Accessible on local network but not on anything not on local network

1. The problem I’m having:

I'm running Caddy on Ubuntu Linux. I have a domain name and I have gotten Caddy working (when I type the domain it takes me to the "next step" page), but I can't access it if I'm not on my local network, only if I'm connected to my network directly.

2. Error messages and/or full log output:

Jun 28 17:00:27 server1.sargtv.com systemd[1]: Starting Caddy...
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: caddy.HomeDir=/var/lib/caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: caddy.Version=v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.GOOS=linux
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.GOARCH=amd64
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.Compiler=gc
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.NumCPU=4
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.GOMAXPROCS=4
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: runtime.Version=go1.20
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: os.Getwd=/
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: LANG=en_CA.UTF-8
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: LANGUAGE=en_CA:en
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: NOTIFY_SOCKET=/run/systemd/notify
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: HOME=/var/lib/caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: LOGNAME=caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: USER=caddy
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: INVOCATION_ID=7d1d75e7dd5941feb2d6e4e7eb467111
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: JOURNAL_STREAM=8:35209
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: SYSTEMD_EXEC_PID=3617
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.237841,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"warn","ts":1687986027.2384462,"msg":"Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":1}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2389266,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2396538,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2396681,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2397215,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000446620"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986027.2398047,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2398827,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2398045,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2400107,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2400951,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.240192,"logger":"tls","msg":"finished cleaning storage units"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986027.240289,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.240345,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2403986,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["stream.sargtv.com"]}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986027.2406454,"logger":"tls","msg":"loading managed certificate","domain":"stream.sargtv.com","expiration":1695742581,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986027.2408764,"logger":"tls.cache","msg":"added certificate to cache","subjects":["stream.sargtv.com"],"expiration":1695742581,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"96500c8b5d898a76ddbd1d0d7b95434582a0b42878261562283e50c529a0a513","cache_size":1,"cache_capacity":10000}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986027.2409477,"logger":"events","msg":"event","name":"cached_managed_cert","id":"45c29823-edfe-4732-9563-ce1164c8c07c","origin":"tls","data":{"sans":["stream.sargtv.com"]}}
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.241309,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jun 28 17:00:27 server1.sargtv.com systemd[1]: Started Caddy.
Jun 28 17:00:27 server1.sargtv.com caddy[3617]: {"level":"info","ts":1687986027.2417886,"msg":"serving initial configuration"}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.9729075,"logger":"events","msg":"event","name":"tls_get_certificate","id":"e0c92ab2-7f27-43c5-9dd9-8ab9f031d763","origin":"tls","data":{"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"stream.sargtv.com","SupportedCurves":[10794,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[47802,772,771],"Conn":{}}}}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.9729927,"logger":"tls.handshake","msg":"choosing certificate","identifier":"stream.sargtv.com","num_choices":1}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.9730036,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"stream.sargtv.com","subjects":["stream.sargtv.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"96500c8b5d898a76ddbd1d0d7b95434582a0b42878261562283e50c529a0a513"}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.973009,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.2.14","remote_port":"61290","subjects":["stream.sargtv.com"],"managed":true,"expiration":1695742581,"hash":"96500c8b5d898a76ddbd1d0d7b95434582a0b42878261562283e50c529a0a513"}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.975079,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/usr/share/caddy","request_path":"/","result":"/usr/share/caddy"}
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.9751062,"logger":"http.handlers.file_server","msg":"located index file","filename":"/usr/share/caddy/index.html"}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.614389,"logger":"events","msg":"event","name":"tls_get_certificate","id":"3d66d01d-df4f-407c-bf9d-12f8c63e1528","origin":"tls","data":{"client_hello":{"CipherSuites":[52392,52393,49199,49200,49195,49196,49171,49161,49172,49162,156,157,47,53,49170,10,4867,4865,4866],"ServerName":"","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.61444,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"192.168.2.104"}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.6144466,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","remote_ip":"162.142.125.13","remote_port":"35014","sni":""}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.614451,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"162.142.125.13","remote_port":"35014","server_name":"","remote":"162.142.125.13:35014","identifier":"192.168.2.104","cipher_suites":[52392,52393,49199,49200,49195,49196,49171,49161,49172,49162,156,157,47,53,49170,10,4867,4865,4866],"cert_cache_fill":0.0001,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.6144938,"logger":"http.stdlib","msg":"http: TLS handshake error from 162.142.125.13:35014: no certificate available for '192.168.2.104'"}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3304822,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4b20a4fc-e61f-4d87-94f7-f1c789492688","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"stream.sargtv.com","SupportedCurves":[29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"Conn":{}}}}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3305461,"logger":"tls.handshake","msg":"choosing certificate","identifier":"stream.sargtv.com","num_choices":1}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3305588,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"stream.sargtv.com","subjects":["stream.sargtv.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"96500c8b5d898a76ddbd1d0d7b95434582a0b42878261562283e50c529a0a513"}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3305638,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.2.14","remote_port":"57168","subjects":["stream.sargtv.com"],"managed":true,"expiration":1695742581,"hash":"96500c8b5d898a76ddbd1d0d7b95434582a0b42878261562283e50c529a0a513"}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3307815,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/usr/share/caddy","request_path":"/","result":"/usr/share/caddy"}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.330828,"logger":"http.handlers.file_server","msg":"opening file","filename":"/usr/share/caddy/index.html"}
Jun 28 17:06:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986417.3347414,"logger":"http.handlers.file_server","msg":"sanitized path join","site_root":"/usr/share/caddy","request_path":"/","result":"/usr/share/caddy"}
Jun 28 17:06:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986417.334786,"logger":"http.handlers.file_server","msg":"located index file","filename":"/usr/share/caddy/index.html"}
Jun 28 17:06:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986417.334798,"logger":"http.handlers.file_server","msg":"opening file","filename":"/usr/share/caddy/index.html"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Installed the script provided for Ubuntu and it just worked.

a. System environment:

Ubuntu 22.04.2 desktop

b. Command:

cd etc/caddy
caddy run

c. Service/unit/compose file:

d. My complete Caddy config:

{
	debug
}

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

stream.sargtv.com {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.
	file_server

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000
}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile
Error: Caddyfile:1: Caddyfile input is not formatted

5. Links to relevant resources:
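As an added example (not part of the original post or of Caddy itself), the script below triages the `tls.handshake` lines from the journal output above. It splits each journald line into its prefix and JSON payload, classifies the remote address as LAN or internet, and records whether Caddy served a certificate or rejected the ClientHello. Three lines are copied from the log above with their payloads trimmed to the fields the script reads; the regex for the journald prefix is an assumption about the `journalctl` format shown here.

```python
"""Triage the tls.handshake lines from a Caddy journal (added example)."""
import ipaddress
import json
import re
from collections import Counter

# Three journald lines copied from the log above; payloads reduced to the fields used here.
SAMPLE_LOG = r'''
Jun 28 17:00:37 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986037.973009,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.2.14","remote_port":"61290","subjects":["stream.sargtv.com"],"managed":true}
Jun 28 17:02:46 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986166.614451,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"162.142.125.13","remote_port":"35014","server_name":"","identifier":"192.168.2.104","on_demand":false}
Jun 28 17:02:57 server1.sargtv.com caddy[3617]: {"level":"debug","ts":1687986177.3305638,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.2.14","remote_port":"57168","subjects":["stream.sargtv.com"],"managed":true}
'''

# Assumed journald prefix layout: "<Mon DD HH:MM:SS> <host> caddy[<pid>]: <json>"
JOURNAL_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"caddy\[(?P<pid>\d+)\]: (?P<payload>\{.*\})$"
)


def parse_journal_line(line):
    """Return prefix fields merged with the decoded JSON payload, or None for the
    non-JSON startup lines (caddy.HomeDir=..., runtime.GOOS=..., systemd messages)."""
    m = JOURNAL_RE.match(line.strip())
    if not m:
        return None
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    return {"stamp": m.group("stamp"), "host": m.group("host"),
            "pid": int(m.group("pid")), **payload}


def classify_handshake(event):
    """Return a triage record for a tls.handshake event with a remote_ip, else None."""
    if event.get("logger") != "tls.handshake" or "remote_ip" not in event:
        return None
    remote = ipaddress.ip_address(event["remote_ip"])
    scope = "lan" if remote.is_private else "internet"
    msg = event.get("msg", "")
    if msg == "matched certificate in cache":
        outcome, name = "served", event.get("subjects", [""])[0]
    elif msg == "no certificate matching TLS ClientHello":
        name = event.get("server_name", "")
        # Empty SNI: the client connected to a bare IP (here the LAN address that
        # the DMZ exposes), for which Caddy holds no certificate. Expected for scanners.
        outcome = "rejected-no-sni" if name == "" else "rejected-unknown-name"
    else:
        outcome, name = "other", event.get("server_name", "")
    return {"stamp": event["stamp"], "remote_ip": str(remote),
            "scope": scope, "outcome": outcome, "name": name}


def triage(log_text):
    """All handshake records in journal order."""
    records = []
    for line in log_text.splitlines():
        event = parse_journal_line(line)
        if event:
            rec = classify_handshake(event)
            if rec:
                records.append(rec)
    return records


def reachability_report(log_text):
    """Counts per (scope, outcome) and whether any non-private address completed a
    ClientHello at all, i.e. port 443 is reachable from the internet regardless of
    the certificate outcome."""
    records = triage(log_text)
    counts = Counter((r["scope"], r["outcome"]) for r in records)
    return {
        "handshakes": len(records),
        "counts": dict(counts),
        "internet_reached_443": any(r["scope"] == "internet" for r in records),
        "internet_ips": sorted({r["remote_ip"] for r in records if r["scope"] == "internet"}),
    }


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
    print(reachability_report(SAMPLE_LOG))
```

Pipe `journalctl -u caddy --no-pager` through `triage()` to separate LAN clients from internet ones; a `rejected-no-sni` record from a public address is a client that hit port 443 by IP and is the normal background noise of an exposed server, not a misconfiguration.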

That’s really weird.

I don’t know how you got a certificate (your logs imply you did successfully get one in a previous run, because there’s no issuance errors and it shows it loaded a cert) if your server isn’t accessible on ports 80 or 443.

Did you make any changes to your router’s port forwarding or to your firewall after having run Caddy and added your domain to the config? You need to make sure Caddy is accessible on ports 80 and 443.

Managed to fix it by setting the server as DMZ using my WAN IP address. The only issue left is that I cannot access the domain if I'm connected to my network, only if I'm not connected to my network.

That could be a hairpin NAT situation…

Is there an easy way to fix that?

I have the same predicament in my home network. I guess modern routers don’t like going out to the Internet to resolve a name only to find that it resolves to its own public IP. :stuck_out_tongue:

I'm not an expert at this particular situation yet, but I think you can set up a DNS resolver on your home network to resolve just your name to an internal IP.

I kind of hate that solution though, I don’t know what other ones there are.

Might be worth confirming first that it is hairpin NAT.

Yeah the usual solution to your router not supporting NAT hairpinning is to run a DNS server in your LAN which resolves your domain to your LAN IP instead of your WAN IP, for devices in your network. Or you could override it in your /etc/hosts file on the relevant machines if that’s sufficient for you.

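As an added example (not from the thread), here is the "confirm it is hairpin NAT first" check from a LAN client, followed by the two overrides the last reply mentions. It resolves the name with the client's normal resolver, probes TCP 443 both at the resolved address and at the server's LAN address, and reports a verdict; the probe and resolver are injectable so the decision logic can be exercised offline. `192.168.2.104` is the LAN address from the log above; the dnsmasq `address=` form is an assumption about which LAN DNS server you would run.

```python
"""Confirm a hairpin-NAT symptom from inside the LAN before changing DNS (added example)."""
import ipaddress
import socket

# RFC 1918 and ULA ranges: what "LAN IP" means in this thread.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_lan_address(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def resolve_with_system_dns(name):
    """Addresses the client's normal resolver returns for `name` (what a browser would use)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443, type=socket.SOCK_STREAM)})


def tcp_probe(ip, port=443, timeout=3.0):
    """True if a plain TCP connection completes; no TLS or HTTP is attempted."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose_hairpin(name, lan_ip, resolve=resolve_with_system_dns, probe=tcp_probe):
    """Run on a machine inside the LAN. Compares the path via the DNS answer (normally
    the WAN address) with the path straight to the server's LAN address."""
    answers = resolve(name)
    wan_answers = [a for a in answers if not is_lan_address(a)]
    reached_via_name = [a for a in answers if probe(a)]
    reached_via_lan = probe(lan_ip)
    if not answers:
        verdict = "no-dns-answer"            # fix public DNS before anything else
    elif reached_via_name:
        verdict = "reachable"                # no hairpin problem from this client
    elif not reached_via_lan:
        verdict = "server-unreachable"       # not even the LAN address answers: check Caddy/firewall
    elif wan_answers:
        verdict = "hairpin-nat"              # LAN path fine; router will not loop the WAN address back
    else:
        verdict = "private-answer-unreachable"  # DNS already hands out a LAN address, but it does not answer
    return {"name": name, "lan_ip": lan_ip, "answers": answers,
            "reached_via_name": reached_via_name, "reached_via_lan": reached_via_lan,
            "verdict": verdict}


def hosts_override(name, lan_ip):
    """/etc/hosts line that pins the name to the LAN address on one machine."""
    return f"{lan_ip}\t{name}"


def dnsmasq_override(name, lan_ip):
    """dnsmasq directive for a LAN-wide override (assumes dnsmasq as the LAN resolver)."""
    return f"address=/{name}/{lan_ip}"


if __name__ == "__main__":
    result = diagnose_hairpin("stream.sargtv.com", "192.168.2.104")
    print(result)
    if result["verdict"] == "hairpin-nat":
        print("per-machine fix:", hosts_override("stream.sargtv.com", "192.168.2.104"))
        print("LAN-wide fix:   ", dnsmasq_override("stream.sargtv.com", "192.168.2.104"))
```

The `/etc/hosts` line only helps the machine it is written on; the dnsmasq line (or the equivalent in whatever resolver the LAN uses) fixes every client that uses that resolver, which is the "run a DNS server in your LAN" option. Either way the certificate keeps working, because the browser still sends `stream.sargtv.com` as SNI and only the address it connects to changes.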
