Caddy responds properly to LAN NET addresses but not WAN NET

1. The problem I’m having:

Hi all,
I have a strange issue with caddy on OPNSense. I started with the OPNSense forum, thought I’d see if anyone recognizes these symptoms. I apologize if I failed to include any information.

I have a pair of OPNSense VMs (25.1.8_1) configured with CARP for LAN and WAN addresses. Due to the nature of this network segmentation, both devices on the WAN and LAN side are using the OPNsense appliances for DNS. In this case I’m fairly certain it’s not DNS (since ya know, “it’s always DNS”). I have all DNS records that caddy will be servicing pointing to the WAN CARP address (I have tried the WAN IP of the appliance too). I am brand new to caddy so I really am not sure if I’ve missed something in the documentation or if this is a bug.

Any clients hitting HTTPS/443 on the WAN CARP IP (192.168.2.254) from the WAN Interface (192.168.2.2) die at caddy. When VPN (192.168.100.x/24) and LAN NET (192.168.5.0/24) clients make the same request, caddy responds as expected, auto HTTPS and all.

I have tried access lists for my domains and handlers. The OPNSense firewall logs show the connection happening on 80 and then after redirect on 443, but the connection times out, or on occasion is reset by server.

No logs show in the caddy logs for the OPNSense plugin.

Any help would be greatly appreciated.

2. Error messages and/or full log output:

curl -L https://images.strayt.info
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to images.strayt.info:443


3. Caddy version:

2.0.1 OPNSense plugin on 25.1.9_2
FreeBSD 14.2-RELEASE-p3

4. How I installed and ran Caddy:

OPNSense plugin Web Gui

a. System environment:

OPNSense 25.1.9_2
FreeBSD 14.2-RELEASE-p3

b. Command:

c. Service/unit/compose file:


d. My complete Caddy config:

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		include http.log.access.1dc5ae0b-e131-4fa4-bf1b-1f456e91fb68
		include http.log.access.400f436b-afe3-4ef1-9790-d041f1501e13
		include http.log.access.d5dbf9f8-d409-4cd1-b028-008f7ec8bd4e
		include http.log.access.ceba6fca-4173-4598-95b8-d4498449b283
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
		level DEBUG
	}

	servers {
		protocols h1 h2
	}

	email jsutton@strayt.info
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


images.strayt.info {
	log 1dc5ae0b-e131-4fa4-bf1b-1f456e91fb68
	tls {
		issuer acme {
			dns cloudflare H6MsmLyGSqD34g2WpZ6oGxRdsFczDWmBIragGLml
		}
	}
}

movies.strayt.info {
	log 400f436b-afe3-4ef1-9790-d041f1501e13
	tls {
		issuer acme {
			dns cloudflare H6MsmLyGSqD34g2WpZ6oGxRdsFczDWmBIragGLml
		}
	}
}

pdf.strayt.info {
	log d5dbf9f8-d409-4cd1-b028-008f7ec8bd4e
	tls {
		issuer acme {
			dns cloudflare H6MsmLyGSqD34g2WpZ6oGxRdsFczDWmBIragGLml
		}
	}
}

auth.strayt.info {
	log ceba6fca-4173-4598-95b8-d4498449b283
	tls {
		issuer acme {
			dns cloudflare H6MsmLyGSqD34g2WpZ6oGxRdsFczDWmBIragGLml
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

5. Links to relevant resources: