
How do I use the host machine's PKI certificates in podman or docker from a caddy reverse proxy to HTTPS upstream services?

In caddy, when I disable auto_https and set the tls cert and key to those on the host machine, and have my upstream app(s) use the same certificates, I keep getting an error that says tls: bad certificate. This works in NGINX, and I have attempted to replicate what I am doing in NGINX, but to no avail. Please note that I do not have the authority to change the way the certificates are managed. We are on a corporate enclave, and we need to use their official PKI. Even if I could get permission to use the certs on the overlay services network, where they would be isolated, the services still have to call out to other services on the enclave network, and there is no way that I could get the other services to trust certificates that my Caddy instance manages. So, if you would, please focus the discussion on what I might be doing wrong with my provided certs and configuration.

I have tried all of the options I could find in the documentation that I thought might possibly alter the behavior. My current approach can be cloned from my github repository and you can run it if you have a machine with podman running. The Caddyfile shows my approach:

{
    debug
    auto_https off
    ocsp_stapling off
}

:8443 {
    tls /certs/test.crt /certs/test.key
    handle /greeting-service/* {
        reverse_proxy https://greeting-service:8443 {
            header_up Host                   {env.OUTER_HOST}
            transport http {
                tls_insecure_skip_verify
                tls_server_name              {env.OUTER_HOST}
                tls_trusted_ca_certs         /certs/trust.pem
                tls_client_auth              /certs/test.crt /certs/test.key
            }
        }
    }
}

I have also tried to set the host header to {upstream_hostport}, but my results were the same. Thanks in advance for anyone who can point me in a better direction.

It turns out that I was signing the cert with the CA cert, and then immediately overwriting it by self-signing it. When I fixed that, things appeared to work better. Then I played around with some options, and found the winning/working configuration:

{
    debug
    auto_https off
    ocsp_stapling off
}

:8443 {
    tls /certs/test.crt /certs/test.key {
        client_auth {
            mode                   require_and_verify
            trusted_ca_cert_file   /certs/trust.pem
        }
    }
    handle /greeting-service/* {
        reverse_proxy https://greeting-service:8443 {
            header_up Host                   {$OUTER_HOST}
            transport http {
                tls_server_name              {$OUTER_HOST}
                tls_trusted_ca_certs         /certs/trust.pem
                tls_client_auth              /certs/test.crt /certs/test.key
            }
        }
    }
}
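The root cause in the answer above was a certificate-generation mistake, not a Caddy setting: the CA-signed leaf was overwritten by a self-signed certificate for the same key, so neither Caddy's tls_trusted_ca_certs check on the upstream nor the upstream's verification of Caddy's client certificate could chain test.crt to trust.pem. The following shell script is an added example, not code from the post or its repository. It builds a constructed test CA (a stand-in for the enclave PKI), reproduces the overwrite, and shows the two openssl checks that catch it before any container is started. It assumes openssl is installed; every name and path in it is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the "CA-signed leaf
# overwritten by a self-signed one" mistake and the checks that detect it.
# Assumes openssl is on PATH. All file names below are constructed here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca: constructed private test CA standing in for the enclave PKI.
# trust.pem plays the role of the file given to tls_trusted_ca_certs and
# trusted_ca_cert_file in the Caddyfile.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Test Root CA" \
        -keyout "$WORK/ca.key" -out "$WORK/trust.pem" >/dev/null 2>&1
}

# make_leaf: service key + CSR, signed by the test CA (the correct step).
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=greeting-service" \
        -keyout "$WORK/test.key" -out "$WORK/test.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/test.csr" \
        -CA "$WORK/trust.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/test.crt" >/dev/null 2>&1
}

# overwrite_self_signed: the bug from the post. A later step re-issues
# test.crt as a self-signed certificate for the same key, silently
# discarding the CA signature.
overwrite_self_signed() {
    openssl req -x509 -key "$WORK/test.key" -days 1 \
        -subj "/CN=greeting-service" -out "$WORK/test.crt" >/dev/null 2>&1
}

# chain_ok: returns 0 only when test.crt chains to trust.pem. This is the
# same relationship Caddy verifies for the upstream's server certificate
# (tls_trusted_ca_certs) and for the presented client certificate
# (client_auth ... require_and_verify). A failure here is the offline
# equivalent of "tls: bad certificate".
chain_ok() {
    openssl verify -CAfile "$WORK/trust.pem" "$WORK/test.crt" >/dev/null 2>&1
}

# is_self_signed: quick diagnostic. Issuer equal to subject means nobody
# but the leaf itself vouches for it, so no trust store will accept it.
is_self_signed() {
    issuer=$(openssl x509 -in "$WORK/test.crt" -noout -issuer)
    subject=$(openssl x509 -in "$WORK/test.crt" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# report: human-readable verdict for one state of test.crt.
report() {
    if chain_ok; then
        echo "$1: test.crt chains to trust.pem (OK)"
    else
        echo "$1: test.crt does NOT chain to trust.pem (expect tls: bad certificate)"
    fi
    if is_self_signed; then
        echo "$1: issuer == subject, certificate is self-signed"
    fi
}

# demo: correct issuance, then the overwrite, then the fix (re-issue).
demo() {
    make_ca
    make_leaf
    report "after CA signing"
    overwrite_self_signed
    report "after self-signed overwrite"
    make_leaf
    report "after re-issuing from the CA"
}

demo
```

Run the script as-is; the middle report is the broken state the question describes, and the last one is the state the working Caddyfile requires. The same two checks (openssl verify against the trust bundle, and issuer versus subject) apply unchanged to certificates issued by a real corporate PKI, so they are a good first step whenever a reverse proxy reports a bad certificate from an upstream that "uses the same certs".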
