Bad Gateway Converting working nginx config to caddy

1. The problem I’m having:

exec summary: When I access the site with domain I get a 502 error.

This is from edge. Firefox just gives a blank page.

This page isn’t working right now

**files.localtest.live** can't currently handle this request.

HTTP ERROR 502

2. Error messages and/or full log output:

Oct 09 13:05:47 rp caddy[2406]: {"level":"debug","ts":1696874747.837024,"logger":"events","msg":"event","name":"tls_get_certificate","id":"744831ca-89ec-4233-850e-428934c84875","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,163,159,162,158,52394,49327,49325,49188,49192,49162,49172,49315,49311,107,106,57,56,49326,49324,49187,49191,49161,49171,49314,49310,103,64,51,50,49245,49249,49244,49248,49267,49271,49266,49270,49239,49235,49238,49234,196,195,190,189,136,135,69,68,157,156,49313,49309,49312,49308,61,60,53,47,49233,49232,192,186,132,65,255],"ServerName":"","SupportedCurves":[29,23,30,25,24],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,515,769,513,770,514,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771,770,769],"Conn":{}}}}
Oct 09 13:05:47 rp caddy[2406]: {"level":"debug","ts":1696874747.8370938,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"192.168.2.40"}
Oct 09 13:05:47 rp caddy[2406]: {"level":"debug","ts":1696874747.8371043,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"93.119.227.91","remote_port":"57556","server_name":"","remote":"93.119.227.91:57556","identifier":"192.168.2.40","cipher_suites":[4866,4867,4865,49196,49200,49195,49199,52393,52392,163,159,162,158,52394,49327,49325,49188,49192,49162,49172,49315,49311,107,106,57,56,49326,49324,49187,49191,49161,49171,49314,49310,103,64,51,50,49245,49249,49244,49248,49267,49271,49266,49270,49239,49235,49238,49234,196,195,190,189,136,135,69,68,157,156,49313,49309,49312,49308,61,60,53,47,49233,49232,192,186,132,65,255],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
Oct 09 13:05:47 rp caddy[2406]: {"level":"debug","ts":1696874747.8371556,"logger":"http.stdlib","msg":"http: TLS handshake error from 93.119.227.91:57556: no certificate available for '192.168.2.40'"}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.6617768,"logger":"events","msg":"event","name":"tls_get_certificate","id":"ee62c7e3-beb6-494a-a95a-0e5a5e4dd0eb","origin":"tls","data":{"client_hello":{"CipherSuites":[39578,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"files.localtest.live","SupportedCurves":[2570,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"Conn":{}}}}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.662014,"logger":"tls.handshake","msg":"choosing certificate","identifier":"files.localtest.live","num_choices":1}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.662041,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"files.localtest.live","subjects":["files.localtest.live"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"af36ea92587abc3272fbdc10033617bec6947b2e99ddfb73fccfa4566315ebdc"}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.662067,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"76.76.236.102","remote_port":"44906","subjects":["files.localtest.live"],"managed":true,"expiration":1704644739,"hash":"af36ea92587abc3272fbdc10033617bec6947b2e99ddfb73fccfa4566315ebdc"}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.6735723,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"filevista:80","total_upstreams":1}
Oct 09 13:06:57 rp caddy[2406]: {"level":"debug","ts":1696874817.6744752,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.2.178:6060/filevista:80","duration":0.000834773,"request":{"remote_ip":"76.76.236.102","remote_port":"44906","client_ip":"76.76.236.102","proto":"HTTP/2.0","method":"GET","host":"files.localtest.live","uri":"/","headers":{"Dnt":["1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"X-Forwarded-For":["76.76.236.102"],"X-Forwarded-Host":["files.localtest.live"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"117\", \"Not;A=Brand\";v=\"8\", \"Chromium\";v=\"117\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-User":["?1"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["none"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"files.localtest.live"}},"error":"dial tcp: lookup filevista on 127.0.0.53:53: server misbehaving"}
Oct 09 13:06:57 rp caddy[2406]: {"level":"error","ts":1696874817.674566,"logger":"http.log.error","msg":"dial tcp: lookup filevista on 127.0.0.53:53: server misbehaving","request":{"remote_ip":"76.76.236.102","remote_port":"44906","client_ip":"76.76.236.102","proto":"HTTP/2.0","method":"GET","host":"files.localtest.live","uri":"/","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Site":["none"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua":["\"Microsoft Edge\";v=\"117\", \"Not;A=Brand\";v=\"8\", \"Chromium\";v=\"117\""],"Dnt":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"files.localtest.live"}},"duration":0.001039221,"status":502,"err_id":"ftxtben8d","err_trace":"reverseproxy.statusError (reverseproxy.go:1248)"}

3. Caddy version:

v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

4. How I installed and ran Caddy:

techrepublic for ubuntu 22.04

a. System environment:

ubuntu 2022
systemd
Caddyfile in /etc/caddy

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

NONE

d. My complete Caddy config:

{
	debug
}
#this works
localtest.live {
	reverse_proxy 192.168.2.177:80
}
#this works
www.localtest.live {
	reverse_proxy 192.168.2.177:80
}
#bad gateway here
files.localtest.live {
	reverse_proxy 192.168.2.178:6060/filevista
}

5. Links to relevant resources:

this is the nginx setup that works.
I just slammed stuff into it until it started working.
Resources for which headers to try were Microsoft since the server is IIS.

		server_name files.localtest.live;
		location / {
			proxy_pass http://192.168.2.178:6060;
			proxy_http_version 1.1;
			proxy_headers_hash_max_size 512;
			proxy_headers_hash_bucket_size 128;
			proxy_connect_timeout 120s;
			proxy_set_header X-Accel-Expires 0;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_read_timeout 86400;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection keep-alive;
			proxy_cache_bypass $http_upgrade;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Forwarded-For $remote_addr;
			proxy_set_header Host $host;
		}

The filevista there isn’t a valid upstream address.

Here, Caddy thinks the entire 192.168.2.178:6060/filevista is the upstream dial address, so it sticks the missing port :80 there. See the result of adapting the file to JSON (Caddy’s native config language):

{
  "apps": {
    "http": {
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "match": [
                {
                  "host": [
                    "files.localtest.live"
                  ]
                }
              ],
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "192.168.2.178:6060/filevista:80"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    }
  }
}

If you need to proxy to a sub-path, you will have to do a rewrite first. That said, your NGINX config doesn’t have the /filevista. Are you sure you need it?
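
The two options from the answer above, written out as a Caddyfile. This is an added example, not part of the original posts; it reuses the hostname and upstream from the question, and the `X-Real-IP` line is an assumption carried over from the nginx config.

```caddyfile
# Variant A: equivalent of the working nginx config
# (proxy_pass http://192.168.2.178:6060;). The upstream is host:port only.
files.localtest.live {
	reverse_proxy 192.168.2.178:6060 {
		# Caddy already sends X-Forwarded-For/-Host/-Proto upstream
		# (visible in the "upstream roundtrip" log line) and passes
		# the original Host header through unchanged.
		# Assumption: only needed if the IIS app reads X-Real-IP,
		# as the nginx config set it.
		header_up X-Real-IP {remote_host}
	}
}

# Variant B: use INSTEAD of A only if the backend really serves the
# application under /filevista. The path goes in a rewrite, never in
# the upstream address.
#
# files.localtest.live {
# 	# /foo from the client becomes /filevista/foo at the backend
# 	rewrite * /filevista{uri}
# 	reverse_proxy 192.168.2.178:6060
# }
```

Running `caddy adapt --config /etc/caddy/Caddyfile --pretty` before reloading shows the resulting `dial` value, which should read `192.168.2.178:6060` with no path and no extra `:80`.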

That is totally on me. I knew supplying the subfolder on the URI wouldn’t work but did it anyway.

Removing the subfolder worked.

I was just looking at the last line of the journal dump. Should have looked up above that; I may - maybe - have figured it out myself.

Thanks for waking me up.

p
