Caddy Forward Proxy tls: first record does not look like a TLS handshake

1. My Caddy version (caddy -version): Caddy v1.0.4

2. How I run Caddy:

sudo service caddy start

a. System environment:

Ubuntu 18.04

d. My complete Caddyfile: {
    root /var/www/
    log /var/log/caddy_log
    forwardproxy {
            basicauth       boss G8H!a6i*T2h)
            ports           443
            response_timeout 30
            dial_timeout     30


    function FindProxyForURL(url, host)
            var myServers = ['', '', etc...];

            if (myServers.indexOf(host) >= 0){
                    return "HTTPS";
                    return "DIRECT";
  1. The problem I’m having:

Im using Caddy as a forward proxy, which links to a proxy.pac file as seen above, everything works fine when i try using it to access our internal network, but for some reason everytime anyone uses caddy it fills the syslog with the exact same message:

Feb 6 16:45:52 ip-1xx-xx-xx-xxx caddy[10498]: 2020/02/06 16:45:52 http: TLS handshake error from tls: first record does not look like a TLS handshake

and the only difference in the messages is the port number eg: [42995] and there’s like a billion requests per second!
The thing is im trying to use fail2ban to ban ip’s which try to get unauthorized access to the servers but with all these error msgs fail2ban will think everyone is a hacker! and plus my syslog file is getting REALLY BIG!

Why is Caddy doing this and how can i stop it from happening, it seems that it thinks that all the requests from the ip that’s using it is supposed to go thru HTTPS when its only supposed to serve HTTPS proxy ONLY if the host/url match any of our internal servers, eg: “”, etc…

Any help or guidance is greatly appreciated!

Just to confirm, when an external client attempts to access your server and you see this flood of messages, does the IP address stay the same for all of these attempts and does the IP address correspond to the actual client’s public IP address?

i.e. Is the client which is trying to proxy through your Caddy instance actually the one flooding your Caddy?

If so, the question is - why is that client blasting Caddy with all these requests?

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.