kamal icon indicating copy to clipboard operation
kamal copied to clipboard
verified publisher icon basecamp

Bad Gateway for 'Caddy' Dockerfile

Open ksylvest opened this issue 1 year ago • 3 comments

I'm attempting to use Caddy to host some static HTML / files, but running into issues 'Bad Gateway' on every request.

This is the Dockerfile / Caddyfile being used:

# syntax = docker/dockerfile:1

FROM caddy:2.7.6

RUN apk --no-cache add curl

COPY Caddyfile /etc/caddy/Caddyfile

EXPOSE 4567

:4567

respond "Hello!"

Locally the image appears to build / run just fine:

docker build -t test . && docker run -t -p 4567:4567 test
curl localhost:4567 # Hello
curl localhost:4567/up # Hello

Deploying the image passes all health checks as expected:

kamal deploy

...
  INFO [34aad7e6] Running docker container ls --all --filter name=^frontend-web-...$ --quiet | xargs docker inspect --format '{{if .State.Health}}{{.State.Health.Status}}{{else}}{{.State.Status}}{{end}}' on ...
  INFO [34aad7e6] Finished in 0.191 seconds with exit status 0 (successful).
  INFO Container is healthy!
...
Releasing the deploy lock...
  Finished all in 37.2 seconds

Attempting to access the service through Traefik fails (even when connected via SSH to the host) with 'Bad Gateway':

curl localhost:80 # Bad Gateway

If I run docker ps then grab the container IP I am able to curl and get back the result from Caddy:

docker ps
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' 123...
curl 172.17.0.3:4567 # Hello

Swapping over to a very basic Sinatra app instead of a Caddy image and the deploys works fine. It seems to for some reason be tied to using a caddy image.

ksylvest avatar Mar 10 '24 01:03 ksylvest

How does your deploy.yml look like?

wenderjean avatar Mar 13 '24 02:03 wenderjean

Hi Wender,

I'm using the following:

service: frontend
image: REDACTED

registry:
  username: REDACTED
  password:
    - KAMAL_REGISTRY_PASSWORD

ssh:
  user: REDACTED

servers:
  web:
    hosts:
      - REDACTED
    labels:
      traefik.http.routers.frontend.rule: Host(`REDACTED`)
      traefik.http.routers.frontend.entrypoints: websecure
      traefik.http.routers.frontend.tls.certresolver: letsencrypt

healthcheck:
  port: 4567

traefik:
  options:
    publish:
      - "443:443"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  args:
    entryPoints.web.address: ":80"
    entryPoints.websecure.address: ":443"
    entryPoints.web.http.redirections.entryPoint.to: websecure
    entryPoints.web.http.redirections.entryPoint.scheme: https
    entryPoints.web.http.redirections.entrypoint.permanent: true
    certificatesResolvers.letsencrypt.acme.email: "REDACTED"
    certificatesResolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesResolvers.letsencrypt.acme.httpchallenge: true
    certificatesResolvers.letsencrypt.acme.httpchallenge.entrypoint: web

Just as a callout, changing to run on port 80 (via Dockerfile / Caddyfile / healthcheck swap) is a workaround for the above issue. Very puzzled why though...

ksylvest avatar Mar 13 '24 18:03 ksylvest

@ksylvest - there might be something useful in the Traefik container's logs (run docker logs traefik)

djmb avatar May 02 '24 12:05 djmb