Topics - Drakonash

French - Français / [ABORT][SOLVE][CADDY] Reverse proxy page blanche / Reverse proxy blank page
« on: December 02, 2024, 10:30:06 am »
Hello,

I'm having some trouble configuring CADDY as a reverse proxy.
I have an internal domain, which is not managed by us: “test.local”.

All the elements of the sub-domain point to our opnsense gateway, so we wanted to redirect to the different servers behind the opnsense gateway (e.g. JENKINS server, GITLAB, etc). This is how we configured CADDY:

Caddyfile:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
# caddy_user=root
# Global Options
{
    log {
        output net unixgram//var/run/caddy/log.sock {
        }
        format json {
            time_format rfc3339
        }
        level DEBUG
    }
    servers {
        protocols h1 h2 h3
        log_credentials
    }
    email cicd@test.local
    auto_https off
    grace_period 10s
    import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration
# Reverse Proxy Domain: "e544817d-abf6-4892-bce7-30865d5ba536"

proxy.test.local:443 {
    tls /var/db/caddy/data/caddy/certificates/temp/67470493de394.pem /var/db/caddy/data/caddy/certificates/temp/67470493de394.key
    handle {
        reverse_proxy 172.117.100.254:8443 {
            transport http {
                tls_insecure_skip_verify
                tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/6747033d03974.pem
            }
        }
    }
}
# Reverse Proxy Domain: "a976d706-fcde-42ec-b0c4-32781942f63f"
proxmox-4.test.local:443 {
    tls /var/db/caddy/data/caddy/certificates/temp/67470493de394.pem /var/db/caddy/data/caddy/certificates/temp/67470493de394.key
    handle {
        reverse_proxy 172.117.100.4:8006 {
        }
    }
}
import /usr/local/etc/caddy/caddy.d/*.conf

/usr/local/etc/caddy/caddy.d/01-tuned.conf:

ocsp_stappling off

But when we test this configuration and try to reach one of the two FQDNs we've set up, we get a blank page. Here's an extract from the logs:

2024-12-01T15:40:29     Debug   caddy   "debug","ts":"2024-12-01T15:40:29Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["ocsp_stapling","off","proxmox-4.test.local","proxy.test.local"]},{}]}},"http":{"grace_period":10000000000,"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"172.117.100.4:8006"}]}]}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"http","tls":{"ca":{"pem_files":["/var/db/caddy/data/caddy/certificates/temp/6747033d03974.pem"],"provider":"file"},"insecure_skip_verify":true}},"upstreams":[{"dial":"172.117.100.254:8443"}]}]}]}]}]}],"terminal":true},{"terminal":true}],"tls_connection_policies":[{"match":{"sni":["proxmox-4.test.local"]},"certificate_selection":{"any_tag":["cert0"]}},{"match":{"sni":["proxy.test.local"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{"disable":true},"logs":{"should_log_credentials":true},"protocols":["h1","h2","h3"]}}}}
2024-12-01T15:40:29     Informational   caddy   "info","ts":"2024-12-01T15:40:29Z","logger":"http.auto_https","msg":"automatic HTTPS is completely disabled for server","server_name":"srv0"}
2024-12-01T15:40:29     Debug   caddy   "debug","ts":"2024-12-01T15:40:29Z","logger":"tls.cache","msg":"added certificate to cache","subjects":["test.local","*.test.local"],"expiration":"2025-06-09T15:08:24Z","managed":false,"issuer_key":"","hash":"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx","cache_size":1,"cache_capacity":10000}
2024-12-01T15:40:29     Debug   caddy   "debug","ts":"2024-12-01T15:40:29Z","logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"7ebd454a-b7bb-45f7-8034-fe782ee1aece","origin":"tls","data":{"sans":["test.local","*.test.local"]}}
2024-12-01T15:40:29     Error   caddy   "warn","ts":"2024-12-01T15:40:29Z","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [test.local *.test.local]: making OCSP request: Post \"http://ocsp.pki.test.local/ocsp\": dial tcp XX.XXX.XXX.XX:80: i/o timeout"}
2024-12-01T15:39:59     Informational   caddy   "info","ts":"2024-12-01T15:39:59Z","logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x870473a00"}
2024-12-01T15:39:48     Informational   caddy   "info","ts":"2024-12-01T15:39:48Z","logger":"http.log.access","msg":"NOP","request":{"remote_ip":"XX.XXX.XXX.XX","remote_port":"59262","client_ip":"XX.XXX.XXX.XX","proto":"HTTP/2.0","method":"GET","host":"proxy.test.local","uri":"/favicon.ico","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 Edg/130.0.0.0"],"Sec-Fetch-Mode":["no-cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Cookie":["PHPSESSID=041ca8540ea5877502724dcd63c89a73"],"Sec-Ch-Ua":["\"Chromium\";v=\"130\", \"Microsoft Edge\";v=\"130\", \"Not?A_Brand\";v=\"99\""],"Sec-Fetch-Site":["same-origin"],"Referer":["https://proxy.test.local/"],"Accept-Language":["fr,fr-FR;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6"],"Priority":["u=1, i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Dnt":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Dest":["image"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"proxy.test.local"}},"bytes_read":0,"user_id":"","duration":0.000005539,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

Can anyone help me? Thanks.
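Editor's note, with an added example that is not from the thread or from the OPNsense Caddy plugin. The logs posted above already contain the three facts a practitioner would check before touching the config. First, the "adjusted config" line lists "ocsp_stapling" and "off" among the TLS automation subjects next to the two real hostnames: Caddy documents ocsp_stapling as a global option, and the generated Caddyfile imports *.global inside the global options block but *.conf at top level, so a .conf file containing only that directive is read as site addresses rather than as an option. Second, the tls logger reports the OCSP responder ocsp.pki.test.local timing out; Caddy logs a failed staple as a warning and still serves the certificate, so that line on its own does not explain an empty response. Third, the access-log entry is msg "NOP" with status 0 and size 0, which is what Caddy writes when no handler produced a response; that is the blank page itself. A fourth point is a risk rather than a symptom: the proxy.test.local upstream sets insecure_skip_verify, under which the CA pool given by tls_trust_pool is never consulted. The script below reads viewer lines in the format shown above (timestamp, severity, "caddy", then JSON with the leading {"level": dropped by the forum copy, which it restores) and reports those four findings. The sample lines are constructed from the post and shortened; the line-prefix layout and the missing {"level": are assumptions about how the OPNsense log viewer and the copy-paste mangled the output.

```python
"""Triage of Caddy JSON log lines as they appear in the OPNsense log viewer.

Added example, not code from the thread or from the OPNsense Caddy plugin.
Assumptions (see lead-in): each line is "<timestamp> <severity> caddy <json>",
and the copied JSON lost its leading '{"level":', which parse_line() restores.
"""
import json
import re

# Constructed sample lines, shortened from the post above: the "adjusted config"
# dump, the OCSP warning and the NOP access-log entry (placeholder IPs kept).
SAMPLE_LINES = [
    '2024-12-01T15:40:29     Debug   caddy   "debug","ts":"2024-12-01T15:40:29Z","logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["ocsp_stapling","off","proxmox-4.test.local","proxy.test.local"]},{}]}},"http":{"servers":{"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"reverse_proxy","transport":{"protocol":"http","tls":{"ca":{"pem_files":["/var/db/caddy/data/caddy/certificates/temp/6747033d03974.pem"],"provider":"file"},"insecure_skip_verify":true}},"upstreams":[{"dial":"172.117.100.254:8443"}]}]}]}}}}',
    '2024-12-01T15:40:29     Error   caddy   "warn","ts":"2024-12-01T15:40:29Z","logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [test.local *.test.local]: making OCSP request: Post \\"http://ocsp.pki.test.local/ocsp\\": dial tcp XX.XXX.XXX.XX:80: i/o timeout"}',
    '2024-12-01T15:39:48     Informational   caddy   "info","ts":"2024-12-01T15:39:48Z","logger":"http.log.access","msg":"NOP","request":{"remote_ip":"XX.XXX.XXX.XX","proto":"HTTP/2.0","method":"GET","host":"proxy.test.local","uri":"/favicon.ico"},"status":0,"size":0}',
]

# Viewer prefix: timestamp, severity word, process name, then the JSON body.
PREFIX_RE = re.compile(r'^\S+\s+\S+\s+caddy\s+(?P<body>.*)$')
# A site address Caddy would normally derive from a site block: optional
# wildcard label, at least one dot. Option keywords such as "ocsp_stapling"
# or "off" do not match.
HOSTNAME_RE = re.compile(r'^\*?[A-Za-z0-9.-]+\.[A-Za-z0-9-]+$')


def parse_line(line):
    """Return the JSON object of one viewer line, or None if it is not JSON."""
    m = PREFIX_RE.match(line)
    body = (m.group('body') if m else line).strip()
    if not body.startswith('{'):
        # The copy dropped '{"level":' so the body starts with the level value.
        body = '{"level":' + body
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return None


def _walk(node):
    """Yield every dict nested anywhere inside a JSON value."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from _walk(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk(value)


def check_adjusted_config(entry):
    """Findings from the 'adjusted config' dump: stray site addresses and
    reverse_proxy upstreams whose certificate verification is disabled."""
    findings = []
    for policy in entry.get('tls', {}).get('automation', {}).get('policies', []):
        bad = [s for s in policy.get('subjects', []) if not HOSTNAME_RE.match(s)]
        if bad:
            findings.append(f'non-hostname site address(es) {bad}: a global option was '
                            'probably imported outside the global options block')
    for node in _walk(entry.get('http', {})):
        if node.get('handler') != 'reverse_proxy':
            continue
        tls = node.get('transport', {}).get('tls') or {}
        if tls.get('insecure_skip_verify'):
            dials = [u.get('dial') for u in node.get('upstreams', [])]
            findings.append(f'upstream {dials}: insecure_skip_verify is set, so the '
                            'configured CA pool is never consulted')
    return findings


def check_tls_event(entry):
    """OCSP stapling failures are warnings; the certificate is still served."""
    if 'OCSP' in entry.get('msg', ''):
        return [f"OCSP stapling failed ({entry.get('error', '')}); this is a warning, "
                "not the cause of an empty response"]
    return []


def check_access(entry):
    """status 0 / size 0 (msg NOP) means no handler wrote a response."""
    if entry.get('status') == 0:
        req = entry.get('request', {})
        return [f"{req.get('host')}{req.get('uri')}: status 0, {entry.get('size')} bytes "
                "written, no handler produced a response (blank page)"]
    return []


def triage(lines):
    """Run all checks over viewer lines; returns (logger, finding) tuples in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        logger = entry.get('logger', '')
        if entry.get('msg') == 'adjusted config':
            found = check_adjusted_config(entry)
        elif logger == 'tls':
            found = check_tls_event(entry)
        elif logger == 'http.log.access':
            found = check_access(entry)
        else:
            found = []
        findings.extend((logger, f) for f in found)
    return findings


if __name__ == '__main__':
    for logger, finding in triage(SAMPLE_LINES):
        print(f'[{logger}] {finding}')
```

Paste the full viewer output into SAMPLE_LINES (or feed sys.stdin lines to triage) to run it against a real export. The hostname regex is deliberately loose: its job is only to catch option keywords that ended up as site addresses, not to validate DNS names.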
