1. The problem I’m having:
Set up a reverse proxy to an HTTPS server (Nextcloud) upstream.
Caddy is working great as a reverse proxy for other services. When I try to add a Nextcloud VM, I can only get it to work using tls_insecure_skip_verify, which, as I understand it, is a bad idea.
I have tried configuring the Caddyfile with and without forwarding the header, but I get the error in the logs shown below. Configuring Caddy to skip TLS verification works, but again, as I understand it, that is not something I want to do permanently?
Edit: I've added Caddy's IP address as a trusted proxy in Nextcloud's config file.
2. Error messages and/or full log output:
Oct 24 22:01:13 caddy caddy[147]: {"level":"error","ts":1729832473.3701081,"logger":"http.log.error","msg":"tls: failed to verify certificate: x509: cannot validate certificate for 192.168.2.217 because it doesn't contain any IP SANs","request":{"remote_ip":"192.168.2.1","remote_port":"53462","client_ip":"192.168.2.1","proto":"HTTP/3.0","method":"GET","host":"cloud.rulytafzil.com","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"],"Alt-Used":["cloud.rulytafzil.com"],"Sec-Fetch-Site":["none"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8"],"Cookie":["REDACTED"],"Upgrade-Insecure-Requests":["1"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"cloud.rulytafzil.com"}},"duration":0.001556261,"status":502,"err_id":"3d4rupffk","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
3. Caddy version:
2.8.4
4. How I installed and ran Caddy:
a. System environment:
Debian LXC in Proxmox. Installed via the instructions in the docs.
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy
b. Command:
Runs as a systemd service. I’m using the Caddyfile.
c. Service/unit/compose file:
Not running it in Docker.
d. My complete Caddy config:
What I’m currently using, that “works”:
wiki.rulytafzil.com {
    reverse_proxy 192.168.2.231:8080
}

cloud.rulytafzil.com {
    reverse_proxy https://192.168.2.217:443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}
The config I thought should work, but gives the error shown above:
wiki.rulytafzil.com {
    reverse_proxy 192.168.2.231:8080
}

cloud.rulytafzil.com {
    reverse_proxy https://192.168.2.217:443 {
        header_up Host {upstream_hostport}
    }
}
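The error in the log is Go's crypto/x509 hostname check, which is what Caddy (written in Go) runs against the upstream certificate: the upstream is dialed as https://192.168.2.217, so the certificate is matched against that IP, and it only carries a DNS name. The program below, added here as an illustration and not part of the original post or of Caddy itself, reproduces the exact error with a constructed self-signed certificate and then shows the two verification paths that succeed without disabling checks: verifying against the DNS name in the SAN (what Caddy's `tls_server_name` directive does) with the issuer in the trust store (what `tls_trusted_ca_certs` does), or reissuing the upstream certificate with an IP SAN. The SAN contents of the real Nextcloud certificate are not shown in the post, so `cloud.rulytafzil.com` as its DNS SAN is an assumption.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assumed for the example: the post's upstream address, and a DNS SAN the
// Nextcloud certificate is assumed to carry (the real cert is not shown).
const (
	upstreamIP   = "192.168.2.217"
	upstreamName = "cloud.rulytafzil.com"
)

// newSelfSignedCert constructs a self-signed server certificate with the given
// SANs plus a root pool that trusts it (the role tls_trusted_ca_certs plays).
func newSelfSignedCert(dnsNames []string, ips []net.IP) (*x509.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "nextcloud"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              dnsNames,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return cert, pool, nil
}

// verifyAs runs the checks a verifying TLS client performs: build a chain to
// a trusted root and match serverName against the SANs. Returns the error
// text, or "" on success.
func verifyAs(cert *x509.Certificate, roots *x509.CertPool, serverName string) string {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	if err != nil {
		return err.Error()
	}
	return ""
}

// Outcome holds the verification result for each way of naming the upstream.
type Outcome struct {
	ByIP          string // dialed as https://192.168.2.217, default verification (the post's failure)
	ByDNSName     string // same cert, verified against the DNS SAN (tls_server_name)
	Untrusted     string // right name, but issuer absent from the trust store
	IPSANReissued string // cert reissued with an IP SAN, verified by IP
}

// RunScenario builds the constructed certificates and verifies them four ways.
func RunScenario() (Outcome, error) {
	var out Outcome
	cert, pool, err := newSelfSignedCert([]string{upstreamName}, nil)
	if err != nil {
		return out, err
	}
	out.ByIP = verifyAs(cert, pool, upstreamIP)
	out.ByDNSName = verifyAs(cert, pool, upstreamName)
	out.Untrusted = verifyAs(cert, x509.NewCertPool(), upstreamName)

	ipCert, ipPool, err := newSelfSignedCert([]string{upstreamName}, []net.IP{net.ParseIP(upstreamIP)})
	if err != nil {
		return out, err
	}
	out.IPSANReissued = verifyAs(ipCert, ipPool, upstreamIP)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("by IP, DNS SAN only:   %q\n", out.ByIP)
	fmt.Printf("by DNS name, trusted:  %q\n", out.ByDNSName)
	fmt.Printf("by DNS name, no trust: %q\n", out.Untrusted)
	fmt.Printf("by IP, IP SAN present: %q\n", out.IPSANReissued)
}
```

The first result is the string from the post's log (crypto/tls prefixes it with "tls: failed to verify certificate: "). In Caddyfile terms the working path is `tls_server_name cloud.rulytafzil.com` inside `transport http { tls ... }`, together with `tls_trusted_ca_certs <path-to-ca.pem>` if the Nextcloud certificate is self-signed or issued by a private CA; `tls_insecure_skip_verify` is the `Untrusted`-and-wrong-name case with the error suppressed, which lets anything answering on 192.168.2.217:443 impersonate the upstream. To see what the real certificate contains before choosing between `tls_server_name` and reissuing with an IP SAN, `openssl s_client -connect 192.168.2.217:443 -servername cloud.rulytafzil.com </dev/null | openssl x509 -noout -ext subjectAltName` prints its SANs.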