Caddy only gives a nop

1. The problem I’m having:

I configured multiple reverse entries - however a Synology web server doesn't work via Caddy.
I configured the upstream https, ip address, custom port (7001).

I only get a nop returned.

# Reverse Proxy Domain: "3f737aa2-b93a-4af7-2584-7560190f0489"
file.my.domain {
	log 3f737aa2-5288-4af7-2565-7560190f0489
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	handle {
		reverse_proxy https://192.168.1.1:7001 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}

It works flawlessly for other servers, therefore I don't see any issue in the FW config.

2. Error messages and/or full log output:

07T16:27:39Z","logger":"http.log.access.3f737aa2-b93a-4af7-b72d-7560190f0489","msg":"NOP","request":{"remote_ip":"192.168.1.2","remote_port":"60993","client_ip":"192.168.1.2","proto":"HTTP/2.0","method":"GET","host":"file.my.domain","uri":"/favicon.ico","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36"],"Cookie":["REDACTED"],"Accept-Language":["en-GB,en;q=0.7"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua":["\"Not(A:Brand\";v=\"99\", \"Brave\";v=\"133\", \"Chromium\";v=\"133\""],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["image"],"Priority":["u=1, i"],"Dnt":["1"],"Referer":["https://file.my.domain/"],"Sec-Fetch-Mode":["no-cors"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Gpc":["1"],"Sec-Ch-Ua-Platform":["\"macOS\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"file.my.domain"}},"bytes_read":0,"user_id":"","duration":0.000002745,"size":0,"status":0,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

3. Caddy version:

caddy version
v2.9.1 h1:OEYiZ7DbCzAWVb6TNEkjRcSCRGHVoZsJinoDR/n9oaY=

4. How I installed and ran Caddy:

Part of opnsense

a. System environment:

opnsense firewall

b. Command:

Testing with curl and manually setting the hostname to the FW LAN interface to make sure no DNS errors interfere.

curl -k --resolve file.my.domain:443:192.168.1.10 https://file.my.domain

d. My complete Caddy config:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		include http.log.access.3f737aa2-b93a-4af7-b72d-7560190f0489
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2
	}

	auto_https off
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "79179cc0-6ab4-4a49-9d79-5d58cf46062a"
drive.my.domain {
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	@a20a6fb3-09f4-4765-bd5e-8b34362d52bd_drivemydomain {
		not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 10.0.0.0/8 
	}
	handle @a20a6fb3-09f4-4765-bd5e-8b34362d52bd_drivemydomain {
		abort
	}

	handle {
		reverse_proxy https://192.168.1.1:10003 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
# Reverse Proxy Domain: "cfb6ccd1-1006-453b-92f6-1d449b125935"
dsm.my.domain {
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	@a20a6fb3-09f4-4765-bd5e-8b34362d52bd_dsmmydomain {
		not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 10.0.0.0/8 
	}
	handle @a20a6fb3-09f4-4765-bd5e-8b34362d52bd_dsmmydomain {
		abort
	}

	handle {
		reverse_proxy https://192.168.1.1:5001 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
# Reverse Proxy Domain: "a76af138-0c5c-453d-80d0-e21bd176672a"
photos.kazoku.my {
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	handle {
		reverse_proxy https://192.168.1.1:5003 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
# Reverse Proxy Domain: "b14eb5d4-db81-4be4-9aaa-089c6be2e465"
pve.my.domain {
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	@a20a6fb3-09f4-4765-bd5e-8b34362d52bd_pvemydomain {
		not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 10.0.0.0/8 
	}
	handle @a20a6fb3-09f4-4765-bd5e-8b34362d52bd_pvemydomain {
		abort
	}

	handle {
		reverse_proxy https://192.168.1.111:8006 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
# Reverse Proxy Domain: "ff9fe08a-f2e8-41ec-a80b-96f0a130b051"
misp.my.domain {
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	@a20a6fb3-09f4-4765-bd5e-8b34362d52bd_mispmydomain {
		not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 10.0.0.0/8 
	}
	handle @a20a6fb3-09f4-4765-bd5e-8b34362d52bd_mispmydomain {
		abort
	}

	handle {
		reverse_proxy https://10.0.20.11:443 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}
# Reverse Proxy Domain: "3f737aa2-b93a-4af7-b72d-7560190f0489"
file.my.domain {
	log 3f737aa2-b93a-4af7-b72d-7560190f0489
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	handle {
		reverse_proxy https://192.168.1.1:7001 {
			transport http {
				tls_insecure_skip_verify
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

Any ideas are highly appreciated.
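Added example, not part of the post and not something the OPNsense generator emits: the file.my.domain site block rewritten the way a security reviewer would want it. It goes beyond the NOP question itself and covers two things visible in the posted config: every upstream is proxied with tls_insecure_skip_verify, which makes Caddy accept any certificate a host answering on 192.168.1.1:7001 presents, and file.my.domain (like photos.kazoku.my) lacks the Cloudflare/10.0.0.0/8 client_ip allow-list the other sites carry. The CA file path, the upstream server name and the 192.168.1.0/24 LAN range are assumptions for this example; the log shows the test client at 192.168.1.2, which none of the Cloudflare ranges or 10.0.0.0/8 cover, so without such an entry the allow-list would abort the poster's own curl test.

```caddyfile
# Added example: hardened variant of the file.my.domain site block.
file.my.domain {
	log 3f737aa2-b93a-4af7-b72d-7560190f0489
	tls /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.pem /var/db/caddy/data/caddy/certificates/temp/65d767a6b7244.key

	# Same allow-list the drive/dsm/pve/misp sites use (Cloudflare's published
	# ranges plus 10.0.0.0/8), extended with the LAN the test client sits on.
	# 192.168.1.0/24 is an assumption; adjust it to the real LAN range.
	@not_cloudflare_or_lan {
		not client_ip 173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20 197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14 172.64.0.0/13 131.0.72.0/22 10.0.0.0/8 192.168.1.0/24
	}
	handle @not_cloudflare_or_lan {
		abort
	}

	handle {
		reverse_proxy https://192.168.1.1:7001 {
			transport http {
				# Weak (what the generated config uses): skip upstream
				# certificate verification entirely.
				#tls_insecure_skip_verify

				# Hardened: trust only the CA that issued the NAS certificate,
				# and verify the certificate against that name rather than the
				# IP in the upstream address. Path and name are assumptions.
				tls_trusted_ca_certs /usr/local/etc/caddy/synology-ca.pem
				tls_server_name nas.my.domain
			}
		}
	}
}
```

Before reloading, run `caddy validate --config <Caddyfile> --adapter caddyfile` so a typo in the matcher or the CA path fails early instead of taking every site down; once loaded, the `curl -k --resolve file.my.domain:443:192.168.1.10 https://file.my.domain` check from the post still works, while a client outside the listed ranges gets its connection aborted and the upstream's certificate is now actually checked.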

It’s because there is no handler/route configured for file.wicked.design, only for file.my.domain.

1 Like

Thx Matt. Sorry, this was meant to be replaced. There is a corresponding rule for file.wicked.design aka file.my.domain.

PS: curl, ping, telnet etc. from the FW to the Synology work as well.
Only going through Caddy.

PPS: Why am I replying too quickly and have to wait 35 minutes?!?

1 Like

We’ve been fighting aggressive spam originating from Jio and Airtel, and the rate limiter helps slowing them down.

2 Likes

Thx for the info Mohammed

PS: I also just added a new, NPM-based web service, and it works flawlessly.

Is there any known issue with Synology's DSM-based services?

There shouldn't be. I have a Synology and proxy some services over Caddy just fine.

Strange. I deleted all of the rules, re-added them, doesn't help.
All the other Caddy entries work fine. Totally lost currently.