Caddy Behind F5 ASM Web Access Firewall (WAF)

1. Caddy version (caddy version): 2.4.0

2. How I run Caddy:

caddy start

c. Service/unit/compose file:

NIL


#### Generic HTTPS reverse proxy configuration for public hosting; GoDaddy SSL certificate

4. Error messages and/or full log output:

No log written; log level: Debug

We just bought an F5 ASM Web Access Firewall (4600). We have a public website written in Go and Vue.js, reverse proxied through Caddy. After configuring the WAF for the web server, it is sending an empty response. Before this our app was working perfectly with TLS 1.3 (GoDaddy SHA256 wildcard certificate). The firewall configuration works for non-Caddy servers (IIS, Apache).
The server-side SSL handshake between the WAF and Caddy is not happening. I analysed the traffic using Wireshark and found that I was receiving an SSL handshake failure, Server [FIN, ACK]. The secured TCP connection is not completing and the client is receiving an empty response. The firewall is configured in TLS termination mode with the same SSL certificate (public cert, private key, certificate chain) for client-side encryption and server-side encryption.

5. What I already tried:

I enabled SSL offloading on the WAF, disabling server-side encryption. Now my client-side traffic is encrypted and WAF-to-server traffic is HTTP.

When you run with caddy start, you’re throwing away all your logs. That command is meant for quick-and-dirty spinning up of Caddy, and isn’t recommended for production.

Please use caddy run instead. It’s strongly recommended to run Caddy as a service, to ensure it’s started along with your system’s startup.

You’ve deleted entire sections of the help topic template. Please don’t do that. We need all that information to properly help you. Please fill out the help template completely.

We need to know your config, what type of system you’re running on, how you installed Caddy, your logs, example requests with curl -v, etc.

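For readers in the same situation, here is an added example Caddyfile (not from the original thread or from the Caddy project) covering the two deployment modes described above: the WAF re-encrypting to Caddy with the same wildcard certificate, and the WAF offloading TLS and forwarding plain HTTP. The hostname, certificate paths, log path and backend port are assumptions. The `debug` global option makes Caddy log TLS handshake errors to its process log, which is what the reply asks for and what `caddy start` discards. One check worth doing in the re-encrypt mode: Caddy selects the certificate to present by the SNI name in the ClientHello, so the WAF's server-side TLS profile must send the site hostname as SNI, otherwise the handshake can fail before any HTTP request is made.

```caddyfile
# Added example, not the poster's or the Caddy project's config.
# Run it with the process log on the console so handshake errors are visible:
#   caddy run --config /etc/caddy/Caddyfile
# (or install Caddy as a systemd service, which runs `caddy run` for you).

{
    # Assumption: global DEBUG logging so TLS handshake failures are recorded.
    debug
}

# Mode A: WAF terminates client TLS and re-encrypts to Caddy.
# Caddy presents the same GoDaddy wildcard certificate the WAF is configured
# to expect; paths are assumptions.
https://www.example.com {
    tls /etc/caddy/certs/wildcard.example.com.crt /etc/caddy/certs/wildcard.example.com.key

    # Per-site access log at DEBUG level (path is an assumption).
    log {
        output file /var/log/caddy/www.example.com.log
        level DEBUG
    }

    # Assumption: the Go backend listens on loopback port 8080.
    reverse_proxy 127.0.0.1:8080
}

# Mode B: SSL offloading on the WAF; WAF-to-Caddy traffic is plain HTTP.
# An explicit http:// site address stops Caddy from redirecting to HTTPS
# and from trying to obtain a certificate for the name.
http://www.example.com {
    log {
        output file /var/log/caddy/www.example.com.log
        level DEBUG
    }

    reverse_proxy 127.0.0.1:8080
}
```

To reproduce the WAF's server-side handshake from a shell on the WAF side (or any host that can reach Caddy), `openssl s_client -connect <caddy-host>:443 -servername www.example.com` shows whether Caddy presents a certificate and completes the handshake, and `curl -v --resolve www.example.com:443:<caddy-host> https://www.example.com/` exercises a full request; both outputs are the kind of detail the reply asks to be posted alongside the config and the `caddy run` log.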
