API under Caddy reverse proxy: necessary to disable SSL verification to reach the API with Postman (and another low-code tool)

1. The problem I’m having:

I have a self-hosted API behind a Caddy reverse proxy, which is in charge of serving what is necessary for SSL certificates and HTTPS.

The app is online and accessible with curl; everything is working in HTTPS.

If I try with Postman, it works only if I disable the option called:
“Enable SSL certificate verification”
With the option activated → Timeout.

With curl from the terminal → no problem reaching the endpoints and retrieving the data.
Certificates are correctly checked and accepted; I checked with curl -v to get verbose information.

2. Error messages and/or full log output:

Timeout nothing happens

3. Caddy version:


4. How I installed and ran Caddy:

Brew install

a. System environment:

macOS Ventura 13.5

b. Command:

Using a Caddyfile

Caddy start

c. Service/unit/compose file:

d. My complete Caddy config:

           revese-proxy: myhost : myport

5. Links to relevant resources:

Not enough information to go on here. I can’t help you debug tools like Postman.

Try making requests with curl -v and show what you get. Show Caddy’s logs (enable the debug global option for detailed logs).

This isn’t a valid config, there’s many syntax errors:

  • You must have a space after your domain name
  • The directive name is misspelled, and should use _ and not -
  • Directives cannot have a :
  • Proxy host:port may not have spaces between them.

Please actually share the config you used. Caddy would not have started successfully with this config.


Hi, thanks for your reply.

Regarding the Caddyfile, my bad: I did indeed add a : after the directive reverse-proxy.
I had trouble with redirection since then, and those redirect problems are now solved thanks to your feedback on this.
(Regarding the exact sentence, this was the old Caddyfile:)

lmdsm-api.com {
     reverse-proxy: <myip>:<myport>

Changed it to:

lmdsm-api.com {
     reverse-proxy <myip>:<myport>

Curl verbose command returns:

  Trying ***hidden***
* Connected to ***hidden*** (***hidden***) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /Users/***hidden***/cacert.pem
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=***hidden***
*  start date: Nov 30 13:34:57 2023 GMT
*  expire date: Feb 28 13:34:56 2024 GMT
*  subjectAltName: host "lmdsm-api.com" matched cert's "***hidden***"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fe36a812c00)
> GET /***hidden*** HTTP/2
> Host: ***hidden***
> user-agent: curl/7.78.0
> accept: */*
> authorization: Bearer ***hidden***
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< alt-svc: h3=":443"; ma=2592000
< content-type: application/json
< date: Tue, 05 Dec 2023 09:48:11 GMT
< server: Caddy
< server: ***hidden***
< content-length: 821616

The problem is solved on the low-code API tools.
Postman: same issue → disabling SSL verification works, but it seems that it’s a constant issue on Postman.

Solved at this point thanks for your help!

This is still invalid, the directive is reverse_proxy not reverse-proxy.

Are you sure you’re actually running Caddy with the config you think you are? Show your Caddy logs.
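The four syntax points listed in the first reply, and the `reverse_proxy` spelling repeated in the last one, can be checked mechanically before starting Caddy. The sketch below is an added example, not part of the thread or of Caddy itself; `lint_caddyfile` is a hypothetical helper that checks only those points, and the upstream `127.0.0.1:8000` is a constructed placeholder.

```python
import re

# Matches reverse_proxy and the misspellings seen in this thread
# (revese-proxy:, reverse-proxy:, reverse-proxy).
PROXY_LIKE = re.compile(r"^rev\w*[-_]proxy:?$", re.IGNORECASE)


def lint_caddyfile(text):
    """Return (line_number, message) pairs for the four mistakes listed in the reply."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        first, args = tokens[0], tokens[1:]
        # Point 1: the site address needs a space before the opening brace.
        if first.endswith("{") and first != "{":
            findings.append((number, "add a space between the site address and '{'"))
            continue
        if not PROXY_LIKE.match(first):
            continue
        # Point 3: a directive name is not followed by ':'.
        if first.endswith(":"):
            findings.append((number, "remove ':' after the directive name"))
        # Point 2: the directive is spelled reverse_proxy, with an underscore.
        name = first.rstrip(":")
        if name != "reverse_proxy":
            findings.append((number, f"unknown directive '{name}', use 'reverse_proxy'"))
        # Point 4: host:port is one token, so an argument ending in ':' was split.
        if any(arg.endswith(":") for arg in args):
            findings.append((number, "write the upstream as host:port without spaces"))
    return findings


# Constructed inputs: the configs quoted in the thread, with a made-up upstream.
FIRST_POST = "revese-proxy: myhost : myport"
SECOND_POST = "lmdsm-api.com {\n    reverse-proxy 127.0.0.1:8000\n}"
CORRECTED = "lmdsm-api.com {\n    reverse_proxy 127.0.0.1:8000\n}"

if __name__ == "__main__":
    for label, config in [("first", FIRST_POST), ("second", SECOND_POST),
                          ("corrected", CORRECTED)]:
        print(label, lint_caddyfile(config))
```
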
