caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Caddy behind caddy, serving mixed content #1033

Closed dfiel closed 8 years ago

dfiel commented 8 years ago

(moved to forum)

dfiel commented 8 years ago

Slightly adjusting my Caddyfile on the external server yields ERR_SSL_PROTOCOL_ERROR:

*

# Proxy every request to the internal Caddy, preserving the client's
# Host, IP and scheme so the backend can build correct URLs.
proxy / 10.1.1.42 {
        header_upstream Host {host}
        header_upstream X-Real-IP {remote}
        header_upstream X-Forwarded-For {remote}
        header_upstream X-Forwarded-Proto {scheme}
        # pass the WebSocket upgrade handshake through
        header_upstream Connection {>Connection}
        header_upstream Upgrade {>Upgrade}
}

tls {
        max_certs 100
}

mholt commented 8 years ago

What does your -log (process log) show?

Also, you can replace all those header_upstream lines with simply websocket and transparent.

Finally, could you try building from source with the latest that is on master? We've fixed some significant proxy bugs that wiggled into the 0.9 release since then.

dfiel commented 8 years ago

Well I dun goofed, removed the original post to move it to the forum, as I hadn't noticed that you responded.

Building from source with the same caddyfile in my second post still gives ERR_SSL_PROTOCOL_ERROR

mholt commented 8 years ago

What's in your process log though? (Use -log stderr to print it to stderr, for instance.)

Any chance you could put your original post back here? I don't see it on the forum so all the context is pretty much missing now. :(

dfiel commented 8 years ago

Activating privacy features... done.
http://*
https://*
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".
2016/08/13 11:38:49 [INFO] Obtaining new certificate for sriplylrhnllvgz
2016/08/13 11:38:49 [INFO] Obtaining new certificate for kxkmfosl
2016/08/13 11:38:49 [INFO] Obtaining new certificate for sgdwxvsdtdmqe
2016/08/13 11:38:50 [INFO][sriplylrhnllvgz] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:33525: [sriplylrhnllvgz] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:50 [INFO][sgdwxvsdtdmqe] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:29363: [sgdwxvsdtdmqe] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:50 [INFO][kxkmfosl] acme: Obtaining bundled SAN certificate
2016/08/13 11:38:50 http: TLS handshake error from 100.14.33.84:49258: [kxkmfosl] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:25371: kxkmfosl: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.36826814 -0400 EDT failed
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:35952: sriplylrhnllvgz: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.145942464 -0400 EDT failed
2016/08/13 11:38:52 http: TLS handshake error from 100.14.33.84:30957: sgdwxvsdtdmqe: throttled; refusing to issue cert since last attempt on 2016-08-13 11:38:50.26155399 -0400 EDT failed
2016/08/13 11:39:11 [INFO] Obtaining new certificate for cmkhsio
2016/08/13 11:39:11 [INFO] Obtaining new certificate for pnzawugjc
2016/08/13 11:39:11 [INFO] Obtaining new certificate for chojihtdpamoadg
2016/08/13 11:39:11 [INFO][pnzawugjc] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:11 http: TLS handshake error from 100.14.33.84:27370: [pnzawugjc] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:11 [INFO][chojihtdpamoadg] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:11 http: TLS handshake error from 100.14.33.84:10522: [chojihtdpamoadg] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:11 [INFO][cmkhsio] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:59717: [cmkhsio] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO] Obtaining new certificate for bkoimtviemq
2016/08/13 11:39:12 [INFO] Obtaining new certificate for nkvfizicxzvweus
2016/08/13 11:39:12 [INFO][bkoimtviemq] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 [INFO] Obtaining new certificate for tvwhhzntqwawvl
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:25461: [bkoimtviemq] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO][nkvfizicxzvweus] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:12 http: TLS handshake error from 100.14.33.84:27744: [nkvfizicxzvweus] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:12 [INFO][tvwhhzntqwawvl] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:20514: [tvwhhzntqwawvl] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:2401: cmkhsio: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.094371163 -0400 EDT failed
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:31561: pnzawugjc: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:11.70476325 -0400 EDT failed
2016/08/13 11:39:13 http: TLS handshake error from 100.14.33.84:60338: chojihtdpamoadg: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:11.860980194 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:12216: bkoimtviemq: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.842225722 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:17885: nkvfizicxzvweus: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:12.991877936 -0400 EDT failed
2016/08/13 11:39:15 http: TLS handshake error from 100.14.33.84:5686: tvwhhzntqwawvl: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:13.157786017 -0400 EDT failed
2016/08/13 11:39:17 http: TLS handshake error from 100.14.33.84:51142: read tcp 104.223.72.6:443->100.14.33.84:51142: read: connection reset by peer
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:5085: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:21823: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:61962: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:43982: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:53767: no certificate available for mydomain.com
2016/08/13 11:39:24 http: TLS handshake error from 100.14.33.84:18576: no certificate available for mydomain.com
2016/08/13 11:39:28 [INFO] Obtaining new certificate for bzuvyak
2016/08/13 11:39:28 [INFO] Obtaining new certificate for wwdrbfjwfexhfb
2016/08/13 11:39:28 [INFO] Obtaining new certificate for qydjfgbiutwypj
2016/08/13 11:39:29 [INFO][bzuvyak] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:11913: [bzuvyak] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:29 [INFO][wwdrbfjwfexhfb] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:42483: [wwdrbfjwfexhfb] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:29 [INFO][qydjfgbiutwypj] acme: Obtaining bundled SAN certificate
2016/08/13 11:39:29 http: TLS handshake error from 100.14.33.84:31350: [qydjfgbiutwypj] failed to get certificate: acme: Error 400 - urn:acme:error:malformed - DNS name does not have enough labels
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:61980: bzuvyak: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.17787122 -0400 EDT failed
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:5181: wwdrbfjwfexhfb: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.30299667 -0400 EDT failed
2016/08/13 11:39:31 http: TLS handshake error from 100.14.33.84:64710: qydjfgbiutwypj: throttled; refusing to issue cert since last attempt on 2016-08-13 11:39:29.485779145 -0400 EDT failed
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:54242: no certificate available for mysql.mydomain.com
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:27126: no certificate available for mysql.mydomain.com
2016/08/13 11:39:35 http: TLS handshake error from 100.14.33.84:49772: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:51753: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:21600: no certificate available for mydomain.com
2016/08/13 11:39:36 http: TLS handshake error from 100.14.33.84:8039: no certificate available for mydomain.com
2016/08/13 11:39:38 http: TLS handshake error from 100.14.33.84:35416: read tcp 104.223.72.6:443->100.14.33.84:35416: read: connection reset by peer
^C2016/08/13 11:39:41 [INFO] SIGINT: Shutting down

mholt commented 8 years ago

Well I can see why you're having SSL_PROTOCOL errors. sgdwxvsdtdmqe is not a valid domain name that Let's Encrypt can verify. :smile: On-demand TLS has to be rate limited to prevent abuse, so when a cert request fails it has to wait a while before trying another.

dfiel commented 8 years ago

I have it rate limited to 100 certificates, but when I try to use my own domain (mydomain.com in the logs) I get the SSL_PROTOCOL error.

mholt commented 8 years ago

Yes, but if you read the logs you'll see why. Closing as this isn't an actionable Caddy issue.

Rate limits are described here: https://caddyserver.com/docs/automatic-https#on-demand

dfiel commented 8 years ago

I'm now very confused; those random strings of letters have nothing to do with my domains. Why are those attempting to go through, and not my actual mydomain.com?

mholt commented 8 years ago

Apparently some client is making requests to your server with those names. It's the DNS resolver's and CA's job to verify a hostname, that's not Caddy's job. I don't know what those names are either but you might want to fix that / figure it out... :confused:
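The point mholt makes here is worth a worked illustration: with a catch-all site label and on-demand TLS, whatever hostname a client puts in its TLS ClientHello (SNI) is handed to the ACME client, and each failed attempt burns a rate-limit slot and a throttle window. The Go program below is an added example, not Caddy's code and not the poster's configuration. It models a gate in front of on-demand issuance: it rejects single-label names that a public CA can never issue (the "DNS name does not have enough labels" rejections in the log), only issues for an allowlist of names (a hypothetical policy; the two names used are taken from the log), caps the number of certificates the way `max_certs` does, and throttles any name whose last attempt failed, which is what the "throttled; refusing to issue cert" lines show. The cooldown length and the `Now` clock hook are assumptions for testability.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Errors mirror the refusal reasons visible in the process log above.
var (
	ErrNotEnoughLabels = errors.New("DNS name does not have enough labels")
	ErrNotAllowed      = errors.New("hostname not permitted for on-demand issuance")
	ErrThrottled       = errors.New("throttled; refusing to issue cert since last attempt failed")
	ErrMaxCerts        = errors.New("max_certs reached; refusing to issue")
)

// Gate decides, per SNI hostname, whether an on-demand certificate request
// may be sent to the CA. It is a hypothetical model, not Caddy's implementation.
type Gate struct {
	mu       sync.Mutex
	allowed  map[string]bool      // names we are willing to obtain certs for (assumed policy)
	maxCerts int                  // analogue of the Caddyfile's max_certs
	issued   map[string]bool      // names for which a cert was (notionally) obtained
	lastFail map[string]time.Time // per-name timestamp of the last failed attempt
	cooldown time.Duration        // how long a failed name stays throttled
	Now      func() time.Time     // clock, replaceable for testing
}

// NewGate builds a gate for the given allowlist, certificate cap and cooldown.
func NewGate(allowed []string, maxCerts int, cooldown time.Duration) *Gate {
	g := &Gate{
		allowed:  make(map[string]bool, len(allowed)),
		maxCerts: maxCerts,
		issued:   make(map[string]bool),
		lastFail: make(map[string]time.Time),
		cooldown: cooldown,
		Now:      time.Now,
	}
	for _, h := range allowed {
		g.allowed[normalize(h)] = true
	}
	return g
}

// normalize lower-cases the name and strips a trailing dot so lookups are stable.
func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// validName is the local counterpart of the CA's "not enough labels" rejection:
// a bare label such as "sgdwxvsdtdmqe" has no dot and can never be issued by a
// public CA, so there is no point spending an ACME request on it.
func validName(host string) error {
	if host == "" || strings.Contains(host, "..") ||
		strings.HasPrefix(host, ".") || strings.Count(host, ".") < 1 {
		return ErrNotEnoughLabels
	}
	return nil
}

// Decide returns nil when issuance for host may proceed (or a cert is already
// held) and otherwise the reason it is refused. Every refusal except the
// max_certs cap is recorded so the next attempt within cooldown is throttled.
func (g *Gate) Decide(host string) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	host = normalize(host)

	if g.issued[host] {
		return nil // cached certificate; no CA round trip needed
	}
	if t, ok := g.lastFail[host]; ok && g.Now().Sub(t) < g.cooldown {
		return ErrThrottled
	}
	if err := validName(host); err != nil {
		g.lastFail[host] = g.Now()
		return err
	}
	if !g.allowed[host] {
		g.lastFail[host] = g.Now()
		return ErrNotAllowed
	}
	if len(g.issued) >= g.maxCerts {
		return ErrMaxCerts
	}
	g.issued[host] = true
	return nil
}

// IssuedCount reports how many distinct names currently hold a certificate.
func (g *Gate) IssuedCount() int {
	g.mu.Lock()
	defer g.mu.Unlock()
	return len(g.issued)
}

func main() {
	g := NewGate([]string{"mydomain.com", "mysql.mydomain.com"}, 2, 2*time.Second)
	// Constructed sample of SNI names, in the order such names appear in the log.
	for _, sni := range []string{"sriplylrhnllvgz", "sriplylrhnllvgz", "mydomain.com", "mysql.mydomain.com", "mydomain.com"} {
		fmt.Printf("%-20s -> %v\n", sni, g.Decide(sni))
	}
}
```

The allowlist is the piece the original Caddyfile lacks: with `*` as the site label every SNI name is eligible, so the throttle and `max_certs` are the only things standing between an arbitrary client and the CA's rate limits.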

dfiel commented 8 years ago

I figured out the issues with those random strings, and now my original issue still stands. Some content (notably JavaScript and CSS) is served over HTTP. My otherwise working configs are:

External:

*.*.* {
        proxy / 10.1.1.42 {
                header_upstream Host {host}
                header_upstream X-Real-IP {remote}
                header_upstream X-Forwarded-For {remote}
                header_upstream X-Forwarded-Proto {scheme}
                header_upstream Connection {>Connection}
                header_upstream Upgrade {>Upgrade}
        }

        tls {
                max_certs 1000
        }
}

*.* {
        proxy / 10.1.1.42 {
                header_upstream Host {host}
                header_upstream X-Real-IP {remote}
                header_upstream X-Forwarded-For {remote}
                header_upstream X-Forwarded-Proto {scheme}
                header_upstream Connection {>Connection}
                header_upstream Upgrade {>Upgrade}
        }

        tls {
                max_certs 1000
        }
}

Internal:

mydomain.com:80 {
        fastcgi / 127.0.0.1:9000 php
        root /home/caddy/WebHost/mydomain.com
        header /wp-content/ Cache-Control "max-age=2592000"
        header /wp-includes/js Cache-Control "max-age=2592000"

        rewrite {
                if {path} not_match ^\/wp-admin
                to {path} {path}/ /index.php?url={uri}
        }
}

mysql.mydomain.com:80 {
        fastcgi / 127.0.0.1:9000 php
        root /home/caddy/WebHost/phpMyAdmin
}

invoice.mydomain.com:80 {
        fastcgi / 127.0.0.1:9000 php
        root /home/caddy/WebHost/InvoicePlane
        rewrite {
                if {path} not_match ^\/wp-admin
                to {path} {path}/ /index.php?url={uri}
        }
}

mydomain.org:80 {
        fastcgi / 127.0.0.1:9000 php
        root /home/caddy/WebHost/mydomain.org
}

firefly.mydomain.com:80 {
        proxy / 10.0.1.46
}

mydomain.xyz:80 {
        proxy / 192.168.1.116
}

cloud.otherdomain.xyz:80 {
        proxy / 10.0.1.43
        header / {
                Strict-Transport-Security "max-age=31536000;"
        }
}

office.otherdomain.xyz:80 {
        proxy / https://10.0.1.43:443 {
                insecure_skip_verify
                transparent
                websocket
        }
}

relationships.mydomain.org:80 {
        proxy / 10.0.1.45
}

Browsing to mydomain.com in the browser shows the page, but Chrome blocks the loading of CSS and Javascript, due to being served over HTTP, so the page appears broken. Do I need rewrite rules? I assumed that all HTTP requests were redirected to HTTPS if I used automatic TLS?

Also, accessing /wp-admin/ gives me an endless loop of redirects, like this:

--2016-08-13 22:19:23--  https://dfiel.com/wp-admin
Resolving dfiel.com (dfiel.com)... 104.223.72.6
Connecting to dfiel.com (dfiel.com)|104.223.72.6|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:24--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:25--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:26--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:27--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
--2016-08-13 22:19:27--  https://dfiel.com/wp-admin
Reusing existing connection to dfiel.com:443.
HTTP request sent, awaiting response... 302 Found
Location: https://dfiel.com/wp-admin [following]
20 redirections exceeded.

Seems similar to #212

mholt commented 8 years ago

Your whole external Caddyfile can become:

*.*, *.*.*  # I don't recommend such lazy use of wildcards with on-demand TLS

proxy / 10.1.1.42 {
    transparent
    websocket
}
tls {
    max_certs 1000  # this is too high, you should lower it
}

As for your HTTP/HTTPS problems it's probably in your backend web apps, make sure they are not configured to do extra redirects, etc. Good luck!

dfiel commented 8 years ago

The thing is, they worked perfectly before adding the external server. If I port-forward to my internal server instead, everything is served over HTTPS with no errors.

mholt commented 8 years ago

Try proxying to http://10.1.1.42 instead of just 10.1.1.42.

mholt commented 8 years ago

@dfiel See #1040 for a similar question as yours.

dfiel commented 8 years ago

I got it working; WordPress wasn't respecting HTTPS in its settings :/
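The mixed content and the endless 302 loop on /wp-admin in this thread are the two classic symptoms of a TLS-terminating proxy in front of a backend that decides the scheme from its own hop: the proxy-to-backend leg is plain HTTP, so a backend that ignores `X-Forwarded-Proto` renders `http://` asset URLs (which Chrome blocks on an `https://` page) and, if it also has a "force HTTPS" rule, redirects to the same `https://` URL forever. The Go program below is an added example, not Caddy's or WordPress's code. It constructs the request the internal server would see after the external proxy forwards it with the `X-Forwarded-Proto` header the poster's `header_upstream` lines (and Caddy's `transparent` preset) set, then contrasts a naive backend with one that honours the header only when the request really came from the proxy. The trusted proxy addresses, the client IP and the asset path are constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// trustedProxies are the addresses whose X-Forwarded-* headers we believe
// (assumed here to be the external Caddy). Anything else could be a client
// spoofing the header to make the app emit URLs of its choosing.
var trustedProxies = map[string]bool{"10.1.1.1": true, "127.0.0.1": true}

// originScheme returns the scheme the client actually used: "https" when the
// request arrived over TLS directly, or when a trusted proxy says it did.
func originScheme(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err == nil && trustedProxies[host] {
		if p := strings.ToLower(r.Header.Get("X-Forwarded-Proto")); p == "https" || p == "http" {
			return p
		}
	}
	return "http"
}

// naiveScheme is what a backend that ignores the proxy headers concludes:
// the upstream hop was plain HTTP, so every generated URL becomes http://.
func naiveScheme(r *http.Request) string {
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// assetURL builds an absolute URL for a static asset the way a CMS does when
// rendering a page; the scheme function is the only thing that differs.
func assetURL(r *http.Request, path string, scheme func(*http.Request) string) string {
	u := url.URL{Scheme: scheme(r), Host: r.Host, Path: path}
	return u.String()
}

// canonicalRedirect mimics a "force HTTPS" rule in the app: if the request
// does not look like HTTPS, redirect to the https:// URL, otherwise serve.
// With naiveScheme behind a TLS-terminating proxy this never stops redirecting.
func canonicalRedirect(r *http.Request, scheme func(*http.Request) string) (status int, location string) {
	if scheme(r) != "https" {
		u := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path}
		return http.StatusFound, u.String()
	}
	return http.StatusOK, ""
}

// proxiedRequest constructs (for this example) the request the internal
// server sees after the external proxy forwarded it with transparent headers.
func proxiedRequest(path, fromIP, proto string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "http://mydomain.com"+path, nil)
	r.RemoteAddr = net.JoinHostPort(fromIP, "51142")
	r.Header.Set("X-Forwarded-For", "100.14.33.84")
	r.Header.Set("X-Forwarded-Proto", proto)
	return r
}

func main() {
	r := proxiedRequest("/wp-admin", "10.1.1.1", "https")
	fmt.Println("naive asset URL:", assetURL(r, "/wp-includes/js/jquery.js", naiveScheme))
	fmt.Println("aware asset URL:", assetURL(r, "/wp-includes/js/jquery.js", originScheme))
	st, loc := canonicalRedirect(r, naiveScheme)
	fmt.Println("naive /wp-admin:", st, loc)
	st, loc = canonicalRedirect(r, originScheme)
	fmt.Println("aware /wp-admin:", st, loc)
}
```

The trust check matters as much as reading the header: a backend that believes `X-Forwarded-Proto` from any source lets a direct client flip the scheme the application uses for its own links and cookies, so only accept it from the proxy's address and have the proxy overwrite, not append, the value.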