Caddy causes http error 502 (connect: connection refused)

1. The problem I’m having:

I have a small test setup: a VPS with 3 docker containers: nginx, php8-fpm and caddy. I have a domain name that points to the VPS IP with an A record and a CNAME record for the www subdomain.

I want the Caddy container to send all requests from 80 and 443 to the nginx container. Requests for both the naked domain and www subdomain reach Caddy but the browser page and logs show status 502 and connection refused.

2. Error messages and/or full log output:

Error for www:
{"level":"error","ts":1708205138.2808132,"logger":"http.log.error","msg":"dial tcp 172.25.0.3:9999: connect: connection refused","request":{"remote_ip":"86.125.245.170","remote_port":"58418","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"www.mapq.org","uri":"/","headers":{"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.mapq.org"}},"duration":0.004002846,"status":502,"err_id":"g6tgn343s","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

Error for naked domain:
{"level":"error","ts":1708205271.8090503,"logger":"http.log.error","msg":"dial tcp 172.25.0.3:9999: connect: connection refused","request":{"remote_ip":"86.125.245.170","remote_port":"20819","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Te":["trailers"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"duration":0.002894735,"status":502,"err_id":"jgaxjq4i0","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

Full debug for www:
{"level":"debug","ts":1708205138.2291155,"logger":"events","msg":"event","name":"tls_get_certificate","id":"14fb1c4f-ad2a-48dd-a3fe-c5300ce321f3","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"www.mapq.org","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"86.125.245.170","Port":58418,"Zone":""},"LocalAddr":{"IP":"172.25.0.2","Port":443,"Zone":""}}}}
{"level":"debug","ts":1708205138.2296107,"logger":"tls.handshake","msg":"choosing certificate","identifier":"www.mapq.org","num_choices":1}
{"level":"debug","ts":1708205138.2296846,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"www.mapq.org","subjects":["www.mapq.org"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"cfb0e8661cb491e7b6fa8b8029f52d7d08192306b9c10894887a0f8da73bfa81"}
{"level":"debug","ts":1708205138.2297025,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"86.125.245.170","remote_port":"58418","subjects":["www.mapq.org"],"managed":true,"expiration":1715971578,"hash":"cfb0e8661cb491e7b6fa8b8029f52d7d08192306b9c10894887a0f8da73bfa81"}
{"level":"debug","ts":1708205138.276901,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"test-php-nginx-web-server-1:9999","total_upstreams":1}
{"level":"debug","ts":1708205138.279826,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999","duration":0.001933431,"request":{"remote_ip":"86.125.245.170","remote_port":"58418","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"www.mapq.org","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"X-Forwarded-Host":["www.mapq.org"],"Te":["trailers"],"Upgrade-Insecure-Requests":["1"],"X-Forwarded-For":["86.125.245.170"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["none"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Dest":["document"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.mapq.org"}},"error":"dial tcp 172.25.0.3:9999: connect: connection refused"}
{"level":"error","ts":1708205138.2808132,"logger":"http.log.error","msg":"dial tcp 172.25.0.3:9999: connect: connection refused","request":{"remote_ip":"86.125.245.170","remote_port":"58418","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"www.mapq.org","uri":"/","headers":{"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-User":["?1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.mapq.org"}},"duration":0.004002846,"status":502,"err_id":"g6tgn343s","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"debug","ts":1708205138.699084,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"test-php-nginx-web-server-1:9999","total_upstreams":1}
{"level":"debug","ts":1708205138.699791,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999","duration":0.000015286,"request":{"remote_ip":"86.125.245.170","remote_port":"58418","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"www.mapq.org","uri":"/favicon.ico","headers":{"X-Forwarded-For":["86.125.245.170"],"X-Forwarded-Proto":["https"],"Te":["trailers"],"Accept":["image/avif,image/webp,*/*"],"Referer":["https://www.mapq.org/"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-Host":["www.mapq.org"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Site":["same-origin"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.mapq.org"}},"error":"context canceled"}

Full debug for naked domain:
{"level":"debug","ts":1708205271.7507212,"logger":"events","msg":"event","name":"tls_get_certificate","id":"eb3fbe6c-927c-42cb-b7c4-c68c1029069d","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"mapq.org","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"86.125.245.170","Port":20819,"Zone":""},"LocalAddr":{"IP":"172.25.0.2","Port":443,"Zone":""}}}}
{"level":"debug","ts":1708205271.7512536,"logger":"tls.handshake","msg":"choosing certificate","identifier":"mapq.org","num_choices":1}
{"level":"debug","ts":1708205271.7513387,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"mapq.org","subjects":["mapq.org"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"d715bf065d9d0cc1ad435eb6e062ad76c3081146e374dbb531ece85b6b5a9784"}
{"level":"debug","ts":1708205271.7513757,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"86.125.245.170","remote_port":"20819","subjects":["mapq.org"],"managed":true,"expiration":1715954471,"hash":"d715bf065d9d0cc1ad435eb6e062ad76c3081146e374dbb531ece85b6b5a9784"}
{"level":"debug","ts":1708205271.8063219,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"test-php-nginx-web-server-1:9999","total_upstreams":1}
{"level":"debug","ts":1708205271.8084307,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999","duration":0.001445347,"request":{"remote_ip":"86.125.245.170","remote_port":"20819","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/","headers":{"Sec-Fetch-Dest":["document"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"X-Forwarded-For":["86.125.245.170"],"X-Forwarded-Host":["mapq.org"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"error":"dial tcp 172.25.0.3:9999: connect: connection refused"}
{"level":"error","ts":1708205271.8090503,"logger":"http.log.error","msg":"dial tcp 172.25.0.3:9999: connect: connection refused","request":{"remote_ip":"86.125.245.170","remote_port":"20819","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Te":["trailers"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"duration":0.002894735,"status":502,"err_id":"jgaxjq4i0","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}
{"level":"debug","ts":1708205272.2034175,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"test-php-nginx-web-server-1:9999","total_upstreams":1}
{"level":"debug","ts":1708205272.2043493,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999","duration":0.000013632,"request":{"remote_ip":"86.125.245.170","remote_port":"20819","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/favicon.ico","headers":{"Referer":["https://mapq.org/"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept":["image/avif,image/webp,*/*"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-For":["86.125.245.170"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"X-Forwarded-Host":["mapq.org"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"error":"context canceled"}

curl command for http:

radu@winubuntu:/mnt/c/Cloud/Projects/php/caddy-proxy$ curl -vL mapq.org
*   Trying 162.19.226.144:80...
* Connected to mapq.org (162.19.226.144) port 80 (#0)
> GET / HTTP/1.1
> Host: mapq.org
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mapq.org/
< Server: Caddy
< Date: Sat, 17 Feb 2024 21:45:57 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://mapq.org/'
*   Trying 162.19.226.144:443...
* Connected to mapq.org (162.19.226.144) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mapq.org
*  start date: Feb 17 14:01:11 2024 GMT
*  expire date: May 17 14:01:10 2024 GMT
*  subjectAltName: host "mapq.org" matched cert's "mapq.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55cd0248aeb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: mapq.org
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Sat, 17 Feb 2024 21:45:57 GMT
<
* Connection #1 to host mapq.org left intact

curl command for https:

radu@winubuntu:/mnt/c/Cloud/Projects/php/caddy-proxy$ curl -vL https://mapq.org
*   Trying 162.19.226.144:443...
* Connected to mapq.org (162.19.226.144) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mapq.org
*  start date: Feb 17 14:01:11 2024 GMT
*  expire date: May 17 14:01:10 2024 GMT
*  subjectAltName: host "mapq.org" matched cert's "mapq.org"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x55775e732eb0)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: mapq.org
> user-agent: curl/7.81.0
> accept: */*
>
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Sat, 17 Feb 2024 21:46:43 GMT
<
* Connection #0 to host mapq.org left intact

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

First I installed nginx and php from the official images with docker compose:

default.conf

server {
    index index.php index.html;
    server_name localhost;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/html;
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}

docker-compose.yml

version: '3.9'

services:
  web-server:
    image: nginx:latest
    ports:
      - '9998:80'
      - '9999:433'
    volumes:
      - ./app:/var/www/html
      - ./default.conf:/etc/nginx/conf.d/default.conf
    depends_on:
      - php
  php:
    image: php:8-fpm
    volumes:
      - ./app:/var/www/html

./app folder contains just an index.php file with the phpinfo() function.

Then I installed Caddy.
Caddyfile

{
    debug
    email aaa@bbb.ccc
}

mapq.org, www.mapq.org {
    reverse_proxy https://test-php-nginx-web-server-1:9999
}

and I tried also with http (but the same result):

{
    debug
    email aaa@bbb.ccc
}

mapq.org, www.mapq.org {
    reverse_proxy http://test-php-nginx-web-server-1:9998
}

docker-compose.yml

version: '3'
name: 'caddy'
services:
  proxy:
    image: caddy
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web-apps-network
    volumes:
      - ./data/:/data/
      - ./config/:/config/
      - ./Caddyfile:/etc/caddy/Caddyfile

networks:
  web-apps-network:

I added the nginx and php containers to the same network as caddy.

These are the containers:

CONTAINER ID   IMAGE                           COMMAND                  CREATED             STATUS          PORTS                                                                                            NAMES
cc37f9b0c3bb   nginx:latest                    "/docker-entrypoint.…"   About an hour ago   Up 46 minutes   0.0.0.0:9998->80/tcp, :::9998->80/tcp, 0.0.0.0:9999->443/tcp, :::9999->443/tcp                   test-php-nginx-web-server-1
1379dc63f359   caddy                           "caddy run --config …"   7 hours ago         Up 37 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp, 443/udp, 2019/tcp      caddy-proxy-1
28b82d164850   php:8-fpm                       "docker-php-entrypoi…"   8 hours ago         Up 46 minutes   9000/tcp                                                                                         test-php-nginx-php-1

This is the common network:

[
    {
        "Name": "caddy_web-apps-network",
        "Id": "0a9607eb6a5854d33b7e8964ebf52bff14cb4b39b10e7e62c7d4954fa8661df0",
        "Created": "2024-02-17T13:39:00.302830467Z",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.25.0.0/16",
                    "Gateway": "172.25.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "1379dc63f3593d15c40f5e2985ab6280fefe716e0c693576bf47f38550ad7508": {
                "Name": "caddy-proxy-1",
                "EndpointID": "c714ca58b39da002ecb6bbe83244d97eb4e2c2bebf21e83ed17ac0c37f3e3887",
                "MacAddress": "02:42:ac:19:00:02",
                "IPv4Address": "172.25.0.2/16",
                "IPv6Address": ""
            },
            "28b82d164850e9577f0248b8cb9052c57be4a81c0cb57436946b0f137021cd9d": {
                "Name": "test-php-nginx-php-1",
                "EndpointID": "074069d701e8f85121065080c53b7445b7ef1640d6e02b031cccebe335d77291",
                "MacAddress": "02:42:ac:19:00:04",
                "IPv4Address": "172.25.0.4/16",
                "IPv6Address": ""
            },
            "cc37f9b0c3bba4efccb5fca2ded68de4730f431ec6775aa44f7ba54acafbb666": {
                "Name": "test-php-nginx-web-server-1",
                "EndpointID": "4f782eb232a87311bbc6082f51a9283c80223611899b1de43a0307fb079cb24d",
                "MacAddress": "02:42:ac:19:00:03",
                "IPv4Address": "172.25.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {
            "com.docker.compose.network": "web-apps-network",
            "com.docker.compose.project": "caddy",
            "com.docker.compose.version": "2.24.5"
        }
    }
]

a. System environment:

OS: Ubuntu 23.04
Docker version: 25.0.2, build 29cf629

b. Command:

See above.

c. Service/unit/compose file:

See above.

d. My complete Caddy config:

{
    debug
    email aaa@bbb.ccc
}

mapq.org, www.mapq.org {
    reverse_proxy http://test-php-nginx-web-server-1:9998
}

and

{
    debug
    email aaa@bbb.ccc
}

mapq.org, www.mapq.org {
    reverse_proxy https://test-php-nginx-web-server-1:9999
}

5. Links to relevant resources:

Why are you using nginx? You can serve PHP from Caddy:

But anyway, your problem is that you’re trying to proxy to the port you published to the host. Networking between Docker containers uses the internal ports. So you’d need to proxy to port 80, not 9999.

1 Like

Thanks for the tip about Caddy serving PHP files, I will check that, I’m new to both Caddy and Docker. I thought Caddy is just a proxy server.

I reloaded Caddy with the changed port:

mapq.org, www.mapq.org {
    reverse_proxy https://test-php-nginx-web-server-1:443
}

However the problem persists:

{"level":"debug","ts":1708211724.3816175,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"test-php-nginx-web-server-1:443","total_upstreams":1}
{"level":"debug","ts":1708211724.3837872,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:443","duration":0.002070624,"request":{"remote_ip":"86.125.245.170","remote_port":"21995","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/","headers":{"Sec-Fetch-Site":["none"],"Upgrade-Insecure-Requests":["1"],"X-Forwarded-For":["86.125.245.170"],"X-Forwarded-Proto":["https"],"Sec-Fetch-User":["?1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"X-Forwarded-Host":["mapq.org"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"error":"dial tcp 172.25.0.3:443: connect: connection refused"}
{"level":"error","ts":1708211724.3838663,"logger":"http.log.error","msg":"dial tcp 172.25.0.3:443: connect: connection refused","request":{"remote_ip":"86.125.245.170","remote_port":"21995","client_ip":"86.125.245.170","proto":"HTTP/2.0","method":"GET","host":"mapq.org","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Mode":["navigate"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Language":["ro,en-US;q=0.7,en;q=0.3"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Dest":["document"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mapq.org"}},"duration":0.002369192,"status":502,"err_id":"z8xkrdt32","err_trace":"reverseproxy.statusError (reverseproxy.go:1267)"}

I tried again with port 80 and http instead of port 443 and http:

mapq.org, www.mapq.org {
    reverse_proxy http://test-php-nginx-web-server-1:80
}

And it works, the problem is solved.
Thank you!

If possible, can you tell me why https and 443 didn’t work? From what I read, I should use https because if I specifically set http it will not redirect to 443 (but it still does redirect now with http).

For HTTPS to work between servers, the upstream needs a valid, trusted TLS certificate. Setting that up is complicated, and has no benefit. Caddy can’t trust the cert from nginx, so the connection fails.

You only need HTTPS over public networks (i.e. over the public internet). There’s no reason to use HTTPS between docker containers. The point is to encrypt traffic over networks that you don’t trust, but you do trust the connection between your containers. Also HTTPS adds overhead because it needs to perform a TLS handshake which is wasteful between containers.

Caddy is a general purpose HTTP server. It can do anything you need with HTTP, including serving static files and proxying to php-fpm.

1 Like
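An added example, not part of the original thread: a small Python check that cross-references Caddy's "upstream roundtrip" debug lines with the PORTS column of `docker ps`, to tell a dial on a host-published port apart from a dial on a container port where nothing is listening. The sample inputs are constructed by trimming the output quoted above, and the function and field names in the findings are hypothetical.

```python
import json
import re

# One entry of the `docker ps` PORTS column, e.g. "0.0.0.0:9999->443/tcp".
_MAPPING = re.compile(r"(?:^|:)(\d+)->(\d+)/(tcp|udp)$")
# Caddy's dial error, e.g. "dial tcp 172.25.0.3:9999: connect: connection refused".
_REFUSED = re.compile(r"dial tcp ([\d.]+):(\d+): connect: connection refused")

# Constructed sample input, trimmed from the output quoted in the thread.
SAMPLE_PORTS = {
    "test-php-nginx-web-server-1":
        "0.0.0.0:9998->80/tcp, :::9998->80/tcp, "
        "0.0.0.0:9999->443/tcp, :::9999->443/tcp",
    "test-php-nginx-php-1": "9000/tcp",
}
SAMPLE_LOG = [
    '{"msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999",'
    '"error":"dial tcp 172.25.0.3:9999: connect: connection refused"}',
    '{"msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:443",'
    '"error":"dial tcp 172.25.0.3:443: connect: connection refused"}',
    '{"msg":"upstream roundtrip","upstream":"test-php-nginx-web-server-1:9999",'
    '"error":"context canceled"}',
]


def parse_published_ports(ports_column):
    """Return {host_port: container_port} for the TCP mappings in a PORTS cell."""
    published = {}
    for entry in ports_column.split(","):
        match = _MAPPING.search(entry.strip())
        if match and match.group(3) == "tcp":
            published[int(match.group(1))] = int(match.group(2))
    return published


def diagnose(log_line, ports_by_container):
    """Classify one Caddy JSON log line; None when it is not a refused dial."""
    record = json.loads(log_line)
    upstream = record.get("upstream", "")
    if not _REFUSED.search(record.get("error", "")) or ":" not in upstream:
        return None
    container, _, port_text = upstream.rpartition(":")
    port = int(port_text)
    published = parse_published_ports(ports_by_container.get(container, ""))
    if port in published:
        # The proxy dialed the port published on the host, but traffic on the
        # shared Docker network reaches the container's own port directly.
        return {
            "upstream": upstream,
            "cause": "host-published port used on the container network",
            "container_port": published[port],
        }
    # Refused on a port that is not a host mapping: no process inside the
    # container is accepting connections on that port.
    return {
        "upstream": upstream,
        "cause": "nothing accepts connections on this port in the container",
        "container_port": None,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        finding = diagnose(line, SAMPLE_PORTS)
        if finding:
            print(finding)
```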
