Trouble setting up reverse proxy

1. The problem I’m having:

I am trying to set up Caddy in order to have different third-level domains point at different containers on my VPS. So far I have used Caddy to reverse proxy a couple of services: Baserow, N8N, Portainer… In all of them, I used Caddy to be able to connect through SSL on a third-level domain.

Now I want to connect another service, on another third-level domain, but I am having trouble. Note that this one (LinkStack) is the only one that, by default, has ports 80 and 443 exposed, the same ports Caddy uses.

2. Error messages and/or full log output:

I got no error; the service is simply unreachable.

3. Caddy version:

v2.8.4

4. The stack now (working)

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    container_name: caddy
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - caddy_data:/data
      - ${DATA_FOLDER}/caddy_config:/config
      - ${DATA_FOLDER}/caddy_config/Caddyfile:/etc/caddy/Caddyfile

  n8n:
    image: docker.n8n.io/n8nio/n8n
    container_name: n8n
    restart: always
    environment:
      - N8N_HOST=${N8N_SUBDOMAIN}.${DOMAIN_NAME}
      - N8N_PORT=5678
      - N8N_PROTOCOL=https
      - NODE_ENV=production
      - WEBHOOK_URL=https://${N8N_SUBDOMAIN}.${DOMAIN_NAME}/
      - GENERIC_TIMEZONE=${GENERIC_TIMEZONE}
      - N8N_LOG_OUTPUT=console
      - N8N_LOG_LEVEL=debug
    volumes:
      - n8n_data:/home/node/.n8n
      - ${DATA_FOLDER}/local_files:/files

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    ports:
      - "9000:9000"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - portainer_data:/data
    restart: unless-stopped

volumes:
  caddy_data:
    external: true
  n8n_data:
    external: true
  portainer_data:

Caddy config

n8n.***.it {
    reverse_proxy n8n:5678 {
      flush_interval -1
    }
}
portainer.***.it {
	reverse_proxy portainer:9000
}

Addition to the yml file

linkstack:
    container_name: linkstack
    hostname: linkstack
    environment:
      - HTTP_SERVER_NAME=links.planbproject.it
      - HTTPS_SERVER_NAME=links.planbproject.it
      - SERVER_ADMIN=g.lanzi@planbproject.it
      - TZ=Europe/Rome
      - PHP_MEMORY_LIMIT=512M
      - UPLOAD_MAX_FILESIZE=8M
    ports:
      - "8000:8000"
      # - "4431:4431"
    restart: unless-stopped
    volumes:
      - linkstack:/htdocs
    image: linkstackorg/linkstack:latest

volumes:
  linkstack:
    external: true

Addition to the caddy config file

links.***.it {
	reverse_proxy linkstack:8000
}

I am not sure how to deal with the port in the compose file and in the caddy config.

Can you help?
Thank you

    # ports:
      - "8000:8000"

If I take your code literally, it means that the port directive is commented out.

You are definitely right! I uncommented the line and the problem is still the same: the service is unreachable. The error I get when navigating to links.***.it is:

This site can’t provide a secure connection

**links.***.it** sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

Hello.

Was Caddy able to successfully provision and deploy the SSL certificate for links.***.it?

I also checked the Linkstack Docs and they recommend using additional configuration for Caddy, see below:

# Make sure to use HTTPS for redirection to avoid mixed content errors.

# Add this to your Caddyfile:

links.example.com {
  reverse_proxy https://localhost:443 {
    transport http {
      tls_insecure_skip_verify
    }
  }
}

You may have to uncomment the "4431:4431" line in your Dockerfile and use that port instead.

If Caddy is running in Docker, you don’t need ports: at all in any of your containers (except Caddy itself for 80/443). In fact, you probably want to remove them for all other containers. You typically want all access to those apps to be through Caddy, to make sure it’s only accessible over HTTPS. By adding ports, you’re opening a “back door” to those containers through which connections could go directly, skipping past Caddy.

Remember you want to use the port internal to the Docker container when proxying from container to container, not the port you bound on the host.

1 Like
