(SOLVED) Reverse proxy is redirecting to local ip in remote browser

Brand new to Caddy. I have been using the reverse proxy built into my Synology (based on nginx) just fine, but for technical reasons I can't use it anymore.

I am trying to reverse proxy several different home servers to different subdomains I have. Below are the first two I have set up. One works just fine, and the other, when accessed in any web browser, remote or local, tries to send me to the local IP of the server I am trying to proxy to.

mydomain.com {
    root /var/www
    gzip
    tls name@email.com
}
sub1.mydomain.com {
    gzip
    tls name@email.com
    proxy / 192.168.1.245:8866
}
sub2.mydomain.com {
    gzip
    tls name@email.com
    proxy / https://192.168.1.208:443
    transparent
}

The server that works is actually my nextPVR backend (the first proxy listed), and it seems to work fine so far, although I haven’t actually tried streaming any video yet. The second server is ONLYOFFICE, and that's the one that keeps redirecting me to its local IP, even remotely. I do not understand what's wrong; this setup worked fine on my Synology using nginx. However, I don't know a lot of the technical details because Synology provides a GUI to interface with it.

I am new to this, if you can't tell, but I'm learning pretty quickly considering I didn’t know what a reverse proxy was until a few weeks ago. Caddy seemed like the easiest option, especially considering its integration with Let's Encrypt. This issue is probably something simple that I overlooked, probably because I don't know what all the terminology means, despite having read the entire documentation section on how to use Caddy.

Small Update:
Of course I'm still over here pulling my hair out…errr…I mean tinkering, and I have so far set up 4 of my servers, nextPVR, Synology DSM, unRAID, and ONLYOFFICE, and they all work except ONLYOFFICE…I do not understand. I'm going to make the same post over in their forums as well. I know that ONLYOFFICE is configured correctly because I've been using it for weeks just fine; in fact I was using it earlier today until I tried switching over to Caddy, so I have a strong feeling that it has something to do with how Caddy is handling something.

Hi @Relik_Link - welcome to Caddy.

Your Caddyfile has an error, you should be seeing an error message when it starts. transparent is not a valid directive. It must go inside the proxy directive:

proxy ... {
    transparent
}

^ something like that.

If a backend is redirecting then maybe you want the transparent preset on its proxy too.

Ok, so I changed my Caddyfile to:

sub2.mydomain.com {
    proxy / https://192.168.1.208:443 {
        transparent
    }
}

On a remote computer in Chrome, I still attempt to get redirected to the local IP; in Internet Explorer on the same computer I'm getting 502 Bad Gateway.

Little bit of an update. I started over, so the lines in my Caddy file for ONLYOFFICE now look like this:

office.mydomain.com {
    gzip
    tls name@myemail.com
    proxy / https://192.168.1.208:443
}

Now, if I leave the https:// on the proxy line (which is how I always did it through my Synology), then when I try to access the domain remotely I get “502 Bad Gateway”. However (and this is how I know something is finally working), if I remove the https:// but leave the :443 and try to connect, I get an NGINX error stating “400 Bad Request The plain HTTP request was sent to HTTPS port”. This is at least a sign that I AM connecting remotely, because afaik ONLYOFFICE uses NGINX internally to communicate between the two Docker containers that make up the server.

I GOT IT!!! (sorry for yelling, but I'm excited) :grin:

Ok, so here is what I did.

office.mydomain.com {
    gzip
    tls name@myemail.com
    proxy / https://192.168.1.208:443 {
        transparent
        insecure_skip_verify
    }
}

All seems to be well so far, fingers crossed.

Chrome caches redirects - you’d need to clear these (or use an incognito session) to avoid using the old redirect.

Excellent! Yeah, you basically won’t ever be able to get a trusted certificate for a private IP address (unless you have your own trusted certificate authority), and this will have been tripping Caddy up when trying to validate the HTTPS connection. Over a local network I’d usually just use HTTP - it’s pretty rare to need your communications encrypted over LAN but also not be concerned about MITM.

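
As an added example (not part of the original thread and not Caddy's own tooling), the Python sketch below lints a Caddy v1 Caddyfile for the two things this thread turned on: transparent or insecure_skip_verify placed outside a proxy block, and upstreams whose TLS certificate verification has been switched off. The lint_caddyfile name, the simplified brace parsing (each site in its own braced block, # always starting a comment) and the sample config are assumptions constructed for illustration.

```python
# Added example: minimal linter for Caddy v1 Caddyfiles (simplified parsing).
# Constructed sample: the first config from the thread plus the final one.
SAMPLE = """\
sub2.mydomain.com {
    gzip
    proxy / https://192.168.1.208:443
    transparent
}
office.mydomain.com {
    proxy / https://192.168.1.208:443 {
        transparent
        insecure_skip_verify
    }
}
"""

PROXY_ONLY = {"transparent", "insecure_skip_verify"}  # subdirectives of proxy

def lint_caddyfile(text):
    """Return (line_no, site, message) findings."""
    findings, stack = [], []   # stack of open blocks: (kind, label)
    for no, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        if tokens == ["}"]:
            if stack:
                stack.pop()
            continue
        opens = tokens[-1] == "{"
        if opens:
            tokens = tokens[:-1]
        if not stack:                      # top level: a site label
            if opens:
                stack.append(("site", " ".join(tokens)))
            continue
        site, (kind, label) = stack[0][1], stack[-1]
        name = tokens[0] if tokens else ""
        if name in PROXY_ONLY and kind != "proxy":
            findings.append((no, site, f"'{name}' outside a proxy block"))
        elif name == "insecure_skip_verify":
            findings.append((no, site, f"TLS verification disabled for upstream {label}"))
        if opens:                          # track nested blocks such as proxy { }
            upstream = tokens[2] if name == "proxy" and len(tokens) > 2 else name
            stack.append(("proxy" if name == "proxy" else "other", upstream))
    return findings

if __name__ == "__main__":
    for finding in lint_caddyfile(SAMPLE):
        print(*finding, sep=": ")
```

Each finding names the site and line, so a review can decide per upstream whether to keep the skip, switch that hop to plain HTTP on the LAN, or give the backend a certificate from a CA the proxy trusts.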