Help in using caddy as reverse proxy for LXD API

I’m trying to set up the Caddy web server as a reverse proxy in front of the LXD API.

The problem so far seems to be client authentication: Caddy terminates the TLS connection, so it won’t send the client certificate to the LXD backend.

This is a direct connection to LXD (Port 8443, without reverse proxy):

curl -ks --cert ~/lxd.crt https://lxd-server.my-domain.org:8443/1.0 | jq .metadata.auth
"trusted"

Note: ~/lxd.crt is a concatenation of client.crt and client.key of my local LXD client, which is already added to the trusted list in the remote server.

And this is using Caddy as reverse proxy:

curl -s --cert ~/lxd.crt https://lxd-server.my-domain.org/1.0 | jq .metadata.auth
"untrusted"

For reference, this is the output of lxc config show:

config:
  core.https_address: :8443

In the Caddy forum they recommend passing the certificate as an HTTP header to the backend. So this is my Caddyfile:

lxd-server.my-domain.org {
	# Upstream is LXD on the same host; Caddy opens its own TLS session to it
	reverse_proxy https://127.0.0.1:8443 {
		transport http {
			# Trust LXD's self-signed server certificate for that upstream session
			tls_trusted_ca_certs /var/snap/lxd/common/lxd/server.crt
		}
		# Copy the caller's client certificate (DER, base64) into a request header
		header_up Client-Cert {tls_client_certificate_der_base64}
	}
}

But this is not working.

My questions: Is this actually possible? Does LXD accept the client certificate for authentication as an HTTP header? And if so, which header?

Thank you for your time.
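The mechanism behind the two results above, as an added example that is not part of the original post nor code from LXD or Caddy: a throwaway backend that, like the LXD instance in the post, answers "trusted" only from the certificate on its own TLS connection, placed behind a small Go reverse proxy that does what the Caddyfile does (terminate TLS, open its own TLS session upstream, forward the caller's certificate as a Client-Cert header). The client certificate, the trust list and the backend are all constructed here; the fingerprint form is the SHA-256 hex that `lxc config trust list` shows. Direct gives "trusted", via the proxy "untrusted", because the proxy's upstream connection carries no client certificate and the backend's TLS layer is the only thing it consults.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// mustClientCert builds a throwaway self-signed client certificate, constructed
// here to stand in for the client.crt/client.key pair that lxc generates.
func mustClientCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// fingerprint is the SHA-256 of the DER certificate, the identifier `lxc config trust list` shows.
func fingerprint(der []byte) string { return fmt.Sprintf("%x", sha256.Sum256(der)) }

// newBackend stands in for LXD's GET /1.0: "trusted" only when the certificate on
// the TLS connection itself is in the trust list; a Client-Cert header is never read.
func newBackend(trusted map[string]bool) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := "untrusted"
		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 && trusted[fingerprint(r.TLS.PeerCertificates[0].Raw)] {
			auth = "trusted"
		}
		fmt.Fprint(w, auth)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert} // request, do not require
	srv.StartTLS()
	return srv
}

// newProxy is the post's Caddyfile in Go: it terminates TLS, opens its own TLS session
// to the backend, and forwards the caller's certificate as a base64 DER header.
func newProxy(backend *httptest.Server) *httptest.Server {
	target, _ := url.Parse(backend.URL) // always well-formed: set by httptest
	rp := &httputil.ReverseProxy{
		// Trusts the backend's self-signed cert but, like the Caddyfile in the post,
		// presents no client certificate of its own on the upstream connection.
		Transport: backend.Client().Transport,
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(target)
			pr.Out.Header.Del("Client-Cert") // never forward a caller-supplied copy
			if pr.In.TLS != nil && len(pr.In.TLS.PeerCertificates) > 0 {
				pr.Out.Header.Set("Client-Cert", base64.StdEncoding.EncodeToString(pr.In.TLS.PeerCertificates[0].Raw))
			}
		},
	}
	srv := httptest.NewUnstartedServer(rp)
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert}
	srv.StartTLS()
	return srv
}

// query is the post's curl call: GET /1.0 presenting the client certificate.
func query(srv *httptest.Server, cert tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // like trusting server.crt with curl
	c := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs: pool, Certificates: []tls.Certificate{cert}}}}
	resp, err := c.Get(srv.URL + "/1.0")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo runs the post's two requests and returns the auth value from each.
func Demo() (direct, viaProxy string, err error) {
	cert := mustClientCert()
	backend := newBackend(map[string]bool{fingerprint(cert.Certificate[0]): true})
	defer backend.Close()
	proxy := newProxy(backend)
	defer proxy.Close()
	if direct, err = query(backend, cert); err != nil {
		return "", "", err
	}
	viaProxy, err = query(proxy, cert)
	return direct, viaProxy, err
}

func main() {
	direct, viaProxy, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("direct:", direct, "via proxy:", viaProxy)
}
```

Two points a practitioner should take from this. The header_up line in the Caddyfile does reach the backend (the Go proxy sets the same header), but a backend only benefits if it was written to read it, and then it must be reachable solely through the proxy and the proxy must overwrite any caller-supplied copy, as the Del call above does, or the header becomes a forgeable credential. And making the proxy present a client certificate of its own to LXD (Caddy's transport has a tls_client_auth option for that) would turn every caller that reaches the proxy into that one trusted identity, so it only makes sense if the proxy itself enforces authentication first.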

I’m not an expert on this, so I could be totally wrong haha, but to my knowledge, LXD has its own self-signed certificate, so I would assume that Caddy is trying to add a certificate on top of LXD’s existing self-signed certificate it uses, which wouldn’t work. I think your best bet would be to change the certificate that LXD uses to a genuine certificate (that you can generate with Let's Encrypt) instead of using Caddy to get SSL on it.

I’m not an expert either, but I don’t think that’s the problem here.

That’s what I was trying to avoid. But at the end I think that’s my only choice.

I’ve tried reverse proxying with Caddy before and that’s the only solution that worked for me.