Looking to understand what is needed from a firewall perspective to expose ports 80 and 443 so I may use my Cloudflare domain within my docker network and various docker containers. My current approach is to use this project, caddy-docker-proxy, with some additional plugins found here.
The ultimate goal is to use the domain with wildcards so that any container connected to this "caddy" network would be able to resolve URLs, like app1.mydomain.com. I've asked this question on the caddy-docker-proxy GitHub repo, and was provided a response to expose ports 80 and 443. I tried altering my firewall rules and port forwarding as follows. The internal 192.x.x.x is the internal machine hosting all the various docker containers and networks.
config redirect
    option name 'HTTP-Forward'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.x.x.x'
    option dest_port '80'
    option target 'lan'
    option proto 'tcp'
    option enabled '1'

config redirect
    option name 'HTTPS-Forward'
    option src 'wan'
    option src_dport '443'
    option dest 'lan'
    option dest_ip '192.x.x.x'
    option dest_port '443'
    option target 'lan'
    option proto 'tcp'
    option enabled '1'
Even after making these changes, letsdebug.net was still reporting errors and any attempt to connect to a URL resulted in connection refused errors.
I changed the redirect and added two rules, one each for HTTP and HTTPS. Now, with my docker-compose.yml labels updated, I can land on the page, but it says 'not secure'. However, inspecting the certificate in the browser says it's valid. Mobile browser shows it as valid as well.
I guess I'm still a little unsure of how secure this is. The debug test with TLS-ALPN-01 is green with an "All OK!"
The test with HTTP-01 shows 403, which makes sense because we need to provide authentication.
UnexpectedHttpResponse
Warning
Sending an ACME HTTP validation request to app1.mydomain.com results in unexpected HTTP response 403 Forbidden. This indicates that the webserver is misconfigured or misbehaving.
403 Forbidden
Forbidden
Trace:
@0ms: Making a request to http://app1.mydomain.com/.well-known/acme-challenge/letsdebug-test (using initial my public IP)
@0ms: Dialing my public IP
@275ms: Server response: HTTP 308 Permanent Redirect
@275ms: Received redirect to app1.mydomain.com/.well-known/acme-challenge/letsdebug-test
@275ms: Dialing my public IP
@692ms: Server response: HTTP 403 Forbidden
test with TLS-ALPN-01
All OK!
OK
No issues were found with adguard.itsacomputer.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.
Issued To
Common Name (CN) app1.mydomain.com
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>
Issued By
Common Name (CN) E5
Organization (O) Let's Encrypt
Organizational Unit (OU) <Not Part Of Certificate>
/etc/config/firewall
config redirect
    option name 'HTTP-Forward'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.x.x.x'
    option dest_port '80'
    option target 'DNAT'
    option proto 'tcp'

config redirect
    option name 'HTTPS-Forward'
    option src 'wan'
    option src_dport '443'
    option dest 'lan'
    option dest_ip '192.x.x.x'
    option dest_port '443'
    option target 'DNAT'
    option proto 'tcp'

config rule
    option name 'Allow-HTTP-openwrt-help'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option target 'ACCEPT'

config rule
    option name 'Allow-HTTPS-openwrt-help'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
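Added example, not from this thread or the OpenWrt project: a small Python linter for UCI firewall text that flags the two things visible in the configs above, a redirect whose target is not DNAT/SNAT (the first attempt used 'lan') and an ACCEPT rule with src 'wan' and no dest, which applies to traffic addressed to the router itself rather than the forwarded traffic. The sample config is constructed here; the 192.0.2.10 address is an RFC 5737 documentation address standing in for the redacted 192.x.x.x.

```python
import re

# Constructed sample: the thread's first redirect (target 'lan') and the later wan ACCEPT rule.
SAMPLE = """\
config redirect
    option name 'HTTP-Forward'
    option src 'wan'
    option src_dport '80'
    option dest 'lan'
    option dest_ip '192.0.2.10'
    option dest_port '80'
    option target 'lan'
    option proto 'tcp'
config rule
    option name 'Allow-HTTP-openwrt-help'
    option src 'wan'
    option proto 'tcp'
    option dest_port '80'
    option target 'ACCEPT'
"""

def parse_uci(text):
    # Minimal UCI reader: "config <type>" starts a section, "option k 'v'" fills it.
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        sec = re.match(r"config\s+(\w+)", line)
        if sec:
            sections.append({"type": sec.group(1), "options": {}})
            continue
        opt = re.match(r"option\s+(\w+)\s+'([^']*)'", line)
        if opt and sections:
            sections[-1]["options"][opt.group(1)] = opt.group(2)
    return sections

def lint_firewall(text):
    """Return findings for the two mistakes seen in this thread."""
    findings = []
    for sec in parse_uci(text):
        o = sec["options"]
        name = o.get("name", "<unnamed>")
        if sec["type"] == "redirect":
            target = o.get("target", "DNAT")  # fw3/fw4 default when omitted
            if target not in ("DNAT", "SNAT"):
                findings.append(f"{name}: redirect target {target!r} is not DNAT or SNAT")
        elif sec["type"] == "rule" and o.get("src") == "wan" and "dest" not in o:
            if o.get("target") == "ACCEPT":
                findings.append(f"{name}: ACCEPT from wan with no dest opens port "
                                f"{o.get('dest_port')} on the router itself; the DNAT redirect already allows forwarding")
    return findings
```

Run `lint_firewall(SAMPLE)` to get both findings; a redirect with target 'DNAT' and dest 'lan' alone produces none, because OpenWrt generates the matching forward accept for the redirect itself.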
Seems it was. Before I only had the mydomain.com *. Now we don't have the "Not Secure" warning. I think my last question would be if there is a way to modify the OpenWRT firewall rules or redirects just to allow the ACME DNS challenge to be successful, but restrict the ports from being open and accessible from the internet? I guess that's where I was before, but I'm curious.
dynamic_dns {
    provider cloudflare {env.api_token}
    domains {
        mydomain.com *
        mydomain.com @   # added as per the suggestion from support at caddy-docker-proxy
    }
}