Caddy
TLS re-encryption
Strictly speaking this is not end-to-end encryption, since the traffic is decrypted once in transit, but in practice it is never on the wire in plaintext. The main Caddy terminates the public TLS session as the edge node on the WAN side, then acts as a TLS client towards the app-side Caddy using a private (internal CA) certificate.
.com public domain
WAN - (Let's Encrypt certificate) -> Caddy (auth) - (ilnmors internal certificate) -> Caddy (app) or https services - http -> app's local service
.internal private domain
client - (ilnmors internal certificate) -> Caddy (Infra) - http -> local services
DNS record
*.app.ilnmors.internal - CNAME -> app.ilnmors.internal
X-Forwarded-Host
When the auth Caddy re-encrypts a request towards the app-side Caddy, it rewrites the Host header to the internal upstream name so the internal site block matches; the original public Host is carried in the X-Forwarded-Host header. The app-side Caddy must therefore restore Host from X-Forwarded-Host before handing the request to the local service, otherwise cookies and session handling bound to the public domain break.
Example
# Auth server (public side, Let's Encrypt certificate)
test.ilnmors.com {
	import crowdsec_log
	route {
		crowdsec
		# Re-encrypt towards the app Caddy; Host becomes the internal upstream name,
		# the original Host is forwarded in X-Forwarded-Host
		reverse_proxy https://test.app.ilnmors.internal {
			header_up Host {http.reverse_proxy.upstream.host}
		}
	}
}

# App server (internal side, private certificate)
{
	servers {
		# Only the auth Caddy's addresses (rendered by Ansible) are trusted proxies
		trusted_proxies static {{ hostvars['fw']['network4']['auth']['server'] }} {{ hostvars['fw']['network6']['auth']['server'] }}
	}
}

test.app.ilnmors.internal {
	import internal_tls
	route {
		# Restore the public Host so the local service sees the original domain
		reverse_proxy host.containers.internal:3000 {
			header_up Host {http.request.header.X-Forwarded-Host}
		}
	}
}
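The following is an added illustration, not Caddy code and not part of the original page: a small Python model of the two-hop Host / X-Forwarded-Host rewrite configured in the Example above, including the case the trusted_proxies setting is there for, a client that reaches the internal name directly and supplies its own X-Forwarded-Host. The hostnames are the page's; the proxy address 10.0.0.5 and the client address 192.0.2.10 are constructed sample values, and the trust check only mirrors the intent of trusted_proxies, not Caddy's implementation.

```python
# Added example (not from the page, not Caddy code): model of the Host rewrite
# across the auth Caddy (edge) and the app Caddy (internal) described above.
import ipaddress

PUBLIC_HOST = "test.ilnmors.com"                 # from the page
INTERNAL_HOST = "test.app.ilnmors.internal"      # from the page
# Constructed sample: the auth Caddy's address as seen by the app Caddy,
# standing in for the addresses Ansible renders into trusted_proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def auth_caddy_hop(request: dict) -> dict:
    """Edge hop: TLS is terminated here and re-encrypted upstream.
    Host is rewritten to the upstream name (header_up Host {upstream.host});
    the original Host travels in X-Forwarded-Host."""
    upstream = dict(request)
    upstream["X-Forwarded-Host"] = request["Host"]
    upstream["Host"] = INTERNAL_HOST
    return upstream


def app_caddy_hop(request: dict, peer_ip: str) -> dict:
    """Internal hop: restore Host from X-Forwarded-Host, but only when the
    peer is a trusted proxy. From anyone else the forwarded header is dropped,
    so a direct client cannot pick the Host the local service sees."""
    addr = ipaddress.ip_address(peer_ip)
    trusted = any(addr in net for net in TRUSTED_PROXIES)
    local = dict(request)
    forwarded = local.pop("X-Forwarded-Host", None)
    if trusted and forwarded:
        local["Host"] = forwarded
    return local


def host_seen_via_auth_caddy(client_headers: dict) -> str:
    """Normal path: client -> auth Caddy -> app Caddy -> local service."""
    relayed = auth_caddy_hop(client_headers)
    return app_caddy_hop(relayed, "10.0.0.5")["Host"]


def direct_to_app_caddy(client_headers: dict, client_ip: str) -> dict:
    """Client bypasses the auth Caddy and talks to the internal name itself."""
    return app_caddy_hop(client_headers, client_ip)


if __name__ == "__main__":
    # Session cookies bound to the public domain keep working on the normal path
    print(host_seen_via_auth_caddy({"Host": PUBLIC_HOST}))
    # A spoofed X-Forwarded-Host from an untrusted peer is discarded
    print(direct_to_app_caddy(
        {"Host": INTERNAL_HOST, "X-Forwarded-Host": PUBLIC_HOST}, "192.0.2.10"))
```

The point of the second function is the same as the trusted_proxies block in the app server config: X-Forwarded-Host is only meaningful when it was set by the auth Caddy, so the app side should trust it from those addresses alone.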