caddy ssl not working correctly #152

Open
Maescool opened this issue Aug 13, 2023 · 17 comments

Comments

@Maescool

When using letsencrypt cert directly, caddy starts on 443, but assets don't load
When disabling ssl, content shows up fine

@mixman68

I have the same problem, but with a regular SSL certificate loaded by SSL_CERT and SSL_CERT_KEY.

My pterodactyl is gone..

@VozDeOuro

Is there a way to enable the --debug option on the cert creation?
Because mine isn't working either.

@VozDeOuro

VozDeOuro commented Aug 17, 2023

When using letsencrypt cert directly, caddy starts on 443, but assets don't load When disabling ssl, content shows up fine

How did you disable it?
Mine isn't disabling.

@mixman68

mixman68 commented Aug 17, 2023 via email

@ccarney16
Owner

My Pterodactyl image recently moved to almalinux and caddy, however I do not fully support the new methods that are built in (and scripted) due to certain issues with caddy and pterodactyl daemon unable to share certificates. I will also be advising to move to a reverse proxy configuration such as NGINX, Traefik, or an external caddy proxy.

In regards to asset loading, that is an issue I am currently looking into since I do notice that even on non http configurations.

@VozDeOuro

I think the good way is to do it by DNS:
https://caddyserver.com/docs/automatic-https

@VozDeOuro

Hey @ccarney16,
do you think that the SSL problem will be fixed in a next build?
Using SSL on the reverse proxy is giving some errors on the panel.

@ccarney16
Owner

Hey, so I am currently recommending to set SSL parameters to none on panel and daemon containers and opt to use a reverse proxy to forward traffic. At the moment caddy's built in SSL system is considered experimental until I get it ironed out. I have already pushed this image to a few production deployments using traefik as the reverse proxy, I see no issues at this moment. However if anyone can verify that their current Let's Encrypt certificates are having issues, please let me know, as during testing, the only issues I've encountered have been in regards to out-of-tree patches to pterodactyl. If anyone can also confirm if the certbot container can still get certificates, that would be great.

@VozDeOuro

I'm using exactly that on my setup: traefik, and "none" as the caddy config.
But on some forms, it's saying that the page is not secure.
image

@VozDeOuro

I can try some tests on the certbot container,
but can you give me more info on which container that is?
I just have these containers: panel, worker, daemon, cron.

@ccarney16
Owner

ccarney16 commented Aug 31, 2023

Hm, might want to check your APP_URL in conf.d/panel.env, if it's using http:// or https://. I might also suggest seeing if TRUSTED_PROXIES is set correctly. If it is not, feel free to add on TRUSTED_PROXIES= or a CIDR range.

@ccarney16
Owner

@VozDeOuro Certbot does not look to be enabled on your project, you need to pass the letsencrypt profile using the default deployment configuration to enable certbot. This is a newer docker-compose v2 feature, more information about profiles can be found here.

@VozDeOuro

Hm, might want to check your APP_URL in conf.d/panel.env if its using http:// or https://, I might also suggest seeing if TRUSTED_PROXIES is set correctly. If it is not, feel free to add on TRUSTED_PROXIES= or CIDR range.

It's on http://.
How can I add the TRUSTED_PROXIES=
on the traefik or on the .env file?

@ccarney16
Owner

@VozDeOuro Trusted proxies need to be set in conf.d/panel.env for the panel container, not traefik.

@VozDeOuro

Sorry for the noob question,
but what do I need to input there?

@ccarney16
Owner

You need to set the variable to either the IP address of the proxy, or the CIDR range of the proxy. If traefik is on the same machine as the panel container, and using docker networking, you should be free to try out the CIDR range 172.16.0.0/12. However, be aware this trusts all IP addresses in this range.
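The two symptoms in this thread (the panel generating http:// URLs behind a TLS-terminating proxy, and the trade-off of trusting a whole CIDR) come down to which peers are allowed to set forwarded headers. The model below is an added example written for this thread, not the panel's or Laravel's own code; the proxy address 172.18.0.2 and the other addresses are constructed sample values.

```python
import ipaddress
from typing import Mapping, Optional


def parse_trusted(spec: str) -> Optional[list]:
    """Parse a TRUSTED_PROXIES value: '*' (None here) trusts every peer,
    otherwise a comma-separated list of IPs or CIDR ranges; empty trusts nothing."""
    if spec.strip() == "*":
        return None
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in spec.split(",") if p.strip()]


def is_trusted(remote_addr: str, spec: str) -> bool:
    """True when the immediate TCP peer is covered by TRUSTED_PROXIES."""
    trusted = parse_trusted(spec)
    if trusted is None:
        return True
    ip = ipaddress.ip_address(remote_addr)
    return any(ip in net for net in trusted)


def effective_scheme(remote_addr: str, headers: Mapping[str, str], spec: str) -> str:
    """Scheme the app believes the browser used. X-Forwarded-Proto is honoured
    only from a trusted proxy; otherwise the app reports its own plain-HTTP
    listener, so generated URLs are http:// and the browser flags the page
    as not secure or blocks the mixed-content assets."""
    if is_trusted(remote_addr, spec):
        proto = headers.get("X-Forwarded-Proto", "").lower()
        if proto in ("http", "https"):
            return proto
    return "http"


def client_ip(remote_addr: str, headers: Mapping[str, str], spec: str) -> str:
    """Client address: first X-Forwarded-For hop from a trusted proxy, else the
    peer itself. An over-broad range lets any host inside it forge this value,
    which is the caveat about 172.16.0.0/12 in the comment above."""
    if is_trusted(remote_addr, spec):
        xff = headers.get("X-Forwarded-For", "")
        if xff.strip():
            return xff.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: traefik at 172.18.0.2 terminates TLS and forwards.
    fwd = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.7, 172.18.0.2"}
    print(effective_scheme("172.18.0.2", fwd, ""))            # http  (proxy not trusted)
    print(effective_scheme("172.18.0.2", fwd, "172.18.0.2"))  # https (proxy trusted)
    print(client_ip("172.20.0.9", fwd, "172.16.0.0/12"))      # 203.0.113.7 (any container in the range is believed)
```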

@VozDeOuro

I fixed it by adding this Caddy config:

https://panel.foo.com :81 {
        root * /var/www/html/public
        file_server

        tls {
                dns cloudflare xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        }

        header {
                -Server
                -X-Powered-By
                Referrer-Policy "same-origin"
                X-Frame-Options "deny"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
        }

        encode gzip zstd

        php_fastcgi unix//var/lib/caddy/php/php-fpm.sock

        try_files {path} {path}/ /index.php?{query}
}

That needs a module installed in Caddy, and you need to build it:

VOLUME [ "/var/lib/caddy" ]
WORKDIR /var/www/html
WORKDIR /var/

RUN rm -fr /usr/bin/caddy;\
    wget https://go.dev/dl/go1.21.0.linux-amd64.tar.gz ;\
    rm -rf /usr/local/go && tar -C /usr/local -xzf go1.21.0.linux-amd64.tar.gz ;\
    export PATH=$PATH:/usr/local/go/bin ;\
    mkdir xcaddy_install ;\
    cd /var/xcaddy_install;\
    go install github.com/caddyserver/xcaddy/cmd/xcaddy@latest ;\
    wget https://github.com/caddyserver/xcaddy/releases/download/v0.3.5/xcaddy_0.3.5_linux_amd64.tar.gz ;\
    tar -xzvf xcaddy_0.3.5_linux_amd64.tar.gz ;\
    chmod +x xcaddy ;\
    # here is the module that needs to be installed
    ./xcaddy build --with github.com/caddy-dns/cloudflare;\
    cp caddy /usr/bin/caddy;\
    chmod +x /usr/bin/caddy;\
    caddy list-modules | grep dns.;
