Expose caddy admin 2019 #624

Open
alber70g opened this issue Jun 2, 2024 · 2 comments

@alber70g

alber70g commented Jun 2, 2024

I'm using a random domain that I want to get configured locally with https: *.local.co. I have been using http for everything, but I see that I can use locally signed certificates for it, and that seems nice with Chrome and other browsers that usually redirect to https unless the address is specifically written with http://.

To get this working so far I have this in my docker containers:

labels:
  caddy: "myserver.local.co"
  caddy.reverse_proxy: "192.168.1.3:8096"
  caddy.tls: "internal"

or

docker run -d ...
  -l 'caddy'='speedtest.local.co'
  -l 'caddy.reverse_proxy'='{{upstreams 80}}'
  -l 'caddy.tls'='internal'
...

This works nicely. I do get https connections, but at this moment it's with a banner from Chrome that this is an unsafe HTTPS connection.

I found that you can add the local authority certificate to the local trust store with the caddy command-line tool:

caddy trust --address <my-server>:2019

However, when exec-ing into the container, and running curl -L localhost:2019/config, I can see that it's only exposed to tcp/localhost:2019 and not to tcp/<my-server>:2019.

This is supposed to be set with CADDY_ADMIN env var, but when set, this doesn't apply to the config settings.

What can we do here?

@amosbastian

I'm also curious about this. @alber70g did you figure out something?

@francislavoie
Collaborator

francislavoie commented Oct 23, 2024

You can pipe through connections to the admin endpoint using a reverse_proxy localhost:2019. For example, you could add these labels:

  caddy: ":2020"
  caddy.reverse_proxy: "localhost:2019"

Then you can expose the :2020 port and call that. It's a hack, so keep in mind you should set up protections to avoid untrusted access on whatever port you end up re-exposing it on. Also keep in mind that you should not push any config changes, otherwise you'll cause contention with the config CDP is generating (you should only have read-only access).
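
Added example (not from this thread or the project): one way to enforce the two caveats above, trusted clients only and read-only access, using a small standalone guard on :2020 in place of the reverse_proxy label. Assumptions: it runs in the same network namespace as Caddy so localhost:2019 is reachable, the 192.168.1.0/24 allowlist is a constructed value, and `is_allowed` and `Guard` are hypothetical names.

```python
import ipaddress
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ADMIN_UPSTREAM = "http://localhost:2019"  # admin address from the issue
LISTEN_PORT = 2020                        # re-exposed port from the comment
# Assumption: only this LAN may read the admin API (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
READ_ONLY_METHODS = {"GET", "HEAD"}

def is_allowed(method: str, client_ip: str, path: str) -> bool:
    """Permit only read-only methods from allowlisted client addresses."""
    # The path check keeps the request target from rewriting the upstream host.
    if method.upper() not in READ_ONLY_METHODS or not path.startswith("/"):
        return False
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)

class Guard(BaseHTTPRequestHandler):
    def _handle(self):
        if not is_allowed(self.command, self.client_address[0], self.path):
            self.send_error(403, "read-only access from trusted hosts only")
            return
        req = urllib.request.Request(ADMIN_UPSTREAM + self.path, method=self.command)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                status, body = resp.status, resp.read()
                ctype = resp.headers.get("Content-Type", "application/octet-stream")
        except urllib.error.HTTPError as err:
            status, body, ctype = err.code, err.read(), "text/plain"
        except OSError:
            self.send_error(502, "admin endpoint unreachable")
            return
        self.send_response(status)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(body)

    # Every verb goes through the same policy check; writes are refused.
    do_GET = do_HEAD = do_POST = do_PUT = do_PATCH = do_DELETE = _handle

if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", LISTEN_PORT), Guard).serve_forever()
```
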
