The following JSON configuration is how to configure Caddyfile

1. The problem I’m having:

The following JSON configuration is how to configure Caddyfile.

          "tls_connection_policies": [{
            "match": {
              "sni": ["z1.xx.yy"]
            },
            "protocol_max": "tls1.2",
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]
          },
          {
            "match": {
              "sni": ["h3.xx.yy","z2.xx.yy"]
            },
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
            "curves": ["x25519","secp521r1","secp384r1","secp256r1"],
            "alpn": ["h3","h2","http/1.1"]
          }],

2. Error messages and/or full log output:

None.

3. Caddy version:

Caddy v2.8.4

4. How I installed and ran Caddy:

Not relevant.

a. System environment:

Not relevant.

b. Command:

None.

c. Service/unit/compose file:

Not relevant.

d. My complete Caddy config:

{
  "admin": {
    "disabled": true,
    "config": {
      "persist": false
    }
  },
  "logging": {
    "logs": {
      "default": {
        "writer": {
          "output": "file",
          "filename": "/var/log/caddy/error.log"
        },
        "encoder": {
          "format": "console"
        },
        "level": "ERROR",
        "exclude": ["http.log.access.log0"]
      },
      "log0": {
        "writer": {
          "output": "file",
          "filename": "/var/log/caddy/access.log"
        },
        "encoder": {
          "format": "console"
        },
        "include": ["http.log.access.log0"]
      }
    }
  },
  "apps": {
    "http": {
      "servers": {
        "srvh3": {
          "listen": [":443"],
          "routes": [{
            "match": [{
              "path": ["/SeuW56Es"]
            }],
            "handle": [{
              "handler": "reverse_proxy",
              "transport": {
                "protocol": "http",
                "versions": ["h2c","2"]
              },
              "upstreams": [{
                "dial": "127.0.0.1:2005"
              }]
            }]
          },
          {
            "handle": [{
              "handler": "forward_proxy",
              "auth_credentials": ["ZFhObGNqcHdZWE56"],
              "hide_ip": true,
              "hide_via": true,
              "probe_resistance": {}
            }]
          },
          {
            "handle": [{
              "handler": "headers",
              "response": {
                "set": {
                  "Strict-Transport-Security": ["max-age=31536000; includeSubDomains; preload"]
                }
              }
            },
            {
              "handler": "file_server",
              "root": "/var/www/html"
            }]
          }],
          "tls_connection_policies": [{
            "match": {
              "sni": ["z1.xx.yy"]
            },
            "protocol_max": "tls1.2",
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]
          },
          {
            "match": {
              "sni": ["h3.xx.yy","z2.xx.yy"]
            },
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
            "curves": ["x25519","secp521r1","secp384r1","secp256r1"],
            "alpn": ["h3","h2","http/1.1"]
          }],
          "logs": {
            "default_logger_name": "log0"
          },
          "protocols": ["h1","h2","h3"]
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": ["h3.xx.yy","z1.xx.yy","z2.xx.yy"]
      },
      "automation": {
        "policies": [{
          "issuers": [{
            "module": "acme",
            "email": "your@email.com"
          },
          {
            "module": "acme",
            "ca": "https://acme.zerossl.com/v2/DV90",
            "email": "your@email.com"
          }]
        }]
      }
    }
  }
}

5. Links to relevant resources:

None.

What? I don’t see a question here. What are you trying to say?


How do I convert it to a Caddyfile configuration?
Incomplete Caddyfile configuration:

{
	order forward_proxy before header
	order reverse_proxy before forward_proxy
	admin off
	persist_config off
	log {
		output file /var/log/caddy/error.log
		format console
		level ERROR
	}
	log log0 {
		output file /var/log/caddy/access.log
		format console
		include http.log.access.log0
	}

	email your@email.com
}

:443, h3.xx.yy, z1.xx.yy, z2.xx.yy {

# <How to configure the TLS part?>

	log log0

	reverse_proxy /teuW56Es unix/@uds2005.sock {
		transport http {
			versions h2c 2
		}
	}

	forward_proxy {
		basic_auth user pass
		hide_ip
		hide_via
		probe_resistance
	}

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}
	file_server {
		root /var/www/html
	}
}

Does that Caddyfile not work? What’s the problem?

          "tls_connection_policies": [{
            "match": {
              "sni": ["z1.xx.yy"]
            },
            "protocol_max": "tls1.2",
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]
          },
          {
            "match": {
              "sni": ["h3.xx.yy","z2.xx.yy"]
            },
            "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
            "curves": ["x25519","secp521r1","secp384r1","secp256r1"],
            "alpn": ["h3","h2","http/1.1"]
          }],

Wow! Master, how do I convert the above JSON configuration to Caddyfile configuration?
I tried the following configuration but it doesn’t work.

	tls z1.xx.yy {
		protocols tls1.2 tls1.2
		ciphers TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
	}

	tls h3.xx.yy z2.xx.yy {
		ciphers TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
		curves x25519 secp521r1 secp384r1 secp256r1
		alpn h3 h2 http/1.1
	}

If you have different TLS config per domain, then you need to split it up into separate site blocks. You can’t just have one big site block.

But why do you need this? Caddy’s defaults are modern and secure. You don’t need to touch ciphers and curves. And turning off TLS 1.3 seems like a bad idea. It gets negotiated by the client anyway, if the client doesn’t support TLS 1.3 then it won’t get chosen anyway.

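A practical way to settle the question of whether a per-SNI policy actually took effect is to read the intended policies out of the JSON (either the JSON posted above or the output of `caddy adapt --config Caddyfile`) and compare them with what a real handshake negotiates. The script below is an added example for this thread, not code from the original posts or from the Caddy project. It embeds the posted tls_connection_policies as constructed input so the self-checks run offline; the hostnames are the same placeholders as in the thread, and the handshake samples are constructed, not captured from a server. The IANA-to-OpenSSL cipher name mapping and the note that Go's crypto/tls (hence Caddy) does not let cipher_suites restrict TLS 1.3 are facts, not assumptions.

```python
"""Derive per-SNI TLS expectations from a Caddy JSON config and check a live handshake.

Usage: python3 tlscheck.py [adapted.json] sni...
With no JSON file the policies posted in the thread (embedded below) are used.
"""
import json
import socket
import ssl
import sys

# The tls_connection_policies posted in the thread, embedded as constructed input.
POSTED_CONFIG = json.loads("""
{"apps": {"http": {"servers": {"srvh3": {"tls_connection_policies": [
  {"match": {"sni": ["z1.xx.yy"]}, "protocol_max": "tls1.2",
   "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"]},
  {"match": {"sni": ["h3.xx.yy", "z2.xx.yy"]},
   "cipher_suites": ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
                     "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                     "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"],
   "curves": ["x25519", "secp521r1", "secp384r1", "secp256r1"],
   "alpn": ["h3", "h2", "http/1.1"]}]}}}}}
""")

# IANA suite names (as Caddy/Go spell them) -> OpenSSL names (as Python's ssl reports them).
IANA_TO_OPENSSL = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
}
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}
GO_VERSION = {"tls1.0": "TLSv1", "tls1.1": "TLSv1.1", "tls1.2": "TLSv1.2", "tls1.3": "TLSv1.3"}
VERSION_ORDER = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def policies_by_sni(cfg):
    """Map each SNI to the first connection policy that names it (Caddy uses the first match)."""
    out = {}
    for srv in cfg["apps"]["http"]["servers"].values():
        for pol in srv.get("tls_connection_policies", []):
            for sni in pol.get("match", {}).get("sni", []):
                out.setdefault(sni, pol)
    return out


def check(pol, observed):
    """Return the ways a negotiated handshake violates a connection policy (empty list == OK)."""
    problems = []
    ver, cipher, alpn = observed["version"], observed["cipher"], observed["alpn"]
    lo = GO_VERSION[pol.get("protocol_min", "tls1.2")]  # Caddy's default minimum
    hi = GO_VERSION[pol.get("protocol_max", "tls1.3")]  # Caddy's default maximum
    if ver not in VERSION_ORDER or not (
        VERSION_ORDER.index(lo) <= VERSION_ORDER.index(ver) <= VERSION_ORDER.index(hi)
    ):
        problems.append(f"version {ver} outside {lo}..{hi}")
    if ver == "TLSv1.3":
        # Go's crypto/tls, and therefore Caddy, never lets cipher_suites restrict TLS 1.3,
        # so any TLS 1.3 suite is acceptable whatever the policy lists.
        if cipher not in TLS13_SUITES:
            problems.append(f"unexpected TLS 1.3 suite {cipher}")
    elif "cipher_suites" in pol:
        allowed = {IANA_TO_OPENSSL.get(c, c) for c in pol["cipher_suites"]}
        if cipher not in allowed:
            problems.append(f"cipher {cipher} not in {sorted(allowed)}")
    if "alpn" in pol and alpn is not None and alpn not in pol["alpn"]:
        problems.append(f"ALPN {alpn} not in {pol['alpn']}")
    return problems


def probe(sni, host=None, port=443, offer_alpn=("h2", "http/1.1")):
    """Open one TLS connection (to host, default the SNI itself) and report what was negotiated."""
    ctx = ssl.create_default_context()        # verifies the ACME certificate against system roots
    ctx.set_alpn_protocols(list(offer_alpn))  # h3 is QUIC-only, so it cannot be probed over TCP
    with socket.create_connection((host or sni, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0],
                    "alpn": tls.selected_alpn_protocol()}


# Constructed handshake results (not captured from a real server) for the self-check.
SAMPLE_Z1_OK = {"version": "TLSv1.2", "cipher": "ECDHE-ECDSA-CHACHA20-POLY1305", "alpn": "h2"}
SAMPLE_TLS13 = {"version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384", "alpn": "h2"}

if __name__ == "__main__":
    args = sys.argv[1:]
    cfg = POSTED_CONFIG
    if args and args[0].endswith(".json"):
        with open(args.pop(0)) as f:
            cfg = json.load(f)
    pols = policies_by_sni(cfg)
    for name in args:
        obs = probe(name)
        print(name, obs, check(pols[name], obs) or "OK")
```

Run it against the adapted Caddyfile (`caddy adapt --config Caddyfile > adapted.json`) and the live hosts to see both whether the Caddyfile produced the same policies as the JSON and whether z1 really stops at TLS 1.2 while h3 and z2 still negotiate TLS 1.3.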

It cannot be split into multiple site blocks, because the NaiveProxy (forwardproxy) configuration exists in multiple site blocks. When I use :443, z1.xx.yy and :443, h3.xx.yy, z2.xx.yy as the site block addresses, Caddy cannot be started; when I use z1.xx.yy and h3.xx.yy, z2.xx.yy as the site block addresses, NaiveProxy cannot be used.

The purpose of my JSON configuration above is to solve the TLS in TLS problem of NaiveProxy’s HTTPS proxy (z1.xx.yy).

I still don’t quite understand what you’re trying to say.

Do you realize you can use snippets to deduplicate config? Caddyfile Concepts — Caddy Documentation Just use snippets and import the common parts into the multiple site blocks.


Wow! Master, how come you don’t know? Then convert the JSON configuration into the Caddyfile configuration and write it out in full (split into multiple site blocks according to your method as follows):

{
	order forward_proxy before header
	order reverse_proxy before forward_proxy
	admin off
	persist_config off
	log {
		output file /var/log/caddy/error.log
		format console
		level ERROR
	}
	log log0 {
		output file /var/log/caddy/access.log
		format console
		include http.log.access.log0
	}

	email your@email.com
}

(NaiveProxy) {
	forward_proxy {
		basic_auth user pass
		hide_ip
		hide_via
		probe_resistance
	}
}

(WEB) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}
	file_server {
		root /var/www/html
	}
}

:443, z1.xx.yy {
	tls {
		protocols tls1.2 tls1.2
		ciphers TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
	}

	log log0

	reverse_proxy /teuW56Es unix/@uds2005.sock {
		transport http {
			versions h2c 2
		}
	}

	import NaiveProxy

	import WEB
}

:443, h3.xx.yy, z2.xx.yy {
	tls {
		ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
		curves x25519 secp521r1 secp384r1 secp256r1
		alpn h3 h2 http/1.1
	}

	log log0

	import NaiveProxy

	import WEB
}

The above configuration cannot be started; how do I solve it?

{
	order forward_proxy before header
	order reverse_proxy before forward_proxy
	admin off
	persist_config off
	log {
		output file /var/log/caddy/error.log
		format console
		level ERROR
	}
	log log0 {
		output file /var/log/caddy/access.log
		format console
		include http.log.access.log0
	}

	email your@email.com
}

(NaiveProxy) {
	forward_proxy {
		basic_auth user pass
		hide_ip
		hide_via
		probe_resistance
	}
}

(WEB) {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
	}
	file_server {
		root /var/www/html
	}
}

z1.xx.yy {
	tls {
		protocols tls1.2 tls1.2
		ciphers TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
	}

	log log0

	reverse_proxy /teuW56Es unix/@uds2005.sock {
		transport http {
			versions h2c 2
		}
	}

	import NaiveProxy

	import WEB
}

h3.xx.yy, z2.xx.yy {
	tls {
		ciphers TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
		curves x25519 secp521r1 secp384r1 secp256r1
		alpn h3 h2 http/1.1
	}

	log log0

	import NaiveProxy

	import WEB
}

With the above configuration NaiveProxy cannot be used; how do I solve it?

Probably because of the language barrier. But I don’t understand what your goal is. You haven’t explained it clearly.

What error do you get? I don’t use the plugins you’re using, I can’t try that config.

Same here, what error do you get? Show your logs.

Please explain in detail.

