mholt/caddy-l4

https terminating proxy as http to backend (443=>80) example

di-rect opened this issue · 8 comments

Hi,

I have a very simple question:

Do you have an example that makes it possible to terminate SSL (443) on Caddy L4 and forward it unencrypted to the non-SSL Caddy L4 HTTP port 80?

I'm not able to get that working; proxy works fine.

Thanks!

What's your current config?

Actually the examples from the readme.

HTTPS termination is what I'm doing like this at the moment (no L4, sadly), but IMAP SSL to non-SSL is what seems to be more complex.

```json
{
  "apps": {
    "http": {
      "servers": {
        "webserver": {
          "listen": [":443"],
          "routes": [
            {
              "match": [{"host": ["mydomain.tld"]}],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [{"dial": "nginx:80"}]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "layer4": {
      "servers": {
        "secure-imap": {
          "listen": [":993"],
          "routes": [
            {
              "handle": [
                {"handler": "tls"},
                {
                  "handler": "proxy",
                  "proxy_protocol": "v1",
                  "upstreams": [{"dial": ["mailserver:143"]}]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```

@mohammed90 Any suggestion ?

Sorry, I got distracted. You're trying to proxy IMAP, which has specific requirements about its TLS termination. It doesn't like it when another server handles TLS in front of it. See:

@mohammed90

OK no problem, thanks for your reply!

But why does the example here show a 993 to 143 forward? I have seen lots of issues with IMAP indeed; does the same go for SMTP?

But is it true that I don't see any example for SSL to non-SSL (so actual termination), like what I do in my example for HTTP without using the L4 app?

why does the example here show a 993 to 143 forward?

It's just an example. I guess we didn't do the research I just did 🤷🏻‍♂️

does the same go for SMTP?

I don't know for sure, but I assume yes. From prior research, email protocols tend to be finicky.

But is it true that I don't see any example for SSL to non-SSL (so actual termination), like what I do in my example for HTTP without using the L4 app?

It can be as simple as this:

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "tls_terminator": {
          "listen": ["0.0.0.0:443"],
          "routes": [
            {
              "handle": [
                {"handler": "tls"},
                {
                  "handler": "proxy",
                  "upstreams": [{"dial": ["localhost:80"]}]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
```
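To put the two halves of the thread together, here is a single-instance config added as an illustration (it is not from the thread or the caddy-l4 repo): the layer4 app terminates TLS on :443 and hands plaintext to the http app on :80, which reverse-proxies to nginx exactly as the original :443 server did. It assumes the `mydomain.tld` and `nginx:80` names from the thread, that the tls app's `automate` loader can obtain the certificate for that name, and that automatic HTTPS is switched off on the :80 server so it does not try to claim :443 itself.

```json
{
  "apps": {
    "layer4": {
      "servers": {
        "tls_terminator": {
          "listen": ["0.0.0.0:443"],
          "routes": [
            {
              "handle": [
                {"handler": "tls"},
                {
                  "handler": "proxy",
                  "upstreams": [{"dial": ["127.0.0.1:80"]}]
                }
              ]
            }
          ]
        }
      }
    },
    "http": {
      "servers": {
        "webserver": {
          "listen": [":80"],
          "automatic_https": {"disable": true},
          "routes": [
            {
              "match": [{"host": ["mydomain.tld"]}],
              "handle": [
                {
                  "handler": "reverse_proxy",
                  "upstreams": [{"dial": "nginx:80"}]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": ["mydomain.tld"]
      }
    }
  }
}
```

Two things the http app loses at the plaintext hop: the request arrives on :80 as plain HTTP, so the backend cannot tell it was HTTPS on the wire unless the http server adds that information back, and the original client IP is replaced by 127.0.0.1 unless the layer4 proxy sends PROXY protocol (as the IMAP route in the first config does) and the :80 server is configured to accept it.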

I believe this question has been answered, so I'll close the issue.

Sorry for the delay; you can't always steer life :)

But you are right, the example is not that good, and I think we made things clear: mail servers do need the certs themselves.

Happy Christmas!