1. The problem I’m having:
I’m trying to reverse-proxy to a backend app with an AWS load balancer in front of Caddy, like this:
Internet -> AWS Load Balancer:443 -> Caddy:443 -> http://localhost:1337
A user will request https://myservice.example.com, which points to the AWS Load Balancer. The AWS Load Balancer will terminate TLS, then will open a new HTTPS request to Caddy, Caddy will terminate TLS again, Caddy will proxy to http://localhost:1337, then Caddy will return the request to the AWS Load Balancer and the AWS Load Balancer will return to the user.
The problem I’m having is that the AWS Load Balancer will healthcheck Caddy using the private IP address of the Caddy container, without any context of the domain name. Caddy fails these health checks because it has no HTTPS certificate for its own private IP address, so the load balancer sees Caddy as being unhealthy.
Is there any way to allow Caddy to accept HTTPS requests to its own private IP, without hardcoding that IP or knowing its own private IP ahead of time?
Thanks.
2. Error messages and/or full log output:
{
"level": "debug",
"ts": 1712674878.363298,
"logger": "tls.handshake",
"msg": "no matching certificates and no custom selection logic",
"identifier": "172.30.6.242"
}
{
"level": "debug",
"ts": 1712674878.3633108,
"logger": "tls.handshake",
"msg": "no certificate matching TLS ClientHello",
"remote_ip": "172.30.5.206",
"remote_port": "47752",
"server_name": "",
"remote": "172.30.5.206:47752",
"identifier": "172.30.6.242",
"cipher_suites": [
49195,
49199,
49187,
49191,
49161,
49171,
49196,
49200,
49188,
49192,
49172,
49162,
156,
60,
47,
157,
61,
53,
255
],
"cert_cache_fill": 0.0001,
"load_or_obtain_if_necessary": true,
"on_demand": false
}
{
"level": "debug",
"ts": 1712674878.3633814,
"logger": "http.stdlib",
"msg": "http: TLS handshake error from 172.30.5.206:47752: no certificate available for '172.30.6.242'"
}
3. Caddy version:
caddy:2.7-alpine
4. How I installed and ran Caddy:
a. System environment:
Running in AWS Fargate, where Caddy runs in one container and my backend service runs in another container, both on the same host. Caddy will proxy from :443 to http://localhost:1337. The Caddy “installation” is just the vanilla Docker image listed above, with no custom Caddyfile.
b. Command:
command = [
# https://caddyserver.com/docs/command-line#caddy-reverse-proxy
"caddy", "reverse-proxy",
"--to", "http://localhost:1337",
"--disable-redirects", # Don't bind to an HTTP port, the ALB already handles HTTP redirects
"--internal-certs", # Self-signed certificates are good enough for internal communication
"--insecure",
"--debug",
]
c. Service/unit/compose file:
Not really relevant as I'm using Docker without any Caddyfile
d. My complete Caddy config:
Not really relevant as I'm using Docker without any Caddyfile
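Added example, not part of the post above and not Caddy's own code: the log shows the handshake failing because the health check sends no SNI and Caddy then falls back to the listener's own IP (`"identifier": "172.30.6.242"`, `"server_name": ""`) as the name to find a certificate for, and no certificate covers that IP. The Go program below shows the mechanism a server needs in that situation, written against the standard library's `crypto/tls` certificate-selection hook: when the ClientHello carries no SNI, take the IP from the accepted socket's local address and mint a certificate with that IP in its SAN, so nothing about the container's private IP is hardcoded or known ahead of time. It goes beyond the post's case by also issuing a DNS-name certificate when SNI is present. It uses a throwaway self-signed certificate per handshake in place of Caddy's internal CA, and the names `issue`, `selectCert`, `probe` and `runDemo` are this example's own, not Caddy API. The probe side dials by IP with no SNI, as an ALB health checker does; an ALB does not validate the certificate at all, so the only thing that must hold is that some certificate is served.

```go
package main

// Added illustration, not Caddy's code: a TLS listener whose certificate
// selector, given a ClientHello with no SNI (what an ALB health check sends),
// issues a certificate for the IP the connection arrived on, read from the
// socket's local address rather than from configuration.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue makes a self-signed server certificate for one identifier (standing in
// for an internal CA): an IP literal goes into the IP SAN, anything else is a DNS name.
func issue(identifier string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if ip := net.ParseIP(identifier); ip != nil {
		tmpl.IPAddresses = []net.IP{ip}
	} else {
		tmpl.DNSNames = []string{identifier}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// selectCert is the tls.Config hook: with SNI, issue for that name; without SNI,
// fall back to the IP the listener accepted the connection on. A real deployment
// would cache per identifier instead of minting a key on every handshake.
func selectCert(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	if hello.ServerName != "" {
		return issue(hello.ServerName)
	}
	addr, ok := hello.Conn.LocalAddr().(*net.TCPAddr)
	if !ok {
		return nil, fmt.Errorf("no SNI and local address %v is not TCP", hello.Conn.LocalAddr())
	}
	return issue(addr.IP.String())
}

// probe does what the health checker does: dial by IP and send no SNI. An ALB
// does not validate the certificate; this probe at least checks that the leaf
// names the dialed IP (VerifyHostname accepts IP literals) and returns that SAN.
func probe(hostport string) (string, error) {
	host, _, err := net.SplitHostPort(hostport)
	if err != nil {
		return "", err
	}
	conn, err := tls.Dial("tcp", hostport, &tls.Config{
		InsecureSkipVerify: true, // self-signed; identity is checked by IP SAN below
		VerifyConnection: func(cs tls.ConnectionState) error {
			return cs.PeerCertificates[0].VerifyHostname(host)
		},
	})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].IPAddresses[0].String(), nil
}

// runDemo listens on a loopback port chosen at runtime (nothing hardcoded) and
// probes it without SNI, returning the IP SAN the listener served.
func runDemo() (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: selectCert})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { _ = c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return probe(ln.Addr().String())
}

func main() {
	ip, err := runDemo()
	fmt.Println("no-SNI probe got IP SAN:", ip, "err:", err)
}
```

Running it prints `127.0.0.1` as the IP SAN, because the client dialed the loopback address and the server learned that address from the socket rather than from a config value. The same selection logic applied to the container in the post would serve a certificate for whatever private IP the ALB probes, while a request carrying `myservice.example.com` in SNI still gets a name-based certificate.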