Example Caddy Reverse proxy not working

Hello, I’m quite new to self-hosting things and tried to set vaultwarden up with SSL and Caddy as a reverse proxy as outlined here and here.

When checking the logs for the caddy container, everything seems fine, however my browser shows this message when trying to connect:

What am I doing wrong here?

Pleas let me know which of the logs or config files you need, as I am not sure which would be relevant here.

Can you please post your caddy configuration? And which caddy version you use? Doe sit run in its own docker container?

This is my Caddy file:

{$DOMAIN}:443 {
  log {
    level INFO
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }

  # Uncomment this if you want to get a cert via ACME (Let's Encrypt or ZeroSSL).
  # tls {$EMAIL}

  # Or uncomment this if you're providing your own cert. You would also use this option
  # if you're running behind Cloudflare.
  tls {$SSL_CERT_PATH} {$SSL_KEY_PATH}

  # This setting may have compatibility issues with some browsers
  # (e.g., attachment downloading on Firefox). Try disabling this
  # if you encounter issues.
  encode gzip

  # Uncomment to improve security (WARNING: only use if you understand the implications!)
  # header {
  #      # Enable HTTP Strict Transport Security (HSTS)
  #      Strict-Transport-Security "max-age=31536000;"
  #      # Enable cross-site filter (XSS) and tell browser to block detected attacks
  #      X-XSS-Protection "1; mode=block"
  #      # Disallow the site to be rendered within a frame (clickjacking protection)
  #      X-Frame-Options "DENY"
  #      # Prevent search engines from indexing (optional)
  #      X-Robots-Tag "none"
  #      # Server name removing
  #      -Server
  # }

  # Uncomment to allow access to the admin interface only from local networks
  # @insecureadmin {
  #   not remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
  #   path /admin*
  # }
  # redir @insecureadmin /

  # Notifications redirected to the websockets server
  reverse_proxy /notifications/hub localhost:3012

  # Proxy everything else to Rocket
  reverse_proxy localhost:80 {
       # Send the true remote IP to Rocket, so that vaultwarden can put this in the
       # log, so that fail2ban can ban the correct IP.
       header_up X-Real-IP {remote_host}
  }
}

Caddy runs in its own container as shown here. I will add my docker-compose file below.

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:latest
    container_name: vaultwarden
    restart: always
    environment:
      - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
    volumes:
      - ./vw-data:/data

  caddy:
    image: caddy:2
    container_name: caddy
    restart: always
    ports:
      - 80:80  # Needed for the ACME HTTP-01 challenge.
      - 443:443
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./caddy-config:/config
      - ./caddy-data:/data
      - /etc/letsencrypt/archive/<myDomainIsHereToo>:/certs
    environment:
      - DOMAIN=<I did put my domain here>  # Your domain, prefixed with http or https.
      - EMAIL=<I did put my email here>       # The email address to use for ACME registration.
      - LOG_FILE=/data/access.log
      - SSL_CERT_PATH=/certs/fullchain1.pem
      - SSL_KEY_PATH=/certs/privkey1.pem

I have my let’s encrypt certificates in /etc/letsencryp/live/<myDomain>/ on the host, however caddy was failing to read the simlinked files. When I mounted the volume to /etc/letsencrypt/archive/<mydomain>/ I could get it to start without any warning/error logs.

Thank you very much for your help in advance

I think your problem is with the line

reverse_proxy localhost:80

because you are telling Caddy to reverse proxy the traffic it received for https://${DOMAIN} it its own localhost (where there is no VW).

try to change that to

reverse_proxy  vaultwarden:3012

It should work because docker will allow vaultwarden to be resolved to the IP of the VW container. Same goes for the notifications redirect.

You are awesome! Thank you so much!

I had figured it was with those lines and tried providing the IP of the host device, but obviously that didn’t work through docker. I have to remember this neat trick with the docker names → IP

You are welcome, glad I could help.

There are a few more things you may want to consider (I am not sure what your exact setup is but if that can be useful I would be glad)

You mention “your LE certificates”, that you place them in specific places. Have you considered just letting caddy manage them? One of the many awesome things with this web server is that it is LE enabled by default. I have about 30 services at home that I reverse proxy through caddy and I just configured them in Caddyfile to be stored somewhere in /data so that they are on a persistent volume. Caddy updates them when needed.

The other thing is the {$DOMAIN} line. Is it specific to vaulwarden? Have you considered having subdomains for all your services?. In that case the line in Caddyfile would be

https://vaultwarden.yourdomain.com {
...

and Caddy would manage the certificates on its own, for each domain separately

Hey, thanks to your last reply I tried the certificate manager caddy comes with, however it seems like it gets stuck in a loop of failing to create the certificates.

image1517×851 362 KB

It seems that the DNS resolution fails in the container (it is to zerossl.com, I expected it to be to LE)