Using Caddy as reverse proxy for a subdomain

ironalloy · March 20, 2024, 7:47pm

Hi,
fyi I’m very new to Caddy (and networking) and I did try to read docs, still got lost.

1. The problem I’m having:

I’m trying to install Nextcloud-AIO on Ubuntu server jammy and using Caddy as a reverse-proxy. Caddy is installed with apt.
My site is aronkvh.hu running on web storage.
I’m trying to port forward 192.168.10.114 in my local network to a subdomain (felho.aronkvh.hu).
Nameservers are Cloudflare.
The Nextcloud container and subdomain itself probably works, before setting up the proxy it was reachable without TLS.

2. Error messages and/or full log output:

Logs from nextcloud docker:


{"level":"info","ts":1710954842.9967988,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
[Wed Mar 20 17:14:03.039106 2024] [mpm_event:notice] [pid 135:tid 140501328452360] AH00489: Apache/2.4.58 (Unix) OpenSSL/3.1.4 configured -- resuming normal operations
[Wed Mar 20 17:14:03.039147 2024] [core:notice] [pid 135:tid 140501328452360] AH00094: Command line: 'httpd -D FOREGROUND'
[20-Mar-2024 17:14:03] NOTICE: fpm is running, pid 145
[20-Mar-2024 17:14:03] NOTICE: ready to handle connections
NOTICE: PHP message: The response of the connection attempt to "https://felho.aronkvh.hu:443" was: 
NOTICE: PHP message: Expected was: 2e008d30c124f5baa061a3f7cc236d4b7db360e917911a1b
NOTICE: PHP message: The error message was: Operation timed out after 10002 milliseconds with 0 bytes received
NOTICE: PHP message: Please follow https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#6-how-to-debug-things in order to debug things!
Deleting duplicate sessions

Caddy logs: Bepasty
(I exceeded the post limit when pasting)

3. Caddy version:

4. How I installed and ran Caddy:

Following the docs,

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

a. System environment:

Ubuntu server 22.04 LTS, x86 (5.15.0-101-generic #111-Ubuntu SMP )
Caddy v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
nextcloud is running in docker engine 25.0.5

systemd 249 (249.11-0ubuntu3.12)
+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMO
D +LIBCRYPTSETUP +LIBFDISK +PCRE2 -PWQUALITY -P11KIT -QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD -XKBCOMMON +UTMP +SYSVINIT default-hierarc
hy=unifie

b. Command:

autostarted by systemd

d. My complete Caddy config:

{
    debug
}

felho.aronkvh.hu:443 {
    reverse_proxy 192.168.10.114:11000
}

5. Links to relevant resources:

github.com

nextcloud/all-in-one/blob/main/reverse-proxy.md#caddy-recommended

# Reverse Proxy Documentation

A [reverse proxy](https://en.wikipedia.org/wiki/Reverse_proxy) is basically a web server that enables computers on the internet to access a service in a [private subnet](https://en.wikipedia.org/wiki/Private_network).

**Please note:** Publishing the AIO interface with a valid certificate to the public internet is **not** the goal of this documentation! Instead, the main goal is to publish Nextcloud with a valid certificate to the public internet which is **not** running inside the mastercontainer but in a different container! If you need a valid certificate for the AIO interface, see [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface).

In order to run Nextcloud behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else), you need to specify the port that AIO's Apache container shall use, add a specific config to your web server or reverse proxy and modify the startup command a bit. All examples below will use port `11000` as example `APACHE_PORT` which will be exposed on the host to receive unencrypted HTTP traffic from the reverse proxy. **Advice:** If you need https between Nextcloud and the reverse proxy because it is running on a different server in the same network, simply add another reverse proxy to the chain that runs on the same server like AIO and takes care of https proxying (most likely via self-signed cert). Another option is to create a VPN between the server that runs AIO and the server that runs the reverse proxy which takes care of encrypting the connection.

**Attention:** The process to run Nextcloud behind a reverse proxy consists of at least steps 1, 2 and 4:
1. **Configure the reverse proxy! See [point 1](#1-configure-the-reverse-proxy)**
1. **Use this startup command! See [point 2](#2-use-this-startup-command)**
1. Optional: If the reverse proxy is installed on the same host and in the host network, you should limit the apache container to only listen on localhost. See [point 3](#3-limit-the-access-to-the-apache-container)
1. **Open the AIO interface. See [point 4](#4-open-the-aio-interface)**
1. Optional: Get a valid certificate for the AIO interface! See [point 5](#5-optional-get-a-valid-certificate-for-the-aio-interface)
1. Optional: How to debug things? See [point 6](#6-how-to-debug-things)

**Please note:** Since the Apache container gets created by the mastercontainer, there is **NO** way to provide custom docker labels or custom environmental variables for the Apache container. So please do not attempt to do this because you will fail! Only the documented way will work!

## 1. Configure the reverse proxy

This file has been truncated. show original

Port forwarding router settings:

Thanks in advance for your help.

victor · March 20, 2024, 7:52pm

You will need to forward ports 80 and 443 to your caddyserver IP. Caddy will handle port 11000 for you on the backend.

ironalloy · March 20, 2024, 8:01pm

Thanks, so like this?

victor · March 20, 2024, 8:02pm

Yes. That should work.

ironalloy · March 20, 2024, 8:03pm

Nextcloud still says:
Domain does not point to this server or the reverse proxy is not configured correctly. See the mastercontainer logs for more details. ('sudo docker logs -f nextcloud-aio-mastercontainer')
If I try to check in the browser, I either get ERR_CONNECTION_TIMED_OUT or ERR_SSL_PROTOCOL_ERROR

victor · March 20, 2024, 8:07pm

Did you restart caddy?

Did you also edit your Nextcloud config file to trust caddy as the proxy?

victor · March 20, 2024, 8:13pm

I can’t help much with the Nextcloud end, but if you forward those ports to the IP that is serving caddy, then caddy will work.

ironalloy · March 20, 2024, 8:17pm

I forgot to restart. the all-in-one image apparently sets up trusted proxies automatically. Now everything seems to work,
Thanks very much for the help

system · April 19, 2024, 8:17pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.