Can Caddy reverse-proxy port 443? It keeps saying "This site can't provide a secure connection"

Configuration

{
	debug
}

xxxx.test1.xx {
	reverse_proxy localhost:8080
}

:80 {
	reverse_proxy 127.0.0.1:3180
}

:443 {
	reverse_proxy https://127.0.0.1:3443
}

Log

2024/11/10 13:51:58.034 DEBUG   events  event   {"name": "tls_get_certificate", "id": "abe387ea-c094-4795-8b87-1f7abf9090b9", "origin": "tls", "data": {"client_hello":{"CipherSuites":[60138,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"hello.testdomain.site","SupportedCurves":[43690,25597,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[2570,772,771],"RemoteAddr":{"IP":"113.255.201.18","Port":32829,"Zone":""},"LocalAddr":{"IP":"10.0.4.45","Port":443,"Zone":""}}}}
2024/11/10 13:51:58.035 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "hello.testdomain.site"}
2024/11/10 13:51:58.035 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.testdomain.site"}
2024/11/10 13:51:58.035 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.site"}
2024/11/10 13:51:58.035 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2024/11/10 13:51:58.035 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "113.255.201.18", "remote_port": "32829", "server_name": "hello.testdomain.site", "remote": "113.255.201.18:32829", "identifier": "hello.testdomain.site", "cipher_suites": [60138, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2024/11/10 13:51:58.035 DEBUG   http.stdlib     http: TLS handshake error from 113.255.201.18:32829: no certificate available for 'hello.testdomain.site'
2024/11/10 13:51:58.132 DEBUG   events  event   {"name": "tls_get_certificate", "id": "f917c44c-e5af-44ce-9b57-651ebfce3762", "origin": "tls", "data": {"client_hello":{"CipherSuites":[6682,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"hello.testdomain.site","SupportedCurves":[23130,25597,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[56026,772,771],"RemoteAddr":{"IP":"113.255.201.18","Port":32830,"Zone":""},"LocalAddr":{"IP":"10.0.4.45","Port":443,"Zone":""}}}}
2024/11/10 13:51:58.132 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "hello.testdomain.site"}
2024/11/10 13:51:58.132 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.testdomain.site"}
2024/11/10 13:51:58.132 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.site"}
2024/11/10 13:51:58.132 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*.*.*"}
2024/11/10 13:51:58.132 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "113.255.201.18", "remote_port": "32830", "server_name": "hello.testdomain.site", "remote": "113.255.201.18:32830", "identifier": "hello.testdomain.site", "cipher_suites": [6682, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2024/11/10 13:51:58.132 DEBUG   http.stdlib     http: TLS handshake error from 113.255.201.18:32830: no certificate available for 'hello.testdomain.site'
  • My idea is that Caddy listens on 80 and 443; the test1 site goes to 8080 and everything else goes to the default entries after it.
  • First of all, ports 3180 and 3443 both work fine when accessed directly. But once proxied, 80 => 3180 works, while 443 is wrong no matter how I adjust it; that's when I added the debug log above.
  • I searched around and for a reverse proxy this doesn't seem hard at all, but I'm stuck on this 443 reverse proxy. What I mean is that 443 should be purely a middleman that handles nothing itself and just hands the connection to the others, letting them deal with the data, certificates (⊙o⊙) and so on.
  • But right now it seems Caddy intercepts it directly and throws an exception? It never even gets a chance to connect to the backend, no idea what to do…
11 likes
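The debug log above shows Caddy trying four identifiers in turn before giving up on the SNI name. The script below is an added example (not code from the thread or from Caddy itself) that reproduces that lookup order against a constructed in-memory certificate store, so you can see why a bare `:443` block with no certificate for `hello.testdomain.site` ends in "no certificate available"; the store contents and names are made up for the demo.

```python
"""Mirror the certificate lookup order visible in Caddy's TLS debug log.

Added example, not from the thread or from Caddy. The store below is a
constructed stand-in for the certificates a server has loaded, keyed by
the name each certificate covers (a wildcard certificate by its wildcard).
"""
from typing import Dict, List, Optional

# Constructed certificate store: identifier -> description of the certificate.
CERT_STORE: Dict[str, str] = {
    "xxxx.test1.xx": "leaf cert for the test1 site",
    "*.example.test": "wildcard cert for example.test",
}


def candidate_identifiers(server_name: str) -> List[str]:
    """Exact name first, then progressively wider wildcard identifiers.

    For "hello.testdomain.site" this yields the same four identifiers the
    debug log tries: the exact name, *.testdomain.site, *.*.site, *.*.*.
    """
    labels = server_name.lower().rstrip(".").split(".")
    candidates = [".".join(labels)]
    for i in range(1, len(labels)):
        candidates.append(".".join(["*"] * i + labels[i:]))
    candidates.append(".".join(["*"] * len(labels)))
    return candidates


def select_certificate(server_name: str, store: Dict[str, str]) -> Optional[str]:
    """Return the first certificate matching the SNI, or None if there is none."""
    for ident in candidate_identifiers(server_name):
        if ident in store:
            return store[ident]
    return None


def explain(server_name: str, store: Dict[str, str] = CERT_STORE) -> List[str]:
    """Produce log-style lines in the same shape as the thread's debug output."""
    lines: List[str] = []
    for ident in candidate_identifiers(server_name):
        if ident in store:
            lines.append(f"matched {store[ident]!r} via identifier {ident!r}")
            return lines
        lines.append(f'no matching certificates {{"identifier": "{ident}"}}')
    lines.append(f"no certificate available for '{server_name}'")
    return lines


if __name__ == "__main__":
    for line in explain("hello.testdomain.site"):
        print(line)
```

The fix the thread eventually lands on, naming the host as a site address so Caddy obtains a certificate for it, is equivalent to adding that host to the store.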

When Caddy reverse-proxies to HTTPS it verifies the certificate by default; you can choose to skip verification. That worked for me before, not sure about now, and the official docs say the "skip certificate verification" setting will be removed. The officially recommended approach is an internal self-signed certificate trusted by Caddy.

You can refer to this official forum post:

1 like

Thanks for the reply. I've tried that approach too, and it seems to have no effect.
The current configuration should be as minimal as it gets.

{
	debug
}

:80 {
	reverse_proxy 127.0.0.1:3180
}

:443 {
	reverse_proxy https://127.0.0.1:3443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

handle @portainer {
	reverse_proxy https://172.17.0.1:9443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

This is the setting for one subdomain under my wildcard domain, and it is reachable. I'm not sure why yours doesn't work; adding a Caddy-trusted self-signed certificate to the service is quite a hassle, and I don't really understand it either.

I changed :443 to a specific domain and now it does listen, but the response is 502…

xxx.yyy.com {
	reverse_proxy https://127.0.0.1:3443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

http.log.error remote error: tls: internal error

Can you reach https://127.0.0.1:3443 directly? Check what curl -v https://127.0.0.1:3443 returns.

*   Trying 111.222.333.444:443...
* Connected to hello.testdomain.site (111.222.333.444) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=hello.testdomain.site
*  start date: Nov 10 12:28:13 2024 GMT
*  expire date: Feb  8 12:28:12 2025 GMT
*  subjectAltName: host "hello.testdomain.site" matched cert's "hello.testdomain.site"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: hello.testdomain.site]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55a38d619ce0)
> GET / HTTP/2
> Host: hello.testdomain.site
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Sun, 10 Nov 2024 15:39:05 GMT
< 
* Connection #0 to host hello.testdomain.site left intact

If I use the command above against 3443, it returns normally (nginx's hello page).

I think I get it now: Caddy issued a certificate for my domain that differs from the one I signed manually. Not sure whether that's the problem; I'll go look for how to delete the Caddy-signed one.

Add an email setting to Caddy, otherwise it can't request a certificate, or use tls internal.

Thanks, but I don't want to request a certificate. I want Caddy not to be responsible for certificate issuance at all and leave that to the forwarded port.

tls internal

Still doesn't work. I tried both and still get 502. My feeling is that when going from one cert-bearing endpoint to another, do the two certificates need to match? I can see the two certificates use different encryption formats (Caddy's 443 vs. the service's own 3443); not sure whether that's the cause.

xxx.yyy.com {
	tls [email protected]
	reverse_proxy https://127.0.0.1:3443
}

xxx.yyy.com {
	tls [email protected]
	reverse_proxy https://127.0.0.1:3443 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

Thanks. I found this earlier, but it looked rather complicated, so I skipped it :joy:
By the way, does nobody else have this need? Just using Caddy purely as a forwarding tool… (why can 80 be forwarded freely but 443 can't…)
Also, would Nginx avoid this problem, or does it need a dedicated implementation too?

`caddy reverse-proxy --from example.com --to https://example.com:3443`: with your current setting of 127.0.0.1, the backend's domain must also be localhost; the backend hostname check probably didn't pass. If that's the case, you need to change the Host header: `caddy reverse-proxy --from example.com --to https://localhost:9000 --change-host-header`

Also, your understanding is wrong: 443 is the HTTPS port by default, and a reverse proxy involves two TLS legs, and both legs must pass the corresponding checks (headers and so on).

:3443 {
	tls internal
	respond "Hellow World"
}

localhost:443 {
	tls internal
	reverse_proxy https://localhost:3443  # Work
}

The configuration above works correctly.

1 like

Thanks. I eventually found out it is two-stage verification as well, so I gave up on this approach :joy:
Then I changed headscale to listen on a non-80 port and deploy the certificate manually.
(I originally just wanted headscale to request certificates automatically… but the forwarding is way too complicated, might as well do it by hand.)