502 error in Caddy, nothing logged at server

1. The problem I’m having:

I’m trying to use Caddy on a local Windows machine as a reverse proxy to serve HTTPS traffic to a Docker container running Windows/IIS. I’ve mapped port 80 to 8086 and 443 to 8087 in Docker. I’ve added an entry in my hosts file to point sub.acme.com to

From my machine, if I browse to http://sub.acme.com, it works.
If I browse to https://sub.acme.com:8087, it works.
If I enter an interactive session on my container, add a host value that maps to sub.acme.com and curl it, it returns content.
However, if I browse https://sub.acme.com from my local machine, I get an error in the Caddy logs (see next section).

I’ve enabled Failed Request Tracing in IIS for the container and I’m not seeing anything logged from these requests.

The cert installed in IIS is a PFX cert. Caddy is using a PEM and KEY. I pulled both the PFX and the PEM/KEY from DigiCert. The PEM is the full cert with root and intermediate. I’ve tried to omit the cert but then it spins trying to pull a cert from Let’s Encrypt.

I got this working using the native Windows netsh service using the following command. I’d still like to get it working with Caddy (it bugs me when things don’t work).

netsh interface portproxy add v4tov4 listenport=443 listenaddress= connectport=8087 connectaddress=

2. Error messages and/or full log output:

2023/08/24 15:42:12.904 ERROR  http.log.error  read tcp> wsarecv: An existing connection was forcibly closed by the remote host.

  "request": {
    "remote_ip": "",
    "remote_port": "60769",
    "client_ip": "",
    "proto": "HTTP/2.0",
    "method": "GET",
    "host": "sub.acme.com",
    "uri": "/",
    "headers": {
      "Sec-Ch-Ua": [
        "\"Not/A)Brand\";v=\"99\", \"Google Chrome\";v=\"115\", \"Chromium\";v=\"115\""
      "Sec-Fetch-Mode": [
      "Cookie": [],
      "Sec-Fetch-User": [
      "Sec-Ch-Ua-Platform": [
      "User-Agent": [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36"
      "Sec-Fetch-Site": [
      "Accept-Language": [
      "Dnt": [
      "Upgrade-Insecure-Requests": [
      "Accept-Encoding": [
        "gzip, deflate, br"
      "Accept": [
      "Sec-Fetch-Dest": [
      "Pragma": [
      "Cache-Control": [
      "Sec-Ch-Ua-Mobile": [
    "tls": {
      "resumed": true,
      "version": 772,
      "cipher_suite": 4865,
      "proto": "h2",
      "server_name": "sub.acme.com"
  "duration": 0.0029005,
  "status": 502,
  "err_id": "33f68vmy0",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1248)"

3. Caddy version:

version v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

4. How I installed and ran Caddy:

a. System environment:

I downloaded the AMD64 executable for Windows from the Caddy download page and installed it. My machine is Windows 7. My Docker is Docker version 24.0.5, build ced0996. I am running Windows containers and not Unix containers. Caddy is not running inside of Docker but directly on my computer.

b. Command:

.\caddy_windows_amd64.exe run

Ran from PowerShell. This might look weird, but that’s the name of the executable and I never changed it.

c. Service/unit/compose file:


d. My complete Caddy config:

sub.acme.com:80 {

sub.acme.com:443 {
	tls star_site_com.pem wildcard_site_com.key

5. Links to relevant resources:

I’m not sure why you did this – Caddy will be listening to port 80/443 in Docker, so mapping to those ports doesn’t make sense because that’s not what Caddy is listening for.

Do you mean the inverse?

This config is making an HTTP request to the upstream. Is that upstream listening for HTTPS requests? If so you need to configure Caddy to make HTTPS requests instead. See the docs:
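
The mismatch the reply above describes, shown as an added Caddyfile example that is not part of the thread or of the Caddy docs. The upstream address `192.0.2.10` is a placeholder (the real address does not appear in the post); the ports, hostname and file names are the ones given in the question, and the example assumes IIS on 8087 presents a certificate valid for sub.acme.com that chains to a publicly trusted root.

```caddyfile
# Added illustration. 192.0.2.10 is a placeholder upstream address.

# Before (commented out): reverse_proxy speaks plain HTTP unless told
# otherwise. If the upstream port is the container's TLS port (8087), the
# TLS listener receives a plaintext request instead of a handshake and
# will typically just close the connection. Caddy then answers 502, and
# nothing reaches IIS request logging because no HTTP request was parsed.
#
# sub.acme.com:443 {
# 	tls star_site_com.pem wildcard_site_com.key
# 	reverse_proxy 192.0.2.10:8087
# }

# Port 80: plain HTTP to the container's HTTP port is consistent as is.
sub.acme.com:80 {
	reverse_proxy 192.0.2.10:8086
}

# After: the https:// scheme makes Caddy open a TLS connection to the
# upstream and verify the certificate it presents.
sub.acme.com:443 {
	tls star_site_com.pem wildcard_site_com.key
	reverse_proxy https://192.0.2.10:8087 {
		transport http {
			# The upstream is addressed by IP, so state the name to send
			# as SNI and to check the upstream certificate against.
			tls_server_name sub.acme.com

			# Avoid tls_insecure_skip_verify here: it turns off upstream
			# certificate verification, so any host answering on that
			# address would be accepted as the backend.
		}
	}
}
```

If the hop between Caddy and the container does not need to be encrypted, the alternative is to keep plain HTTP and point the 443 site at the container's HTTP port (8086) instead.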
