Messages

1

24.7 Production Series / Re: Caddy Layer4 Route TLS (SNI)

« on: October 10, 2024, 01:42:28 am »

Sorry for the delay getting back to this thread.

I tested with the latest release today, and everything is working as expected.  I have a dozen layer4 routes configured that all connect successfully to their correct sites.  Another layer4 route passes through an SSH connection.  I also added a domain & HTTP handler combo for one specific site, so I could add basic authentication in front of it, but only when it's accessed remotely.

Thanks for all of your work on this.  I really appreciate it!
Alan

2

24.7 Production Series / Re: Caddy Layer4 Route TLS (SNI)

« on: September 22, 2024, 03:55:13 pm »

SNI was working with HA Proxy, so my browser should be sending the SNI.  Caddy also seems to be getting the right name when using a domain + HTTP handler.  When I don't have the domain configured, I get log entries when it tries to match the domain with a certificate, and the domain matches what I've been using in layer4.

Is there any way to log what layer4 is attempting to match on like it does when Caddy searches for a certificate?

I don't know if this matters, but my OPNSense does list the os-caddy version as 1.7.0_1.

3

24.7 Production Series / Re: Caddy Layer4 Route TLS (SNI)

« on: September 22, 2024, 12:25:56 am »

Thanks for taking a look at this.  I'm getting the same error with the OPNsense Webgui following the example from the video..

I removed my DNS API key and disabled all of the domains except the OPNsense Webgui domain.  My current Caddy file is attached.

Thanks again,
Alan

4

24.7 Production Series / Caddy Layer4 Route TLS (SNI)

« on: September 21, 2024, 06:09:36 pm »

Hello,

I've been using HA Proxy on OPNsense 24.7.4_1-amd64 to route HTTPS traffic to about a dozen internal web servers running different applications.  All of the internal servers run HTTPS with signed certs from Let's Encrypt.  I configured HA Proxy to route based on SNI, so it didn't need any certificates of its own.  The configuration was fairly convoluted, and it was difficult to add new servers.  I switched to Caddy, because it looks like it should be easier to setup and maintain.

I currently have Caddy running successfully with Domains and HTTP handlers configured for each server.  As I understand it Caddy is terminating TLS and establishing new TLS connections to each internal server.  I'd like to switch these to Layer4 routes using TLS (SNI), but I'm getting an error.

I've removed the domain and HTTP handler for a test site, and added it to Layer4 instead.  I've configured the domain, set the matcher to TLS (SNI), set the upstream domain, and set the upstream port.  In the log I get the following error:

Error caddy   "debug","ts":"2024-09-21T15:03:27Z","logger":"caddy.listeners.layer4", "msg":"matching","remote":"217.111.222.33:21026","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false

After this it goes on to try to find a certificate for the website that's listed in the domain.  It doesn't find one, so the request fails.  Running tcpdump on the test server shows that Caddy never tries to establish a connection to it.

I haven't been able to find any mention of the error "consumed all prefetched bytes" online.  Since it works when Caddy terminates the TLS connection, I assume my firewall rules are OK.  Are there any other config changes I need to make to get the Layer4 TLS (SNI) matcher to work in Caddy?

Thanks,
Alan