Reverse Proxy
Because our single public IP can expose ports 80 and 443 only once, all HTTPS traffic has to arrive at one host and be directed from there to the respective applications. We accomplish this with a reverse proxy, using Caddy as the web server, which makes the whole thing laughably easy: Caddy terminates TLS (obtaining the certificates itself) and forwards each request to the internal service by hostname.
The reverse proxy needs only one directive in the Caddyfile:
reverse_proxy {host}:{port}
Adding a new domain
Adding a new domain/service to the reverse proxy is as simple as adding a new site block to the Caddyfile. Open the Caddyfile (usually located at /root/Caddyfile) and add the following template (or something similar):
{subdomain}.falken-niedersachsen.de {
    reverse_proxy https://{IP of the VM the service is running on}:{port}
    # Optional: add logging for this service. Be sure to log as little as possible and mention it in the privacy policy.
    log {
        output file /var/log/caddy/{subdomain}.log {
            roll_keep_for 2d
        }
        format json
        level WARN
    }
    handle_errors {
        respond "{http.error.status_code} {http.error.status_text}"
    }
}
Note
This should work out of the box for *.falken-niedersachsen.de, because there is a wildcard entry in the DNS zone. For other domains you might need to create a new entry for the subdomain in the zone, pointing to the server's IP (or DynDNS name). Caddy can only obtain a certificate for a name once that name resolves to this server.
Also, if you want to use https on the upstream, make sure Caddy trusts any self-signed certificate the service uses (by configuring it as a trusted CA certificate for that upstream). Otherwise the TLS handshake to the upstream fails and the site only returns errors. Do not work around this by disabling certificate verification.
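A site block with an HTTPS upstream that presents a self-signed certificate, as an added example that is not part of the original page. The subdomain, the upstream address, the PEM path and the `svc.internal` name are placeholders. `tls_trusted_ca_certs` and `tls_server_name` are options of Caddy's `transport http` block (recent Caddy versions also offer `tls_trust_pool` for the same purpose); the commented-out `tls_insecure_skip_verify` is shown only as the setting to avoid:

```caddyfile
# Added example: upstream speaks HTTPS with a self-signed certificate.
svc.falken-niedersachsen.de {
	reverse_proxy https://10.0.0.5:8443 {
		transport http {
			# Trust exactly the service's own (self-signed) certificate, or the
			# internal CA that issued it, and nothing else. Export it from the
			# service once and store it here (placeholder path).
			tls_trusted_ca_certs /etc/caddy/upstream-certs/svc.pem
			# Only needed if the certificate was issued for a name rather than
			# for the IP above: Caddy sends this as SNI and verifies the
			# certificate against it.
			tls_server_name svc.internal
		}
	}

	# Weak alternative, do NOT use: any host answering on 10.0.0.5:8443 (or an
	# attacker on the path to it) would be accepted, so the upstream TLS is
	# only encryption without authentication.
	#	transport http {
	#		tls_insecure_skip_verify
	#	}
}
```

The same trust configuration can be repeated per site; each upstream gets its own PEM file, so revoking or rotating one service's certificate never affects the others.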
Apply the new config by running:
[root@reverse-proxy: ~] $ caddy reload --config /root/Caddyfile
Warning
Make sure the Caddyfile you apply contains all site blocks that are currently being served: a reload replaces Caddy's complete running configuration, so any site missing from the file stops being proxied the moment the new config is loaded. If you are unsure what is running, fetch the live config from the admin API, which listens over plain HTTP on localhost (default port 2019): curl -s http://localhost:2019/config/ | jq '.apps.http.servers'. The admin API is unauthenticated, so it must stay bound to localhost.
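A pre-reload check that does what the warning above asks for, as an added example that is not part of the original page or of Caddy itself. It lists the host to upstream pairs a config proxies and refuses when the running instance serves a host that the new Caddyfile would drop. Assumptions not taken from the page: the admin API is at Caddy's default http://localhost:2019, the Caddyfile lives at /root/Caddyfile, `caddy` is on PATH, and the two embedded configs (placeholder subdomains and addresses) are constructed samples shaped like the output of `caddy adapt`:

```python
#!/usr/bin/env python3
"""Pre-reload check for the Caddy reverse proxy (added example, not from the page).

Lists the host -> upstream pairs a Caddy JSON config proxies and reports hosts
that the running instance serves but a candidate Caddyfile no longer does.
Assumptions (not from the page): admin API on http://localhost:2019, Caddyfile
at /root/Caddyfile, `caddy` on PATH.
"""
import json
import subprocess
import sys
import urllib.request

ADMIN_URL = "http://localhost:2019/config/"  # Caddy's default admin endpoint, plain HTTP
CADDYFILE = "/root/Caddyfile"               # location used elsewhere on this page


def reverse_proxies(config):
    """Map each host to the upstream dial addresses its reverse_proxy handler uses.

    Walks apps.http.servers.*.routes recursively, so the nested `subroute` that
    the Caddyfile adapter emits for every site block is handled as well.
    """
    found = {}

    def walk(routes, inherited_hosts):
        for route in routes:
            hosts = inherited_hosts
            for matcher in route.get("match", []):
                if "host" in matcher:        # a host matcher narrows this route
                    hosts = matcher["host"]
            for handler in route.get("handle", []):
                kind = handler.get("handler")
                if kind == "subroute":
                    walk(handler.get("routes", []), hosts)
                elif kind == "reverse_proxy":
                    dials = [up.get("dial", "?") for up in handler.get("upstreams", [])]
                    for host in hosts or ["*"]:  # no host matcher at all: catch-all site
                        found.setdefault(host, []).extend(dials)

    servers = config.get("apps", {}).get("http", {}).get("servers", {})
    for server in servers.values():
        walk(server.get("routes", []), [])
    return found


def hosts_dropped_by(running, candidate):
    """Hosts proxied by `running` that `candidate` no longer proxies."""
    return sorted(set(reverse_proxies(running)) - set(reverse_proxies(candidate)))


def running_config():
    """Fetch the live config from the (unauthenticated, localhost-only) admin API."""
    with urllib.request.urlopen(ADMIN_URL, timeout=5) as resp:
        return json.load(resp)


def adapted_config(caddyfile):
    """JSON that a reload would load from the Caddyfile, computed without applying it."""
    proc = subprocess.run(
        ["caddy", "adapt", "--config", caddyfile, "--adapter", "caddyfile"],
        check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def _site(host, dial):
    """One site block laid out the way the Caddyfile adapter emits it (constructed sample)."""
    return {"match": [{"host": [host]}], "terminal": True,
            "handle": [{"handler": "subroute", "routes": [{"handle": [
                {"handler": "reverse_proxy", "upstreams": [{"dial": dial}]}]}]}]}


def _config(*sites):
    return {"apps": {"http": {"servers": {"srv0": {"listen": [":443"], "routes": list(sites)}}}}}


# Constructed samples (placeholder subdomains and addresses): the running
# instance serves two sites, the edited Caddyfile only keeps the first one.
SAMPLE_RUNNING = _config(_site("svc1.falken-niedersachsen.de", "10.0.0.11:8080"),
                         _site("svc2.falken-niedersachsen.de", "10.0.0.12:8443"))
SAMPLE_NEW = _config(_site("svc1.falken-niedersachsen.de", "10.0.0.11:8080"))


def main(argv):
    if argv[1:] == ["--demo"]:           # offline run against the constructed samples
        running, candidate = SAMPLE_RUNNING, SAMPLE_NEW
    else:
        running = running_config()
        candidate = adapted_config(argv[1] if len(argv) > 1 else CADDYFILE)
    for host, dials in sorted(reverse_proxies(candidate).items()):
        print(f"{host} -> {', '.join(dials)}")
    dropped = hosts_dropped_by(running, candidate)
    if dropped:
        print("refusing: reload would drop", ", ".join(dropped), file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Chain it with the reload so the new config is only applied when nothing disappears, e.g. `python3 caddy-check.py && caddy reload --config /root/Caddyfile`; `python3 caddy-check.py --demo` runs the comparison offline on the embedded samples and exits 1 because the second site would be dropped.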
Caddy Setup
This documents the setup of the reverse proxy container. First, install Caddy from its apt repository as described in the Caddy documentation (the commands below are what was run; note that apt-key is deprecated on current Debian releases, and the current Caddy install instructions instead dearmor the key into a keyring under /usr/share/keyrings/ that the downloaded sources list references):
[root@reverse-proxy: ~] $ apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
[root@reverse-proxy: ~] $ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/cfg/gpg/gpg.155B6D79CA56EA34.key' | sudo apt-key add -
[root@reverse-proxy: ~] $ curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/cfg/setup/config.deb.txt?distro=debian&version=any-version' | tee -a /etc/apt/sources.list.d/caddy-stable.list
[root@reverse-proxy: ~] $ apt update
[root@reverse-proxy: ~] $ apt install caddy jq # jq is just a useful tool for analysing json in the console
Since we configure Caddy via the API only, switch from the caddy service (which loads /etc/caddy/Caddyfile at start) to the caddy-api service, which starts with an empty config and resumes the last configuration pushed through the API from Caddy's autosave file, so a pushed config survives restarts and reboots:
[root@reverse-proxy: ~] $ systemctl disable caddy
[root@reverse-proxy: ~] $ systemctl enable caddy-api
[root@reverse-proxy: ~] $ systemctl stop caddy
[root@reverse-proxy: ~] $ systemctl start caddy-api
Then, create the Caddyfile (its location doesn't matter, currently we use /root/Caddyfile for convenience) and load it. Pass the path explicitly, because without --config the command only looks for a Caddyfile in the current working directory:
[root@reverse-proxy: ~] $ caddy reload --config /root/Caddyfile