1. The problem I’m having:
I’m trying to set up a simple reverse proxy using two servers.
My Caddy server is set up with only Ubuntu and Caddy. I have Caddy installed as a service on the Ubuntu server and it seems to be running correctly.
The reverse proxy is for surething.com connecting to the upstream server at sites.surething.com. sites.surething.com is directly accessible through a browser. But when I try to reverse proxy to it through surething.com I get a 400 error.
Both surething.com and site.surething.com point to the same IP address. Both are also set up as Virtual Hosts on Apache2.
I have a second reverse proxy in my Caddyfile using surethingtickets.com that goes directly to surething.com rather than going through sites.surething.com. This seems to be working as expected.
At this time, I can’t leave surething.com pointing to my Caddy server indefinitely, so the problem can’t be seen. I can enable it for short periods if/when it is helpful. I have attached a log showing the last time it was attempted.
The certificate on surething.com is a wildcard certificate, so it should cover both surething.com and sites.surething.com. When using the latest version of Chrome, going to surething.com fails with ERR_SSL_PROTOCOL_ERROR. Firefox works for both.
2. Error messages and/or full log output:
I think the following logs will show the problem. If you have tips for formatting the logs for better readability, I'll use them.
Dec 12 22:12:30 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419150.9345016,"logger":"events","msg":"event","name":"tls_get_certificate","id":"d724d391-11ae-4c45-8280-152382f0a9f1","origin":"tls","data":{"client_hello":{"CipherSuites":[49196,49195,49200,49199,49188,49187,49192,49191,49162,49161,49172,49171,157,156,61,60,53,47,10],"ServerName":"www.surething.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[2052,2053,2054,1025,1281,513,1027,1283,515,514,1537,1539],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
Dec 12 22:12:30 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419150.9356413,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.surething.com","num_choices":1}
Dec 12 22:12:30 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419150.9357986,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"www.surething.com","subjects":["www.surething.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"7feb11d1748e00468863db01cbfaa458c15bc73766c869b3e93cdc13e8580026"}
Dec 12 22:12:30 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419150.936006,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"73.153.0.57","remote_port":"57313","subjects":["www.surething.com"],"managed":true,"expiration":1708357534,"hash":"7feb11d1748e00468863db01cbfaa458c15bc73766c869b3e93cdc13e8580026"}
Dec 12 22:12:31 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419151.1238923,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"sites.surething.com:443","total_upstreams":1}
Dec 12 22:12:31 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419151.2190392,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"sites.surething.com:443","duration":0.094498856,"request":{"remote_ip":"73.153.0.57","remote_port":"57313","client_ip":"73.153.0.57","proto":"HTTP/1.1","method":"GET","host":"surething.com","uri":"/assets/ajax/stajaxrequest.php?callback=jQuery17208629798286774354_1702419151258&request=appConfig&appdesc=stl7&lang=enu&country=USA&version=7.0.95.0&promo=DiscDeluxeGold7&token=YA7Y7224Y7H41F3K&_=1702419151455","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.surething.com"],"Accept":["*/*"],"Accept-Language":["en-US"],"Accept-Encoding":["gzip, deflate"],"User-Agent":["Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IPH 1.1.21.4019)"],"X-Forwarded-For":["73.153.0.57"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"","server_name":"www.surething.com"}},"headers":{"Server":["Apache/2.4.10 (Ubuntu)"],"Content-Length":["306"],"Content-Type":["text/html; charset=iso-8859-1"],"Date":["Tue, 12 Dec 2023 22:12:31 GMT"]},"status":400}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.0945315,"logger":"events","msg":"event","name":"tls_get_certificate","id":"6158f42a-388e-47a0-bd54-1be979c8186b","origin":"tls","data":{"client_hello":{"CipherSuites":[49196,49195,49200,49199,49188,49187,49192,49191,49162,49161,49172,49171,157,156,61,60,53,47,10],"ServerName":"www.surething.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[2052,2053,2054,1025,1281,513,1027,1283,515,514,1537,1539],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.0955908,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.surething.com","num_choices":1}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.095854,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"www.surething.com","subjects":["www.surething.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"7feb11d1748e00468863db01cbfaa458c15bc73766c869b3e93cdc13e8580026"}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.0960155,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"73.153.0.57","remote_port":"57320","subjects":["www.surething.com"],"managed":true,"expiration":1708357534,"hash":"7feb11d1748e00468863db01cbfaa458c15bc73766c869b3e93cdc13e8580026"}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.1967027,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"sites.surething.com:443","total_upstreams":1}
Dec 12 22:12:34 Dig-Ocean04-Caddy caddy[372582]: {"level":"debug","ts":1702419154.2987998,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"sites.surething.com:443","duration":0.101521251,"request":{"remote_ip":"73.153.0.57","remote_port":"57320","client_ip":"73.153.0.57","proto":"HTTP/1.1","method":"GET","host":"surething.com","uri":"/swlinks/links.php?appdesc=stl7&base=billboards&lang=enu&country=USA&version=7.0.95.0&promo=DiscDeluxeGold7&token=YA7Y7224Y7H41F3K","headers":{"X-Forwarded-For":["73.153.0.57"],"User-Agent":["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.0.3705)"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.surething.com"]},"tls":{"resumed":false,"version":771,"cipher_suite":49195,"proto":"","server_name":"www.surething.com"}},"headers":{"Content-Length":["306"],"Content-Type":["text/html; charset=iso-8859-1"],"Date":["Tue, 12 Dec 2023 22:12:34 GMT"],"Server":["Apache/2.4.10 (Ubuntu)"]},"status":400}
3. Caddy version:
v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=
4. How I installed and ran Caddy:
I installed Caddy on our Ubuntu server using the instructions for Debian, Ubuntu, Raspbian found on your site. Everything went quite smoothly and Caddy seems to be running as a service.
a. System environment:
1 GB Memory / 25 GB Disk / SFO3 - Ubuntu 23.10 x64
Very plain Ubuntu server with nothing else installed. systemd yes, docker no.
b. Command:
Not currently using any commands, running Caddy as a service. Using a Caddyfile for config.
c. Service/unit/compose file:
Using systemd but nothing else.
d. My complete Caddy config:
Very simple at this point:
{
	debug
}
https://surething.com, https://www.surething.com {
	reverse_proxy https://sites.surething.com {
		header_up Host surething.com
	}
}
https://surethingtickets.com https://www.surethingtickets.com {
	reverse_proxy https://surething.com {
		header_up Host surething.com
	}
}
5. Links to relevant resources:
None currently.
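Added example (not part of the original post): a small Python script that condenses Caddy debug lines like the ones in section 2 into one row per "upstream roundtrip", showing the upstream that was dialed, the Host header sent to it, and the status returned. The function names and the sample lines are constructed for illustration; the `host_differs` flag is only a comparison of the dialed hostname with the Host header, which is worth looking at when an upstream virtual host answers 400.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: trimmed-down lines modelled on the journald output in the post.
# The 200 response for the second site is an assumed value, not taken from the logs.
SAMPLE = [
    'Dec 12 22:12:34 proxy caddy[1]: {"level":"debug","logger":"http.handlers.reverse_proxy",'
    '"msg":"selected upstream","dial":"sites.surething.com:443","total_upstreams":1}',
    'Dec 12 22:12:34 proxy caddy[1]: {"level":"debug","logger":"http.handlers.reverse_proxy",'
    '"msg":"upstream roundtrip","upstream":"sites.surething.com:443","request":{"method":"GET",'
    '"host":"surething.com","uri":"/swlinks/links.php?lang=enu",'
    '"headers":{"X-Forwarded-Host":["www.surething.com"]}},"status":400}',
    'Dec 12 22:12:35 proxy caddy[1]: {"level":"debug","logger":"http.handlers.reverse_proxy",'
    '"msg":"upstream roundtrip","upstream":"surething.com:443","request":{"method":"GET",'
    '"host":"surething.com","uri":"/",'
    '"headers":{"X-Forwarded-Host":["www.surethingtickets.com"]}},"status":200}',
    'Dec 12 22:12:35 proxy systemd[1]: not a JSON line',
]

def parse_line(line):
    """Strip the journald prefix and decode the JSON payload; None if there is none."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None

def summarize_roundtrips(lines):
    """Return one dict per 'upstream roundtrip' entry with the fields that matter."""
    rows = []
    for line in lines:
        entry = parse_line(line)
        if not entry or entry.get("msg") != "upstream roundtrip":
            continue
        req = entry.get("request", {})
        upstream_host = entry.get("upstream", "").rsplit(":", 1)[0]  # drop ":443"
        host_sent = req.get("host", "")
        rows.append({
            "upstream": upstream_host,
            "host_sent": host_sent,
            "forwarded_host": (req.get("headers", {}).get("X-Forwarded-Host") or [""])[0],
            "path": urlsplit(req.get("uri", "")).path,  # query string (tokens) left out
            "status": entry.get("status"),
            "host_differs": upstream_host.lower() != host_sent.lower(),
        })
    return rows

if __name__ == "__main__":
    for row in summarize_roundtrips(SAMPLE):
        print(row)
```
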