reverse_proxy | Terraform demo - incrementally replace | Infrastructure Automation library

What I'm trying to do

Host a Taskwarrior Server on an AWS EC2 instance, and connect to it via a subdomain (e.g. task.mydomain.dev).

Taskwarrior server operates on port 53589.

Tech involved

• AWS EC2: the server (Ubuntu)
• Caddy Server: for creating a reverse proxy for each app on the EC2 instance
• Docker (docker-compose): for launching apps, including the Caddy Server and the Taskwarrior server
• Cloudflare: DNS hosting and SSL certificates

How I've tried to do this

I have:

• allowed incoming connections for ports 22, 80, 443 and 53589 in the instance's security policy
• given the EC2 instance an elastic IP
• setup the DNS records (task.mydomain.dev is CNAME'd to mydomain.dev, mydomain.dev has an A record pointing to the elastic IP)
• used Caddy server to setup a reverse proxy on port 53589 for task.mydomain.dev
• setup the Taskwarrior server as per instructions (i.e. certificates created; user and organisation created; taskrc file updated with cert, auth and server info; etc)

Config files

/opt/task/docker-compose.yml

I am trying an experiment to bring up a Drupal 7 installation in Repo authoritative mode under HHVM 3.21 (which still supported PHP - latest version does not). (May sound crazy, but bear with me here.) Server is Ubuntu 18.04 running apache2 with mod_proxy, mod_proxy_fcgi. I am new to HHVM, so I have probably made an obvious mistake.

I started with an index.php "hello world" to ensure that I had the general configuration working. That works fine, regardless of the contents of /var/www/html/index.php (per https://docs.hhvm.com/hhvm/advanced-usage/repo-authoritative)

I am using hhvm --hphp -thhbc -o /var/cache/hhvm file_list.txt to create the repo, which is then chown'ed to www-data. (The same file I copy to /var/www/.hhvm.hhbc, since it seems that the server wants a copy there... this question I will solve later...)

Problem #1: I have left the entire file tree in place in /var/www/html, but mod_rewrite is not working correctly. I can use the site without problems if I use the "unpretty" URLs (?q=admin/config), but not rewritten URLs.

Problem #2: In principle HHVM in repo authoritative mode should be able to serve the entire image from the repo file if only the index.php is in place or if I specify hhvm.server.allowed_files[] = index.php, but when I try this, the server 404's.

What follows is a ton of relevant info from config files. I am happy to add more information as needed to assist with finding my error/omission, in case I have forgotten anything here. Thank you for reading this far!

/etc/hhvm/server.ini:

I have been trying to setup custom CDN using Caddy and varnish. The idea is to generate on demand SSL certificate and then pass it to varnish which further sends it to the backend server which is a nodejs application. If the request matches then varnish returns the cache results otherwise fetches new data. The working is described in the diagram flow diagram

Here are the respective files: docker-compose.yml

I have three Docker containers: a backend, a frontend and an nginx container that handle requests. When I run it on my computer (windows laptop with docker engine), everything works perfectly. I can see the call are made in the logs of the containers:

I know this question has been asked many times:

1. Caddy - How to disable https only for one domain
2. Disable caddy ssl to enable a deploy to Cloud Run through Gitlab CI
3. Caddy - Setting HTTPS on local domain
4. How can I disable TLS when running from Docker?
5. How to serve both http and https with Caddy?

but here is my problem.

I created a new Api Platform project following their documentation.

The easiest and most powerful way to get started is to download the API Platform distribution

I downloaded the release 2.5.6 in which we can find:

• a docker-compose
• a Dockerfile
• a Caddyfile
• and many others files.

I slightly change the docker compose file by removing the pwa service and PostgreSQL:

I am running an identity server from duende behind a caddy reverse proxy and both are running in a docer container. I also run a blazor server app in another container where I want to authenticate. Locally this is working fine, but when I run them behind the proxy, the .well-known/openid-configuration delivers http:// endpoints and therefore the blazor app can not authenticate, because it does not allow authentication through http. The http is between caddy and the identity server. As this is running on a machine and is not crossing the evil net, I thought that might be ok. I think what I need to do is, generate a certificate for the identityserver and proxy via https instead of http. But I also do not want to generate certs by hand all the time or keep an eye out for that. A UseHttpsRedirect() in the startup made my service unavailable for caddy and just simply running it on 443 without a certificate also broke the call between caddy and the indentity server. I also found a tip where I could set the IssuerUri to https in the options, but this does not affect the other endpoints and therefore I still can not authenticate, because in the openid config there are still http endpoints (except the issuer)

Does anybody have an idea how I could do that and not create the certs by hand?

caddyfile:

I wanted to try out Caddy in a docker environment but it does not seem to be able to connect to other containers. I created a network "caddy" and want to run a portainer alongside it. If I go into the volume of caddy, I can see, that there are certs generated, so that seems to work. Also portainer is running and accessible via the Server IP (http://65.21.139.246:1000/). But when I access via the url: https://smallhetzi.fading-flame.com/ I get a 502 and in the log of caddy I can see this message:

I got trouble using Caddy v2, while in v1 I never have such trouble

I want to prioritize:

I am trying to deploy a web app with two podman containers. One is running gunicorn and the other runs a web server as a reverse proxy.

However, the communication between the containers is only successfull if I run them on the host with root. Is there a way around this?

Here is an example without root (which returns an empty IP Address):