1. The problem I’m having:
I have set up SearxNG according to this guide on my FreeBSD server in a VNET jail. It uses uwsgi and NGINX to serve the static page of SearxNG at port 80. Caddy reverse proxies from the router (FreeBSD 14.0 aarch64 on RPi 4) to the server.
Set up:
Internet → Router (Caddy reverse proxy, SSL termination) --LAN--> Host (VNET Jail exposing port 80: nginx (serving at port 80)) → uwsgi → searxng
When I access the page over my LAN it looks like it should.
When I access the page over the internet (test2.senor-burns.net) via Caddy reverse proxy, it looks like this:
Any idea what’s wrong? What am I not getting? Thanks in advance.
2. Error messages and/or full log output:
{"level":"debug","ts":1737390642.6045926,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f850455b-9aa2-4490-87c9-258d23ff0c6e","origin":"tls","data":{"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"test2.senor-burns.net","SupportedCurves":[4588,29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.3.100","Port":57128,"Zone":""},"LocalAddr":{"IP":"212.51.157.166","Port":443,"Zone":""}}}}
{"level":"debug","ts":1737390642.6047678,"logger":"tls.handshake","msg":"choosing certificate","identifier":"test2.senor-burns.net","num_choices":1}
{"level":"debug","ts":1737390642.604848,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"test2.senor-burns.net","subjects":["test2.senor-burns.net"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"b0e9eba3365ea1e7a6538e50c4214e347aaa33396ad6793f1a853cdd7ba038c5"}
{"level":"debug","ts":1737390642.6049018,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.3.100","remote_port":"57128","subjects":["test2.senor-burns.net"],"managed":true,"expiration":1744915389,"hash":"b0e9eba3365ea1e7a6538e50c4214e347aaa33396ad6793f1a853cdd7ba038c5"}
{"level":"debug","ts":1737390642.6131039,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.3.52:80","total_upstreams":1}
{"level":"debug","ts":1737390642.6230755,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.3.52:80","duration":0.009721111,"request":{"remote_ip":"192.168.3.100","remote_port":"57128","client_ip":"192.168.3.100","proto":"HTTP/2.0","method":"GET","host":"test2.senor-burns.net","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Dnt":["1"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Priority":["u=0, i"],"Accept-Language":["en-US,en;q=0.5"],"X-Forwarded-For":["192.168.3.100"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-User":["?1"],"X-Forwarded-Host":["test2.senor-burns.net"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"test2.senor-burns.net"}},"headers":{"Date":["Mon, 20 Jan 2025 18:56:18 GMT"],"X-Robots-Tag":["noindex, nofollow"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Connection":["keep-alive"],"X-Content-Type-Options":["nosniff"],"Content-Security-Policy":["default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com"],"Server":["nginx"],"Content-Type":["text/html; charset=utf-8"],"Server-Timing":["total;dur=5.471, render;dur=0.888"],"X-Download-Options":["noopen"],"Feature-Policy":["accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; encrypted-media 
'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; idle-detection 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; screen-wake-lock 'none'; serial 'none'; usb 'none'; web-share 'none'; xr-spatial-tracking 'none'; clipboard-read 'none'; clipboard-write 'none'; gamepad 'none'; speaker-selection 'none'"],"Referrer-Policy":["no-referrer"],"X-Dns-Prefetch-Control":["off"],"Permissions-Policy":["accelerometer=(); ambient-light-sensor=(); autoplay=(); battery=(); camera=(); display-capture=(); encrypted-media=(); fullscreen=(); geolocation=(); gyroscope=(); idle-detection=(); magnetometer=(); microphone=(); midi=(); payment=(); picture-in-picture=(); screen-wake-lock=(); serial=(); usb=(); web-share=(); xr-spatial-tracking=(); clipboard-read=(); clipboard-write=(); gamepad=(); speaker-selection=()"]},"status":200}
3. Caddy version:
Caddy 2.8.4 (FreeBSD)
4. How I installed and ran Caddy:
Installed with pkg
a. System environment:
FreeBSD 14.0, Aarch64, Raspberry Pi 4
b. Command:
Caddy enabled in /etc/rc.conf: caddy_enable="YES"
service caddy start
c. Service/unit/compose file:
d. My complete Caddy config:
# Global options
{
    email owlnet-pi@protonmail.com
    debug
}

# Reverse Proxy definitions
nextcloud.senor-burns.net:443 {
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    reverse_proxy 192.168.3.3:9001
}

synapse.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:9003
}

matrix.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:9004
}

chat.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:9005
}

search.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:9011
}

download.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:9010
}

media.senor-burns.net:443 {
    reverse_proxy 192.168.3.3:8096
}

test.senor-burns.net:443 {
    redir /.well-known/carddav /remote.php/dav/ 301
    redir /.well-known/caldav /remote.php/dav/ 301
    reverse_proxy 192.168.3.51:80
}

test2.senor-burns.net:443 {
    reverse_proxy 192.168.3.52:80
}
5. Links to relevant resources:
Guide for SearXNG: Link
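
An added example, not part of the original post: the debug log above records only the request for `/`, so the code below lists every `upstream roundtrip` entry with its status, Content-Type and forwarded scheme, which shows whether stylesheet and script requests also pass through Caddy to the backend. The sample lines are constructed in the shape of that log; `summarize_roundtrips`, `needs_attention` and the `/static/example.css` request are hypothetical.

```python
import json

# Constructed sample in the shape of the debug log above (fields trimmed).
# The /static/example.css request, its 404 and the cut-off last line are made up.
SAMPLE_LOG = """
{"level":"debug","logger":"tls.handshake","msg":"choosing certificate","identifier":"test2.senor-burns.net","num_choices":1}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.3.52:80","request":{"method":"GET","uri":"/","headers":{"X-Forwarded-Proto":["https"]}},"headers":{"Content-Type":["text/html; charset=utf-8"],"Content-Security-Policy":["default-src 'none'; style-src 'self' 'unsafe-inline'"]},"status":200}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.3.52:80","request":{"method":"GET","uri":"/static/example.css","headers":{"X-Forwarded-Proto":["https"]}},"headers":{"Content-Type":["text/html"]},"status":404}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.3.52:80","request":{"uri":"/cut-
""".strip().splitlines()

def header(headers, name):
    """First value of a header, matched case-insensitively, or None."""
    for key, values in (headers or {}).items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None

def summarize_roundtrips(lines):
    """One row per proxied request found in Caddy debug log lines."""
    rows = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # wrapped or truncated log line: skip it
        if not isinstance(entry, dict) or entry.get("msg") != "upstream roundtrip":
            continue
        req, resp = entry.get("request", {}), entry.get("headers", {})
        rows.append({
            "uri": req.get("uri"),
            "upstream": entry.get("upstream"),
            "status": entry.get("status"),
            "content_type": header(resp, "Content-Type"),
            "forwarded_proto": header(req.get("headers"), "X-Forwarded-Proto"),
            "csp": header(resp, "Content-Security-Policy"),
        })
    return rows

def needs_attention(rows):
    """URIs whose upstream answer was neither 2xx nor 3xx."""
    return [r["uri"] for r in rows if not 200 <= (r["status"] or 0) < 400]

if __name__ == "__main__":
    for row in summarize_roundtrips(SAMPLE_LOG):
        print(row["status"], row["uri"], row["content_type"], row["forwarded_proto"])
    print("check:", needs_attention(summarize_roundtrips(SAMPLE_LOG)))
```

To run it against a real log, pass the open log file in place of `SAMPLE_LOG`; the location of that file depends on how Caddy's logging is configured.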