1. The problem I’m having:
Using caddy as reverse proxy on server1 failed to serve nextcloudaio on server2:
no connection to port 11000 on server2. Port 1880 (for node-red) on server1 is successfull. Docker installation is used for both services.
2. Error messages and/or full log output:
dial tcp 192.168.0.93:11000: connect: connection refused
[+] Running 1/1
✔ Container caddy-caddy-1 Created 0.1s
Attaching to caddy-1
caddy-1 | {"level":"info","ts":1753456389.5231357,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy-1 | {"level":"info","ts":1753456389.5237172,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":3583704268,"previous":9223372036854775807}
caddy-1 | {"level":"info","ts":1753456389.523903,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy-1 | {"level":"info","ts":1753456389.5268323,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy-1 | {"level":"info","ts":1753456389.530692,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy-1 | {"level":"info","ts":1753456389.5312476,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy-1 | {"level":"info","ts":1753456389.5313275,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":443}
caddy-1 | {"level":"info","ts":1753456389.5313528,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
caddy-1 | {"level":"debug","ts":1753456389.5314608,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{},{}]},"srv0":{"listen":[":1880"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.14:1880"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}},"srv1":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.93:11000"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy-1 | {"level":"info","ts":1753456389.5350697,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400060c380"}
caddy-1 | {"level":"debug","ts":1753456389.5459056,"logger":"http","msg":"starting server loop","address":"[::]:1880","tls":true,"http3":false}
caddy-1 | {"level":"info","ts":1753456389.5459957,"logger":"http","msg":"enabling HTTP/3 listener","addr":":1880"}
caddy-1 | {"level":"info","ts":1753456389.5477989,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy-1 | {"level":"debug","ts":1753456389.5620995,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy-1 | {"level":"info","ts":1753456389.5621684,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy-1 | {"level":"info","ts":1753456389.5630224,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
caddy-1 | {"level":"debug","ts":1753456389.5744505,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy-1 | {"level":"warn","ts":1753456389.5745242,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy-1 | {"level":"warn","ts":1753456389.574535,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy-1 | {"level":"info","ts":1753456389.5745435,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy-1 | {"level":"info","ts":1753456389.574558,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["mydomain.ddns.net"]}
caddy-1 | {"level":"warn","ts":1753456389.5763597,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [mydomain.ddns.net]: no OCSP server specified in certificate","identifiers":["mydomain.ddns.net"]}
caddy-1 | {"level":"debug","ts":1753456389.5766845,"logger":"tls.cache","msg":"added certificate to cache","subjects":["mydomain.ddns.net"],"expiration":1761206189,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"213ad28d29977852438b5c0bd92554da4f0f7822bc1dad1ff9deb983d3b5d64f","cache_size":1,"cache_capacity":10000}
caddy-1 | {"level":"debug","ts":1753456389.576764,"logger":"events","msg":"event","name":"cached_managed_cert","id":"7fabba8e-395d-4dca-b3c2-02a6f7b0939e","origin":"tls","data":{"sans":["mydomain.ddns.net"]}}
caddy-1 | {"level":"debug","ts":1753456389.5769715,"logger":"events","msg":"event","name":"started","id":"7c73ad3c-e55a-46f0-9c27-42157eb8e621","origin":"","data":null}
caddy-1 | {"level":"info","ts":1753456389.5782452,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy-1 | {"level":"info","ts":1753456389.5784826,"msg":"serving initial configuration"}
caddy-1 | {"level":"info","ts":1753456389.5842605,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"02250a9c-3d83-4b7b-9a82-6438972013bf","try_again":1753542789.5842545,"try_again_in":86399.999997703}
caddy-1 | {"level":"info","ts":1753456389.5845222,"logger":"tls","msg":"finished cleaning storage units"}
caddy-1 | {"level":"debug","ts":1753456390.333207,"logger":"events","msg":"event","name":"tls_get_certificate","id":"4868632b-a947-4285-b683-698cf90393b9","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140],"ServerName":"mydomain.ddns.net","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2074,2075,2076,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"82.212.15.135","Port":53140,"Zone":""},"LocalAddr":{"IP":"172.23.0.2","Port":443,"Zone":""}}}}
caddy-1 | {"level":"debug","ts":1753456390.333464,"logger":"tls.handshake","msg":"choosing certificate","identifier":"mydomain.ddns.net","num_choices":1}
caddy-1 | {"level":"debug","ts":1753456390.3334796,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"mydomain.ddns.net","subjects":["mydomain.ddns.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"213ad28d29977852438b5c0bd92554da4f0f7822bc1dad1ff9deb983d3b5d64f"}
caddy-1 | {"level":"debug","ts":1753456390.3334992,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"82.212.15.135","remote_port":"53140","subjects":["mydomain.ddns.net"],"managed":true,"expiration":1761206189,"hash":"213ad28d29977852438b5c0bd92554da4f0f7822bc1dad1ff9deb983d3b5d64f"}
caddy-1 | {"level":"debug","ts":1753456390.3972504,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.93:11000","total_upstreams":1}
caddy-1 | {"level":"debug","ts":1753456390.4519954,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.93:11000","duration":0.05457977,"request":{"remote_ip":"82.212.15.135","remote_port":"53140","client_ip":"82.212.15.135","proto":"HTTP/1.1","method":"GET","host":"mydomain.ddns.net","uri":"/index.php/204","headers":{"X-Forwarded-For":["82.212.15.135"],"Accept-Encoding":["zstd, gzip, deflate"],"Accept-Language":["de-DE,en,*"],"Accept":["*/*"],"X-Forwarded-Host":["mydomain.ddns.net"],"Via":["1.1 Caddy"],"X-Request-Id":["ed85486f-3095-4e08-8bc7-1714788ffc8e"],"User-Agent":["Mozilla/5.0 (Linux) mirall/3.16.6 (build 31593) (Nextcloud, linuxmint-6.8.0-64-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"mydomain.ddns.net"}},"error":"dial tcp 192.168.0.93:11000: connect: connection refused"}
caddy-1 | {"level":"error","ts":1753456390.4521844,"logger":"http.log.error","msg":"dial tcp 192.168.0.93:11000: connect: connection refused","request":{"remote_ip":"82.212.15.135","remote_port":"53140","client_ip":"82.212.15.135","proto":"HTTP/1.1","method":"GET","host":"mydomain.ddns.net","uri":"/index.php/204","headers":{"Accept-Encoding":["zstd, gzip, deflate"],"Accept-Language":["de-DE,en,*"],"User-Agent":["Mozilla/5.0 (Linux) mirall/3.16.6 (build 31593) (Nextcloud, linuxmint-6.8.0-64-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"],"Accept":["*/*"],"X-Request-Id":["ed85486f-3095-4e08-8bc7-1714788ffc8e"],"Connection":["Keep-Alive"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"mydomain.ddns.net"}},"duration":0.054950284,"status":502,"err_id":"p42wvje1q","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}
caddy-1 | {"level":"debug","ts":1753456396.0087905,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1f703030-8e77-4060-9831-8b848d602a87","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,4868,49196,52393,49325,49162,49195,49324,49161,49200,52392,49172,49199,49171,157,49309,53,156,49308,47,159,52394,49311,57,158,49310,51],"ServerName":"mydomain.ddns.net","SupportedCurves":[23,24,25,29,30,256,257,258,259,260],"SupportedPoints":"AA==","SignatureSchemes":[1025,2057,2052,1027,2055,1281,2058,2053,1283,2056,1537,2059,2054,1539,513,515],"SupportedProtos":["h2","http/1.1","http/1.0"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"82.212.15.135","Port":53146,"Zone":""},"LocalAddr":{"IP":"172.23.0.2","Port":443,"Zone":""}}}}
caddy-1 | {"level":"debug","ts":1753456396.0090222,"logger":"tls.handshake","msg":"choosing certificate","identifier":"mydomain.ddns.net","num_choices":1}
caddy-1 | {"level":"debug","ts":1753456396.0090728,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"mydomain.ddns.net","subjects":["mydomain.ddns.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"213ad28d29977852438b5c0bd92554da4f0f7822bc1dad1ff9deb983d3b5d64f"}
caddy-1 | {"level":"debug","ts":1753456396.0091124,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"82.212.15.135","remote_port":"53146","subjects":["mydomain.ddns.net"],"managed":true,"expiration":1761206189,"hash":"213ad28d29977852438b5c0bd92554da4f0f7822bc1dad1ff9deb983d3b5d64f"}
caddy-1 | {"level":"debug","ts":1753456396.0408027,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.93:11000","total_upstreams":1}
caddy-1 | {"level":"debug","ts":1753456396.0559578,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.93:11000","duration":0.014777333,"request":{"remote_ip":"82.212.15.135","remote_port":"53146","client_ip":"82.212.15.135","proto":"HTTP/2.0","method":"REPORT","host":"mydomain.ddns.net","uri":"/remote.php/dav/calendars/andi/testaio/","headers":{"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["de-de, de;q=0.9"],"Depth":["1"],"User-Agent":["Evolution/3.56.2"],"Cache-Control":["no-cache"],"Pragma":["no-cache"],"X-Forwarded-For":["82.212.15.135"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["mydomain.ddns.net"],"Via":["2.0 Caddy"],"Content-Type":["application/xml; charset=\"utf-8\""],"Content-Length":["318"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"mydomain.ddns.net"}},"error":"dial tcp 192.168.0.93:11000: connect: connection refused"}
caddy-1 | {"level":"error","ts":1753456396.0565417,"logger":"http.log.error","msg":"dial tcp 192.168.0.93:11000: connect: connection refused","request":{"remote_ip":"82.212.15.135","remote_port":"53146","client_ip":"82.212.15.135","proto":"HTTP/2.0","method":"REPORT","host":"mydomain.ddns.net","uri":"/remote.php/dav/calendars/andi/testaio/","headers":{"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["de-de, de;q=0.9"],"Depth":["1"],"User-Agent":["Evolution/3.56.2"],"Cache-Control":["no-cache"],"Pragma":["no-cache"],"Content-Type":["application/xml; charset=\"utf-8\""],"Content-Length":["318"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"mydomain.ddns.net"}},"duration":0.015549732,"status":502,"err_id":"cgrafpg0g","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}
caddy-1 | {"level":"debug","ts":1753456452.387643,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.93:11000","total_upstreams":1}
caddy-1 | {"level":"debug","ts":1753456452.397915,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.93:11000","duration":0.010132355,"request":{"remote_ip":"82.212.15.135","remote_port":"53140","client_ip":"82.212.15.135","proto":"HTTP/1.1","method":"GET","host":"mydomain.ddns.net","uri":"/index.php/204","headers":{"User-Agent":["Mozilla/5.0 (Linux) mirall/3.16.6 (build 31593) (Nextcloud, linuxmint-6.8.0-64-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"],"Accept":["*/*"],"X-Request-Id":["fa6ade79-b46d-4e9a-bb80-d83f6c7fd687"],"X-Forwarded-For":["82.212.15.135"],"Accept-Encoding":["zstd, gzip, deflate"],"Accept-Language":["de-DE,en,*"],"X-Forwarded-Host":["mydomain.ddns.net"],"Via":["1.1 Caddy"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"mydomain.ddns.net"}},"error":"dial tcp 192.168.0.93:11000: connect: connection refused"}
caddy-1 | {"level":"error","ts":1753456452.398081,"logger":"http.log.error","msg":"dial tcp 192.168.0.93:11000: connect: connection refused","request":{"remote_ip":"82.212.15.135","remote_port":"53140","client_ip":"82.212.15.135","proto":"HTTP/1.1","method":"GET","host":"mydomain.ddns.net","uri":"/index.php/204","headers":{"User-Agent":["Mozilla/5.0 (Linux) mirall/3.16.6 (build 31593) (Nextcloud, linuxmint-6.8.0-64-generic ClientArchitecture: x86_64 OsArchitecture: x86_64)"],"Accept":["*/*"],"X-Request-Id":["fa6ade79-b46d-4e9a-bb80-d83f6c7fd687"],"Connection":["Keep-Alive"],"Accept-Encoding":["zstd, gzip, deflate"],"Accept-Language":["de-DE,en,*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","server_name":"mydomain.ddns.net"}},"duration":0.010465536,"status":502,"err_id":"mmsmy58e3","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}
3. Caddy version:
v2.10.0 h1
4. How I installed and ran Caddy:
Caddy run with docker:
a. System environment:
Docker version 28.3.2 running on raspberrypi (Linux smarthome4 6.12.25+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.12.25-1+rpt1 (2025-04-30) aarch64 GNU/Linux)
b. Command:
docker compose up
c. Service/unit/compose file:
caddy:
services:
caddy:
image: caddy:latest
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "443:443/udp"
volumes:
- ./conf:/etc/caddy
- ./certs:/certs
- ./site:/srv
- caddy_data:/data
- caddy_config:/config
volumes:
caddy_data:
caddy_config:
nextcloudaio:
services:
nextcloud-aio-mastercontainer:
image: ghcr.io/nextcloud-releases/all-in-one:latest
init: true
restart: always
container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly
volumes:
- nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work
- /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'!
network_mode: bridge # add to the same network as docker run would do
ports:
# - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
- 8080:8080
- 11000:11000
# - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Caddy, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md
environment:
NEXTCLOUD_DATADIR: /media/docker/nextcloud/data_dir
SKIP_DOMAIN_VALIDATION: true
APACHE_PORT: 11000
APACHE_IP_BINDING: 0.0.0.0
APACHE_ADDITIONAL_NETWORK=""
volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive
nextcloud_aio_mastercontainer:
name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work
d. My complete Caddy config:
{
debug
}
mydomain.ddns.net:1880 {
reverse_proxy 192.168.0.14:1880
}
mydomain.ddns.net:443 {
reverse_proxy 192.168.0.93:11000
}