Example 4: also listen for HTTPS on custom network

[bertmelis]

Thank you for this repo. I switched from nginx to caddy and got my setup up and running in less than 1 hour.

One thing that I didn't quite get right is to have Caddy listen on the local network for HTTPS. I have some services that insist on communicating through TLS even for local connections.

I solved this by copying the blocks of all the different (sub)domains in the caddyfile so both http and https are there:

http://whoami.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	reverse_proxy whoami:80
	log
}
https://whoami.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	reverse_proxy whoami:80
	log
}

I was wondering if there is a more elegant way of doing this.

Also, you only specify h1 on the custom network. Could you enlighten me why this is?

[bertmelis]

WARNING: Completely untested configuration!

I will report later.

{
	default_bind fd/4 {
		protocols h1 h2
	}
	default_bind fdgram/5 {
		protocols h3
	}
	admin unix//run/admin.sock
}

http:// {
	bind fd/3 {
		protocols h1
	}
	redir https://{host}{uri}
	log
}

# also redirect on custom network
http:// {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	redir https://{host}{uri}
	log
}

whoami.example.com {
	reverse_proxy whoami:80
	log
}

static.example.com {
	root * /static
	file_server
	log
}

# listen on custom network
whoami.example.com {
	bind 0.0.0.0 [::1]  # default protocols are h1, h2 and h3
	reverse_proxy whoami:80
	log
}

# listen on custom network
static.example.com {
	bind 0.0.0.0 [::1] # default protocols are h1, h2 and h3
	root * /static
	file_server
	log
}

[eriksjolund]

Nice. Yes, letting caddy listen HTTP/3 on the custom network in Example 4 would be an improvement.
I didn't get it to work when I tried it myself a few months ago. I haven't tried your configuration yet but it looks promising!

[bertmelis]

So my attempts to simplify the Caddyfile failed. I'm going to leave it as is. It might be verbose but it works.

The reason I want to have https on the custom network is because my ownCLoud instance (ocis) needs to be able to reach Authelia and it does this through regular (secure!) TCP sockets. So https needs to be served on the custom network.

In example 4 this then becomes:

{
	default_bind fd/4 {
		protocols h1 h2
	}
	default_bind fdgram/5 {
		protocols h3
	}
	admin unix//run/admin.sock
}

http:// {
	bind fd/3 {
		protocols h1
	}
	redir https://{host}{uri}
	log
}

whoami.example.com {
	reverse_proxy whoami:80
	log
}

static.example.com {
	root * /static
	file_server
	log
}

# listen on custom network
http://whoami.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	reverse_proxy whoami:80
	log
}
https://whoami.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	reverse_proxy whoami:80
	log
}


# listen on custom network
http://static.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	root * /static
	file_server
	log
}
https://static.example.com {
	bind 0.0.0.0 [::1] {
		protocols h1
	}
	root * /static
	file_server
	log
}

the difference: on the custom network, all entries are doubled: one for http and one for https. Is this elegant? no. does it work? for me it does.

[eriksjolund]

Thanks for the investigation.
It also seems to work when using

	protocols h1 h2 h3

I added it here #57