Docker Compose & CaddyFile

[yodaphone]

I use caddy as my reverse proxy to my docker. if someone is interested to deploy it using docker compose and use Caddy, you can try this

Docker Compose file: (You can add more variables as you need. I use a mariadb server thats running on another VM which i use for all my projects)

#shlink
version: '3'

services:
 shlink:
    image: shlinkio/shlink:stable
    container_name: my_shlink
    ports:
      - 8080:8080
    environment:
      SHORT_DOMAIN_HOST: 'url.foo.com'
      SHORT_DOMAIN_SCHEMA: 'https'
      GEOLITE_LICENSE_KEY: 'XXXXXXXX'
      DB_DRIVER: 'maria'
      DB_NAME: 'shlink'
      DB_USER: 'shlink'
      DB_PASSWORD: 'x12345'
      DB_HOST: '192.168.1.254'
      DB_PORT: '3306'

Caddyfile - The top few lines are useful. You can uncomment the "acme_ca" to staging & test before you ask for the real one. this may help you as you dont want to hit the cert request limits. Caddy is very easy to use

{
    # email to use on Let's Encrypt
    email johndoe@emai.com

    # Uncomment for debug
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    debug
}

url.foo.com {
    reverse_proxy http://192.168.1.74:8080
}

[shurushetr]

Thank you for sharing, Time past and this config appears to be outdated. Some of the environment variables are deprecated. I've updated the config to the latest spec, and it doesn't work anyway. Caddy returns 502.

[yodaphone]

i'm on 2.9.2 at this config works fine for me. let me try to update & revert

[yodaphone]

can you please share more about your environment? its strange you;re getting a gateway error.

[shurushetr]

indeed. I'm running 3 docker containers from a single docker-compose.yml. Vaultwarden, caddy and shlink. Used your config as a start point for docker container and caddyfile. Shlink works fine via CLI, I'm able to generate links, API keys etc. But I can't get to it via app.shlink.io. Shortened links don't work either.
My current configs and caddy access log for shlink.

Caddyfile

#Vault Warden
SOMESITE:443 {
	log {
			level INFO
			format json
			#output file {$LOG_FILE} {
			output file /data/vwaccess.log {
					roll_size 10MB
					roll_keep 10
			}
	}
	tls {$EMAIL}
	encode gzip

	reverse_proxy /notifications/hub vaultwarden:SOMEPORT

	reverse_proxy vaultwarden:80 {
			# Send the true remote IP to Rocket, so that vaultwarden can put this in the
			# log, so that fail2ban can ban the correct IP.
			header_up X-Real-IP {remote_host}
	}
}

#Static onpager
SOMESITE2 {
	root * /srv/SOMEDIR
	encode zstd gzip
	file_server
	tls {$EMAIL}
	#       respond "hello adshbwetrhbs!"
}

#Shlink - URL Shortner
SOMESITE3 {
	reverse_proxy localhost:8083
	header {
			X-Robots-Tag "noindex"
	}
	tls {$EMAIL}
	log {
			output file /data/shlinkaccess.log {
					roll_size 10MB
					roll_keep 10
			}
			level debug
			#format json
	}
}

Docker-compose
`

        version: '3'
          
          services:
            vaultwarden:
              image: vaultwarden/server:latest
              container_name: vaultwarden
              restart: always
              environment:
               - WEBSOCKET_ENABLED=true  # Enable WebSocket notifications.
               - SIGNUPS_ALLOWED=false
              volumes:
                - ./vw-data:/data
          
            caddy:
              image: caddy:2
              container_name: caddy
              restart: always
              ports:
                - 80:80  # Needed for the ACME HTTP-01 challenge.
                - 443:443
              volumes:
                - ./Caddyfile:/etc/caddy/Caddyfile:ro
                - ./caddy-config:/config
                - ./caddy-data:/data
                - /var/www:/srv
              environment:
          #      - DOMAIN=http(s)://SOMESITE  # Your domain, prefixed with http or https.
                - EMAIL=SOMEEMAIL  # The email address to use for ACME registration.
                - LOG_FILE=/data/access.log
          
            shlink:
              image: shlinkio/shlink
              container_name: shlink
              restart: always
              ports:
                - 8083:8083
              volumes:
                - ./shlink:/etc/shlink/config/params
              environment:
                - DEFAULT_DOMAIN=SOMESITE3
                - USE_HTTPS=true
                - GEOLITE_LICENSE_KEY=SOMEKEY

`

Access log
{ "level": "error", "ts": 1637200151.620844, "logger": "http.log.access.log1", "msg": "handled request", "request": { "remote_addr": "SOMEIP", "proto": "HTTP/2.0", "method": "GET", "host": "SOMESITE3", "uri": "/favicon.ico", "headers": { "User-Agent": [ "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" ], "Accept-Language": [ "en-US,ru;q=0.5" ], "Dnt": [ "1" ], "Referer": [ "https://SOMESITE3/PXIq6" ], "Cache-Control": [ "max-age=0" ], "Te": [ "trailers" ], "Accept": [ "image/avif,image/webp,*/*" ], "Accept-Encoding": [ "gzip, deflate, br" ], "Sec-Fetch-Dest": [ "image" ], "Sec-Fetch-Mode": [ "no-cors" ], "Sec-Fetch-Site": [ "same-origin" ] }, "tls": { "resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "SOMESITE3" } }, "common_log": "73.245.241.235 - - [18/Nov/2021:01:49:11 +0000] \"GET /favicon.ico HTTP/2.0\" 502 0", "duration": 0.000772689, "size": 0, "status": 502, "resp_headers": { "X-Robots-Tag": [ "noindex" ], "Server": [ "Caddy" ] } }

ps cool nickname, I wanted one of those back in the day. eink phones. too bad they killed the company.

[yodaphone]

OMG! i running vaultwarden, shlink and unifi controller on my docker in a proxmox vm, but run my caddy as a LXE container on proxmox. i'd like to keep my core services separate & caddy runs most of my other apps (home automation, nextcloud etc.)

BTW, upgraded to the new 2.9.3 & everything works without the change in env variables.. (need to change them thou..)

what happens when you browse the site from the network http://internal-IP.docker:8083/ ? do you see a 404 error page?

[yodaphone]

just curious, why are you defining port 443 for vaultwarden?

#Vault Warden
SOMESITE:443 {
	log {

caddy assume https by default. i think since you run all in the docker, you may want to remove this and try

have you checked if acme served up a cert for shlink?

[shurushetr]

just curious, why are you defining port 443 for vaultwarden?

#Vault Warden
SOMESITE:443 {
	log {

caddy assume https by default. i think since you run all in the docker, you may want to remove this and try

This was just a copy paste of the config from - https://github.com/dani-garcia/vaultwarden/wiki/Using-Docker-Compose
Removing the port didn't change a thing.

have you checked if acme served up a cert for shlink?

I didn't, by the looks of it, seems like everything is ok there, but I will look into it today, closely.

My current theory is something to do with firewall rules. I use the UFW to simplify my life on this home setup. While I was tinkering with vaultwarden, I discovered that docker ignores UFW rules and all my docker containers were exposed. This issue has a long trail (some don't consider it an issue) but there were some data leaks related to it in the past. So I used solution from - https://github.com/chaifeng/ufw-docker#solving-ufw-and-docker-issues to fix it.
Explicitly allowing Shlink docker in ufw didn't change anything. But I can't make a connection here, since my containers are in the same docker network , they should be able to communicate.
In other words, your config posted here, most likely not the issue, at my current state of things at least.

I will update on

what happens when you browse the site from the network http://internal-IP.docker:8083/ ? do you see a 404 error page?

[shurushetr]

Made some progress, looks like shlink container is hardwired inside to port 8080, I didn't think of that when ports: - 8083:8083 , now I at least have 404 response.

curl -IL localhost:8083

HTTP/1.1 404 Not Found
Content-Type: text/html; charset=utf-8
Server: swoole-http-server
Connection: keep-alive
Date: Fri, 19 Nov 2021 15:47:46 GMT
Content-Length: 979

[yodaphone]

i should've noticed it...

404 error means its working internally

thats good, now shlink should work...

[shurushetr]

something is still not communicating. 502 if I go to shortened URL or try app.shlink.io

[yodaphone]

where does the 443 of UFW point to? the IP of the docker machine?

[shurushetr]

where does the 443 of UFW point to? the IP of the docker machine?

IP of the caddy docker.
caddy.docker.ip 443/tcp ALLOW FWD Anywhere # allow caddy 443/tcp docker_default

[shurushetr]

I got it, Caddyfile upstream to localhost:hostport is incorrect, shlink:8080.
Late-night configs are the worst.
I'll post my configs shortly.

[shurushetr]

Working config from my setup. Shortened to take out the vaultwarden instance from focus.

cat ~/docker/Caddyfile

  #Shlink - URL Shortner
  INSERT_YOUR_DOMAIN {
          reverse_proxy shlink:8080
          header {
                  X-Robots-Tag "noindex"
          }
          tls {$EMAIL}
          log {
                  output file /data/shlinkaccess.log {
                          roll_size 10MB
                          roll_keep 10
                  }
                  level INFO
				  format json
          }
  }

cat ~/docker/docker-compose.yml

  version: '3'
  
  services:
    caddy:
      image: caddy:2
      container_name: caddy
      restart: always
      ports:
        - 80:80  # Needed for the ACME HTTP-01 challenge.
        - 443:443
      volumes:
        - ./Caddyfile:/etc/caddy/Caddyfile:ro
        - ./caddy-config:/config
        - ./caddy-data:/data
        - /var/www:/srv
      environment:
        - EMAIL=INSERT_EMAIL   # The email address to use for ACME registration.
        - LOG_FILE=/data/access.log
  
    shlink:
      image: shlinkio/shlink
      container_name: shlink
      restart: always
      ports:
        - 8083:8080  #My 8080 host port was occupied
  
      environment:
        - DEFAULT_DOMAIN=INSERT_YOUR_DOMAIN
        - USE_HTTPS=true
        - GEOLITE_LICENSE_KEY=INSERT_YOUR_KEY

[yodaphone]

can you please try to keep the caddy config really simple and try

url.foo.com {
reverse_proxy shlink:8080
}