mholt / caddy-l4

Layer 4 (TCP/UDP) app for Caddy
Apache License 2.0

RDP server on web subdomain with reverse proxy does not work #237

Closed sawa-ko closed 1 month ago

sawa-ko commented 1 month ago

I am trying to connect a domain to a Windows virtual machine, but I can't get it to work, because when I try to connect to the domain it does not work. The domain simply does not work.

This is my entire caddy configuration file:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

{
        admin 0.0.0.0:81
        layer4 {
                win.x.x {
                        route {
                                tls
                                proxy {
                                        proxy_protocol v1
                                        upstream 10.10.10.3:3389
                                }
                        }
                }
        }

}

The port as you can see is working properly (host machine):

image

The virtual machine is on a NAT network, which the virtual machine that has the Caddy has access to.

image

sawa-ko commented 1 month ago

Update: I have opted for a JSON configuration, but when I try to connect through port 82, in this example, it just doesn't work.

root@x ~ # telnet x.x.xx.xx 82
Trying x.x.xx.xx...
Connected to x.x.xx.xx.
Escape character is '^]'.
Connection closed by foreign host.
root@madoka ~ # curl x.x.xx.xx:82
curl: (56) Recv failure: Connection reset by peer

{
    "apps": {
        "http": {
            "servers": {
                "example_server": {
                    "listen": [":80"],
                    "routes": [
                        {
                            "match": [
                              {
                                "host": ["subdomain.example.com"]
                              }
                            ],
                            "handle": [
                                {
                                    "handler": "reverse_proxy",
                                    "upstreams": [
                                        {
                                            "dial": "10.10.10.2:8000"
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "layer4": {
            "servers": {
                "rdp_server": {
                    "listen": [":82"],
                    "routes": [
                        {
                            "match": [
                                {
                                    "rdp": {}
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "proxy",
                                    "upstreams": [
                                        {
                                            "dial": ["10.10.10.3:3389"]
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        },
        "tls": {
            "certificates": {
                "automate": ["subdomain.example.com"]
            },
            "automation": {
                "policies": [
                    {
                        "issuers": [{"module": "internal"}]
                    }
                ]
            }
        }
    },
    "admin": {
        "listen": ":81"
    }
}

vnxme commented 1 month ago

@sawa-ko I can see two problems in your config:

  1. You don't have to use the tls handler before the proxy handler while multiplexing RDP, because RDP is encrypted itself.
  2. You can't match RDP by domain name, since it's not HTTP or TLS.

A working config example:

{
    layer4 {
        :443 {
            @rdp rdp
            route @rdp {
                proxy 10.10.10.3:3389
            }
            @tls tls
            route @tls {
                tls
                proxy localhost:80
            }
        }
    }
}
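As an added illustration (not caddy-l4's own matcher code), this Go program shows the decision the `@rdp rdp` and `@tls tls` matchers in the config above have to make from a connection's first bytes alone: an RDP client opens with a TPKT/X.224 Connection Request that carries no hostname, a browser opens with a TLS ClientHello, and a plain `telnet`/`curl` probe matches neither route, which is why such a probe is reset instead of reaching the upstream. The three sample prefixes are constructed, not captured traffic.

```go
package main

import "fmt"

// Protocol is the route a multiplexed :443 listener would pick for a connection.
type Protocol string

const (
	ProtoRDP     Protocol = "rdp"     // handled by `route @rdp`
	ProtoTLS     Protocol = "tls"     // handled by `route @tls`
	ProtoUnknown Protocol = "unknown" // no route matches; the connection is dropped
)

// Constructed sample prefixes (not captured traffic).
var (
	// TPKT header + X.224 Connection Request carrying an RDP Negotiation Request.
	RDPConnReq = []byte{0x03, 0x00, 0x00, 0x13, 0x0e, 0xe0, 0x00, 0x00, 0x00, 0x00,
		0x00, 0x01, 0x00, 0x08, 0x00, 0x03, 0x00, 0x00, 0x00}
	// Start of a TLS record carrying a ClientHello (record type 22, handshake type 1).
	TLSClientHello = []byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01, 0x00, 0x00, 0xc4, 0x03, 0x03}
	// What curl sends: plain HTTP, which neither matcher accepts.
	PlainHTTP = []byte("GET / HTTP/1.1\r\nHost: x.x.xx.xx\r\n\r\n")
)

// Classify looks only at the bytes the client sends first, which is all a
// layer-4 matcher has: the RDP Connection Request carries no hostname, so RDP
// cannot be routed by domain. Simplified illustration, not caddy-l4's code.
func Classify(prefix []byte) Protocol {
	// RDP: TPKT version 3, reserved 0, 16-bit length >= 11 (4-byte TPKT header
	// plus a 7-byte X.224 CR TPDU), then TPDU code 0xE in the high nibble of byte 5.
	if len(prefix) >= 7 && prefix[0] == 0x03 && prefix[1] == 0x00 {
		tpktLen := int(prefix[2])<<8 | int(prefix[3])
		if tpktLen >= 11 && prefix[5]&0xF0 == 0xE0 {
			return ProtoRDP
		}
	}
	// TLS: handshake record (22) with a 3.x record version and a ClientHello (1).
	if len(prefix) >= 6 && prefix[0] == 0x16 && prefix[1] == 0x03 && prefix[5] == 0x01 {
		return ProtoTLS
	}
	return ProtoUnknown
}

func main() {
	// Prints: rdp tls unknown
	fmt.Println(Classify(RDPConnReq), Classify(TLSClientHello), Classify(PlainHTTP))
}
```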