Thanks a lot Matt, for your great help. Unfortunately I have not gotten it to work yet.
This is because Caddy 2 passes the Host header thru by default. It also adds X-Forwarded-For automatically. (I’ve updated the linked post to clarify that. It was quite old.) So you do not need a “transparent” keyword; but if you really need the other headers set like X-Real-IP (is set to same thing as X-Forwarded-For, but whatever) you will need to add that yourself.
I am definitely not knowledgeable when it comes to CORS. I simply copied these X-Forwarded- settings from someone else who posted them. From my current experiments it seems that you are right and they make no difference.
When figuring out proxy configs, I recommend setting debug in your global options to enable debug-level logging
Thanks, that is a great help.
This is the command you are running. Like, caddy
I think docker-compose.yml is doing that for me. Which would explain why I am not aware of it. Blissful noobness
the reverse_proxy uses a matcher /bb/* which the earlier one does not
That is because I am proxying to CouchDB. To a database called bb. CouchDB connects to /bb/* on the CouchDB server. And also while authorizing to /_sessions which explains that proxy. Both proxies are covered by reverse_proxy bb_db:5984 when serving from the sub-domain.
These have to be explicit when on the main domain because all other requests should be passed to the file_server.
and it doesn’t do any header_down with CORS headers. Why are CORS headers gone, how does it work without them?
In my understanding this is not cross domain: blue-borders.ch is requesting a resource from blue-borders.ch/bb. Not from api.blue-borders.ch/bb.
Are you by chance stopping and restarting Caddy instead of using caddy reload? How are you running Caddy?
As mentioned above, I am (was) not even aware of the caddy command. And I still don’t know how I would use it.
I am reloading using:
docker-compose up -d --no-deps --build caddy
docker-compose up -d --force-recreate
See how the space is necessary?
Yes, thank you!
Did you use their staging endpoint for testing? https://caddyserver.com/v1/docs/automatic-https#testing
Yes. But that was exactly what caused the issues: It did not work, using staged, so I was forced to use non-staged.
Unfortunately I could not find the issue where this was elaborated again. But that is what I remember. Beware of my horrible memory and general confusedness though…
Have you checked out our upgrade guide?
Yes, but not very thoroughly. As I have never actually used v1 beyond trying to get this here to work. So I don’t grasp v1 concepts as well as v2 (with the caveat of v2 still changing…).
What I realized just now: Isn’t the matcher missing when I am reverse proxying my subdomains?
I now changed:
api.blue-borders.ch {
    reverse_proxy bb_db:5984 {
        ...cors settings
    }
}
to:
api.blue-borders.ch {
    reverse_proxy * bb_db:5984 {
        ...cors settings
    }
}
which is giving me other error messages:
- With header_down Access-Control-Allow-Origin *:
  Access to fetch at 'https://api.blue-borders.ch/bb/' from origin 'https://blue-borders.ch' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
- With header_down Access-Control-Allow-Origin https://blue-borders.ch:
  Access to fetch at 'https://api.blue-borders.ch/bb/' from origin 'https://blue-borders.ch' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
What may be missing in the CORS settings is Access-Control-Allow-Methods but I could not figure out how to set them:
header_down Access-Control-Allow-Methods: POST, GET, OPTIONS
errored out:
Error during parsing: Wrong argument count or unexpected line ending after 'OPTIONS'
I then changed it to:
header_down Access-Control-Allow-Methods: POST,GET,OPTIONS
Which did not error out. But still did not work.
I then set them to:
header_down Access-Control-Allow-Methods: OPTIONS,DELETE,GET,HEAD,POST
which gives this error:
Access to fetch at 'https://api.blue-borders.ch/bb/' from origin 'https://blue-borders.ch' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.
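
The two browser errors quoted in this post come from different steps of the preflight check, which this added example (not part of the original post, and not Caddy or CouchDB code) models in the order the Fetch specification applies them. The request method PUT, the content-type header, the 405 status and the Access-Control-Allow-Credentials value are constructed assumptions, since the post elides the rest of its CORS settings.

```javascript
// Added model of the browser-side preflight checks; not Caddy or CouchDB code.
// Header names are lowercased keys; all sample values below are constructed.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];

function listOf(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

function checkPreflight(request, response) {
  const h = response.headers;
  const withCreds = request.credentials === 'include';
  const allowOrigin = h['access-control-allow-origin'];

  // 1. CORS check on the origin: evaluated before the status code.
  if (allowOrigin === undefined) return 'missing Access-Control-Allow-Origin';
  if (allowOrigin === '*') {
    if (withCreds) return 'wildcard origin not allowed with credentials';
  } else if (allowOrigin !== request.origin) {
    return 'origin mismatch';
  }
  if (withCreds && h['access-control-allow-credentials'] !== 'true') {
    return 'missing Access-Control-Allow-Credentials: true';
  }
  // 2. The preflight (OPTIONS) response must itself have a 2xx status.
  if (response.status < 200 || response.status > 299) return 'not HTTP ok status';

  // 3. GET, HEAD and POST pass without being listed; others must be listed.
  const methods = listOf(h['access-control-allow-methods']);
  const methodOk = SAFELISTED_METHODS.includes(request.method) ||
    methods.includes(request.method) || (!withCreds && methods.includes('*'));
  if (!methodOk) return `method ${request.method} not allowed`;

  // 4. Each non-safelisted request header must be listed (case-insensitive).
  const allowed = listOf(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of request.headers) {
    const n = name.toLowerCase();
    const wildcard = !withCreds && allowed.includes('*') && n !== 'authorization';
    if (!allowed.includes(n) && !wildcard) return `header ${name} not allowed`;
  }
  return 'ok';
}

// Constructed request: credentialed fetch from the site to the API subdomain.
const sampleRequest = { origin: 'https://blue-borders.ch', credentials: 'include',
  method: 'PUT', headers: ['content-type'] };
const creds = { 'access-control-allow-credentials': 'true' };
console.log(checkPreflight(sampleRequest, { status: 405,
  headers: { ...creds, 'access-control-allow-origin': '*' } }));
```

Because the origin check runs first, replacing the wildcard with the explicit origin only moves the failure on to the status check: the OPTIONS request also has to be answered with a 2xx status before any Access-Control-Allow-Methods value is examined.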