Setting up Cloudflare for Caddy 2

Question

Hello, I’ve been trying to find information regarding this question but didn’t find anything useful, except how to configure Caddy.

My question is “How do I set up Cloudflare and Caddy to work together?”

How I run Caddy

config

Here’s my Caddyfile config:

v1rtl.site

reverse_proxy :3000

tls {
        dns cloudflare AUTH_TOKEN
}

command

I have compiled Caddy with the Cloudflare DNS module using xcaddy and then moved the caddy executable to /usr/bin.

sudo caddy run -config ~/Caddyfile

Caddy logs

2020/07/05 17:32:48.630 INFO    using provided configuration    {"config_file": "/home/v1rtl/Caddyfile", "config_adapter": ""}
2020/07/05 17:32:48.635 INFO    admin   admin endpoint started  {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/07/05 17:32:48.636 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS     {"server_name": "srv0", "https_port": 443}
2020/07/05 17:32:48.637 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2020/07/05 17:32:48.637 INFO    http    enabling automatic TLS certificate management   {"domains": ["example.com"]}
2020/07/05 17:32:48.651 INFO    tls     cleaned up storage units
2020/07/05 17:32:48.652 INFO    autosaved config        {"file": "/root/.config/caddy/autosave.json"}
2020/07/05 17:32:48.652 INFO    serving initial configuration
2020/07/05 17:32:48 [INFO][cache:0xc0007fa600] Started certificate maintenance routine

Cloudflare info

I have an A record for the domain pointing to my VPS IP address.

I have set TLS/SSL encryption mode to Full Strict.

I have “Always Use HTTPS” enabled in Cloudflare.

Result

When I try to access the site it loads for a long time and returns 522.

I suppose something is wrong with the Cloudflare config. Any ideas on how to set it up properly?

Check out the README here, in case you used the wrong auth token:

Otherwise, I’ll need to delegate to someone else for this, I don’t have any experience with Cloudflare.

I used the correct token:

The Caddyfile looks like this:

example.com

reverse_proxy :3000

tls {
        dns cloudflare <token>
}

Still returns the timeout error. Probably something needs to be set in the Cloudflare settings?

My mode is set to Strict; on Flexible it returns “too many redirects”:

➜ curl -L https://v1rtl.site
curl: (47) Maximum (50) redirects followed

Status 522 is a Cloudflare-specific HTTP status that indicates Cloudflare could not make a connection to your server. Firewalls or incorrect origin IP addresses are common causes here. This is basically a dead stop, go straight to jail, do not pass go, do not collect $200 situation; if Cloudflare is issuing this status, we’re nowhere near a recursive redirect situation.

Maximum redirects followed is another issue entirely. You’ve got Full (Strict) mode enabled in Cloudflare, which is great - that eliminates one possible source of recursive HTTPS redirects. There may be one occurring between the origin server and the upstream server, though.

That said, I checked the same site and got Status 200 from a server: Vercel, rather than a Caddy server, so I’m not entirely sure.

Hello, I switched my site to Vercel after 2 days of trying to make Caddy work with Cloudflare…

I still didn’t figure out why it returned 522 on Full mode and Maximum redirects on Flexible mode.

I had :80 and :443 enabled in ufw and tried disabling the Cloudflare proxy.

None of that worked.

I’d suggest simplifying.

Remove Cloudflare from the equation (grey-cloud your domain) and then test directly against your origin server for HTTPS.

Cloudflare is saying (with the 522) that it’s the origin server not playing nice. The fact it works in flexible mode (where Cloudflare connects to HTTP instead of HTTPS) implies that your origin server is talking to Cloudflare on port 80 but not 443. Testing directly against the origin server without Cloudflare in the way might expose the underlying issues.
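The two failure modes discussed in this thread (522 under Full (Strict) when the origin's port 443 cannot be reached, a redirect loop under Flexible when Caddy's automatic HTTP->HTTPS redirect answers on port 80) as a small added Python model. This is not code from the thread or the Caddy project; Cloudflare's edge and Caddy's origin behaviour are simplified to what the replies describe.

```python
"""Model of the Cloudflare edge <-> Caddy origin exchange behind the
522 and "too many redirects" symptoms. Added example, not from the
thread or Caddy; Cloudflare is reduced to: Flexible = plain HTTP to
the origin, Full/Full (Strict) = HTTPS to the origin, 522 when the
origin port cannot be reached."""
from dataclasses import dataclass, field

MAX_REDIRECTS = 50  # curl -L default, matching the OP's curl output


@dataclass
class Origin:
    """A Caddy origin: the HTTPS site answers 200; Caddy's automatic
    HTTP->HTTPS redirect (308) answers on :80 unless disabled."""
    host: str
    open_ports: set = field(default_factory=lambda: {80, 443})
    http_redirects: bool = True

    def handle(self, scheme: str):
        port = 443 if scheme == "https" else 80
        if port not in self.open_ports:
            return None  # connection times out (firewall, wrong origin IP)
        if scheme == "http" and self.http_redirects:
            return (308, f"https://{self.host}/")
        return (200, None)


def cloudflare_edge(mode: str, origin: Origin):
    """Proxy a client HTTPS request to the origin with the scheme
    selected by the Cloudflare SSL/TLS mode."""
    scheme = "http" if mode == "flexible" else "https"  # full, full_strict
    resp = origin.handle(scheme)
    if resp is None:
        return (522, None)  # Cloudflare could not connect to the origin
    return resp


def client_fetch(mode: str, origin: Origin) -> str:
    """Behave like `curl -L https://host/`: every request, including each
    followed redirect, goes through Cloudflare because the host is proxied."""
    for _ in range(MAX_REDIRECTS + 1):
        status, _location = cloudflare_edge(mode, origin)
        if status == 522:
            return "522 origin unreachable"
        if status in (301, 302, 307, 308):
            continue  # Location is https://host/ again, so same round trip
        return f"{status} ok"
    return "too many redirects"
```

Grey-clouding the record, as suggested above, removes `cloudflare_edge` from the path and lets you see `Origin.handle("https")` directly, which is the test that tells the two cases apart.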

