Caddy reverse proxy with podman networking problem

Hello Everyone,

I am trying to set up my first own home server and have problems working with Caddy because I am just a beginner who is just learning by doing.

I think my problems are mainly networking, as I don't really know how to correctly work with HTTPS and how everything works.

My set up is as follows:

  • I am running Alma Linux 10 on my server with podman version 5.4.0.
  • I have talked to our internet provider and now have an IPv4 address instead of an IPv6, as my mobile carrier only has IPv4. I think I need this to be able to connect to the server over the internet.
  • I use the dynamic DNS service from Infomaniak. I wrote a bash script which updates my IP address every half an hour.

My goal is to use podman containers for everything, which update on their own so that everything is always up-to-date. For that I am working with Quadlet files as it makes things easily reproducible.

I want to use a podman Caddy container as a reverse proxy, so that I can have multiple domains pointing to my server and the reverse proxy then guides the traffic to the correct container.
All the traffic should be encrypted, but the reverse proxy runs on the same server as all my services.
I run the reverse proxy in a separate container, but all the Nextcloud-related containers are together in one single pod with the following Quadlet file.

[Pod]
PodName=nextcloud
PublishPort=8080:80
PublishPort=8443:443

[Service]
Restart=always

[Install]
WantedBy=default.target

As you see, I send the server port 8443 to the port 443 inside of the pod for the nextcloud containers.

This is where my problems start. I tried to set up a simple Caddy reverse proxy with the following Caddyfile.

nextcloud.ppflaum.ch {
    reverse_proxy https://192.168.1.188:8443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

For context, my Quadlet file looks as follows.

[Container]
ContainerName=caddy-nextcloud
Pod=nextcloud.pod
Image=docker.io/library/caddy:latest
AutoUpdate=registry
Volume=/mnt/storage/nextcloud/config:/var/www/html:z
Volume=/mnt/storage/nextcloud/caddy/Caddyfile:/etc/caddy/Caddyfile:z

[Unit]
After=nextcloud.pod
After=mariadb-nextcloud.container
After=nextcloud-app.container
Requires=nextcloud.pod
Requires=mariadb-nextcloud.container
Requires=nextcloud-app.container

[Service]
Restart=always

[Install]
WantedBy=default.target

I also get all the containers up and running without any issue. If I test the nextcloud-caddy container over the network via HTTP, I also get the sign-in page.
I also see incoming traffic in the logs of the reverse proxy container, BUT I am not able to reach the Nextcloud instance via the reverse proxy. If I look at the log of the reverse proxy, I always see errors along these lines.

{"level":"error","ts":1748613563.7038028,"logger":"http.log.error","msg":"remote error: tls: internal error","request":{"remote_ip":"84.75.56.130","remote_port":"50693","client_ip":"84.75.56.130","proto":"HTTP/2.0","method":"GET","host":"nextcloud.ppflaum.ch","uri":"/:8443","headers":{"Te":["trailers"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Priority":["u=0, i"],"Sec-Fetch-Dest":["document"],"Accept-Language":["de,en-US;q=0.7,en;q=0.3"],"Cookie":["REDACTED"],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:139.0) Gecko/20100101 Firefox/139.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Dnt":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"nextcloud.ppflaum.ch"}},"duration":0.001214852,"status":502,"err_id":"dp0n0w4kn","err_trace":"reverseproxy.statusError (reverseproxy.go:1390)"}

But I don't see anything in the logs of the nextcloud caddy server, which has the following Caddyfile.

https://192.168.1.188:443 {
    tls internal

    root * /var/www/html
    file_server

    php_fastcgi nextcloud-app:9000 {
        root /var/www/html
        env front_controller_active true
    }
    encode gzip
    log {
        output file /data/nextcloud-access.log
    }
    header {
        Strict-Transport-Security "max-age=15768000;includeSubDomains;preload"
    }
    # .htaccess / data / config / ... shouldn't be accessible from outside
    @forbidden {
        path /.htaccess
        path /data/*
        path /config/*
        path /db_structure
        path /.xml
        path /README
        path /3rdparty/*
        path /lib/*
        path /templates/*
        path /occ
        path /console.php
    }
    respond @forbidden 404
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
}

I have tried multiple variations of my setup and tried to solve the issue for hours using ChatGPT, but nothing worked.

I think that the problem is that the nextcloud caddy server is not able to talk to the reverse proxy.

I would be very grateful if someone could explain to me what is going wrong here and what I should do to solve this problem.

If you generally have some feedback on my approach to setting up my home server, please leave some comments, as I am just a beginner and feedback could be very helpful.

It would also be helpful if someone could explain to me how exactly HTTPS works, and if someone has a minimal working example with two containers and reverse proxying via HTTPS, it would be great if you could share it with me. From there I could try to work it out by myself.

Thank you in advance for your help.
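As an added example (not from the original post or from the Caddy project), here is a minimal two-container setup in which the edge proxy verifies the backend's certificate instead of using tls_insecure_skip_verify. It assumes both containers are on one shared podman network, the backend container is named `nextcloud`, the public name `nextcloud.example.org` is a placeholder, Caddy 2.8 or newer, and the backend's internal root certificate (`/data/caddy/pki/authorities/local/root.crt` in the official image) is mounted read-only into the edge container at `/etc/caddy/nextcloud-root.crt`.

```caddyfile
# ---- Caddyfile for the edge reverse-proxy container (assumed name: caddy-edge) ----
# The edge proxy holds the public certificate for the real domain (Caddy obtains
# it automatically) and talks to the backend over the shared podman network,
# so no host IP and no published port are involved on this hop.
nextcloud.example.org {
    reverse_proxy https://nextcloud:443 {
        transport http {
            # Send an SNI that matches the name in the backend certificate.
            # Connecting to a bare IP sends no SNI, so the backend cannot pick
            # a matching certificate for the handshake.
            tls_server_name nextcloud
            # Verify the backend against its internal CA root instead of
            # turning verification off; an unverified TLS hop is encrypted
            # but not authenticated. Assumed mount path, see lead-in.
            tls_trust_pool file /etc/caddy/nextcloud-root.crt
        }
    }
}

# ---- Caddyfile for the Nextcloud caddy container (assumed name: nextcloud) ----
# The site address is exactly the name the edge proxy uses as SNI, so the
# internal CA issues a certificate for that name and the handshake succeeds.
https://nextcloud {
    tls internal
    root * /var/www/html
    php_fastcgi nextcloud-app:9000 {
        root /var/www/html
        env front_controller_active true
    }
    file_server
}
```

With this layout the pod no longer needs PublishPort=8443:443; only the edge proxy publishes 80 and 443 on the host. To see which certificate the backend actually presents, run openssl s_client against it once with and once without -servername, which reproduces both the working and the failing handshake.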