Docker-compose.yaml with ziti simple start and caddy for reverse proxy https

I wanted to share the small changes I made in the 'docker-compose.yaml' for the simplified quickstart. I added a reverse proxy for the ZAC... I hate (HATE) typing thisisunsafe almost as much as I hate clicking to continue. Caddy is a dead simple HTTP server with automatic encryption, and it works great as a quick reverse proxy.

Hopefully, this helps someone looking for OpenZiti and reverse proxy or Caddy (or even Traefik and NGINX in the interest of keyword stuffing).

  1. First, I want all the docker volumes in the same folder as the docker-compose.yaml file. To that end, I run :%s/ziti-fs:/.\/ziti-fs:/g in vi|vim|nvim to redirect all filesystems to a common folder. (I think it's all one folder already).
  2. I then chmod 777 ziti-fs (currently 777 until I figure out what permissions it actually needs) to make it writable to the containers.
  3. I then mkdir caddy and upload a Caddyfile with the contents below.
     • Note that Caddy is looking at the docker network, so 127.0.0.1 is Caddy itself, not the docker host, so use the container names.
  4. I then add the following block of code to the docker-compose.yaml file to add the caddy container.

  caddy:
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy/data/:/data/
      - ./caddy/config/:/config/
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
    networks:
      - ziti
...

The Caddyfile:

{
  email me@mydomain.com
}
ziti.mydomain.com {
  reverse_proxy https://ziti-ziti-console-1:8443 {
    transport http {
      tls
      tls_insecure_skip_verify
    }
  }
}

I use the following permissions. This is working > v0.29.0. Looks like the user inside the container changed with 0.29.0.

- name: Creates directory
  file:
    # the Jinja expression must be quoted, otherwise YAML reads "{{" as a flow mapping
    path: "{{ ziti_home_dir }}/ziti-fs"
    state: directory
    owner: 2171
    group: 2171
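A way to answer the "what permissions does it actually need" question from step 2 of the first post, as an added check that is not code from the thread or from the quickstart: it applies the POSIX owner/group/other rule to a directory's real owner and mode bits and reports whether the container user could write it. UID/GID 2171 is taken from the Ansible task above; the 750 target mode and the `ziti-fs-` temp-dir prefix are my assumptions.

```python
"""Does the container user need 777 on ziti-fs? Apply the POSIX permission
rule to the directory's real owner/mode and plan the minimal fix.

Added example, not code from the thread or the quickstart. UID/GID 2171 come
from the Ansible task in the thread (quickstart >= 0.29.0); the 750 target
mode is an assumption (owner 2171 rwx, group 2171 read/traverse, nobody else).
"""
import os
import stat
import tempfile

CONTAINER_UID = 2171
CONTAINER_GID = 2171


def can_write(path, uid=CONTAINER_UID, gid=CONTAINER_GID):
    """True if a process running as uid/gid could create files inside `path`.

    POSIX picks exactly one class by identity (owner, else group, else other)
    and uses only that class's bits; a directory needs both w and x to create
    entries. Root is deliberately not special-cased: the question is what the
    unprivileged container user can do.
    """
    st = os.stat(path)
    if st.st_uid == uid:
        shift = 6
    elif st.st_gid == gid:
        shift = 3
    else:
        shift = 0
    bits = (st.st_mode >> shift) & 0o7
    needed = 0o3 if stat.S_ISDIR(st.st_mode) else 0o2  # dir: w+x, file: w
    return (bits & needed) == needed


def least_privilege_plan(path, uid=CONTAINER_UID, gid=CONTAINER_GID, mode=0o750):
    """Shell commands that give the container user write access without mode 777."""
    st = os.stat(path)
    plan = []
    if (st.st_uid, st.st_gid) != (uid, gid):
        plan.append(f"chown -R {uid}:{gid} {path}")
    if stat.S_IMODE(st.st_mode) != mode:
        plan.append(f"chmod {mode:o} {path}")
    return plan


def demo():
    """Constructed demo on a throwaway directory: 777 vs 750 as seen by 2171."""
    d = tempfile.mkdtemp(prefix="ziti-fs-")
    try:
        st = os.stat(d)
        result = {
            "uid_is_container": st.st_uid == CONTAINER_UID,
            "ids_match": (st.st_uid, st.st_gid) == (CONTAINER_UID, CONTAINER_GID),
        }
        os.chmod(d, 0o777)
        result["wide_open"] = can_write(d)   # True for everyone, which is the problem
        os.chmod(d, 0o750)
        result["after_750"] = can_write(d)   # True only once 2171 owns the directory
        result["plan"] = least_privilege_plan(d)
        return result
    finally:
        os.rmdir(d)


if __name__ == "__main__":
    print(demo())
```

Run `can_write("./ziti-fs")` on the real volume directory before and after the chown; once 2171 owns it, 750 is enough for the containers and the host-wide write bit can go. Note that chown to 2171 means the host user you run compose as will need root (or membership in group 2171 with a 770 mode) to edit those files.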

Thanks so much for sharing. Is caddy somehow obtaining or using a cert from something like LetsEncrypt? How are you avoiding the dreaded scary browser messages (thisisunsafe/continue) otherwise? I feel like I'm missing something. :slight_smile:

Another option we often use as a demo is to use http ZAC (non tls) but only surface the ZAC http port (which defaults to 1408) via an OpenZiti service. That's another avenue that's potentially acceptable. I'm interested in what and how you're using Caddy though. We also have a "zitified caddy" out there if that sounds interesting.

Caddy isn't that different from other HTTP servers; they use ACME for certs from ZeroSSL. I believe ZeroSSL, which supports ACME, doesn't have rate-limits like LetsEncrypt does. It's written in Go, so it's fast!


Caddy isn't designed as a reverse-proxy, it is an HTTP server first, but has solid proxy capabilities. It works inside the docker network... so your backend can be completely dark.

My workflow is this:

  1. I get the backend service working with whatever port it specifies
  2. I add the caddy container and the simplest possible Caddyfile
  3. Once the service is working over Caddy, I remove the port exposure on the container (or close the port in the security group).
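Step 3 of this workflow (and step 4 of the first post) is the one that is easy to forget: the backend only goes "dark" once its `ports:` entry is gone. The following is an added check, not code from the thread or the quickstart, that reads a compose file and lists every non-proxy service still publishing a port on a non-loopback host address. It understands only the short `"host:container"` port syntax, and the sample compose text (service and image names) is constructed for the demo.

```python
"""Lint a docker-compose file for backend services that still publish host ports.

Added example, not code from the thread or the quickstart. Only the short
`ports:` syntax ("host:container" strings) is handled by this small
indentation-based reader; it is not a full YAML parser.
"""

# Constructed sample (not the quickstart's real file): the console still
# publishes 8443 on every host interface even though caddy now fronts it.
SAMPLE_COMPOSE = """\
services:
  caddy:
    image: caddy:latest
    ports:
      - "80:80"
      - "443:443"
    networks:
      - ziti
  ziti-console:
    image: console-image-placeholder
    ports:
      - "8443:8443"
    networks:
      - ziti
  ziti-controller:
    image: controller-image-placeholder
    networks:
      - ziti
"""


def published_ports(compose_text):
    """Return {service: [port mapping strings]} from the short `ports:` syntax."""
    result = {}
    in_services = False
    service = None
    in_ports = False
    for raw in compose_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                      # top-level key: services:, networks:, volumes:
            in_services = stripped == "services:"
            service, in_ports = None, False
            continue
        if not in_services:
            continue
        if indent == 2 and stripped.endswith(":"):   # a service name
            service = stripped[:-1]
            result.setdefault(service, [])
            in_ports = False
            continue
        if service is None:
            continue
        if indent == 4:                      # a key inside the service
            in_ports = stripped == "ports:"
            continue
        if in_ports and indent >= 6 and stripped.startswith("- "):
            result[service].append(stripped[2:].strip().strip("'\""))
    return result


def is_loopback_bound(mapping):
    """True for "127.0.0.1:8443:8443"-style mappings, reachable only from the host itself."""
    host = mapping.split("/")[0].rsplit(":", 2)[0] if mapping.count(":") >= 2 else ""
    return host.startswith("127.") or host in ("localhost", "[::1]")


def exposed_backends(compose_text, proxy_services=("caddy",)):
    """Non-proxy services that publish a port on a non-loopback host address."""
    findings = {}
    for svc, ports in published_ports(compose_text).items():
        if svc in proxy_services:
            continue
        external = [p for p in ports if not is_loopback_bound(p)]
        if external:
            findings[svc] = external
    return findings


if __name__ == "__main__":
    for svc, ports in exposed_backends(SAMPLE_COMPOSE).items():
        print(f"{svc}: still publishes {', '.join(ports)}; "
              "drop the ports: entry now that Caddy fronts it")
```

Point it at the real file with `exposed_backends(open("docker-compose.yaml").read())`; an empty result means only Caddy is reachable from outside the docker network, which is the state the workflow above is aiming for.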

Yep, gotcha. Makes perfect sense. I filed an issue for us to support ACME v2 as well. It's just another of the long list of features to get to! :slight_smile:

Thanks for confirming your process.

It's so simple to do, even their binary has a one-liner to set up a reverse proxy.
caddy reverse-proxy --from :80 --to :443 will do it in a one-liner according to their docs.