403 on reverse proxy

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

I am building a website that has an home page and some reverse proxies on some paths. For example palmiotto.duckdns.org/jellyfin/ is pointing to the local jellyfin port.

a. System environment:

Operating System: Ubuntu 20.10
Kernel: Linux 5.8.0-48-generic
Architecture: x86-64

b. Command:

caddy start

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

palmiotto.duckdns.org
tls {
	issuer acme {
	        disable_http_challenge
        }
	issuer zerossl {
                disable_http_challenge
        }
}
#basicauth {
#	xxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#	xxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#	xxxxx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#}
file_server browse
reverse_proxy /planes/* 192.168.1.134:8754
#reverse_proxy 192.168.1.134:8754
reverse_proxy /jellyfin/* 192.168.1.199:8096
handle_errors {
	rewrite * /{http.error.status_code}
	reverse_proxy https://http.cat {
		header_up Host http.cat
	}
}

3. The problem I’m having:

If I try to access the path planes i get 403 forbidden

4. Error messages and/or full log output:

verbose curl GET request

*   Trying 188.116.61.101:443...
* TCP_NODELAY set
* Connected to palmiotto.duckdns.org (188.116.61.101) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=palmiotto.duckdns.org
*  start date: Mar 27 10:25:48 2021 GMT
*  expire date: Jun 25 10:25:48 2021 GMT
*  subjectAltName: host "palmiotto.duckdns.org" matched cert's "palmiotto.duckdns.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55f4e270a7e0)
> GET /planes/ HTTP/2
> Host: palmiotto.duckdns.org
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 403
< server: Caddy
< content-type: text/plain; charset=utf-8
< content-length: 12
< date: Fri, 02 Apr 2021 18:03:39 GMT
<
* Connection #0 to host palmiotto.duckdns.org left intact
FORBIDDEN :>

5. What I already tried:

If I remove the reverse proxy path for “planes” and the file_server directive, so that the service is located on the root of the website, everything seems to work just fine. How can i solve this behaviour?

6. Links to relevant resources: