caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Doesn't work when reverse proxy Windows Admin Center #2814

Closed hez2010 closed 4 years ago

hez2010 commented 4 years ago

1. Which version of Caddy are you using (caddy -version)?

Caddy v1.0.3 (h1:i9gRhBgvc5ifchwWtSe7pDpsdS9+Q0Rw9oYQmYUTw1w=)

2. What are you trying to do?

I'm trying to setup a reverse proxy for Windows Admin Center

3. What is your Caddyfile?

(tls-wildcard) {
    # tls off
    tls {
        dns dnspod
        wildcard
        alpn http/1.1
    }
    errors stderr
    # log stdout
}

(tls) {
    tls {
        dns dnspod
        alpn http/1.1
    }
}

(proxy) {
    websocket
    transparent
}

# import idrac.Caddyfile

******* {
    proxy / https://***********:1080 {
        import proxy
        insecure_skip_verify
        keepalive 64
    }
    import tls-wildcard
}

4. How did you run Caddy (give the full command and describe the execution environment)?

caddy -http-port 80 -https-port 443 -log stdout -agree=true -conf=~/Caddyfile -root=/var/www/html -email *****@*****.com

5. Please paste any relevant HTTP request(s) here.

Access Windows Admin Center directly:

Request:
GET / HTTP/1.1
:authority: ********:1080
:method: GET
:path: /
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
dnt: 1
pragma: no-cache
sec-fetch-mode: navigate
sec-fetch-site: none
sec-fetch-user: ?1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3919.0 Safari/537.36 Edg/79.0.294.1
-----------------------
Response:
content-length: 0
date: Tue, 15 Oct 2019 18:03:29 GMT
server: Microsoft-HTTPAPI/2.0
status: 401
www-authenticate: Negotiate
www-authenticate: NTLM
-----------------------
Here I input my credentials 
-----------------------
Request:
GET / HTTP/1.1
:method: GET
:authority: *********:1080
:scheme: https
:path: /
pragma: no-cache
cache-control: no-cache
dnt: 1
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3919.0 Safari/537.36 Edg/79.0.294.1
sec-fetch-user: ?1
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
sec-fetch-site: none
sec-fetch-mode: navigate
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
-----------------------
Response:
HTTP/1.1 200 OK
Cache-Control: no-cache,no-store,must-revalidate
Pragma: no-cache
Content-Length: 6559
Content-Type: text/html
Expires: 0
Last-Modified: Thu, 16 May 2019 18:20:40 GMT
ETag: "1d50bd102c7959f"
Server: Microsoft-HTTPAPI/2.0
X-Frame-Options: sameorigin
Set-Cookie: XSRF-TOKEN=9cca0fcf-e1a9-4186-9bc1-4860fb9d934e; path=/; secure
Date: Tue, 15 Oct 2019 18:03:31 GMT

Use caddy as a reverse proxy:

Request:
GET / HTTP/1.1
Host: ***********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3919.0 Safari/537.36 Edg/79.0.294.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
-----------------------
Response:
HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Tue, 15 Oct 2019 18:06:55 GMT
Server: Caddy
Server: Microsoft-HTTPAPI/2.0
Www-Authenticate: Negotiate
Www-Authenticate: NTLM
-----------------------
Here I input my credentials 
-----------------------
Request:
GET / HTTP/1.1
Host: ***********
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3919.0 Safari/537.36 Edg/79.0.294.1
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
-----------------------
Response:
HTTP/1.1 502 Bad Gateway
Content-Type: text/plain; charset=utf-8
Server: Caddy
X-Content-Type-Options: nosniff
Date: Tue, 15 Oct 2019 18:07:05 GMT
Content-Length: 16

6. What did you expect to see?

All things work well.

7. What did you see instead (give full error messages and/or log)?

After authentication, I got a 502 Bad Gateway. Output from caddy server:

Oct 16 02:10:16 mypc caddy[71188]: 16/Oct/2019:02:10:16 +0800 [ERROR 502 /] stream error: stream ID 13; HTTP_1_1_REQUIRED
Oct 16 02:10:16 mypc caddy[71188]: 16/Oct/2019:02:10:16 +0800 [ERROR 502 /favicon.ico] stream error: stream ID 17; HTTP_1_1_REQUIRED

8. Why is this a bug, and how do you think this should be fixed?

I used to use nginx and it did work. I don't know why caddy has this problem.

9. What are you doing to work around the problem in the meantime?

No work around currently.

10. Please link to any related issues, pull requests, and/or discussion.

Discussion: https://caddy.community/t/windows-admin-center-portainer-as-subdirectory/4024

Windows Admin Center downloads: https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/understand/windows-admin-center

Bonus: What do you use Caddy for? Why did you choose Caddy?

It's fast and convenient.

hez2010 commented 4 years ago

Any response or updates on it?

tobya commented 4 years ago

Hi @hez2010 . It is worth creating a new thread on https://caddy.community to see if anyone can help you.

We need a lot more information to be able to see if we can solve this issue.

There is a long long thread on caddy.community, do you know if it is the same issue you are having?

hez2010 commented 4 years ago

@tobya I created a temporary test server and deployed Windows Admin Center on it. I will delete it after several days.

Access caddy reverse proxy to windows admin center: http://test.hez2010.com/

Access windows admin center directly: https://test.hez2010.com:1080/

username: hez2010, password: hez2010!hez2010 you can also use above credentials to access the server using RDP.

Caddyfile:

(proxy) {
    websocket
    transparent
}

0.0.0.0:80 {
    proxy / https://localhost:1080 {
        import proxy
        insecure_skip_verify
        keepalive 64
    }
}

While accessing the caddy reverse proxy, it will return a '502 bad gateway' after being authorized.

tobya commented 4 years ago

Thanks for the setup, I took a quick look but couldn't find anything obvious.

Try posting this to https://caddy.community, there are great people there who can help you, particularly while you have this VM set up.

mholt commented 4 years ago

I got this working in Caddy 2.

NGINX has a directive for this but it's commercial/proprietary: https://nginx.org/en/docs/http/ngx_http_upstream_module.html#ntlm

Ours is open source.

Have a lot of cleanup to do but will be pushing the code after that.

More details in this thread: https://caddy.community/t/doesnt-work-when-reverse-proxy-windows-admin-center/6408/41?u=matt

mholt commented 4 years ago

This works now (Caddy 2).

Scroll down from here and you'll see how to use the http_ntlm transport module: https://github.com/caddyserver/caddy/wiki/v2:-Documentation#httphandlersreverse_proxy

Here's my config, for example:

{
    "handler": "reverse_proxy",
    "transport": {
        "protocol": "http_ntlm",
        "tls": {
            "insecure_skip_verify": true
        }
    },
    "upstreams": [
        {"dial": "wac:1080"}
    ]
}
mvthul commented 3 years ago

I'm kinda new to caddy, I'm coming from nginx atm. I'm running caddy-gen for automated ssl docker container. But I'm still not sure how my config should look. I need ntlm support to my iis server on :443

So how should my config look if I wanna define the sub.domain.com to ntlm to localip:443 iis?

hez2010 commented 3 years ago

@mvthul You need to build caddy2 with the ntlm-transport module manually and then use the http_ntlm protocol for your proxy.

mvthul commented 3 years ago

So I'm just wondering should this work:

I got the ntlm module added in caddy

But I'm wondering how I should set up the Caddyfile to route to this iis host with ntlm parameters.

Caddyfile:

wac.domain.com { "handler": "reverse_proxy", "transport": { "protocol": "http_ntlm", "tls": { "insecure_skip_verify": true } }, "upstreams": [ {"dial": "192.168.1.100:433"} ] }

francislavoie commented 3 years ago

@mvthul please ask on the community forums, it's a better place to ask than an old closed issue. https://caddy.community

But that said, you can't mix JSON and Caddyfile syntax. Please go through these pages in the docs:

https://caddyserver.com/docs/caddyfile/concepts

https://caddyserver.com/docs/caddyfile/directives/reverse_proxy

You need to configure the reverse_proxy directive with the http_ntlm transport (instead of http).
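For reference, here is a Caddyfile form of the JSON config mholt posted above, using the http_ntlm transport the way francislavoie describes. This is an added example, not a config from the issue or from the Caddy project: it assumes Caddy 2 was built with the ntlm-transport module, and the site name wac.example.com, the upstream wac.internal:443 and the CA file path /etc/caddy/wac-ca.pem are placeholders.

```caddyfile
# Added example (not from the issue). Assumes a Caddy 2 binary built with
# the ntlm-transport module, e.g.:
#   xcaddy build --with github.com/caddyserver/ntlm-transport
# wac.example.com, wac.internal:443 and /etc/caddy/wac-ca.pem are placeholders.

wac.example.com {
    reverse_proxy wac.internal:443 {
        # http_ntlm instead of the default http transport. NTLM authenticates
        # the connection rather than each request, so the transport keeps a
        # client's requests on the same upstream HTTP/1.1 connection. The
        # HTTP_1_1_REQUIRED stream error in the Caddy 1 log is the upstream's
        # HTTP/2 error code telling the client to retry over HTTP/1.1.
        transport http_ntlm {
            tls
            # Trust the WAC certificate's issuer explicitly instead of
            # turning verification off: tls_insecure_skip_verify (the
            # equivalent of the JSON "insecure_skip_verify": true above)
            # lets any host that answers on wac.internal:443 receive the
            # NTLM exchange, so keep it for lab setups only.
            tls_trusted_ca_certs /etc/caddy/wac-ca.pem
            # tls_insecure_skip_verify
        }
    }
}
```

The placeholder upstream is written without an https:// scheme and TLS is enabled with the `tls` subdirective inside the transport block, which is the same set of options the http transport accepts. Run `caddy validate --config Caddyfile --adapter caddyfile` after editing; a binary built without the module will reject `transport http_ntlm` as unrecognized at that step.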