Troubles proxying to ports on the machine with SSL

First-time poster, and a bit of a networking newb sometimes.

I’m currently using docker for a few webapps on a server. Each has its own instance of NGINX built in (specifically because it has some optimizations with the application server, Phusion Passenger for ruby). All these webapps I want to be SSL/HTTPS only. They each are already matched with their own certificates currently, but that can easily be changed if I decide to use Caddy for letsencrypt. I’m not sure how to proxy to ports while retaining HTTPS; I’ve read that using a reverse proxy causes some issues with domain name authentication? Anyway, just looking for a config to make it work.

My DNS records look like this:
my_server.domain.com. A xxx.xx.xx.x
service1.domain.com CNAME my_server.domain.com.
service2.domain.com CNAME my_server.domain.com.

The Caddyfile on my_server.domain.com looks like this:

:443
proxy service1.domain.com localhost:xxxx

Where localhost:xxxx is the local port that the service1’s container’s port 443 is listening on.
I confirm after I start Caddy that it’s available on both 80 and 443 with nmap my_server.domain.com.

Not even getting a 503 error, just getting page not found. But it does seem to be redirecting, then failing. I’m assuming this has something to do with certs, and Caddy not having them? Does the proxy need them to forward SSL connections?

I’ve looked at this specifically for guidance, and a few automatic reverse proxy articles, but couldn’t get it working. Probably don’t understand DNS redirects well enough.
https://caddyserver.com/docs/proxy

Hey Jonathan, welcome!

The first argument to proxy must be a path, not a domain name.

You probably want something like this:

service1.domain.com {
    proxy / localhost:xxxx
}
service2.domain.com {
    proxy / localhost:xxxx
}

And then Caddy will take care of the HTTPS for you.


Thanks Matt! Could I ask a few questions?

So when Caddy gets its request, does it:

  1. look at the host header, chooses which directive to execute (i.e. host header is service1.domain.com, goes to the first)
  2. Then it looks at the requested URI, in this case /? What does root mean in this case? Does caddy infer that anything after the root should also be proxied to that localhost address? Does a proxy automatically return a 301, or does it need to?
  3. Does the caddy proxy need the same certs as the nginx server? Or does it just need some valid certs to establish a connection before forwarding it on?

Sorry for the questions, thank you for all this - and an awesome server!

Correct so far; although “directive” is the wrong word here. It uses both the Host header and the request path (as of 0.9) to choose which site to use. A site in Caddy’s internals is a set of configuration with its most important part, the middleware chain.

Step 2 works more like this instead: Caddy executes the middleware chain for the matched site so that each of the directives that are used get a chance to look at and handle the request or do whatever they need to do. Each handler function, then, is responsible for examining the request to see if it should handle it. Typically, this means looking at the request path and seeing if it has a prefix; thus all requests match /, the root path.

The proxy directives I’ve suggested use / as their base path, so they match all requests for their respective sites.

No, Caddy is the only one that needs certs; the backend doesn’t need certificates usually, especially if it’s on a loopback interface like localhost.

Hope that helps.
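To make the site-selection and prefix-matching behaviour described above concrete, here is an added toy model (not Caddy’s own code) that parses a constructed Caddyfile in the shape Matt suggested and routes a request by Host header plus longest site-path prefix, then by the proxy directive’s base path; path stripping and rewrites are not modelled.

```python
import re
from dataclasses import dataclass, field

# Constructed Caddyfile: two host-only sites plus one path-scoped site
# (Caddy 0.9 lets a site label carry a path) to show longest-prefix wins.
CADDYFILE = """
service1.domain.com {
    proxy / localhost:4431
}
service1.domain.com/api {
    proxy / localhost:4432
}
service2.domain.com {
    proxy / localhost:4433
}
"""

@dataclass
class Site:
    host: str
    path: str                                    # "/" unless label has a path
    proxies: list = field(default_factory=list)  # [(base_path, upstream)]

def parse_caddyfile(text):
    """Minimal parser: site labels 'host[/path] {', 'proxy <base> <upstream>'."""
    sites, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        label = re.fullmatch(r"([\w.-]+)(/\S*)?\s*\{", line)
        if label:
            current = Site(label.group(1).lower(), label.group(2) or "/")
            sites.append(current)
        elif line == "}":
            current = None
        elif line.startswith("proxy ") and current is not None:
            _, base, upstream = line.split()
            current.proxies.append((base, upstream))
    return sites

def route(sites, host, path):
    """Return the upstream chosen for (Host, path), or None (the 404 case)."""
    host = host.split(":")[0].lower()            # Host may carry a port
    matches = [s for s in sites if s.host == host and path.startswith(s.path)]
    if not matches:
        return None
    site = max(matches, key=lambda s: len(s.path))   # longest site path wins
    # Within the site, the longest proxy base that prefixes the request path
    # handles it; a base of "/" therefore matches every request.
    for base, upstream in sorted(site.proxies, key=lambda p: -len(p[0])):
        if path.startswith(base):
            return upstream
    return None

SITES = parse_caddyfile(CADDYFILE)
```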
