Caddy V2 reverse proxy not working

1. Caddy version (caddy version):

v2.2.0 h1:sMUFqTbVIRlmA8NkFnNt9l7s0e+0gw+7GPIrhty905A=

2. How I run Caddy:

/usr/local/bin/caddyv2 run --config /etc/caddy/Caddyfile

a. System environment:

CentOS 7. Running Caddy V2 directly as a binary.

b. Command:

/usr/local/bin/caddyv2 run --config /etc/caddy/Caddyfile 

c. Service/unit/compose file:

Not Applicable.

d. My complete Caddyfile or JSON config:

genetics.ghpc.au.dk {
	encode zstd gzip
	log {
		output file /var/log/access.log
	}

	header / Strict-Transport-Security "max-age=31536000;"
	reverse_proxy /filesend* 172.16.2.50:8081 {
	}
	root * /var/www
}

3. The problem I’m having:

I have a local http service (gouploader) running on port 8081. It is reachable on the 172.16.2.* network as http://172.16.2.50:8081. I have verified this. I want Caddy, which already serves a static website over https at genetics.ghpc.au.dk, to reverse proxy [https]://genetics.ghpc.au.dk/filesend to my gouploader service ([http]://172.16.2.50:8081). I cannot get Caddy to do this.

The above Caddyfile leads to a 404 when I try to reach [https]://genetics.ghpc.au.dk/filesend

The following was seen in the access log related to the 404 response.

2020/10/12 12:38:21.055 error   http.log.access.log0    handled request {"request": {"remote_addr": "10.192.156.210:61272", "proto": "HTTP/2.0", "method": "GET", "host": "genetics.ghpc.au.dk", "uri": "/filesend", "headers": {"Sec-Fetch-Site": ["none"], "Sec-Fetch-Mode": ["navigate"], "Accept-Language": ["en-GB,en-US;q=0.9,en;q=0.8"], "Cookie": ["_ga=GA1.2.2033167247.1516472574; optimizelyEndUserId=oeu1530606654843r0.7496788111050647; optimizelySegments=%7B%223013120724%22%3A%22referral%22%2C%223034530940%22%3A%22false%22%2C%223037560640%22%3A%22gc%22%7D; optimizelyBuckets=%7B%7D"], "Cache-Control": ["max-age=0"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "Accept-Encoding": ["gzip, deflate, br"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "genetics.ghpc.au.dk"}}, "common_log": "10.192.156.210 - - [12/Oct/2020:14:38:21 +0200] \"GET /filesend HTTP/2.0\" 404 18", "duration": 0.00732013, "size": 18, "status": 404, "resp_headers": {"Content-Type": ["text/plain"], "Date": ["Mon, 12 Oct 2020 12:38:21 GMT"], "Content-Length": ["18"], "Server": ["Caddy"]}}

If I change the Caddyfile to

genetics.ghpc.au.dk {
	encode zstd gzip
	log {
		output file /var/log/access.log
	}

	header / Strict-Transport-Security "max-age=31536000;"
	reverse_proxy /filesend* https://172.16.2.50:8081 {
		header_up Host "genetics.ghpc.au.dk"
		header_up X-Forwarded-Proto https
	}
	root * /var/www
}

I get a 502 error:

2020/10/12 12:33:59.087	ERROR	http.log.error.log0	tls: first record does not look like a TLS handshake	{"request": {"remote_addr": "10.192.156.210:61252", "proto": "HTTP/2.0", "method": "GET", "host": "genetics.ghpc.au.dk", "uri": "/filesend", "headers": {"Cache-Control": ["max-age=0"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"], "Sec-Fetch-Site": ["none"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "Cookie": ["_ga=GA1.2.2033167247.1516472574; optimizelyEndUserId=oeu1530606654843r0.7496788111050647; optimizelySegments=%7B%223013120724%22%3A%22referral%22%2C%223034530940%22%3A%22false%22%2C%223037560640%22%3A%22gc%22%7D; optimizelyBuckets=%7B%7D"], "Upgrade-Insecure-Requests": ["1"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"], "Accept-Encoding": ["gzip, deflate, br"], "Accept-Language": ["en-GB,en-US;q=0.9,en;q=0.8"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "genetics.ghpc.au.dk"}}, "duration": 0.004518668, "status": 502, "err_id": "ge53302m5", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:440)"}

How should I do the reverse_proxy correctly so that
genetics.ghpc.au.dk/filesend gets proxied to 172.16.2.50:8081/ ?

Appreciate any help.

4. Error messages and/or full log output:

5. What I already tried:

6. Links to relevant resources:

I think you probably need to strip the path prefix before proxying - I figure the upstream server doesn’t know how to deal with a request to /filesend.

handle_path /filesend* {
	reverse_proxy 172.16.2.50:8081
}

Also FYI header / will only match requests to exactly /. Remove the / to make it apply to all paths.

And finally, it looks like you forgot file_server? In Caddy v2, you must explicitly enable a file server, unlike Caddy v1.

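The three changes suggested in the reply above, combined into one site block. This is an added example, not a config posted in the thread; the hostname, upstream address, log path and web root are the ones from the question.

```caddyfile
genetics.ghpc.au.dk {
	encode zstd gzip
	log {
		output file /var/log/access.log
	}

	# No path matcher: the header is set on every response.
	# "header / ..." matches only the exact path "/", so HSTS was
	# missing on every other URL of the site.
	header Strict-Transport-Security "max-age=31536000;"

	# handle_path strips the matched /filesend prefix before proxying,
	# so a request for /filesend/foo reaches the upstream as /foo.
	# The upstream speaks plain HTTP: give no https:// scheme here, or
	# Caddy attempts a TLS handshake with it and answers 502
	# ("first record does not look like a TLS handshake").
	handle_path /filesend* {
		reverse_proxy 172.16.2.50:8081
	}

	# Static site for everything else; Caddy v2 serves files only
	# when file_server is enabled explicitly.
	root * /var/www
	file_server
}
```

After reloading, a response for any path other than / should carry the Strict-Transport-Security header, which confirms the matcher change took effect.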
