502 error when trying to communicate with previously working immich install

edit - thank you.

Thanks for the prompt response - it’s HTTP, and that seems to have resolved it after a restart. I had to remove the entire directive (transport http) and it came good. The SSL_PROTOCOL_ERROR on other sites has been resolved too.
I would have thought it would be only affecting the one site?

(Unhelpful rate limiting from the site:
An error occurred: You’re replying a bit too quickly. Please wait 22 hours before trying again.)

  1. The problem I’m having:

I’ve been running with caddy for a couple of months now purely for reverse proxy config for my docker deployments on my NAS - since rebooting at the weekend, I’ve been having SSL_PROTOCOL_ERROR on some sites, but more annoyingly a 502 error on Immich. This happens on multiple machines and devices, both internal to the network and external via the wan.
Very odd, as I can’t see that anything has been changed - this was a power-down/cold-boot for electrical maintenance.

curl output:

```
curl -v https://immich.harman.tv
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
> GET / HTTP/1.1
> Host: immich.harman.tv
> User-Agent: curl/8.12.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/1.1 502 Bad Gateway
< Alt-Svc: h3=":443"; ma=2592000
< Server: Caddy
< Date: Wed, 10 Dec 2025 06:52:40 GMT
< Content-Length: 0
<
```

2. Error messages and/or full log output:

```json
{
  "level": "error",
  "ts": 1765348880.7951553,
  "logger": "http.log.error",
  "msg": "tls: first record does not look like a TLS handshake",
  "request": {
    "remote_ip": "172.17.0.1",
    "remote_port": "63685",
    "client_ip": "172.17.0.1",
    "proto": "HTTP/2.0",
    "method": "GET",
    "host": "immich.harman.tv",
    "uri": "/",
    "headers": {
      "Sec-Fetch-Site": ["none"],
      "Sec-Fetch-Dest": ["document"],
      "Accept-Encoding": ["gzip, deflate, br, zstd"],
      "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],
      "Sec-Ch-Ua-Mobile": ["?0"],
      "Sec-Fetch-Mode": ["navigate"],
      "Dnt": ["1"],
      "Accept-Language": ["en-GB,en;q=0.9,en-US;q=0.8,en-AU;q=0.7"],
      "Priority": ["u=0, i"],
      "Upgrade-Insecure-Requests": ["1"],
      "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36 Edg/143.0.0.0"],
      "Sec-Ch-Ua": ["\"Microsoft Edge\";v=\"143\", \"Chromium\";v=\"143\", \"Not A(Brand\";v=\"24\""],
      "Sec-Ch-Ua-Platform": ["\"Windows\""],
      "Sec-Fetch-User": ["?1"]
    },
    "tls": {
      "resumed": false,
      "version": 772,
      "cipher_suite": 4865,
      "proto": "h2",
      "server_name": "immich.harman.tv"
    }
  },
  "duration": 0.00186471,
  "status": 502,
  "err_id": "wd7xbqqhh",
  "err_trace": "reverseproxy.statusError (reverseproxy.go:1390)"
}
```

3. Caddy version:

```
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
```

4. How I installed and ran Caddy:

Docker Compose:

```yaml
name: caddy
services:
  caddy:
    cap_add:
      - NET_ADMIN
    cpu_shares: 90
    command:
    deploy:
      resources:
        limits:
          memory: 67156463616
        reservations:
          devices:
    environment:
      - CLOUDFLARE_API_TOKEN=/snip
    image: Package caddy-cloudflare · GitHub
    labels:
      icon: https://icon.casaos.io/main/all/caddy.png
    ports:
      - target: 80
        published: "8808"
        protocol: tcp
      - target: 443
        published: "443"
        protocol: ""
    restart: unless-stopped
    volumes:
      - type: bind
        source: /DATA/AppData/caddy/caddyconf
        target: /etc/caddy
      - type: bind
        source: /DATA/AppData/caddy/site/
        target: /srv
      - type: bind
        source: /DATA/AppData/caddy/data/
        target: /data
      - type: bind
        source: /DATA/AppData/caddy/config/
        target: /config
    devices:
    network_mode: bridge
    privileged: false
    container_name: ""
```

a. System environment:

docker compose

b. Command:

running via compose


c. Service/unit/compose file:


d. My complete Caddy config:

caddy fmt /etc/caddy/Caddyfile

```
{
	acme_dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	servers {
		trusted_proxies cloudflare
		client_ip_headers Cf-Connecting-Ip
	}
	debug
}

bncs.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:8081 {
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

bot.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:3004 {
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

homeassistant.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:8123 {
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

git.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:3010 {
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

graylog.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:9001 {
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

immich.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:2283 {
		transport http {
			tls_insecure_skip_verify
		}
		flush_interval -1
	}
	request_body {
		max_size 0
	}
}

storage.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:9002
}

tybebot.harman.tv {
	encode gzip
	reverse_proxy 192.168.50.5:3003
}
```

5. Links to relevant resources:

Is port 2283 an HTTP or HTTPS?

If it’s HTTP, remove the tls_insecure_skip_verify directive, otherwise Caddy assumes the port is HTTPS.

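The check behind that answer, written out as an added example (my code, not Caddy's and not the original poster's). Caddy is written in Go, and the logged `tls: first record does not look like a TLS handshake` is Go's crypto/tls rejecting what came back after it sent a TLS ClientHello to the upstream: a plaintext HTTP server answers that handshake with something like `HTTP/1.1 400 Bad Request`, whose first byte is not a TLS record type. In the Caddyfile, `tls_insecure_skip_verify` (like any `tls_*` subdirective of `transport http`) switches the upstream to HTTPS, and additionally disables certificate verification, so it was doing two undesirable things at once for an HTTP-only Immich. The probe below performs the same handshake against two constructed local backends, a plaintext one that mimics Immich's reply and a self-signed HTTPS one from net/http/httptest, and classifies each by whether crypto/tls returns a `tls.RecordHeaderError`. The address `192.168.50.5:2283` in the comment is the upstream from the post; the 5 s timeouts and the 400 reply text are my assumptions.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// ProbeUpstream connects to addr ("host:port"), attempts a TLS handshake and
// returns the scheme a reverse_proxy should use for that upstream: "https" if
// the handshake completes, "http" if the peer answered in plaintext. For the
// plaintext case firstBytes holds the first five bytes of the reply, i.e. the
// bytes crypto/tls refused to treat as a TLS record header.
//
// InsecureSkipVerify is set here because this is a one-shot diagnostic that
// never carries application data; the only question it answers is whether
// the port speaks TLS at all. Do not carry that setting into the proxy config.
func ProbeUpstream(addr string) (scheme string, firstBytes []byte, err error) {
	raw, err := net.DialTimeout("tcp", addr, 5*time.Second)
	if err != nil {
		return "", nil, err
	}
	defer raw.Close()
	_ = raw.SetDeadline(time.Now().Add(5 * time.Second))

	c := tls.Client(raw, &tls.Config{InsecureSkipVerify: true}) // probe only
	herr := c.Handshake()
	if herr == nil {
		return "https", nil, nil
	}
	// crypto/tls returns RecordHeaderError when the first record from the peer
	// is neither a handshake nor an alert record, i.e. the upstream is not a
	// TLS server at all. Anything else (refused, timeout) is a real failure.
	var rhe tls.RecordHeaderError
	if errors.As(herr, &rhe) {
		return "http", rhe.RecordHeader[:], nil
	}
	return "", nil, herr
}

// startPlaintextBackend is a constructed stand-in for an HTTP-only upstream
// such as Immich on port 2283. It drains the incoming TLS ClientHello record,
// answers with an HTTP 400 and closes, which is the kind of reply that makes
// the proxy side log "first record does not look like a TLS handshake".
func startPlaintextBackend() (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed by stop()
			}
			go func(conn net.Conn) {
				defer conn.Close()
				// TLS record header: type(1) version(2) length(2). Read the whole
				// ClientHello so the close is a clean FIN rather than a RST.
				hdr := make([]byte, 5)
				if _, err := io.ReadFull(conn, hdr); err == nil && hdr[0] == 0x16 {
					n := int(hdr[3])<<8 | int(hdr[4])
					_, _ = io.CopyN(io.Discard, conn, int64(n))
				}
				_, _ = io.WriteString(conn,
					"HTTP/1.1 400 Bad Request\r\nConnection: close\r\nContent-Length: 0\r\n\r\n")
			}(conn)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

// startTLSBackend starts a self-signed HTTPS upstream via net/http/httptest,
// the one case in which a "transport http { tls ... }" block is warranted.
func startTLSBackend() (addr string, stop func()) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		_, _ = io.WriteString(w, "ok")
	}))
	return strings.TrimPrefix(srv.URL, "https://"), srv.Close
}

func main() {
	plain, stopPlain, err := startPlaintextBackend()
	if err != nil {
		panic(err)
	}
	defer stopPlain()
	secure, stopTLS := startTLSBackend()
	defer stopTLS()

	// To probe the real upstream from the thread, use "192.168.50.5:2283" here.
	for _, addr := range []string{plain, secure} {
		scheme, first, err := ProbeUpstream(addr)
		if err != nil {
			fmt.Printf("%s: probe failed: %v\n", addr, err)
			continue
		}
		if first != nil {
			fmt.Printf("%s speaks %s (first bytes of reply: %q)\n", addr, scheme, first)
		} else {
			fmt.Printf("%s speaks %s\n", addr, scheme)
		}
	}
}
```

If the probe reports `http`, the `transport http` block should go entirely, as was done in this thread; if it reports `https`, keep `transport http { tls }` and make the certificate verifiable (for example with `tls_server_name` matching the upstream's certificate) rather than reaching for `tls_insecure_skip_verify`, which leaves the proxy-to-backend hop open to anyone who can answer on that address.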

Thanks again for that - apologies for not being able to reply directly at the time!

