1. Output of caddy version:
v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=
2. How I run Caddy:
a. System environment:
Ubuntu 22.04 LTS headless server behind NETGEAR R6250 router.
b. Command:
caddy run --watch
c. Service/unit/compose file:
N/A
d. My complete Caddy config:
{
	default_sni 192.168.1.5
}

https://192.168.1.5:443 {
	tls internal

	handle /static/* {
		root * /srv
		file_server browse
	}

	handle /foundry/* {
		reverse_proxy /foundry/* localhost:30000
	}

	handle /foundry {
		reverse_proxy /foundry localhost:30000
	}

	handle {
		reverse_proxy * localhost:8000
	}
}
3. The problem I’m having:
I’m trying to set up Caddy as a reverse proxy between two web applications and a static file server (all on one machine). When I curl the internal IP, it works as expected, but when I try to curl the external IP, it returns content-length: 0. Ultimately, my question is why is this happening?
I’m not using a domain name, just straight IP. I know I could get a free domain from a bunch of different DNS hosts; I’d really rather not.
Network Setup
I have a router connected to a single physical server that is home to Caddy and the two web applications. I’m forwarding port 443 from my router to the server where Caddy is installed.
4. Error messages and/or full log output:
caddy run --watch
2022/08/21 20:18:50.848 INFO watcher config file changed; reloading {"config_file": "Caddyfile"}
2022/08/21 20:18:50.848 INFO using provided configuration {"config_file": "Caddyfile", "config_adapter": ""}
2022/08/21 20:18:50.851 WARN Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
2022/08/21 20:18:50.853 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2022/08/21 20:18:50.853 INFO admin stopped previous server {"address": "tcp/localhost:2019"}
2022/08/21 20:18:50.854 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00016d7a0"}
2022/08/21 20:18:50.855 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2022/08/21 20:18:50.857 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2022/08/21 20:18:50.857 DEBUG http starting server loop {"address": "[::]:80", "http3": false, "tls": false}
2022/08/21 20:18:50.857 DEBUG http starting server loop {"address": "[::]:443", "http3": false, "tls": true}
2022/08/21 20:18:50.857 INFO http enabling automatic TLS certificate management {"domains": ["192.168.1.5"]}
2022/08/21 20:18:50.858 WARN tls stapling OCSP {"error": "no OCSP stapling for [192.168.1.5]: no OCSP server specified in certificate", "identifiers": ["192.168.1.5"]}
2022/08/21 20:18:50.858 DEBUG tls.cache added certificate to cache {"subjects": ["192.168.1.5"], "expiration": "2022/08/22 04:48:25.000", "managed": true, "issuer_key": "local", "hash": "0e0049589aae4e422aced249b7b26fedc44e4929fdef4ea4b7e48989115e908b", "cache_size": 1, "cache_capacity": 10000}
2022/08/21 20:18:50.861 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc0001678f0"}
2022/08/21 20:18:50.862 INFO autosaved config (load with --resume flag) {"file": "/root/.config/caddy/autosave.json"}
2022/08/21 20:19:11.612 DEBUG tls.handshake choosing certificate {"identifier": "192.168.1.5", "num_choices": 1}
2022/08/21 20:19:11.612 DEBUG tls.handshake default certificate selection results {"identifier": "192.168.1.5", "subjects": ["192.168.1.5"], "managed": true, "issuer_key": "local", "hash": "0e0049589aae4e422aced249b7b26fedc44e4929fdef4ea4b7e48989115e908b"}
2022/08/21 20:19:11.612 DEBUG tls.handshake matched certificate in cache {"subjects": ["192.168.1.5"], "managed": true, "expiration": "2022/08/22 04:48:25.000", "hash": "0e0049589aae4e422aced249b7b26fedc44e4929fdef4ea4b7e48989115e908b"}
curl on internal IP
admin@server:~$ curl -vk https://192.168.1.5/
* Trying 192.168.1.5:443...
* TCP_NODELAY set
* Connected to 192.168.1.5 (192.168.1.5) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: [NONE]
* start date: Aug 21 00:46:28 2022 GMT
* expire date: Aug 21 12:46:28 2022 GMT
* issuer: CN=Caddy Local Authority - ECC Intermediate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x561a91115210)
> GET / HTTP/2
> Host: 192.168.1.5
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/html; charset=utf-8
< cross-origin-opener-policy: same-origin
< referrer-policy: same-origin
< server: Caddy
< x-content-type-options: nosniff
< x-frame-options: DENY
< content-length: 2921
< date: Sun, 21 Aug 2022 05:07:17 GMT
<!doctype html>
<html lang="en">
<body>
<h1>Hello World!</h1>
</body>
</html>
* Connection #0 to host 192.168.1.5 left intact
curl on external IP
admin@server:~$ curl -vk https://203.0.113.0/
* Trying 203.0.113.0:443...
* TCP_NODELAY set
* Connected to 203.0.113.0 (203.0.113.0) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: [NONE]
* start date: Aug 21 00:46:28 2022 GMT
* expire date: Aug 21 12:46:28 2022 GMT
* issuer: CN=Caddy Local Authority - ECC Intermediate
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55e3ae7aa210)
> GET / HTTP/2
> Host: 203.0.113.0
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< server: Caddy
< content-length: 0
< date: Sun, 21 Aug 2022 05:08:16 GMT
<
* Connection #0 to host 203.0.113.0 left intact
5. What I already tried:
- Tried configuring as suggested in this post
- Tried adding/removing tls internal from Caddyfile
- Tried removing default_sni from global
- Tried changing default_sni to 203.0.113.0
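Added example, not part of the original post. The external curl above gets back only Caddy's own headers (server: Caddy, content-length: 0) and none of the backend's, while the only difference between the two requests is the Host header (192.168.1.5 versus 203.0.113.0). A site block addressed https://192.168.1.5:443 matches only requests whose Host is 192.168.1.5, and Caddy answers requests on a listener that match no site with an empty 200. Assuming that is the cause, the Caddyfile below lists both addresses in one site block so that either Host value is routed to the same handlers. Addresses, ports and paths are the ones from the post; 203.0.113.0 is the post's placeholder external address. The redundant inner path matchers on reverse_proxy are dropped because each handle block already restricts the path.

```caddyfile
{
	# Clients connecting by IP address send no SNI, so this selects the
	# certificate presented on every connection (kept from the post).
	default_sni 192.168.1.5
}

# Two site addresses: requests with a Host of either IP now match this block
# instead of falling through to Caddy's empty 200 response.
https://192.168.1.5, https://203.0.113.0 {
	# Caddy's local CA issues certificates for both IP subjects.
	tls internal

	handle /static/* {
		root * /srv
		file_server browse
	}

	handle /foundry/* {
		reverse_proxy localhost:30000
	}

	handle /foundry {
		reverse_proxy localhost:30000
	}

	handle {
		reverse_proxy localhost:8000
	}
}
```

After the reload, curl -vk https://203.0.113.0/ should return the backend's headers (content-type, x-frame-options and the rest seen in the internal curl) rather than an empty 200. One caveat: because the connection is made by IP, no SNI is sent, so every client is shown the 192.168.1.5 certificate whichever address it connected to. curl -k ignores that, but any client that actually verifies would need the local CA root installed and would still fail on the IP mismatch when connecting to the external address.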