SSL made easier with a reverse proxy


MikeB111


PeteGul

This is completely new for me. What is RP config?

Here is the test

Edit: removed pictures, too much info

Edited by pettergulbra

pwhodges
4 minutes ago, pettergulbra said:

This is completely new for me. What is RP config?

RP = Reverse Proxy

Maybe show us your Caddyfile (which contains your reverse-proxy config)?

Paul


pwhodges

Hmm.  That looks straightforward enough.  

At this stage I'd try to be looking at the Apple TV end, but I don't know anything about it, so have no suggestions where to look.

Paul


GrimReaper
1 hour ago, pettergulbra said:

This is completely new for me. What is RP config?

Here is the test

[screenshots removed by the poster]

You have a lot of private information publicly exposed there, edit your images. 


PeteGul
49 minutes ago, GrimReaper said:

You have a lot of private information publicly exposed there, edit your images. 

Deleted the pictures :)

Thanks for the info

pwhodges: I'll take a look at the Apple TV, but it works nicely without RP.

Edited by pettergulbra

atropa

Hey, I've read a few things now, but there's one thing I don't quite understand. With Let's Encrypt it is necessary to create a TXT record in the domain. Is that no longer necessary with Caddy?

regards

Edited by atropa

rbjtech
2 minutes ago, atropa said:

Hey, I've read a few things now, but there's one thing I don't quite understand. With Let's Encrypt it is necessary to create a TXT record in the domain. Is that no longer necessary with Caddy?

regards

I suspect Caddy is using its own web services (maybe via certbot?) to be the approver for any domain ownership challenges required for the TLS certificate creation?

An alternative way to prove domain ownership before was to use TXT DNS records - but these are probably no longer required.


atropa
29 minutes ago, rbjtech said:

I suspect Caddy is using its own web services (maybe via certbot?) to be the approver for any domain ownership challenges required for the TLS certificate creation?

An alternative way to prove domain ownership before was to use TXT DNS records - but these are probably no longer required.

Thank you for the explanation. Then I'll test it :)


pwhodges

Caddy simply negotiates with Let's Encrypt - this negotiation requires either port 80 or port 443 to be open to Let's Encrypt.  For situations where that is not possible, or when a wildcard certificate is required, Caddy has plugins for the main registrars which use their APIs and a key which the user has requested, to contact them for the contents of a special TXT record.

The methods are described in more detail here:

https://caddyserver.com/docs/automatic-https#dns-challenge

Paul


cptlores

Some time ago I migrated from Caddy over to Nginx-Proxy-Manager (NPM). Does the same job, but is much simpler with a nice UI to manage everything.

You will need a Linux computer with Docker to run NPM, but if you do then I highly recommend taking a look.

Another alternative with a proper UI that is popular is Traefik Proxy.

Edited by cptlores

pwhodges
2 hours ago, cptlores said:

but is much simpler with a nice UI to manage everything.

Sure, Caddy has no UI (nor do you need to create a login to use it, run Docker etc).  But the minimum usable Caddy configuration file for a secure reverse proxy contains just two lines - the text file required to initially set up NPM is more than that.

I'm sure NPM is perfect for some people; but it can't sensibly be described as much simpler than Caddy!

Paul


atropa

So. Now I've tested Caddy and it works great. Now I have a working alternative if I get banned from Cloudflare. Thanks for that :) However, I always get 2 errors displayed in the console. Should this concern me or can it be ignored?

2023/03/13 17:34:01.325 ERROR  http.handlers.reverse_proxy     aborting with incomplete response       {"error": "http2: stream closed"}
2023/03/13 17:34:01.868 ERROR  http.handlers.reverse_proxy     aborting with incomplete response       {"error": "context canceled"}

regards

Edited by atropa
iPhoneMaxPro

Hello, thanks for sharing this amazing information. I tried to configure everything and I would like to ask if it is possible to change the default ports of Caddy (443 and 80), because I already have a server active on those ports.

Edited by iPhoneMaxPro

seanbuff
51 minutes ago, iPhoneMaxPro said:

I would like to ask if it is possible to change the default ports of caddy (443-80) because I already have a server on those ports active

You should be able to change Caddy's listening ports by adding this to your Caddyfile:

{
    http_port 880
    https_port 4443
}

Be sure to then update/add your router's port forwarding to these new ports, e.g. External Port 443 > Internal Port 4443 and your Caddy's IP address.


pwhodges

You will also need to configure the automatic SSL, as the default operation assumes the default ports.

Paul


iPhoneMaxPro

Thanks a lot for the answer so:

{
     http_port 8050
     https_port 8005
}
{
email mymail@gmail.com

}

media.mydomain.com {
    reverse_proxy 192.168.1.2:8050
}

 

 

Emby settings:
Emby local HTTP: 8050
Emby local HTTPS: 8005
Emby remote HTTP: 8050
Emby remote HTTPS: 8005

With the reverse proxy no one will ever see my IP address and therefore I'm 100% anonymous, right?

On Google Domains I edit only "default name servers":
1. Manage custom name servers
2. Create a new entry; I leave the host name blank, type "A", TTL "3600", and then I enter my public IP.
3. Add a new entry and write "media", type "CNAME", TTL "3600", and then enter mydomain.com

Are the steps right? Because there is something wrong for me; I opened TCP/UDP ports 8050 and 8005 in my modem.

do I have to set a "AAAA" type as well or is it not necessary?

thank you in advance for the answer

Edited by iPhoneMaxPro

iPhoneMaxPro
15 minutes ago, pwhodges said:

You will also need to configure the automatic SSL, as the default operation assumes the default ports.

Paul

could you explain me better? Do I have to do any special steps?


iPhoneMaxPro
27 minutes ago, seanbuff said:

These are exactly the steps I have performed, but without success. I have a doubt: if I will be able to use port 8005 instead of 443, should I enter my domain + 8005 or will it be enough to enter my domain?


iPhoneMaxPro

{
     http_port 8050
     https_port 8005
}
{
email mymail@gmail.com

}

media.mydomain.com {
    reverse_proxy 192.168.1.2:8050

}

 

with this setting I get this error


INFO    using adjacent Caddyfile
Error: adapting config using caddyfile: server block without any key is global configuration, and if used, it must be first

Edited by iPhoneMaxPro

pwhodges
1 hour ago, iPhoneMaxPro said:

with the reverse proxy no one will ever see my ip address and therefore I'm 100% anonymous right?

No.  The reverse proxy is what answers on your address.  If you want anonymity, then you need to be looking at VPNs, for instance.

1 hour ago, iPhoneMaxPro said:

could you explain me better? Do I have to do any special steps?

I haven't done this myself, so to answer fully I'd have to read the Caddy documentation for you - but it would be easier for you to do that yourself, I guess.  Look at "DNS challenge" on this page (the other challenges still require the standard ports):

https://caddyserver.com/docs/automatic-https#acme-challenges

There are also helpful discussions in the Caddy forums.

Paul


justinrh
11 hours ago, iPhoneMaxPro said:

Error: adapting config using caddyfile: server block without any key is global configuration, and if used, it must be first

I think this is referring to the e-mail address being in its own block and not in the first block.  Move the e-mail address to be above "http_port 8050".  I don't know if "http_port*" can be in the global block.  The global block should be the first block.

BTW, you can get rid of the "http_port*" and use this syntax for the hostname, e.g.:

        media.mydomain.com:<listening port #> { ... }

Do whichever suits your fancy, of course.

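Putting seanbuff's port change, pwhodges' note that automatic HTTPS assumes the default ports, and justinrh's "global block first" fix together, here is an added Caddyfile (written for this thread, not posted by any of the participants) that Caddy accepts. The e-mail, ports and LAN address are the thread's own placeholders; the router forwarding rules in the comments are assumptions about a typical home setup.

```caddyfile
# Added example, not from the thread: one global options block, placed FIRST,
# followed by the site block. Two leading brace blocks (one for the ports, one
# for the email) is what triggers "server block without any key is global
# configuration, and if used, it must be first".
{
	# ACME account contact, in the same global block as the port options
	email mymail@gmail.com

	# Caddy's own listeners, moved because 80/443 are already taken on this host.
	# Let's Encrypt still connects to the PUBLIC ports 80 and 443 for the
	# HTTP-01 and TLS-ALPN-01 challenges, so the router has to forward
	#   external 80  -> internal 880  (Caddy's address)
	#   external 443 -> internal 4443 (Caddy's address)
	# or the DNS challenge has to be used instead (see the docs link above).
	# If Caddy and Emby share a machine, these must not collide with Emby's ports.
	http_port 880
	https_port 4443
}

# Visitors use https://media.mydomain.com with no port in the URL (public 443
# is forwarded to 4443). Caddy terminates TLS and forwards plain HTTP to Emby
# on the LAN; Emby's listening port here is the one quoted in the thread.
media.mydomain.com {
	reverse_proxy 192.168.1.2:8050
}

# Alternative from justinrh's post: drop http_port/https_port and bind the
# site to a port directly, e.g. "media.mydomain.com:8005 { ... }". Visitors
# then need the port in the URL, and the certificate challenges still need
# public 80/443 reachable unless the DNS challenge is configured.
```

Run `caddy fmt --overwrite Caddyfile` once to normalise tabs versus spaces, which is what the "Caddyfile input is not formatted" message mentioned later in the thread is about.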

iPhoneMaxPro

ok thanks, so this structure can fit?

{
	email mymail@gmail.com
}

media.mydomain.com:8050 {
	reverse_proxy 192.168.1.2:8050
}

I get an error like this if I run the command caddy fmt

Error: Caddyfile:2: Caddyfile input is not formatted

+ this error when I run caddy run

ERROR  http.acme_client  challenge failed  {"identifier": "media.mydomain.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: NXDOMAIN looking up A for media.mydomain.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for media.mydomain.com - check that a DNS record exists for this domain", "instance": "", "subproblems": []}}
2023/04/01 23:51:40.870  ERROR  http.acme_client  validating authorization  {"identifier": "media.mydomain.com", "problem": {"type": "urn:ietf:params:acme:error:dns", "title": "", "detail": "DNS problem: NXDOMAIN looking up A for media.mydomain.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for media.mydomain.com - check that a DNS record exists for this domain", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/[here maybe there is a private number]", "attempt": 1, "max_attempts": 3}
2023/04/01 23:51:48.263  INFO  http.acme_client  trying to solve challenge  {"identifier": "media.mydomain.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}


pwhodges
33 minutes ago, iPhoneMaxPro said:

Error: Caddyfile:2: Caddyfile input is not formatted

This is not an actual error - just a pointless warning which some people on the Caddy forum are irritated by.  It is mainly triggered by using a mix of tabs and spaces, I think.

Given the errors saying it can't find any DNS records, have you actually set up your DNS?

Paul

Edited by pwhodges

iPhoneMaxPro
1 hour ago, pwhodges said:

This is not an actual error - just a pointless warning which some people on the Caddy forum are irritated by.  It is mainly triggered by using a mix of tabs and spaces, I think.

Given the errors saying it can't find any DNS records, have you actually set up your DNS?

Paul


These are my settings. I have never bought a domain; at this point I think I have done something wrong. I hope you understand from the pictures; let me know, thank you very much 🙏

 

