Coder behind Reverse Proxy and Port Forwarding
Good evening everyone, just a quick question since I'm kinda stuck: Does Coder Server need any open ports besides 443 by default? 80 should only be used for Let's Encrypt but since I'm using DNS Challenge it shouldn't matter. Or am I missing something?
To clarify, my current setup is as follows:
Router with Port Forwarding -> Reverse Proxy -> Coder Server
I'm forwarding port 443 currently but I either get certificate errors or bad Gateway. According to my browser the certificate is issued by localhost in case of a certificate error.
Caddy logs show it has successfully generated new certificates for the domain and wildcard subdomain.
Bad Gateway usually happens when I try to generate the certificate on my reverse proxy already, while a straight passthrough gives me the cert error. Probably because it's forwarding using http instead?
Hope somebody has an idea.
what port is coder listening to ?
I think you should just proxy coder via http and let caddy handle the certs
Coder is listening to 3000 iirc, from the coder docs, then caddy maps it to 443.
I did try to proxy via http only, but then I get an invalid certificate, despite Caddy logs saying it got the requested certificates.
can you show me your caddy conf
http or https ?
This is the caddy file:
Just removed the token and domains
Now that's a good question, I'd have to check but iirc it is https. In my first test server I blocked all traffic despite 22 and 443 and it worked just fine. So I'm kind of at a loss here
here's your issue then
this config scares me
I don't think it can work
It's with caddy DNS Challenge, it works just like that on my other dev system
this would work
but the `file_server` directive is likely what's breaking it all
hm, that's from the coder docs and what is also working on the other system. But I'll try commenting that out
can you link me to that docs page ?
cause I don't see a way this is working
in that case I think the `file_server` directive takes over your reverse_proxy one
It's linked here: https://coder.com/docs/coder-oss/latest/admin/configure#system-packages
to: https://github.com/coder/coder/tree/main/examples/web-server/caddy
😶
oh no wait, it's not, lol
i think you just pasted it into your example caddy host
Guess it's residue from the base caddyfile then 🫠
for the record here's mine
btw, if you're using a fresh domain and it won't fetch the certs then `resolvers 1.1.1.1` is a nice tip
they update almost instantly
that's good to know, thanks.
Now let's see if it works now..
Mh, still certificate error
can you show me ?
While caddy showing
Just says
And this is the "certificate":
So it def. doesn't see the proper cert caddy just obtained
what
yeah, that's what I thought as well 😄
yeah, but ofc replaces with the proper domain
yeah
what's your conf now ?
like, the whole file
you mean coder or caddy?
Either way. Coder:
Caddy:
(I'm lazy so all the comments are still in there ^^)
oh
OOOOOOOOOH
nevermind
i got too hyped
😄
try setting only this
my idea here was that you didn't add https at the beginning of the host
but I think caddy defaults to that anyways
I'm thinking maybe since you have env variables related to TLS, coder thinks it should run in HTTP/s
Hm, unchanged.
The SSL/Cert error relates to HSTS (full message is in German, so probably no use for you ^^), so I guess it's maybe down to caddy not trusting my proxy? But I'm not sure.
nah
it only means that the given cert doesn't match your HSTS policy
are you sure caddy is the server on 443 ?
waait a second...
either that or you're getting firewalled
All I see is
No IPv4 listening...
same here though
hm yeah it's the same on the other system as well
I think even if it's listening to `[::]:80` that's fine
can you try creating a syntax error in your caddy conf and restart caddy ?
i'm not even sure caddy is loading your config at this point
Nope, instant error when trying to restart with a syntax error:
It does list my domains in the log as well as it gets the CF certificates according to the logs.
idk wtf is going on then
what's the full caddy logs (with no syntax error) ?
This is after a restart
what's in `/var/lib/caddy/.config/caddy/autosave.json` ?
how
i don't get it
Me neither... it's just so weird
are your DNS records pointing to the right server ?
actually, you can check that easily by checking if the error still occurs when you stop caddy
make sure to ctrl+shift+r
Yeah I double-checked Cloudflare.
But wait a minute, let me clear the CF cache, I did not try that yet. who knows
are you proxying via CF ?
meh, doesn't matter
nah, not yet.
Well, same error with caddy stopped. So it has to be nginx... at least in my mind
wait
hold on
are you reverse proxying a reverse proxy
It is behind a nginx reverse proxy, yes. It's in the title even 😄
well no
cause
I thought the "reverse proxy" was caddy
port forwarding is just letting some port open
so
I assumed there was only one web server
oh well ok, I see how that can be misunderstood
and you never specified nginx
so i didn't get it
okay so
show me your nginx conf then
well yeah no
that defo can't work
you have to let nginx handle the certs
So basically point nginx to :3000 on coder and let it get the certs
yes
or use caddy instead of nginx because that's less of a hassle
I've already tried forwarding https-enabled hosts (while letting their cert through) and to my knowledge it isn't possible
Haven't done much with caddy tbh, this is the first time, usually I just use nginx.
you'd need to have nginx act as a TCP proxy while still being able to see the host, notice the issue here ?
how would it know what server to ship the request to without being able to read the request
yeah, true
well, you actually made it clearer for me too as to why I couldn't do that last time
idk caddy is less hassle on the eyes imo
I'm back to bad gateway now btw 😄 Pointing nginx to :3000, no matter if http or https
but you can't have global configs, so it might be annoying
you can't just define headers for all sites
neither can you use `include`
hmm
can you show me your nginx conf then
oh wait a sec, I have it only listen on localhost:3000
Scratch that, I don't ^^
Oh F me, I got it
It was really listening to itself on :3000. So I changed it to in the coder.env file and now it works
yay!!!
Now don't forget to disable caddy 😄 Thank you for the time. This gave me a headache for far too long ^^
Marked the thread as resolved.
Marked the thread as unresolved.
rly
I guess this was resolved too early …🫠
I can login just fine and create a user, basically do everything in the WebUI, yet when I run I get So it hits my firewall somehow? It shouldn't do that, unless I missed something... Opening https://my.domain.dev/api/v2/buildinfo opens the correct page I assume. At least the output is Same goes for /api/v2/users/first which returns Ok wait, I think I know what this is. I can login from my local system so probably down to hairpin NAT or something like that. Edit: Yuuup, Hairpin NAT issues. I even answered a related question in this discord just recently. 🤦♂️
Marked the thread as resolved.