Blank page with Caddy but not other proxy

1. The problem I’m having:

My router webpage is blank with Caddy but not with Nginx Proxy Manager

Caddy

NPM

2. Error messages and/or full log output:

No error

3. Caddy version:

2.10.0

4. How I installed and ran Caddy:

a. System environment:

Proxmox LXC

b. Command:

https://community-scripts.github.io/ProxmoxVE/scripts?id=caddy

And xCaddy with these modules that I have in a bash file

#!/bin/bash
xcaddy build \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/greenpau/caddy-security \
    --with github.com/hslatman/caddy-crowdsec-bouncer \
    --output ./caddy

c. Service/unit/compose file:

d. My complete Caddy config:

{
	order authenticate before respond
	security {
		oauth identity provider generic {
			delay_start 3
			realm generic
			driver generic
			client_id client-id-from-pocket-id
			client_secret client-secret-from-pocket-id
			scopes openid email profile
			base_auth_url https://id.redacted.com
			metadata_url https://id.redacted.com/.well-known/openid-configuration
		}
		authentication portal myportal {
			crypto default token lifetime 3600 # 1 hour
			enable identity provider generic
			cookie insecure off
			transform user {
				match realm generic
				action add role user
			}
		}
		authentication portal shortportal {
			crypto default token lifetime 300    # 5 minutes
			enable identity provider generic
			cookie insecure off
			transform user {
				match realm generic
				action add role user
			}
		}
		authorization policy mypolicy {
			set auth url /caddy-security/oauth2/generic
			allow roles user
			inject headers with claims
		}
		authorization policy shortpolicy {
			set auth url /caddy-security/oauth2/generic
			allow roles user
			inject headers with claims
		}
	}
}

# IP restriction snippet
(local-ips-only) {
	@allowed_ips remote_ip 192.168.1.0/24 192.168.67.0/24
	@not_allowed not remote_ip 192.168.1.0/24 192.168.67.0/24
	
	# Block access from non-allowed IPs
	handle @not_allowed {
		respond "Access denied from your IP" 403
	}
}

# Standard auth snippet
(auth-standard) {
	@auth path /caddy-security/*
	route @auth {
		authenticate with myportal
	}
	route /* {
		authorize with mypolicy
	}
}

# Short session auth snippet
(auth-short) {
	@auth path /caddy-security/*
	route @auth {
		authenticate with shortportal
	}
	route /* {
		authorize with shortpolicy
	}
}

*.redacted.com {
	tls {
		dns cloudflare redacted
		resolvers 1.1.1.1
	}
	
	# Pocket-ID server (no auth needed)
	@pocketid host id.redacted.com
	handle @pocketid {
		import crowdsec-protection
		reverse_proxy @pocketid http://192.168.1.57:1411
	}
		
	@ldap host ldap.redacted.com
	handle @ldap {
		import crowdsec-protection
		import auth-short
		reverse_proxy @ldap http://192.168.1.18:1717
	}

	# Routing/Network
	@router host router.redacted.com
	handle @router {
		import crowdsec-protection
		import local-ips-only
		reverse_proxy @router https://192.168.1.1:443
	}
	
	# Fallback
	handle {
		import crowdsec-protection
		respond "Service not configured for {host}" 404
	}
}

5. Links to relevant resources:

I see this in the network section on Brave

and curl

You don’t need the @router here. And the issue is that the certificate presented by upstream isn’t trusted by default. If you can’t get the CA certificate of upstream, use tls_trust_pool so Caddy trusts it. Otherwise, use tls_insecure_skip_verify.
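The two options named in this reply, side by side, as an added example that is not part of the original thread. The PEM path and the `tls_server_name` value are assumed placeholders; the host matcher and upstream address are the ones from the posted config.

```caddyfile
# Added example (not from the thread). Goes inside the *.redacted.com site block.

@router host router.redacted.com
handle @router {
	# Weak option: the upstream certificate is not checked at all, so
	# anything answering on 192.168.1.1:443 is accepted as the router.
	#
	# reverse_proxy https://192.168.1.1:443 {
	#	transport http {
	#		tls_insecure_skip_verify
	#	}
	# }

	# Preferred option: keep verification on, but trust the router's
	# own CA (or its self-signed certificate) exported as PEM.
	reverse_proxy https://192.168.1.1:443 {
		transport http {
			tls_trust_pool file {
				# Assumed path: wherever the exported PEM is stored.
				pem_file /etc/caddy/router-ca.pem
			}

			# The certificate must also match the name being dialed.
			# The upstream is addressed by IP, so the certificate needs
			# an IP SAN for 192.168.1.1. If it only carries a hostname,
			# set that name here (hypothetical value shown):
			# tls_server_name router.lan
		}
	}
}
```

With the trust pool in place, a changed or substituted certificate on the router makes the proxy request fail instead of being silently accepted.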


Oh okay.
May I ask what the @ does in this case?

In that particular location, it’s useless. Redundant. It’s already inside a handle block guarded by the same matcher.

So in all my examples, I don’t need it then? :sweat_smile:

Nope. You just need them with the handle.

Thank you so much. Anything else I can do better?

One other question: is there any way I can reload my config without restarting Caddy? Every time, my uptime-kuma alerts when I try to reload my config.

Hmm, not working for me here.


    @router host router.domain.com
    handle @router {
            reverse_proxy https://192.168.1.1:443 {
                    transport http {
                            tls_insecure_skip_verify
                    }
            }
    }

There’s a redirect coming from your router to 192.168.1.1, which fails to load (blocked by orb). That’s something on your router, not Caddy.


Well, you skipped section C, so I cannot answer, but a simple caddy reload suffices.