arachnys / cabot

Self-hosted, easily-deployable monitoring and alerts service - like a lightweight PagerDuty
MIT License

Running Cabot/Caddy on 443 #620

Closed michaeldhopkins closed 6 years ago

michaeldhopkins commented 6 years ago

Hi, I'm trying to get Cabot to respond to https requests on 443. I wrote up a help request on Caddy.community as well, which I'll reproduce here. Let me know what other information I can provide!

Original post:

Hi, I have Cabot using Caddy successfully running in plain HTTP on :80 and am trying to run it as HTTPS on :443.

I am using docker-compose -f docker-compose.yml -f docker-compose-caddy.yml up -d to bring up caddy and docker-compose down to take it down. Visiting https://domain instantly failed and I could see with lsof -i:443 that nothing was listening (lsof -i:80 showed Caddy was listening.) I changed docker-compose.yml from:

    ports:
      - '80:5000'

to

    ports:
      - '80:5000'
      - '443:5000'

and now I see that something is listening on :443, but I get the same failure to connect when visiting HTTPS after a long timeout.

I think I must be missing something simple. What should I try to do to get Cabot to respond to an HTTPS request? Here are my yml files, and let me know what else I should include.

docker-compose-caddy.yml:

version: "2"

services:
  caddy:
    image: abiosoft/caddy
    ports:
      - '80:80'
      - '443:443'
    depends_on:
      - web
    volumes:
      - ./.caddy:/root/.caddy
      - ./conf/Caddyfile:/etc/Caddyfile

docker-compose.yml:

version: "2"

services:
  web:
    extends:
      file: docker-compose-base.yml
      service: base
    command: sh -c "cabot migrate && gunicorn cabot.wsgi:application -b 0.0.0.0:5000 --workers=5"
    ports:
      - '80:5000'
      - '443:5000'
    depends_on:
      - postgres
      - rabbitmq
    restart: always

  worker:
    extends:
      file: docker-compose-base.yml
      service: base
    command: celery worker -A cabot
    depends_on:
      - web
      - postgres
      - rabbitmq
    restart: always

  beat:
    extends:
      file: docker-compose-base.yml
      service: base
    command: celery beat -A cabot
    depends_on:
      - web
      - postgres
      - rabbitmq
    restart: always

  postgres:
    image: postgres:9.6-alpine
    volumes:
      - data:/var/lib/postgresql/data
    restart: always

  rabbitmq:
    image: rabbitmq:3.6-alpine
    restart: always

volumes:
  data:

lsof -i:443
docker-pr 16567 root 4u IPv6 62870 0t0 TCP *:https (LISTEN)

lsof -i:80
docker-pr 16530 root 4u IPv6 62825 0t0 TCP *:http (LISTEN)

lsb_release -a

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.4 LTS
Release:    16.04
Codename:   xenial

hartwork commented 6 years ago

This looks more like a Caddy or Caddy-Docker question than a Cabot one to me. To be able to help, can you share your Caddyfile maybe? Do you have a domain name with DNS A record pointed to that machine's IP address in place for letsencrypt to do its work (and not just a hacked /etc/hosts)? What's the error that you get for visiting https://domain/ ? Have you checked Caddy logs (inside the container)?

frankh commented 6 years ago

If you're using Caddy, your web container should not forward any ports publicly.

Caddy should expose ports 80 and 443, and proxy to web:5000.

Your Caddyfile should be something like:

cabot.example.com {
  proxy / http://web:5000 {
    header_upstream Host {host}
  }
}
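
A check for the layout described in the comment above, as an added example that is not part of the original thread or the Cabot project: it flags host ports published by more than one service, and backends that still publish ports while sitting behind the proxy. The `host_port` and `audit` helpers are hypothetical names, and the inline dicts are constructed from the compose files posted earlier in the thread.

```python
from collections import defaultdict

def host_port(mapping):
    """Return the host port of a short-syntax port mapping, or None.

    Handles 'CONTAINER', 'HOST:CONTAINER', 'IP:HOST:CONTAINER' and a
    '/proto' suffix. Port ranges are returned as written, not expanded.
    """
    parts = str(mapping).split("/")[0].split(":")
    return parts[-2] if len(parts) >= 2 and parts[-2] else None

def audit(services, proxy="caddy"):
    """Return (kind, host_port, services) findings for a merged compose file."""
    findings = []
    bound = defaultdict(list)  # host port -> services that publish it
    for name, svc in services.items():
        for mapping in svc.get("ports", []):
            hp = host_port(mapping)
            if hp is not None:
                bound[hp].append(name)
    # Two services cannot both own the same host port.
    for hp, names in sorted(bound.items()):
        if len(set(names)) > 1:
            findings.append(("conflict", hp, sorted(set(names))))
    # A backend behind the proxy that publishes a host port is reachable
    # directly, without the proxy's TLS termination.
    for name in services.get(proxy, {}).get("depends_on", []):
        for mapping in services.get(name, {}).get("ports", []):
            hp = host_port(mapping)
            if hp is not None:
                findings.append(("bypass", hp, [name]))
    return findings

# Constructed from the two compose files as posted (merged view).
AS_POSTED = {
    "caddy": {"ports": ["80:80", "443:443"], "depends_on": ["web"]},
    "web": {"ports": ["80:5000", "443:5000"]},
}
# Suggested layout: only caddy publishes ports and proxies to web:5000.
FIXED = {
    "caddy": {"ports": ["80:80", "443:443"], "depends_on": ["web"]},
    "web": {},
}

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("fixed", FIXED)):
        print(label, audit(cfg))
```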

frankh commented 6 years ago

I'm going to close this issue. If you still can't get it working, please open a new issue at https://github.com/cabotapp/docker-cabot/issues