Caddy: Difference between revisions

Caddy (view source)

Revision as of 14:51, 8 July 2023

595 bytes added , 8 July 2023

Simplify curl check and add explanation for https

VisualWikitext

Anonymous user

imported>Malteneuss

@@ Line 17: / Line 17: @@
 This snippet will let Caddy respond on <code>http://localhost</code> and <code>https://localhost</code> with a dummy text "Hello world!". When no port is mentioned on virtualhost like just <code>localhost</code> instead of <code>localhost:8080</code>, Caddy listens on <code>80</code> and <code>443</code> by default and redirects requests from port 80 (unsecured) to 443 (secured).
-==== Check connection ====
+==== Check http connection ====
-You can use <code>curl</code> to test the http(s) connections:
+You can use <code>curl</code> to test the http connections:
 <syntaxhighlight lang="bash">
 $ curl localhost -i -L -k
 HTTP/1.1 308 Permanent Redirect
-Connection: close
 Location: https://localhost/
-Server: Caddy
+..
-date: Sat, 08 Jul 2023 11:56:05 GMT
-Content-Length: 0
 HTTP/2 200
 alt-svc: h3=":443"; ma=2592000
 content-type: text/plain; charset=utf-8
-server: Caddy
+...
-content-length: 15
-date: Sat, 08 Jul 2023 11:56:05 GMT
 Hello, world!
@@ Line 42: / Line 37: @@
 Here you can see that Caddy automatically redirects from an unsecure http://localhost to a secure https://localhost call.
 For local addresses like "localhost" Caddy always generates and uses a self-signed certificate, which curl correctly doesn't trust; use the <code>-k</code> flag to ignore that.
+==== Check http(s) connection ====
+When virtualhost and "real" host aren't the same it gets complicated with HTTPS, so the following curl command works:
+<syntaxhighlight lang="bash">
+$ curl --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k
+Hello, world!
+</syntaxhighlight>
+Curl will set <code>Host</code> header and TLS <code>SNI</> in the request to <code><virtualhost></code> as desired by Caddy, but will make the actual request against the <code><realhost></code>, e.g. a load-balancer or ingress-controller.
+Alternatively with http and automatic redirects to https you can extend that call:
+<syntaxhighlight lang="bash">
+$ curl --connect-to <virtualhost>:80:<realhost>:80 --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k -L
+Hello, world!
+</syntaxhighlight>
+* [https://curl.se/docs/manpage.html#--connect-to curl connect-to documentation]
+* [https://www.claudiokuenzler.com/blog/693/curious-case-of-curl-ssl-tls-sni-http-host-header Curl on HTTPS, SNI, Host]
+* [https://github.com/caddyserver/caddy/issues/2656#issuecomment-1627342466 curl to Caddy over HTTPS]
 == Typical configurations ==
@@ Line 133: / Line 150: @@
 The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that our virtualhost config was used.
-=== Virtualhost and connection host not the same ====
+=== Virtualhost and real host not identical ===
 When you connect to Caddy must ensure that the "Host" header matches the virtualhost entry of Caddy. For example, when testing locally a config like
@@ Line 158: / Line 175: @@
 Above you also see the redirect from http://localhost to https://example.org; Caddy always redirects from the unsecure to the secure port of your virtualhost.
-Altenatively, you can run it with curl's <code>--connnect-to</code> option
-<syntaxhighlight lang="bash">
-$ curl --connect-to localhost:443:example.org:443 https://localhost -i -k
-HTTP/2 200
-alt-svc: h3=":443"; ma=2592000
-content-type: text/plain; charset=utf-8
-server: Caddy
-content-length: 15
-date: Sat, 08 Jul 2023 13:54:22 GMT
-Hello, world!
-</syntaxhighlight>
 If the response is empty, try setting a port number like 80 and/or try a local TLS security certificate instead of global LetsEncrypt: