[Question] Communicate between two frankenphp instance on local with tls on

[QuentinDess]

Tip

Goal :

Achieve communication with two instance of frakenphp in local with docker container and shared network

Context :

I using Frankenphp on two api , on some edge case they communicate between them . I need tls on , for both application , for sandbox with external services for example.

Caution

Problem

As docker networki i can't access with the localhost domain , for example api1.localhost when using api2.localhost can't be reached .
But when i use the container name , with external networking configuration , the tls handshake fail as Caddy has only the certificate for the api2.localhost and not the container name .

Note

Api1 configuration :

Docker compose

networks:
   network_decq_control_back:
       name: network_decq_control_back
   shared_decq_network:
       name: shared_decq_network
      external: true

services:
   php:
       container_name: decq-control-php
       image: ${IMAGES_PREFIX:-}app-php
       restart: unless-stopped
       networks:
           - shared_decq_network
           - network_decq_control_back
       environment:
           SERVER_NAME: ${SERVER_NAME:-control.localhost}, php:80
       volumes:
           - caddy_data:/data
           - caddy_config:/config
       ports:
           # HTTP
           -   target: 80
               published: ${HTTP_PORT:-80}
               protocol: tcp
           # HTTPS
           -   target: 443
               published: ${HTTPS_PORT:-443}
               protocol: tcp
           # HTTP/3
         -   target: 443
               published: ${HTTP3_PORT:-443}
               protocol: udp

Caddyfile

{
  {$CADDY_GLOBAL_OPTIONS}
  frankenphp {
  	{$FRANKENPHP_CONFIG}
  }
  debug
}

{$CADDY_EXTRA_CONFIG}

{$SERVER_NAME} {
  log {
  	{$CADDY_SERVER_LOG_OPTIONS}
  	# Redact the authorization query parameter that can be set by Mercure
  	format filter {
  		request>uri query {
  			replace authorization REDACTED
  		}
  	}
  }

  root /app/public
  encode zstd br gzip

  {$CADDY_SERVER_EXTRA_DIRECTIVES}

  # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
  header ?Permissions-Policy "browsing-topics=()"

  @phpRoute {
  	not path /.well-known/mercure*
  	not file {path}
  }
  rewrite @phpRoute index.php

  @frontController path index.php
  php @frontController

  file_server {
  	hide *.php
  }
}

Api2 configuration :

Docker compose

networks:
   network_decq_warehouse:
       name: network_decq_warehouse
   shared_decq_network:
       name: shared_decq_network
       external: true

services:
   php:
       container_name: decq-warehouse-php
       image: ${IMAGES_PREFIX:-}app-php
       restart: unless-stopped
       networks:
           - shared_decq_network
           - network_decq_warehouse
       environment:
           SERVER_NAME: ${SERVER_NAME:-warehouse.localhost}
       volumes:
           - caddy_data:/data
           - caddy_config:/config
       ports:
           # HTTP
           -  target: 80
              published: '8080'
              protocol: tcp

           # HTTPS
           -   target: 443
               published: '8001'
               protocol: tcp
          # HTTP/3
           -   target: 443
               published: '8001'
               protocol: udp

Caddyfile

{
  {$CADDY_GLOBAL_OPTIONS}
   https_port 8001
  frankenphp {
  	{$FRANKENPHP_CONFIG}
  }
  debug
}

{$CADDY_EXTRA_CONFIG}
{$SERVER_NAME}:80 {
   redir https://{$SERVER_NAME}:8001{uri}
}

{$SERVER_NAME}:443 {
  log {
  	{$CADDY_SERVER_LOG_OPTIONS}
  	# Redact the authorization query parameter that can be set by Mercure
  	format filter {
  		request>uri query {
  			replace authorization REDACTED
  		}
  	}
  }

  root /app/public
  encode zstd br gzip

  {$CADDY_SERVER_EXTRA_DIRECTIVES}

  # Disable Topics tracking if not enabled explicitly: https://github.com/jkarlin/topics
  header ?Permissions-Policy "browsing-topics=()"

  @phpRoute {
  	not path /.well-known/mercure*
  	not file {path}
  }
  rewrite @phpRoute index.php

  @frontController path index.php
  php @frontController

  file_server {
  	hide *.php
  }
}

Api1 Caddy Debbug :

tls.handshake   no matching certificates and no custom selection logic  {"identifier": "decq-control-php"}
2025-03-26 18:44:11 2025/03/26 17:44:11.083     DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "*"}
2025-03-26 18:44:11 2025/03/26 17:44:11.083     DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "172.19.0.3", "remote_port": "56278", "server_name": "decq-control-php", "remote": "172.19.0.3:56278", "identifier": "decq-control-php", "cipher_suites": [4866, 4867, 4865, 49196, 49200, 159, 52393, 52392, 52394, 49195, 49199, 158, 49188, 49192, 107, 49187, 49191, 103, 49162, 49172, 57, 49161, 49171, 51, 157, 156, 61, 60, 53, 47, 255], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2025-03-26 18:44:11 2025/03/26 17:44:11.084     DEBUG   http.stdlib     http: TLS handshake error from 172.19.0.3:56278: no certificate available for 'decq-control-php'

[AlliBalliBaba]

I don't know if this is possible with https locally. localhost will always refer to something else in- and outside of the container.

What you could do instead is just use a separate http port without host for internal communication.

Insert SERVER_NAME
{$SERVER_NAME}:443

To look something like this:
:8000, api1.localhost:443

And communicate on port 8000 internally.

But it's also possible that there's some kind of hack with docker networking that will make this work with just 1 https port. Might also be worth asking this in the Caddy Forum
.

[withinboredom]

You can also just generate static self-signed certificates using a shared self-signed CA-cert that is white-listed in both containers. There are some comprehensive guides out there for setting this up with Caddy.

[QuentinDess]

@withinboredom
It was the solution using mkcert to add cert for api1.localhost and decq-control-php ( container reference name ) .
Just create make file script for all the team dev to have the same setup and automated the certification.
Second step was to bind the crt to the Caddy server with
- ${MKCERT_CA_PATH}:/usr/local/share/ca-certificates/mkcert-rootCA.crt:ro
Don't even need to white-listed in both container as it was only for local dev this setup is enough