Using Caddy with Cloudflared Argo tunnel and DNS wildcard

1. Caddy version (caddy version):

docker image: slothcroissant/caddy-cloudflaredns:2.4.6
https://hub.docker.com/r/slothcroissant/caddy-cloudflaredns

2. How I run Caddy:

using docker-compose, see below

a. System environment:

using docker

b. Command:

c. compose file:

my docker compose using a caddy version with cloudfare dns for DNS challenge

version: "3.7"
services:
  caddy:
    #image: caddy:latest
    image: slothcroissant/caddy-cloudflaredns:2.4.6
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /volume1/docker/caddy/Caddyfile:/etc/caddy/Caddyfile
      - /volume1/docker/caddy/data:/data
      - /volume1/docker/caddy:/config
    environment:
      - TLD=domain.xyz
      - CLOUDFLARE_EMAIL=me@example.com
      - CLOUDFLARE_API_TOKEN=mytoken
      - DOMAIN=192.168.0.101
      - TZ=Europe/Berlin

d. My complete Caddyfile or JSON config:

{
    acme_dns cloudflare mytoken
}


*.domain.xyz {

  @ha host ha.domain.xyz
  reverse_proxy @ha 192.168.0.12:8123
	
  @jellyfin host jellyfin.domain.xyz
  reverse_proxy @jellyfin 192.168.0.101:8096

}

3. The problem I’m having:

Cloudfare tunnel is configured with a CNAME wildcard *.domain.xyz

If I connect through the tunnel and set a the service directly, then it works. So I assume the tunnel is working properly with this config.yaml. Since I use a wildcard DNS, any subdomain goes to the same host at http://192.168.0.12:8123

tunnel: UUID
credentials-file: /etc/cloudflared/UUID.json

ingress:
  - hostname: '*.domain.xyz'
    service: http://192.168.0.12:8123
  - service: http_status:404

However, if I direct the hostname to my caddy server I expect it to work as a reverse proxy to all configured subdomains. Unfortunately I get Error 502 Bad Gateway. Here is the config.yaml

tunnel: UUID
credentials-file: /etc/cloudflared/UUID.json

ingress:
  - hostname: '*.domain.xyz'
    https://192.168.0.101:443
  - service: http_status:404

4. Error messages and/or full log output:

Here is the log on the cloudflared docker container:

07T16:00:52Z ERR  error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: internal error" cfRay=6f83fa88eb569be2-FRA ingressRule=0 originService=https://192.168.0.101:443,
2022-04-07T16:00:52Z ERR Failed to handle QUIC stream error="Unable to reach the origin service. The service may be down or it may not be responding to traffic from cloudflared: remote error: tls: internal error" connIndex=1

5. What I already tried:

I tried different instructions from different forums, but could not get the right way to use Caddy reverse proxy with a wildcard. I think I went far enough to make cloudflared work, but not with Caddy.

These are some of the links I tried, besides searching in Caddy and Cloudflare community, reddit and google:

6. Links to relevant resources:

• Wildcard Certificates in Caddy Server :: reinhardt.dev
• How-To Guide: Caddy V2 & Cloudflare DNS-01 via Docker

to use a reverse proxy with a CNAME wildvard DNS, hostname and originServerName need to have the same value of *.domain.xyz

working config.yaml:

tunnel: UUID
credentials-file: /etc/cloudflared/UUID.json

ingress:
  - hostname: '*.domain.xyz'
    service: https://192.168.0.101:443
    originRequest:
      originServerName: '*.domain.xyz'
  - service: http_status:404

then just use caddyfile:

{
    acme_dns cloudflare mytoken
}

*.domain.xyz {

  @service1 host service1.domain.xyz
  reverse_proxy @service1 192.168.0.101:1234

  @service2 host service2.domain.xyz
  reverse_proxy @service2 192.168.0.101:5678
	
}

This topic was automatically closed after 30 days. New replies are no longer allowed.