Category Archives: caddy

Caddy reverse proxy

I was using Caddy with no problems, but it suddenly stopped working after I switched my Pi-hole 6 installation from a Proxmox LXC (where it was lagging horribly) to a bare-metal Pi 3. I put it down to the DNS, and maybe that was the cause, but the solution was to remove the wildcard at the top of the Caddyfile.

I was using a wildcard *.local certificate, but Firefox rejected it because it didn't match dns.local.

Removing the *.local section from the Caddyfile fixed it once I had installed the root.crt in Firefox. I use a Proxmox script for the Caddy installation, and it puts the certificates in

/var/lib/caddy/.local/share/caddy/pki/authorities/local/

Caddy, SEC_ERROR_UNKNOWN_ISSUER and TLS Internal

I have solved this before but forgot how. Maybe typing something will help me remember the next time.

I use Caddy in a docker container to reverse proxy around my docker box and other computers in my network. Something like this:

# test subdomain
test.mydomain.net {
        reverse_proxy http://10.10.10.15:8010
        # certificate issued by Caddy's own internal CA, which browsers do not trust by default
        tls internal
}

It always gives a SEC_ERROR_UNKNOWN_ISSUER error, and I can just accept this, which works for a while. Ideally you want it to just work, especially if you are setting up a site your 83-year-old mum might access.

I had forgotten that if you want it to just work, you need to add the subdomain to your DNS as an A record – and then remove tls internal, so that Caddy obtains a publicly trusted certificate automatically instead of signing one with its own CA. Job done.

This does mean that anyone on the internet can hit that domain – which is fine in some cases and not fine in others. So I updated the internal-only domains to this:

fileserver.mydomain.net {
        # match any client that is NOT on the LAN or the Docker network
        # (host bits in a range are ignored, so these act as 10.10.0.0/16 and 172.16.0.0/12)
        @denied not client_ip 10.10.10.0/16 172.26.0.0/12

        # drop the connection outright, without sending any response
        handle @denied {
                abort
        }

        reverse_proxy http://10.10.10.15:8081
}

The 172.26 address comes from Docker and, from memory, I think it fails without it.
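To see exactly which clients the rule above lets through, here is an added Python model of the client_ip matcher (example code, not from the post or from Caddy itself). Caddy parses each range with Go's netip.ParsePrefix and matches with Prefix.Contains, which ignores host bits, so strict=False below reproduces that: the two ranges actually behave as 10.10.0.0/16 and 172.16.0.0/12, and the sample client addresses are constructed.

```python
import ipaddress

# Allow-list exactly as written in the Caddyfile above.
# Caddy keeps the prefix length and ignores the host bits when matching,
# so these behave as 10.10.0.0/16 and 172.16.0.0/12. strict=False mimics that.
ALLOWED_RANGES = ["10.10.10.0/16", "172.26.0.0/12"]
ALLOWED_NETWORKS = [ipaddress.ip_network(r, strict=False) for r in ALLOWED_RANGES]


def effective_networks() -> list[str]:
    """Return the normalised networks the matcher really compares against."""
    return [str(net) for net in ALLOWED_NETWORKS]


def is_allowed(client_ip: str) -> bool:
    """Mirror `@denied not client_ip ...` + `handle @denied { abort }`:
    the request survives only if the client address falls inside some range.
    An IPv6 client never matches an IPv4 range, so it is aborted."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def decide(client_ip: str) -> str:
    """'proxy' if the request reaches reverse_proxy, 'abort' if Caddy drops it."""
    return "proxy" if is_allowed(client_ip) else "abort"


if __name__ == "__main__":
    # Constructed sample client addresses (not from the original post).
    samples = [
        "10.10.10.20",   # LAN host: proxied
        "10.10.200.5",   # outside 10.10.10.x but inside 10.10.0.0/16: still proxied
        "172.26.0.1",    # Docker bridge gateway: proxied
        "172.17.0.2",    # default docker0 range, also inside 172.16.0.0/12: proxied
        "192.168.1.10",  # a different private LAN: aborted
        "203.0.113.9",   # public address (TEST-NET-3): aborted
        "fd00::1",       # IPv6 ULA: aborted, no IPv6 range is listed
    ]
    print("effective ranges:", ", ".join(effective_networks()))
    for ip in samples:
        print(f"{ip:>14} -> {decide(ip)}")
```

Run it to confirm that the whole 172.16.0.0/12 block, not just 172.26.x.x, is treated as trusted, which matters because every default Docker bridge network lives in that block.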