That’s from Caddy v1, it’s not relevant.
Correct, tls goes outside/above reverse_proxy.
The issue is trust. TLS requires trust to be secure. The client needs to be able to trust that the server’s TLS certificate was issued by a trusted authority (a CA, Certificate Authority). If there’s no trust, then it would be possible for some attacker to get in between the client and server and perform a man-in-the-middle attack, using its own TLS cert and “adding a link in the chain”, reading and/or manipulating the traffic.
When you use tls_insecure_skip_verify you’re basically saying “don’t do any trust checks”, so you’re turning off all the security that HTTPS offers. The data’s still encrypted, but nothing stops an attacker from “acting” like they’re the server even though they put themselves in front of the actual server.
The reason ACME is a thing is to provide an automated way for a CA (like Let’s Encrypt) to verify that you have control of the domain and that nobody else does. You prove that by showing Let’s Encrypt “look at this one URL, yes it matches the thing you told me to show you” which is proof that “yes you were able to change the contents you served, so you must control the domain”.
Like I said earlier, HTTPS over private networks is unnecessary and wasteful, because the risk of someone getting in between Caddy (the client in this case) and your upstream app (the server) is extremely unlikely (unless you run untrusted software or allow access to untrusted users).
But if you absolutely must use HTTPS, the “correct” thing is to configure trust, and you can do that by configuring tls_trusted_ca_certs to point to the root CA cert that signed the upstream’s certificate. If the upstream is using a self-signed cert, then it would just be that cert.
No app that you can proxy to requires HTTPS, it just might be configured to only serve HTTPS by default. There’s no technical reason that HTTPS must be used. Even HTTPS over the internet is optional, but very very strongly recommended because of the privacy and tamper-resistance that it provides. And obviously Caddy makes that easy via ACME automation.
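The difference between “skip verification” and “configure trust” described above, shown as an added example that is not part of the original post and is not Caddy’s own code. Caddy’s reverse proxy is built on Go’s crypto/tls, so the two client configs below stand in for tls_insecure_skip_verify (InsecureSkipVerify) and tls_trusted_ca_certs (a RootCAs pool holding the upstream’s self-signed cert). The program mints two throwaway self-signed certs for an assumed upstream name, app.internal: one for the genuine upstream, one for an attacker claiming the same name, and serves each on a loopback port. The upstream name, the ports and the certificates are all constructed in-process for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records which client policy accepted which server.
type Outcome struct {
	SkipVerifyAcceptsImpostor bool  // tls_insecure_skip_verify vs. attacker's cert
	PinnedAcceptsGenuine      bool  // tls_trusted_ca_certs vs. the real upstream
	PinnedAcceptsImpostor     bool  // tls_trusted_ca_certs vs. attacker's cert
	PinnedError               error // why the pinned client rejected the impostor
}

func must(err error) { if err != nil { panic(err) } }

// selfSigned mints a throwaway self-signed cert for name; called twice it yields
// the upstream app's cert and an attacker's cert claiming the same name.
func selfSigned(name string) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// serve listens on a loopback port presenting cert and drives the TLS handshake
// for each connection until the listener is closed.
func serve(cert tls.Certificate) net.Listener {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	must(err)
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			_ = c.(*tls.Conn).Handshake() // fails when the client rejects our cert; expected
			c.Close()
		}
	}()
	return ln
}

// handshake dials addr as a TLS client and returns the handshake error, if any.
func handshake(addr string, cfg *tls.Config) error {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// Demo runs both client policies against the real upstream and an impostor.
func Demo() Outcome {
	const upstreamName = "app.internal" // assumed hostname of the upstream app
	genuine, genuineLeaf := selfSigned(upstreamName)
	impostor, _ := selfSigned(upstreamName) // same name, attacker's own key
	realLn, mitmLn := serve(genuine), serve(impostor)
	defer realLn.Close()
	defer mitmLn.Close()
	// tls_insecure_skip_verify: encrypt, but check neither chain nor name.
	skip := &tls.Config{ServerName: upstreamName, InsecureSkipVerify: true}
	// tls_trusted_ca_certs pointed at the upstream's own self-signed cert.
	pool := x509.NewCertPool()
	pool.AddCert(genuineLeaf)
	pinned := &tls.Config{ServerName: upstreamName, RootCAs: pool}
	var o Outcome
	o.SkipVerifyAcceptsImpostor = handshake(mitmLn.Addr().String(), skip) == nil
	o.PinnedAcceptsGenuine = handshake(realLn.Addr().String(), pinned) == nil
	o.PinnedError = handshake(mitmLn.Addr().String(), pinned)
	o.PinnedAcceptsImpostor = o.PinnedError == nil
	return o
}

func main() { fmt.Printf("%+v\n", Demo()) }
```

The skip-verify client accepts the impostor even though the connection is encrypted, which is the “attacker acting like the server” case; the pinned client accepts the genuine upstream and rejects the impostor with an unknown-authority error, because the attacker’s cert is not in the trusted set. In a Caddyfile these two policies correspond to the tls_insecure_skip_verify and tls_trusted_ca_certs subdirectives inside reverse_proxy’s transport http block; for a self-signed upstream, the path given to tls_trusted_ca_certs is the upstream’s own cert, exactly as the pool above holds it.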