
Hi, I'm new to the project and got really interested thanks to the Open-Runtimes work.
All my server deployments have a custom Caddy deployment as the main reverse proxy with host port binding (80 and 443), while also being all Docker Swarms, even for single nodes. Thus, the main composable provided isn't suitable for me. Docs and repo in hand, I started writing my own composable based on the official one (and yes I'm aware that this will require manual verification for each update). Here is the current `docker-compose`
Everything looks to be working as intended (well, I didn't test websockets yet, but since I'm not fully interested in them I'm delaying that verification), both Appwrite interface and API.
What is not working are Functions, neither via API nor via Domains (both auto generated and custom ones), but if I manually trigger them via the `Execute Now` button in the interface they do work.
While checking Caddy's log I see that no services are responding when it tries to forward the request for that particular domain, and the API returns a generic `500 general_unknown` if I try to do a `POST` request to `/v1/functions/{ID}/executions` after setting the permission of that particular function to `any`.

I've noticed I was still with the `_APP_ENV=production`. Switching to dev, this is the full log from the API response.

Are there any logs confirming the traffic is going through caddy?

What exactly is the error you're seeing?

when doing a fetch to my appwrite domain I get a response from Server: Caddy, Appwrite

while doing a fetch onto a function domain I see the generic:
https: error: SSLError: HTTPSConnectionPool(host='6623c88596f80fff8c39.functions.exmaple.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError(1, '[SSL: TLSV1_ALERT_INTERNAL_ERROR] tlsv1 alert internal error (_ssl.c:1006)'))) while doing a GET request to URL: https://6623c88596f80fff8c39.functions.example.com/
That usually appears when caddy is not able to find an upstream response

I've restored the `traefik` service in the compose file, while doing so I've understood what was causing my problems to websockets (I wasn't passing their headers), but also noticed that I can only communicate with port 443, since in my Caddy configuration I automatically redirect any 80 connection to a secure 443. Could this be an issue for functions?

But I wouldn't understand why, since traefik itself is routing everything through port 80 of the main appwrite and realtime services

Possibly...but I'm surprised the main domain works with the same setup

ok yes, I might have found the issue: functions only expect `http` and not `https` connections. I don't understand why since this could easily be a security issue with regard to payments and such

the main domains both accept `http` and `https`, while functions only `http`

🧐 is this on the caddy side?

for now I've used caddy to force a http call and make it https to traefik, a Frankenstein thing I'm surely not going to use in production

If you try on Appwrite cloud, you'll see auto generated function domains are https

You should definitely route to traefik using https. If not, Appwrite will see http and try to redirect to https

you didn't reply to this earlier: I've seen somewhere saying that self-hosted doesn't support https functions

Not really true. It's just we haven't documented how to set up certificates because it's complicated (requires traefik DNS resolver certificates or something and I think it's different per DNS provider)

mh ok

I'll do some more investigation to see where in my configuration I'm misunderstanding something

[...] and I think it's different per DNS provider
completely different

are certificates issued by appwrite or traefik?

For auto generated function domains, it's traefik. Otherwise, appwrite uses certbot for the others. I think it's because certbot doesn't support wildcard... 🤷‍♂️

is there a way to disable appwrite's certbot? Since I'm always handling my certificates before even reaching the services (this greatly simplifies wildcards, defining them once per ingress)

You can stop the certificates worker

oh, about this topic, could I simply stop various appwrite services that I don't need? Or do I have to set some env variables to tell appwrite not to look for that specific service?
