Using reverse proxy with docker image that runs through network_mode from wg-easy

swap · February 18, 2025, 4:15pm

1. The problem I’m having:

I’m trying to reverse proxy a docker image that is set up with network_mode: wg-easy.

My goal is to require a vpn tunnel for accessing certain dockers. I’ve been having some difficulties in doing that, until i discovered that I could use network_mode: wg-easy.
I can now access those services from a browser by typing 172.23.0.7:.
I found the ip by browsing through portainer.

Because I want to be able to access wg-easys gui, I’m running that on the same docker network as caddy.

I figured, since wg-easy is running on the same network as caddy, I could access the dockers running through wg-easy by adding:
example.com {
reverse_proxy memos:172.23.0.7:5230
}
In the caddyfile. However, that does not work.

Obviously, I barely know anything about linux/servers/docker, so I’m surprised I’ve gotten this far.
Hopefully there is an obvious solution to this.

I apologize for editing my domains, but I’m a bit paranoid. I really don’t see how they are relevant.

2. Error messages and/or full log output:

curl: (6) Could not resolve host: notes.domain.com

3. Caddy version:

v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

docker compose

a. System environment:

Debian 12
Docker compose

b. Command:

docker compose up -d

c. Service/unit/compose file:

services:
  caddy:
    image: caddy:latest
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    env_file: .env
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
#      - ./site:/srv
      - caddy_data:/data
      - caddy_config:/config

networks:
  default:
    name: caddyNet
    #external: true


volumes:
  caddy_data:
  caddy_config:

d. My complete Caddy config:

navi.domain.com {
    reverse_proxy navidrome:4533
}
tandoor.domain {
    reverse_proxy web_recipes:8080
}
vpn.domain.com {
    reverse_proxy wg-easy:51821
}
d.domain.com {
    reverse_proxy homepage:3000
    basic_auth {
                # Username "Bob", password "hiccup"
                Bob $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
        }
}
p.domain.com {
    reverse_proxy portainer:9000
}
note.domain.com {
    reverse_proxy memos:172.18.0.0/16:5230
}

Benny · February 18, 2025, 10:32pm

1 .The backend address is incorrect because 172.18.0.0/16 is a subnet, not a specific host.
2. What is your resolver for your domains. External/ internal. You can use unbound.

swap · February 19, 2025, 2:47pm

Thanks for your reply!
1: Yes, sorry, I tried that ip before posting, and forgot to change it back to 172.23.0.7:5230 before posting my Caddyfile.
To clarify, I can connect to 172.23.0.7:5230 with a browser, etc. But cant reverse proxy it.
2: External.

Benny · February 19, 2025, 5:05pm

What is your directly connection to memos app? http:// or https://
General reverse proxy settings.
Caddyfile:

    domain or IP {
    # Reverse proxy to your app
    reverse_proxy http:// or https://(remote source domain or IP and port) 
     }

extended

    domain or IP {
     # Reverse proxy to your app
     reverse_proxy https://(remote source domain or IP and port) {
            header_up Host 
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Port {server_port}

            transport http {
                    versions 2
                    keepalive 65s
            }
    } 
 }

with self signed SSL

      https://domain:ports
      {
        tls /path/to/cert.crt /path/to/cert.key {
            protocols tls1.2 tls1.3
            alpn h2 http/1.1
    }
    header -Server
    Reverse proxy to app
      https://domain:ports
    reverse_proxy https:///(remote source domain or IP and port){
            header_up Host {host}
            header_up X-Real-IP {remote_host}
            header_up X-Forwarded-For {remote_host}
            header_up X-Forwarded-Port {server_port}

            transport http {
                    versions 2
                    keepalive 65s
                    tls_client_auth  /path/to/client.crt /path/to/client.key
                    tls_trusted_ca_certs /path/to/ca_root.crt
                    tls_server_name {host}
            }
    }

    # Error handling with fallback to HTTP Cat
    handle_errors {
            rewrite * /{http.error.status_code}
            reverse_proxy https://http.cat {
                    header_up Host http.cat
            }
    }
 }

And let’s focus on Caddyfile.
You can use Caddyfile for global settings and import config for app
Global Caddyfile:

    { 
    preferable options
    }  import app.conf