Simple setup not working

as a second pass to a much belaboured and failed attempt at making caddy work (see here: "The key authorization file from the server did not match this challenge"), I’m going to try to scale back and describe here what I’m trying to make work.

I have an apache server configured as such:

<VirtualHost *:80>
        ServerName safe.arix.com
        ProxyPass / http://192.168.1.67:80/
        ProxyPassReverse / http://192.168.1.67:80/
</VirtualHost>

<VirtualHost *:443>
        ServerName safe.arix.com
        ProxyPass / http://192.168.1.67:443/
        ProxyPassReverse / http://192.168.1.67:443/
        SSLEngine on
        SSLCertificateFile /var/www/ssl/safe.arix.com.crt
        SSLCertificateKeyFile /var/www/ssl/safe.arix.com.key
</VirtualHost>

and am working on a laptop with IP address 192.168.1.67. on this laptop I have a small listener on port 80. here’s what happens if I query it from my laptop:

$ printf "GET / HTTP/1.1\nHOST: safe.arix.com\n\n" |nc localhost 80

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 20
ETag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"
Date: Thu, 16 Mar 2017 00:07:09 GMT
Connection: keep-alive

-- listener: [/] --

if I make this query from the outside world (an Ubuntu box), it works equally well. this means that my apache virtual host is working as expected

$ echo -e "GET / HTTP/1.1\nHOST: safe.arix.com\n\n" |nc safe.arix.com 80

HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 00:07:56 GMT
Server: Apache
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 20
ETag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"

-- listener: [/] --

now, if I kill my listener (on the laptop) and restart it on port 8000, then with this Caddyfile:

safe.arix.com:80 {
  proxy / localhost:8000 {
    transparent
  }
}

I start up caddy like this:

$ ~/Desktop/caddy_darwin_amd64_custom/caddy -conf $PWD/caddy.conf -agree -email x@x.com -log stdout

Activating privacy features... done.
2017/03/15 17:11:13 listen tcp :80: bind: permission denied
aprilis:tmp ekkis$ sudo ~/Desktop/caddy_darwin_amd64_custom/caddy -conf $PWD/caddy.conf -agree -email x@x.com -log stdout
Activating privacy features... done.
http://safe.arix.com
WARNING: File descriptor limit 256 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".

then I make my request from the external ubuntu box again (notice the host name this time includes the port so that it’s an identical match to the declaration in the Caddyfile):

$ echo -e "GET / HTTP/1.1\nHOST: safe.arix.com:80\n\n" |nc safe.arix.com 80

HTTP/1.1 404 Not Found
Date: Thu, 16 Mar 2017 00:20:13 GMT
Server: Caddy
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Content-Length: 19

No such site at :80

and on Caddy’s log output I see:

2017/03/15 17:13:33 [INFO] 192.168.1.67 - No such site at :80 (Remote: 192.168.1.4, Referer: )

now, to make sure my listener is working on port 8000 (run on the laptop):

$ printf "GET / HTTP/1.1\nHOST: safe.arix.com:80\n\n" |nc localhost 8000

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 20
ETag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"
Date: Thu, 16 Mar 2017 00:25:33 GMT
Connection: keep-alive

-- listener: [/] --

AND… if I query the proxy on the laptop (notice the query is on port 80 where Caddy is listening):

$ printf "GET / HTTP/1.1\nHOST: safe.arix.com:80\n\n" |nc localhost 80

HTTP/1.1 200 OK
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Mar 2017 00:26:55 GMT
Etag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"
Server: Caddy
X-Powered-By: Express

-- listener: [/] --

it works! so… why doesn’t it work from the external host given that we’ve proven Apache is correctly forwarding requests?

as an addendum, if I query it from the Apache server, it works:

# echo -e "GET / HTTP/1.1\nHOST: safe.arix.com:80\n\n" |nc safe.arix.com 80

HTTP/1.1 200 OK
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Mar 2017 00:46:25 GMT
Etag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"
Server: Caddy
X-Powered-By: Express

-- listener: [/] --
HTTP/1.1 400 Bad Request
Content-Type: text/plain
Connection: close

400 Bad Request

though as can be seen from the last stanza, something is messed up (bad request??)

here’s the output of curl, from the Apache server:

# curl -I safe.arix.com 80

HTTP/1.1 200 OK
Content-Length: 20
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Mar 2017 00:49:17 GMT
Etag: W/"14-e+HIZsKbJi8RmnN5tgP/tOfxHEE"
Server: Caddy
X-Powered-By: Express

curl: (7) Couldn't connect to server

and I get the same from my remote host

one more thing: as per "No such site at :80 - #3 by Whitestrake", I changed my Caddyfile to this:

safe.arix.com:80 {
  browse
}

but I still get the same responses

Here, Caddy is telling you that it received a request for 192.168.1.67 (and the client that made the request was 192.168.1.4, your Apache server) - which is exactly how you’ve configured Apache:

        ProxyPass / http://192.168.1.67:80/
        ProxyPassReverse / http://192.168.1.67:80/

However, you haven’t told Caddy what to serve when a request comes in for 192.168.1.67 - it only knows how to handle requests for safe.arix.com. You’ve got two options:

  1. Tell Apache to forward the host header so that Caddy knows what site the request is for
    At a glance, it looks like Apache’s ProxyPreserveHost directive would be perfect for this purpose.
  2. OR Tell Caddy how to handle requests for 192.168.1.67
    You could do this by substituting it for safe.arix.com in your Caddyfile.
2 Likes
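
The Host rewriting described in the answer above, reproduced on loopback as an added example that is not part of the original thread. `Backend` stands in for Caddy (it selects the site from the Host header), `make_proxy` stands in for the Apache vhost with `preserve_host` modelling `ProxyPreserveHost`, and every name, port and response body here is an assumption made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SITE = "safe.arix.com"  # the only site the stand-in backend is configured for

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request logging
        pass

    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Backend(Quiet):
    """Stand-in for Caddy: selects the site from the Host header."""
    def do_GET(self):
        host = self.headers.get("Host", "")
        if host.split(":")[0] == SITE:
            self.reply(200, f"-- listener: [{host}{self.path}] --\n".encode())
        else:
            self.reply(404, b"No such site\n")

def make_proxy(backend_port, preserve_host):
    """Stand-in for the Apache vhost; preserve_host models ProxyPreserveHost."""
    class Proxy(Quiet):
        def do_GET(self):
            # Without preservation the upstream Host becomes the proxy target.
            host = self.headers["Host"] if preserve_host else f"127.0.0.1:{backend_port}"
            self.reply(*get(backend_port, self.path, host))
    return Proxy

def get(port, path, host):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers={"Host": host})  # send exactly this Host
    resp = conn.getresponse()
    result = (resp.status, resp.read())
    conn.close()
    return result

def fetch_via_proxy(preserve_host):
    backend = ThreadingHTTPServer(("127.0.0.1", 0), Backend)
    proxy = ThreadingHTTPServer(
        ("127.0.0.1", 0), make_proxy(backend.server_port, preserve_host))
    for srv in (backend, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return get(proxy.server_port, "/", SITE)
    finally:
        for srv in (backend, proxy):
            srv.shutdown()
            srv.server_close()
```

`fetch_via_proxy(False)` returns the 404 that corresponds to the "No such site" response in the thread, and `fetch_via_proxy(True)` returns 200 with the client's original Host echoed back.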

ok. that nailed the issue. ProxyPreserveHost now passes on the host name and I also enhanced the listener to display the host headers so now it all works:

$ echo -e "GET / HTTP/1.1\nHOST: safe.arix.com:80\n\n" |nc safe.arix.com 80

HTTP/1.1 200 OK
Date: Thu, 16 Mar 2017 03:13:50 GMT
Server: Caddy
Content-Length: 36
Content-Type: text/html; charset=utf-8
Etag: W/"24-UHh4Rb4KMH6ofgR34LN8fd9ryiY"
X-Powered-By: Express

-- listener: [safe.arix.com:80/] --

I will next attempt the 443. stand by…

here’s a first pass at the SSL version (from the ubuntu remote host):

$ openssl s_client -connect safe.arix.com:443

CONNECTED(00000003)
depth=0 C = US, ST = LaLaLandS, L = LaLaLand, O = Arix International, OU = IT Dept, CN = mail.arix.com, emailAddress = admin@arix.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = LaLaLandS, L = LaLaLand, O = Arix International, OU = IT Dept, CN = mail.arix.com, emailAddress = admin@arix.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=LaLaLandS/L=LaLaLand/O=Arix International/OU=IT Dept/CN=mail.arix.com/emailAddress=admin@arix.com
   i:/C=US/ST=LaLaLandS/L=LaLaLand/O=Arix International/OU=IT Dept/CN=mail.arix.com/emailAddress=admin@arix.com
---
Server certificate
subject=/C=US/ST=LaLaLandS/L=LaLaLand/O=Arix International/OU=IT Dept/CN=mail.arix.com/emailAddress=admin@arix.com
issuer=/C=US/ST=LaLaLandS/L=LaLaLand/O=Arix International/OU=IT Dept/CN=mail.arix.com/emailAddress=admin@arix.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1641 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CE810C211A6704180ED959278CA8C80B90B4872BBF57FDF97C3724C038A6FD62
    Session-ID-ctx: 
    Master-Key: 01B6BE80DC999C154BD745C0672F1E8D39F43326EB3B6ABAA05D493076B95BA3058FF226CA091DCD87CB185562FAE899
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1489634745
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.1
HOST: safe.arix.com

HTTP/1.1 503 Service Unavailable
Date: Thu, 16 Mar 2017 03:25:50 GMT
Server: Apache
Content-Length: 299
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
closed

you’ll notice the certificate sent back seems to be for mail.arix.com. also, the GET / I typed in manually and returned a 503. my virtual host declaration looks like this:

<VirtualHost *:443>
        ServerName safe.arix.com
        ProxyPass / http://192.168.1.67:443/
        ProxyPassReverse / http://192.168.1.67:443/
        ProxyPreserveHost On
        SSLEngine on
        SSLCertificateFile /var/www/ssl/safe.arix.com.crt
        SSLCertificateKeyFile /var/www/ssl/safe.arix.com.key
</VirtualHost>

and if I look at the .crt, it looks right (CN=safe.arix.com):

# cat /var/www/ssl/safe.arix.com.crt

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=arix.com, C=US, ST=California, L=LalaLand, O=Arix International/emailAddress=admin@arix.com
        Validity
            Not Before: Nov 12 02:23:01 2009 GMT
            Not After : Nov 10 02:23:01 2019 GMT
        Subject: C=US, ST=California, O=Arix International, OU=IT, CN=safe.arix.com/emailAddress=admin@arix.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                FB:39:89:D0:15:90:22:34:D8:59:49:B0:DA:BD:86:04:04:62:F6:2B
            X509v3 Authority Key Identifier:
                keyid:18:61:74:5B:4E:1C:12:ED:F7:97:EF:5E:33:D1:CE:D7:51:8A:FB:18
                DirName:/CN=arix.com/C=US/ST=California/L=LalaLand/O=Arix International/emailAddress=admin@arix.com
                serial:ED:3E:B5:97:4F:DB:E3:42

            Netscape CA Revocation Url:
                https://www.arix.com/ca-crl.pem

but… shouldn’t the certificate returned to the client be the one that Caddy generates, not the one sent by Apache?

what else is missing?

You can’t proxy TLS the same way HTTP proxying works. I’m guessing that when you put Apache in front it’s doing TLS termination.

By the way, if you really want to test a simple setup, why are you using Apache at all?

1 Like

Nope, unfortunately. To elaborate on what @matt’s said, Caddy’s certificate only works between itself and its clients; the only client for Caddy here is Apache. Apache’s certificate is used for its clients - that would be everyone connecting to Apache and asking for safe.arix.com.

1 Like

for development I don’t have a public IP address that I can use. what I do have is a domain that’s currently pointing at an Apache server and I can tweak that. with @Whitestrake’s patient help I’ve managed to at least get the http working. in actual deployment I will have a public IP so this business of the virtual hosts won’t be in the middle

my actual goal is more complicated. I want to run caddy from a Docker container. there’s a container that BlackGlory put together that does a bit of magic: when new containers come up, it looks to see if they’re labelled in a certain way and automatically rewrites the Caddyfile. it turns out that Caddy running inside of a container means it cannot (easily) reroute to the host. it reroutes within the network the container belongs to.

but my first step was making caddy work on its own, which now it does

@Whitestrake, thank you so very much for walking me through this painful path. I owe you a dinner. please reach out to me privately e at arix dot com

Got a link to that one? Does it work anything like jwilder/docker-gen? I’ve used that in the past but had issues where it would fail to properly signal Caddy to reload after rewriting the Caddyfile.

I’ve previously had success by referring to {$DOCKER_HOST_IP} inside the Caddyfile and running export DOCKER_HOST_IP=$(route -n | awk '/UG[ \t]/{print $2}') within the container during init. This works for standard Docker networking setups, and will usually resolve to something like 172.18.0.1, i.e. the IP of the host on the docker0 interface.

You’re welcome! I’m doing my best to collect meal offers from people on these forums, it seems. :thinking:

2 Likes

yes, you can read about my travails here: https://github.com/BlackGlory/caddy-proxy/issues/9#issuecomment-286026558 but I’ve given it up. it turns out that this (GitHub - nginx-proxy/nginx-proxy: Automated nginx proxy for Docker containers using docker-gen) works out of the box and I’ve already burnt waaaay too much time on this

I may, however, give Caddy another try because in reading about nginx I see that the SSL support is a bit more complicated to make work

that is interesting and I may explore it further later

Ahh, yep. nginx-proxy is how I got on to docker-gen, but when approached as a black box, there’s functionally no difference between docker-gen+caddy and nginx-proxy. I just enjoyed tinkering with it to try and get it going with Caddy at the heart. :thumbsup:

1 Like