lucaslorentz / caddy-docker-proxy

Caddy as a reverse proxy for Docker
MIT License

Cannot get setup running on localhost #529

Open trilin6 opened 1 year ago

trilin6 commented 1 year ago

Have been having trouble getting caddy-docker-proxy to work on local network. Have a larger docker-compose.yml with quite a few services running, but created a basic whoami to try to diagnose the issue.

Whatever I try, the result in browser is either DNS_PROBE_POSSIBLE or REFUSED TO CONNECT

Here's my whoami docker-compose.yml:

services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:latest
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy-ingress
    networks:
      - caddy-ingress
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - caddy_data:/data
    restart: unless-stopped

  whoami:
    image: traefik/whoami
    networks:
      - caddy-ingress
    labels:
      caddy: whoami.pi.local
      caddy.reverse_proxy: "{{upstreams 80}}"
      caddy.tls: "internal"

networks:
  caddy-ingress:
    external: true

volumes:
  caddy_data: {}

whoami logs:

❯ sudo docker logs docker_test-whoami-1
2023/09/02 22:19:30 Starting up on port 80

caddy logs:

❯ sudo docker logs docker_test-caddy-1
{"level":"info","ts":1693693172.4557014,"logger":"docker-proxy","msg":"Running caddy proxy server"}
{"level":"info","ts":1693693172.4867477,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1693693172.4905915,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1693693172.4908419,"logger":"docker-proxy","msg":"Running caddy proxy controller"}
{"level":"info","ts":1693693172.50254,"logger":"docker-proxy","msg":"Start","CaddyfilePath":"","LabelPrefix":"caddy","PollingInterval":30,"ProcessCaddyfile":true,"ProxyServiceTasks":true,"IngressNetworks":"[caddy-ingress]","DockerSockets":[""],"DockerCertsPath":[""],"DockerAPIsVersion":[""]}
{"level":"info","ts":1693693172.5231981,"logger":"docker-proxy","msg":"Connecting to docker events","DockerSocket":""}
{"level":"info","ts":1693693172.532176,"logger":"docker-proxy","msg":"IngressNetworksMap","ingres":"map[8c0a2894f4441419b74c744610902dbd2b974581eca947d35650e720ffc73b50:true caddy-ingress:true]"}
{"level":"info","ts":1693693172.5941017,"logger":"docker-proxy","msg":"Swarm is available","new":false}
{"level":"info","ts":1693693172.631701,"logger":"docker-proxy","msg":"New Caddyfile","caddyfile":"whoami.pi.local {\n\treverse_proxy 172.23.0.3:80\n\ttls internal\n}\n"}
{"level":"info","ts":1693693172.6373224,"logger":"docker-proxy","msg":"New Config JSON","json":"{\"apps\":{\"http\":{\"servers\":{\"srv0\":{\"listen\":[\":443\"],\"routes\":[{\"match\":[{\"host\":[\"whoami.pi.local\"]}],\"handle\":[{\"handler\":\"subroute\",\"routes\":[{\"handle\":[{\"handler\":\"reverse_proxy\",\"upstreams\":[{\"dial\":\"172.23.0.3:80\"}]}]}]}],\"terminal\":true}]}}},\"tls\":{\"automation\":{\"policies\":[{\"subjects\":[\"whoami.pi.local\"],\"issuers\":[{\"module\":\"internal\"}]}]}}}}"}
{"level":"info","ts":1693693172.6382973,"logger":"docker-proxy","msg":"Sending configuration to","server":"localhost"}
{"level":"info","ts":1693693172.646079,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"42314","headers":{"Accept-Encoding":["gzip"],"Content-Length":["394"],"Content-Type":["application/json"],"User-Agent":["Go-http-client/1.1"]}}
{"level":"info","ts":1693693172.6536055,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1693693172.6564155,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x44a0000"}
{"level":"info","ts":1693693172.887182,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1693693172.8873677,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"warn","ts":1693693173.4208796,"logger":"pki.ca.local","msg":"installing root certificate (you might be prompted for password)","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1693693173.4290075,"msg":"warning: \"certutil\" is not available, install \"certutil\" with \"apt install libnss3-tools\" or \"yum install nss-tools\" and try again"}
{"level":"info","ts":1693693173.4291596,"msg":"define JAVA_HOME environment variable to use the Java trust"}
{"level":"info","ts":1693693174.168301,"msg":"certificate installed properly in linux trusts"}
{"level":"info","ts":1693693174.1703465,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1693693174.1711428,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1693693174.1720808,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1693693174.1736915,"msg":"failed to sufficiently increase receive buffer size (was: 176 kiB, wanted: 2048 kiB, got: 352 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1693693174.176551,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1693693174.178523,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1693693174.178922,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["whoami.pi.local"]}
{"level":"info","ts":1693693174.1821268,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1693693174.1827815,"logger":"admin.api","msg":"load complete"}
{"level":"info","ts":1693693174.1840875,"logger":"tls.obtain","msg":"acquiring lock","identifier":"whoami.pi.local"}
{"level":"info","ts":1693693174.1859202,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
{"level":"info","ts":1693693174.199074,"logger":"tls.obtain","msg":"lock acquired","identifier":"whoami.pi.local"}
{"level":"info","ts":1693693174.2002263,"logger":"tls.obtain","msg":"obtaining certificate","identifier":"whoami.pi.local"}
{"level":"info","ts":1693693174.27427,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1693693174.321272,"logger":"tls.obtain","msg":"certificate obtained successfully","identifier":"whoami.pi.local"}
{"level":"info","ts":1693693174.322054,"logger":"tls.obtain","msg":"releasing lock","identifier":"whoami.pi.local"}
{"level":"warn","ts":1693693174.330875,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [whoami.pi.local]: no OCSP server specified in certificate","identifiers":["whoami.pi.local"]}

lucaslorentz commented 11 months ago

Hey, everything looks fine in logs and your config. This is probably an issue with your docker setup or your DNS setup for the domain you're using.

Is whoami.pi.local properly resolving to docker host IP?

polarathene commented 1 month ago

whoami.pi.local should not use .local as that is reserved for mDNS.

Try with .localhost.

.local shouldn't resolve by default, so if you have that configured somewhere else it might be contributing to the issue. Especially if you've got a custom DNS client / router config that has DNS rebind protection enabled IIRC, which can flag private range IPs returned as a security risk.

Try to keep it simple first. .localhost should resolve like localhost automatically for you in the browser.
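A small diagnostic along the lines of the two replies above, added here as an example and not part of caddy-docker-proxy: it classifies the hostname from the `caddy:` label the way the thread does (`.local` reserved for mDNS, `.localhost` loopback, private-range answers that rebind protection may drop) and checks whether the answer is the Docker host. The `diagnose` helper, its finding names, the injectable resolver and the sample answers are constructed assumptions.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

def _resolve(hostname: str) -> List[str]:
    """Default resolver: A/AAAA answers from the system stub resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, None)})
    except socket.gaierror:
        return []

def _is_private(addr: str) -> bool:
    try:  # defensive: an answer ipaddress cannot parse counts as not private
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

BLOCKING = {"tld_reserved_for_mdns", "no_answer", "does_not_resolve_to_docker_host"}

def diagnose(hostname: str, expected_host_ip: Optional[str] = None,
             resolver: Callable[[str], List[str]] = _resolve) -> Dict[str, object]:
    """Classify the hostname used in a `caddy:` label (hypothetical helper).

    - '.local' is reserved for mDNS (RFC 6762); unicast DNS should not answer it.
    - '.localhost' is loopback by definition (RFC 6761); browsers need no DNS.
    - Private-range answers can be dropped by resolvers with rebind protection.
    - The answer must be the Docker host that publishes ports 80/443.
    """
    tld = hostname.rstrip(".").rsplit(".", 1)[-1].lower()
    answers = resolver(hostname)
    findings: List[str] = []
    if tld == "local":
        findings.append("tld_reserved_for_mdns")
    if tld == "localhost":
        findings.append("tld_loopback")
    if not answers:
        findings.append("no_answer")
    if tld != "localhost" and any(_is_private(a) for a in answers):
        findings.append("private_answer_may_trip_rebind_protection")
    if expected_host_ip is not None and expected_host_ip not in answers:
        findings.append("does_not_resolve_to_docker_host")
    return {"hostname": hostname, "answers": answers, "findings": findings,
            "ok": not (BLOCKING & set(findings))}

if __name__ == "__main__":
    # Constructed answers standing in for a LAN resolver; not real DNS data.
    fake = {"whoami.pi.localhost": ["127.0.0.1"], "whoami.home.example": ["192.168.1.20"]}
    for name in ("whoami.pi.local", "whoami.pi.localhost", "whoami.home.example"):
        print(diagnose(name, "192.168.1.20", lambda h: fake.get(h, [])))
```

Run it with the default resolver against the real hostname (`diagnose("whoami.pi.local", "<docker host IP>")`) to see what the machine running the browser actually gets back.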