Using named matcher for tls configuration for each website

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

Caddy is run via a systemd service. Caddy was installed via the official repo (https://apt.fury.io/caddy/).

a. System environment:

Debian 11 Bullseye

b. Command:

caddy service restart

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

{
	# General Options
	admin off
	# TLS Options
	email mail@gmail.com
}

@tls
tls{
	protocols tls1.3
}

# Config reverse Proxy
hyperviseur.domaine.fr {
	reverse_proxy 192.168.1.50:80
	@tls
}

bitwarden.domaine.fr {
	reverse_proxy 192.168.1.50:8080
	@tls
}

zabbix.domaine.fr {
	reverse_proxy 192.168.1.120:80
	@tls
}

fog.domaine.fr {
	reverse_proxy 192.168.1.140:80
	@tls
}

wiki.domaine.fr {
	reverse_proxy 192.168.1.170:80
	@tls
}

3. The problem I’m having:

I want to not repeat the tls directive; I tried with a named matcher like this:

@tls1.3 {
tls {
     protocols tls1.3
}

4. Error messages and/or full log output:

service caddy status
● caddy.service - Caddy
     Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2021-01-01 12:58:23 CET; 31s ago
       Docs: https://caddyserver.com/docs/
    Process: 21793 ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile (code=exited, status=1/FAILURE)
   Main PID: 21793 (code=exited, status=1/FAILURE)

janv. 01 12:58:23 debian-reverse caddy[21793]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
janv. 01 12:58:23 debian-reverse caddy[21793]: HOME=/var/lib/caddy
janv. 01 12:58:23 debian-reverse caddy[21793]: LOGNAME=caddy
janv. 01 12:58:23 debian-reverse caddy[21793]: USER=caddy
janv. 01 12:58:23 debian-reverse caddy[21793]: INVOCATION_ID=8b05406d37d64793b5503e88d015ab1a
janv. 01 12:58:23 debian-reverse caddy[21793]: JOURNAL_STREAM=8:279619
janv. 01 12:58:23 debian-reverse caddy[21793]: {"level":"info","ts":1609502303.9332616,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
janv. 01 12:58:23 debian-reverse caddy[21793]: run: adapting config using caddyfile: cannot define a matcher outside of a site block: '@tls'
janv. 01 12:58:23 debian-reverse systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
janv. 01 12:58:23 debian-reverse systemd[1]: caddy.service: Failed with result 'exit-code'.

5. What I already tried:

I’ve added the tls directive in each website block.

6. Links to relevant resources:

I looked here; maybe I’m wrong.

I do something similar in my Caddyfile using import:

(cloudflare-tls) {
  tls {
    dns cloudflare {env.CLOUDFLARE_API_KEY}
  }
}

dozzle.chrisrees.dev {
  import cloudflare-tls
  reverse_proxy 192.168.128.8:8080
}

You can’t have matchers outside of site blocks.

Also, you must have a space before all { tokens, for it to be correctly parsed by the Caddyfile adapter.

I’m not sure what you’re trying to do here. Do you mean to limit all your sites to tls1.3 (and exclude tls1.2 clients)?

If so you should be using snippets to copy the configuration to each site, as @Serneum suggested. Matchers are not the right tool for this.

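A small structural check for the two points raised in this reply (a named matcher defined outside a site block, and a `{` glued to the token before it), plus a check that every site block either imports the shared snippet or carries its own `tls` directive. This is an added example written for this thread, not Caddy's adapter or anything posted by the participants; the two Caddyfiles inside it are constructed, condensed from the configs above, and the linter only recognises the top-level shapes used in the thread (a global options block, `(name)` snippets, and site blocks).

```python
"""Structural lint for a Caddyfile, covering the points raised in this thread.

Added example, not Caddy's own adapter. It only knows the top-level shapes used
in the thread: a global options block `{ ... }`, snippets `(name) { ... }` and
site blocks. `{env.X}` placeholders are tolerated because they open and close
on one line. Every name below is an assumption of this example, not Caddy's API.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


NEWLINE = "\n"  # marker token so a block body can be split back into directive lines


def tokenize(text: str) -> tuple[list[tuple[int, str]], list[Finding]]:
    """Return (line, token) pairs with braces as separate tokens, plus lexical findings.

    A brace glued to the preceding token (`tls{`) is reported: the Caddyfile
    adapter needs whitespace before '{' to treat it as a block opener.
    """
    tokens, findings = [], []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # drop comments
        if re.search(r"\S\{", line):
            findings.append(Finding(n, f"missing space before '{{' in {line.strip()!r}"))
        tokens.extend((n, tok) for tok in re.findall(r"[{}]|[^\s{}]+", line))
        tokens.append((n, NEWLINE))
    return tokens, findings


def directives(body):
    """Yield the token list of each directive line sitting at depth 1 of a block body."""
    depth, current = 0, []
    for _, tok in body:
        if tok == NEWLINE or tok == "{":
            if depth == 0 and current:  # a directive line ends at a newline or a sub-block
                yield current
                current = []
            if tok == "{":
                depth += 1
        elif tok == "}":
            depth -= 1
        elif depth == 0:
            current.append(tok)
    if depth == 0 and current:
        yield current


def site_sets_tls(body, snippet: str) -> bool:
    """True if the site block has its own `tls` directive or imports the shared snippet."""
    return any(d[0] == "tls" or d[:2] == ["import", snippet] for d in directives(body))


def lint_caddyfile(text: str, snippet: str = "tls1.3") -> list[Finding]:
    """Walk the top-level blocks and report the problems discussed in the thread."""
    tokens, findings = tokenize(text)
    i = 0
    while i < len(tokens):
        head = []  # tokens before the opening '{': site addresses, '(name)', or nothing
        while i < len(tokens) and tokens[i][1] != "{":
            if tokens[i][1] != NEWLINE:
                head.append(tokens[i])
            i += 1
        if i == len(tokens):
            if head:
                findings.append(Finding(head[0][0], f"tokens outside any block: {head[0][1]!r}"))
            break
        open_line = tokens[i][0]
        i += 1  # consume '{'
        body, depth = [], 1
        while i < len(tokens) and depth:
            tok = tokens[i][1]
            depth += int(tok == "{") - int(tok == "}")
            if depth:
                body.append(tokens[i])
            i += 1
        if depth:
            findings.append(Finding(open_line, "unterminated block: missing '}'"))
        matcher = next((t for t in head if t[1].startswith("@")), None)
        if matcher:  # same wording as the adapter error quoted in the thread
            findings.append(Finding(matcher[0], f"cannot define a matcher outside of a site block: '{matcher[1]}'"))
        elif head and not head[0][1].startswith("("):  # skip global options and snippets
            site = head[0][1]
            if not site_sets_tls(body, snippet):
                findings.append(Finding(open_line, f"site '{site}' neither imports snippet '{snippet}' nor sets 'tls'"))
    return sorted(findings, key=lambda f: f.line)


# Constructed inputs for this example, condensed from the configs in the thread.
BROKEN = """\
{
    email mail@gmail.com
}

@tls
tls{
    protocols tls1.3
}

hyperviseur.domaine.fr {
    reverse_proxy 192.168.1.50:80
    @tls
}
"""

FIXED = """\
{
    email mail@gmail.com
}

(tls1.3) {
    tls {
        protocols tls1.3
    }
}

hyperviseur.domaine.fr {
    import tls1.3
    reverse_proxy 192.168.1.50:80
}
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        result = lint_caddyfile(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  line {f.line}: {f.message}")
```

Run against the broken config it reports the matcher on line 5, the glued brace on line 6 and the site without TLS settings on line 10; the snippet-based config comes back clean. The check is deliberately shallow: `caddy adapt` remains the authoritative parser, and this only catches the shapes of mistake the thread discusses before the service is restarted.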

What I’m trying to do is to use only TLS v1.3 for all my websites.

Here is my config file with snippets inside:

{
	# General Options
	admin off
	# TLS Options
	email mail@gmail.com
}

(tls1.3) {
	tls {
		protocols tls1.3
	}
}

# Config reverse Proxy
hyperviseur.domain.fr {
	import tls1.3
	reverse_proxy 192.168.1.50:80
}

bitwarden.domain.fr {
	import tls1.3
	reverse_proxy 192.168.1.50:8080
}

zabbix.domain.fr {
	import tls1.3
	reverse_proxy 192.168.1.120:80
}

fog.domain.fr {
	import tls1.3
	reverse_proxy 192.168.1.140:80
}

wiki.domain.fr {
	import tls1.3
	reverse_proxy 192.168.1.170:80
}

The config file looks better, thanks!
