Caddy to Caddy reverse proxy with self-signed SSL? #5220

Closed
IngwiePhoenix opened this issue Nov 25, 2022 · 2 comments
Labels
question ❔ Help is being requested

Comments

@IngwiePhoenix

Hello!

After switching my server, I decided to go with Caddy to configure my HTTP/S endpoints and I really enjoy the Caddyfile syntax; much easier than the fumbling I had to do with NGINX and I can ditch Certbot!

However, I will be setting up a new home network soon (ordered a NanoPi R6s from FriendlyElec) and am planning to host a few services from home, linking my home network to my remote server via VPN to not expose anything outside into the wild. My question is: How can I tell Caddy to completely trust the SSL certificate sent by my Caddy at home?

The connection flow is basically this: Internet -> *.home.example.com -> VPN <- NanoPi

The domain is already set to my VPS' IP. So far, I know that all I need to do on my VPS is basically:

*.home.example.com {
  reverse_proxy * $nanopi_vpn_address
}

But when I specify something like jellyfin.home.example.com in my Caddyfile on the NanoPi, Caddy won't be able to properly resolve the address as being the same server it runs on, as it will instead encounter my VPS' IP, so in theory it would fall back to a self-signed certificate. And said certificate would somehow need to be trusted by the VPS' Caddy.

How do I set this up properly?

Basically I will be running a few things like Paperless, Jellyfin, Grocy and such and would like to access them outside, a few of those at least, for when I am traveling - all orchestrated by using Jellyfin to proxy incoming requests to where they need to go. And I would like to use HTTPS to encrypt my traffic properly (you never know who else is on the same public WiFi as you...).

Thanks in advance and have a great day!

Kind regards,
Ingwie

@francislavoie
Member

Hi! Thanks for trying Caddy!

Use the transport http option tls_trusted_ca_certs to point to the root CA certificate that signed the certs on the remote server. See the docs https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#the-http-transport

For next time, please ask your usage questions on the Caddy community forums. We prefer to keep the GitHub issue board for bugs and feature requests. Don't forget to fill out the thread template so we can help you!

@francislavoie closed this as not planned on Nov 25, 2022
@francislavoie added the question label on Nov 25, 2022
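The two Caddyfiles the answer above implies, written out here as an added example (this is not configuration from the thread or from the Caddy project). Assumptions not stated in the issue: the NanoPi is reachable over the VPN at 10.8.0.2, Jellyfin and Paperless listen on 127.0.0.1:8096 and 127.0.0.1:8000 on the NanoPi, and the NanoPi's Caddy root CA certificate has already been copied to /etc/caddy/nanopi-root.crt on the VPS. Explicit hostnames are used on the VPS instead of the *.home.example.com wildcard from the question, because a wildcard certificate can only be obtained with the DNS challenge (which needs a DNS provider plugin), while explicit names work with Caddy's default HTTP and TLS-ALPN challenges.

```caddyfile
# ---- VPS Caddyfile (public side: Internet -> VPS -> VPN -> NanoPi) ----
# Assumptions (not from the thread): the NanoPi's VPN address is 10.8.0.2,
# and its Caddy root CA certificate was copied to /etc/caddy/nanopi-root.crt.

# Snippet: proxy to the NanoPi over TLS, trusting only its local Caddy CA.
# {args.0} is the hostname sent as SNI and used to verify the upstream cert;
# "import" substitutes it at Caddyfile-parse time. (Caddy 2.7+ also accepts {args[0]}.)
(to_nanopi) {
	reverse_proxy 10.8.0.2:443 {
		transport http {
			tls
			# Replaces the system trust store for this upstream: only certs
			# chaining to the NanoPi's Caddy root are accepted.
			tls_trusted_ca_certs /etc/caddy/nanopi-root.crt
			# The upstream is an IP, so without this no SNI would be sent and
			# the name check against the upstream certificate would fail.
			tls_server_name {args.0}
		}
	}
}

# One site block per service; each gets a public certificate via the default
# HTTP/TLS-ALPN challenges. (A *.home.example.com wildcard would need the DNS challenge.)
jellyfin.home.example.com {
	import to_nanopi jellyfin.home.example.com
}

paperless.home.example.com {
	import to_nanopi paperless.home.example.com
}

# ---- NanoPi Caddyfile (VPN side) ----
# Assumption: Jellyfin listens on 127.0.0.1:8096, Paperless on 127.0.0.1:8000.
# "tls internal" must be set explicitly: the public DNS name resolves to the VPS,
# so an ACME attempt from the NanoPi cannot succeed, and Caddy does not fall back
# to its internal CA on its own for a public-looking hostname.
jellyfin.home.example.com {
	tls internal
	reverse_proxy 127.0.0.1:8096
}

paperless.home.example.com {
	tls internal
	reverse_proxy 127.0.0.1:8000
}
```

The root certificate to copy is the one Caddy's internal CA writes as `pki/authorities/local/root.crt` under its data directory, i.e. `$XDG_DATA_HOME/caddy/pki/authorities/local/root.crt` (with the official systemd service, `/var/lib/caddy/.local/share/caddy/pki/authorities/local/root.crt`). Copy only `root.crt`; `root.key` stays on the NanoPi. The root is long-lived, so it only needs to be copied once even though the leaf certificates it signs are re-issued automatically. Pinning the upstream to that single CA with `tls_trusted_ca_certs` is the right alternative to `tls_insecure_skip_verify`, which would make the VPS accept any certificate on the VPN hop.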
@IngwiePhoenix
Author

Ah shoot, must've overlooked that - I am very sorry!

Thanks for the hint. Will just have to find out which root CA Caddy uses by default so I can copy it from the NanoPi to the VPS and specify it. Thanks! I'll ask other questions on the forum now. ^^
