz.box/:

# my kivitendo.caddyfile
https://chasmash.fritz.box {
    handle_path /kivitendo/* {
        reverse_proxy localhost:9190
    }
}

But you’re trying to access https://chasmash/kivitendo, which isn’t configured. That won’t work.

Either use https://chasmash.fritz.box/kivitendo/ or configure Caddy to also serve https://chasmash.

Also, in this setup the trailing / after kivitendo matters. Without it, handle_path won’t match. If you want /kivitendo to work as well, add a redir rule that redirects it to /kivitendo/.
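A single site block that combines the two replies above (both host names as site addresses, the redirect from /kivitendo to /kivitendo/, and the handle_path proxy), written here as an added example rather than the poster's or Caddy's own config. It assumes chasmash is reachable only inside the LAN, so it selects Caddy's internal CA with tls internal; the thread has not yet confirmed which certificate source is actually intended.

```caddyfile
# Added example: one site block answering on both host names.
# Assumption: chasmash is only reachable inside the LAN, so the public
# ACME challenges cannot succeed; "tls internal" makes Caddy issue a
# certificate from its own local CA instead (clients must trust that CA).
https://chasmash.fritz.box, https://chasmash {
	tls internal

	# /kivitendo alone does not match the handle_path block below,
	# so send it to the form with the trailing slash first.
	redir /kivitendo /kivitendo/

	# Strip the /kivitendo prefix and pass the rest to the container.
	handle_path /kivitendo/* {
		reverse_proxy localhost:9190
	}
}
```

Check the file with caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile before reloading, and import Caddy's internal root CA on the client so Firefox trusts the certificate.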

Salut timelordx,

thank you for your answer. So I tried:

$ curl -vL  https://chasmash.fritz.box/kivitendo/
* Host chasmash.fritz.box:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.170.121
*   Trying 192.168.170.121:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust Anchors:
*   CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* TLSv1.3 (IN), TLS alert, internal error (592):
* TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error
* closing connection #0
curl: (35) TLS connect error: error:0A000438:SSL routines::tlsv1 alert internal error

which ends up in a similar problem.

chasmash.fritz.box doesn’t seem to resolve from the Internet. How are you getting the TLS certificate for the site? Static certificate or DNS challenge?

Can you enable debug mode and share the log?