Using Caddy for HTTP Connect

1. Caddy version (caddy version):

v2.4.0-beta.1 => /src/caddy

2. How I run Caddy:

a. System environment:

Host OS: Linux SMP Debian 4.19.132-1 (2020-07-24) x86_64 GNU/Linux
Docker Base Image: caddy:2.0.0-builder along with the caddy-dns/cloudflare module (github.com/caddy-dns/cloudflare, dns.providers.cloudflare)

b. Command:

sudo docker-compose -f caddy-compose.yml up -d

c. Service/unit/compose file:

caddy-compose.yml

version: "3.7"
services:

  caddy:
    build: ./dns-dockerfile
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - MY_DOMAIN=$MY_DOMAIN
      - CLOUDFLARE_API_TOKEN=$CLOUDFLARE_API_TOKEN
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - /data/caddy/data:/data
      - /data/caddy/config:/config

networks:
  default:
    external:
      name: $DOCKER_MY_NETWORK

Dockerfile

FROM caddy:2.0.0-builder AS builder

RUN caddy-builder \
    github.com/caddy-dns/cloudflare

FROM caddy:2.0.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

d. My complete Caddyfile or JSON config:

{
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    key_type rsa4096
}

(proxy_template) {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

www.{$MY_DOMAIN}, {$MY_DOMAIN} {
    reverse_proxy /.well-known/matrix/* https://matrix.{$MY_DOMAIN} {
        header_up Host {http.reverse_proxy.upstream.hostport}
    }
    import proxy_template
}

matrix.{$MY_DOMAIN}, dimension.{$MY_DOMAIN}, element.{$MY_DOMAIN}, jitsi.{$MY_DOMAIN} {
    import proxy_template
    
    reverse_proxy matrix-nginx-proxy:8080
}

matrix.{$MY_DOMAIN}:8448 {
    reverse_proxy matrix-nginx-proxy:8448
}

3. The problem I’m having:

The way my setup works is that a request that goes through my Caddy server is redirected to an nginx server (the reasoning for this is complicated) and then forwarded to my Matrix server (which is just a normal server).

What I ideally want is for the connection between the client and Caddy to be protected with SSL. However, I don't care about encrypting the connection between Caddy and nginx. Now, when Caddy forwards the request to nginx, it throws an error, since Caddy is making an HTTPS request when nginx expects HTTP.
nginx throws the following error:

error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Looking at this answer on Stack Overflow ("curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number"), it looks like the solution is that the proxy should use HTTP CONNECT to make sure that it is not using SSL when proxying to nginx.

Basically, sending an HTTP request to Caddy works, since Caddy just forwards an HTTP request to nginx and it doesn't throw an error. But I want the connection between Caddy and the client to be HTTPS and the connection between Caddy and nginx to be HTTP.

And for some reason I am not facing this problem when requesting matrix.mydomain. The problem only happens when requesting matrix.mydomain:8448. So the problem only occurs on port 8448 and not on port 80.

Is there any way to do this with Caddy?

4. Error messages and/or full log output:

Here's the error from nginx: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
I don't get any new logs in Caddy when I make this request, so there is nothing to add there.

5. What I already tried:

6. Links to relevant resources:

You're using an outdated Dockerfile. Please use at least v2.3.0 and follow the new instructions that use xcaddy to build. See the Docker page.

The issue is here; remove the https:// on this line. That is what's telling Caddy to connect over HTTPS.

Sorry, I should have clarified.
Here’s the curl command that is causing me problems:
curl https://matrix.domain:8448/_matrix/federation/v1/version

Changing the above to http works, but https doesn't. So the issue isn't in the www handler but in the matrix.domain:8448 handler.

Ah, you didn’t expose that port:

Thanks a lot! That was exactly the issue.

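For reference, here is what the two fixes discussed in this thread look like when put together. This is an added example written for this page, not config from the original poster or from the Caddy project; it assumes the same MY_DOMAIN / CLOUDFLARE_API_TOKEN environment variables and the same matrix-nginx-proxy upstream as the posted Caddyfile, and that the compose file for the caddy service gains a "8448:8448" entry under ports alongside 80 and 443.

```caddyfile
{
    # Global options, as in the original config. The ACME staging
    # directory is commented out; uncomment it while testing so that
    # repeated failures do not hit Let's Encrypt rate limits.
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    key_type rsa4096
}

(proxy_template) {
    # DNS-01 challenge through Cloudflare; the token comes from the
    # container environment, so the Caddyfile itself holds no secret.
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

www.{$MY_DOMAIN}, {$MY_DOMAIN} {
    import proxy_template

    # Only the well-known delegation endpoint is proxied from the apex.
    # No scheme on the upstream: Caddy terminates TLS from the client and
    # talks plain HTTP to the upstream on port 80. Writing
    # "https://matrix.{$MY_DOMAIN}" here instead would make Caddy open a
    # TLS connection to the upstream, which is the "wrong version number"
    # failure mode when the upstream only speaks HTTP.
    reverse_proxy /.well-known/matrix/* matrix-nginx-proxy:8080
}

matrix.{$MY_DOMAIN}, dimension.{$MY_DOMAIN}, element.{$MY_DOMAIN}, jitsi.{$MY_DOMAIN} {
    import proxy_template
    reverse_proxy matrix-nginx-proxy:8080
}

# Federation listener. Because the address carries a hostname, Caddy
# still serves HTTPS on :8448 with the managed certificate; the
# connection to the upstream stays plaintext. Note that this site block
# is useless unless the container actually publishes 8448 (the real
# cause of the reported error: without the port mapping, the request
# never reached Caddy at all).
matrix.{$MY_DOMAIN}:8448 {
    import proxy_template
    reverse_proxy matrix-nginx-proxy:8448
}
```

After adding the port mapping and recreating the container, `curl -v https://matrix.<domain>:8448/_matrix/federation/v1/version` should show a handshake against Caddy's certificate and a JSON response; if the TLS handshake still fails at that point, check the published ports with `docker port caddy` before touching the Caddyfile again.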
