Use Caddy to reverse proxy a service already using HTTPS

1. My Caddy version (caddy -version):

Caddy 1.0.4

2. How I run Caddy:

gaps.domain.com {
    import gzipconf
    import addheader
    log /share/Public/caddy-gaps.log
    proxy / https://192.168.1.221:8484 {
        keepalive 32
        transparent
        websocket
    }
}

3. The problem I’m having:

I am trying to set up “gaps”[1] with Caddy, but the landing configuration page already uses TLS (I am not sure how the certificate is created and in any case it is invalid) to access within the LAN.

I wanted to use Caddy to access this page, but I receive the following error: 502 Bad Gateway

Shall I simply use the TLS option to point to the certificate (which I have to find where it is, probably in the config directory of this app)? However, doing so, I expect that the certificate would still be invalid.

Moreover, it seems that the app is made out of a jar, so it does not seem easy to customize.

Maybe it is not even a question for Caddy, but just in case there is a workaround…

Thanks

[1] GitHub - JasonHHouse/gaps: Find the missing movies in your Plex Server

Hey @giopas, does your upstream server have a valid certificate (i.e. not self-signed)?

If not, you’ll need to tell Caddy to skip certificate validation. By default it’ll fail out if the cert isn’t trusted, just like a browser would.

  • insecure_skip_verify overrides verification of the backend TLS certificate, essentially disabling security features over HTTPS.

https://caddyserver.com/v1/docs/proxy

Hi Matthew!

Thanks for the quick reply. It is a self-signed certificate.

Does it mean that I just have to add insecure_skip_verify to the proxy config block, as below?

gaps.domain.com {
    import gzipconf
    import addheader
    log /share/Public/caddy-gaps.log
    proxy / https://192.168.1.221:8484 {
        keepalive 32
        transparent
        websocket
        insecure_skip_verify
    }
}

Thanks!

Yep. But doing so mostly defeats the purpose of using TLS.

Correct! Indeed, it is a quick and dirty workaround, but one which may temporarily serve the purpose (waiting for a better implementation on the app side).
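What skipping verification gives up, as an added Go example (not code from this thread or from Caddy): Go's crypto/tls `InsecureSkipVerify` field is used here to model the directive, and it is compared with a client that trusts only the upstream's own self-signed certificate. The loopback servers, certificates and function names are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// upstream starts a loopback HTTPS server with a fresh self-signed cert (constructed fixture).
func upstream() *httptest.Server {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key) // template == parent: self-signed
	s := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	s.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	s.StartTLS()
	return s
}

// reachable reports whether a client using cfg completes a request to url.
func reachable(url string, cfg *tls.Config) bool {
	tr := &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err == nil
}

// compare probes the real app and an impostor under three client trust policies.
func compare() (strict, skipApp, skipFake, pinApp, pinFake bool) {
	app, fake := upstream(), upstream() // fake: a different key and cert on the same address
	defer func() { app.Close(); fake.Close() }()
	pool := x509.NewCertPool()
	pool.AddCert(app.Certificate()) // trust exactly this one certificate, nothing else
	skip, pin := &tls.Config{InsecureSkipVerify: true}, &tls.Config{RootCAs: pool}
	return reachable(app.URL, &tls.Config{}), reachable(app.URL, skip),
		reachable(fake.URL, skip), reachable(app.URL, pin), reachable(fake.URL, pin)
}

func main() { fmt.Println(compare()) } // order: strict, skip/app, skip/fake, pin/app, pin/fake
```

The default client rejects the self-signed upstream, which is the failure behind the 502 above; the skip-verify client also accepts the impostor, while the pinned client accepts only the real upstream.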
