Caddy v2.1.1 on Docker: ERR_SSL_PROTOCOL_ERROR

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=
(Built from xCaddy)

2. How I run Caddy:

a. System environment:

Docker-compose; OS: Pop!_OS 20.04 LTS

b. Command:

CMD ["/usr/bin/caddy", "run", "--config", "/etc/caddy/Caddyfile"]

c. Service/unit/compose file:

Docker-compose.yaml looks like this (I’ve omitted applications not related to or interacting with caddy):

version: "2"

services:
  goautodial:
    build:
      context: ../goautodial
      dockerfile: Dockerfile
    image: caddy:2.1-custom
    container_name: goautodial
    ports:
      - 80:80/tcp
      - 443:443/tcp
      - 2015:2015/tcp
      - 2019:2019/tcp
    volumes:
      - ../goautodial/config/caddy:/config/caddy
      - ../goautodial/data:/data
      - ../goautodial/php/sessions:/var/lib/php/sessions
    networks:
      - asterisk
      - galera

  kamailio:
    image: kamailio/kamailio-ci:5.2-alpine
    container_name: kamailio
    depends_on:
      - mariadb-galera-0
    networks:
      - asterisk

networks:
  asterisk:
    driver: bridge
  galera:
    driver: bridge

d. My complete Caddyfile or JSON config:
:80 {
	root * /var/www/html
	encode gzip
	php_fastcgi unix//run/php/php7.3-fpm.sock
	file_server
}

3. The problem I’m having:

TL;DR: ERR_CONNECTION_REFUSED at localhost

  • Initial context:
    I’ve followed the quick-start, added a generic info.php file and the application GoAutodialv4 to /var/www/html

  • Behaviour inside docker container:
    curl localhost/info.php works fine with the expected php response; and curl localhost gets me an application-related issue (Failed to read session data: user (path: /var/lib/php/sessions))

  • Behaviour outside docker container:
    curl *docker-container-ip*/info.php works and gets the expected php response;
    curl *docker-container-ip* gets the application-related issue;
    Using a web browser to *docker-container-ip*/info.php works and gets the expected php webpage;
    Using a web browser to http://*docker-container-ip* (root directory of application) gets redirected to https://*docker-container-ip* and fails with ERR_CONNECTION_REFUSED

4. Error messages and/or full log output:

docker logs goautodial

{"apps":{"http":{"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"vars","root":"/var/www/html"},{"encodings":{"gzip":{}},"handler":"encode"}]},{"match":[{"file":{"try_files":["{http.request.uri.path}/index.php"]},"not":[{"path":["*/"]}]}],"handle":[{"handler":"static_response","headers":{"Location":["{http.request.uri.path}/"]},"status_code":308}]},{"match":[{"file":{"try_files":["{http.request.uri.path}","{http.request.uri.path}/index.php","index.php"],"split_path":[".php"]}}],"handle":[{"handler":"rewrite","uri":"{http.matchers.file.relative}"}]},{"match":[{"path":["*.php"]}],"handle":[{"handler":"reverse_proxy","transport":{"protocol":"fastcgi","split_path":[".php"]},"upstreams":[{"dial":"unix//run/php/php7.3-fpm.sock"}]}]},{"handle":[{"handler":"file_server","hide":["/etc/caddy/Caddyfile"]}]}]}}}}}
{"level":"info","ts":1594046137.9776142,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
{"level":"info","ts":1594046137.983121,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
{"level":"info","ts":1594046137.9833162,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
{"level":"info","ts":1594046137.9835515,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1594046137.98387,"msg":"autosaved config","file":"/root/.config/caddy/autosave.json"}
{"level":"info","ts":1594046137.9838767,"msg":"serving initial configuration"}
2020/07/06 14:35:37 [INFO][cache:0xc000213f20] Started certificate maintenance routine

5. What I already tried:

  • Changing the global config to debug: nothing else showed up. Changing http_port and https_port to higher ones, but I got the same results.

“Connection refused” means that nothing on the other side was listening. I don’t use Docker so I won’t be much help there but make sure your networking is set up properly.

What is the full request you are making? (Post a curl command.)

Thanks Matt for your assistance, the full request is just curl container-ip, i.e.:

Also:

  • If I intentionally change the application connection to the db with a wrong username, i.e., the application replies on http with this error (as expected):

    (here the ip is different due to a restart of the service)

Your Caddyfile specifies only :80 as the site label, which means it will not listen on 443 for HTTPS nor will it do auto-redirect. Matt’s hunch is right. There’s nothing listening on :443.

Is it as simple as setting the config like this?

:80 {
	root * /var/www/html
	encode gzip
	php_fastcgi unix//run/php/php7.3-fpm.sock
	file_server
}

:443 {
	root * /var/www/html
	encode gzip
	php_fastcgi unix//run/php/php7.3-fpm.sock
	file_server
}

if so, response now over curl https://container-ip changes to:

curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

It’s even simpler than that, just change :80 to :443 (don’t duplicate your site blocks).

Of course, then Caddy needs a certificate for whatever hostname(s) it will be serving. Make sure it has a way to get those. See Automatic HTTPS — Caddy Documentation

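The thread above turns on telling two different failures on port 443 apart: ERR_CONNECTION_REFUSED (nothing listening, the :80-only Caddyfile) and curl's error 35 "tlsv1 alert internal error" (a listener that cannot complete the handshake because it has no certificate). The following Python probe is an added example, not part of the thread and not Caddy's own tooling: it classifies a host:port from the client side into refused / TLS failure / OK / timeout, and reproduces the "nothing listening" case on a freed localhost port. For the "listening but handshake fails" case it uses a constructed stand-in that answers the ClientHello with plain HTTP (a real Caddy :443 without a certificate reports a different SSL reason, but lands in the same category). The helper names, host and ports are assumptions. Certificate verification is switched off deliberately because this checks reachability, not trust.

```python
import socket
import ssl
import threading


def probe_https(host, port, timeout=3.0):
    """Connect to host:port and attempt a TLS handshake.

    Returns (status, detail):
      ("refused", None)      nothing is listening (browser: ERR_CONNECTION_REFUSED)
      ("tls_error", reason)  something answered but the TLS handshake failed
                             (curl exit 35, e.g. "tlsv1 alert internal error")
      ("ok", version)        handshake completed, version is e.g. "TLSv1.3"
      ("timeout", None)      no answer at all (firewall, wrong network)
      ("reset", strerror)    the peer dropped the connection mid-handshake
    Verification is disabled on purpose: this is a reachability probe, not a
    trust check, so self-signed or internal-CA certificates still count as "ok".
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version())
    except ConnectionRefusedError:
        return ("refused", None)
    except ssl.SSLError as exc:
        return ("tls_error", exc.reason)
    except (socket.timeout, TimeoutError):
        return ("timeout", None)
    except OSError as exc:
        return ("reset", exc.strerror)


def closed_port():
    """Constructed scenario: reserve a free localhost port and release it, so
    nothing listens there by the time it is probed (the :80-only Caddyfile case)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def start_plaintext_server():
    """Constructed stand-in for a port that is open but cannot complete a TLS
    handshake: it reads the client's first bytes (the ClientHello) and answers
    in plain HTTP, which the client's TLS stack rejects. Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        srv.close()
        conn.settimeout(3.0)
        try:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")
            conn.shutdown(socket.SHUT_WR)  # FIN rather than RST: let the client read our bytes
            while conn.recv(4096):  # drain until the client hangs up
                pass
        except OSError:
            pass
        finally:
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def diagnose_local_examples():
    """Probe both constructed scenarios and return the results by name."""
    return {
        "nothing_listening": probe_https("127.0.0.1", closed_port()),
        "plaintext_on_port": probe_https("127.0.0.1", start_plaintext_server()),
    }


if __name__ == "__main__":
    # Point probe_https at a real container IP and 443 to classify the thread's symptoms.
    for name, (status, detail) in diagnose_local_examples().items():
        print(f"{name}: {status}" + (f" ({detail})" if detail else ""))
```

Against a real deployment, "refused" means the fix is in the listener (the site block is not on :443), while "tls_error" means the listener is there and the next thing to check is the certificate source, which is exactly the split the replies above make.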

Hi all, as you said, Matt, what I needed was a certificate for my site. Reading the documentation, I just found I needed a DNS challenge, as our site will be (for now) in a local network. By doing so, it works like a charm (besides the application error, which I can handle).

Thank you all for your support, just letting you know and closing this thread. :hugs:


Great, thanks for the follow-up!
