Caddy2 reverse proxy for Unifi controller

1. Caddy version (caddy version):

Caddy v2

2. How I run Caddy:

a. System environment:

Raspbian 10.4

b. Command:

/opt/caddy/caddy run --environ --config /opt/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/opt/caddy/caddy run --environ --config /opt/caddy/Caddyfile
ExecReload=/opt/caddy/caddy reload --config /opt/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

unifi

reverse_proxy https://127.0.0.1:8443 {
    transport http {
        tls
        tls_insecure_skip_verify
    }
    header_up -Authorization
    header_up Host {host}
}

log {
    output file /opt/caddy/caddy.log
    level DEBUG
}
    

tls /opt/caddy/unifi.pem /opt/caddy/unifi-key.pem {
    ca_root /opt/caddy/root.pem
    protocols tls1.3 tls1.3
}

3. The problem I’m having:

I use Caddy to reverse proxy my unifi controller (version 5.13.29) and receive “400 Bad Request” when I attempt to go to the login page. The previous version of the controller I was running (5.12.66) worked no problem with this config, but after upgrading the controller (running under docker), I started receiving this error.

I’ve seen other posts about this error, so I tried adding the -Authorization and passing the Host along in the Caddyfile, but it didn’t have any effect. I can reach the controller if I go to the 8443 (the non-proxied, direct port) and it works normally.

4. Error messages and/or full log output:

5. What I already tried:

Added logging to the Caddyfile thinking that it was possibly another header-related issue, but I only seem to get the requests from client → Caddy, which all show 200 OK.

Is it possible to log the upstream requests (caddy → unifi) so I can see what is happening between Caddy and the controller?

journalctl -u caddy did not have any unusual looking (to me) errors:

Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.623434,"msg":"using provided configuration","config_file":"/opt/caddy/Caddyfile","config_adapter":""}
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.6326926,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["[::1]:2019","127.0.0.1:2019","localhost:2019"]}
Jun 06 12:43:44 unifi caddy[26947]: 2020/06/06 12:43:44 [INFO][cache:0x237a000] Started certificate maintenance routine
Jun 06 12:43:44 unifi caddy[26947]: 2020/06/06 12:43:44 [WARNING] Stapling OCSP: no OCSP stapling for [unifi]: no OCSP server specified in certificate
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.6358464,"logger":"http","msg":"skipping automatic certificate management because one or more matching certificates are already loaded","domain":"unifi","server_name":"srv0"}
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.6358876,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.6368816,"logger":"tls","msg":"cleaned up storage units"}
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.637644,"msg":"autosaved config","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Jun 06 12:43:44 unifi caddy[26947]: {"level":"info","ts":1591461824.6376848,"msg":"serving initial configuration"}
Jun 06 20:40:01 unifi caddy[26947]: 2020/06/06 20:40:01 http: TLS handshake error from 10.14.0.11:38874: no certificate available for 'trace.svc.ui.com'
Jun 07 00:43:44 unifi caddy[26947]: {"level":"info","ts":1591505024.637083,"logger":"tls","msg":"cleaned up storage units"}

Any ideas are appreciated. Thanks!

6. Links to relevant resources:

Hi @kfkenobi, welcome to the Caddy community!

This is directly relevant to my interests. My controller is at version 5.12.72 and works fine right now with a very bog standard reverse proxy. I wonder what Unifi is doing in 5.13 to break these requests?

You’re doing debug-level logging for this site to the file /opt/caddy/caddy.log - is there any info there? There should be full request and response data for the reverse proxy round tripper.

journalctl will only have the default logs, not the additional debug level logs you specified to go to the file.

Thanks! Yeah, I think something changed in 5.13.x. Never had any issue in 5.12.x.

You’re doing debug-level logging for this site to the file /opt/caddy/caddy.log - is there any info there? There should be full request and response data for the reverse proxy round tripper.

If I was seeing the whole round trip, wouldn’t the log have remote_addr: 127.0.0.1:8443 in a request at some point? I don’t have any entries with that, all of them have remote_addr of my client (Chrome). Also, every entry has logger: http.log.access.log0 - which aligns with my hunch that I’m only logging the access request coming into caddy. And viewing them in Chrome dev tools matches with what I see in the log (number of requests and their headers).

Here’s an example:

{
    "level": "info",
    "ts": 1591664589.5920475,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/app.js",
        "proto": "HTTP/2.0",
        "remote_addr": "10.0.0.5:33828",
        "host": "unifi",
        "headers": {
            "Pragma": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Accept": [
                "*/*"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Referer": [
                "https://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "pi4"
        }
    },
    "common_log": "10.0.0.5 - - [08/Jun/2020:21:03:09 -0400] \"GET /manage/angular/g7989b19/js/app.js HTTP/2.0\" 200 498103",
    "duration": 0.197908802,
    "size": 498103,
    "status": 200,
    "resp_headers": {
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:37 GMT"
        ],
        "Content-Type": [
            "application/javascript"
        ],
        "Date": [
            "Tue, 09 Jun 2020 01:03:09 GMT"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Expires": [
            "Wed, 10 Jun 2020 01:03:09 GMT"
        ],
        "Server": [
            "caddy"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Content-Length": [
            "498103"
        ]
    }
}

Also, none of them are showing level: debug - does that mean I’ve messed up my logging directive in some way?

Thanks again for your help!

Hmm.

Just throw the debug global option at the head of your Caddyfile and give it another shot, then look at journalctl.

What position does debug go? I tried it before and after my hostname line, but got an error about unrecognized directive.

Never mind, figured out the { } global block. Now I see debug in journalctl. I’ll take a look at the log and see if anything stands out.

No worries. Just for the sake of posterity: Global options (Caddyfile) — Caddy Documentation

I got the full debug, and nothing looked obvious (e.g., it was still passing Authorization), so I tried removing more upstream headers. Now the headers in reverse_proxy look like:

    header_up -Authorization
    header_up -X-Forwarded-For
    header_up -X-Forwarded-Proto
    header_up -Origin
    header_up -Sec-Fetch-Site
    header_up -Sec-Fetch-Mode
    header_up -Sec-Fetch-Dest
    header_up Host {host}

Unfortunately this didn’t have an effect. I did see in the release notes for the new version of the controller (https://community.ui.com/releases/UniFi-Network-Controller-5-13-29/d7647910-77a2-4e61-bbfe-389206f2d6ad) this note:
Regenerate self-signed certificates for existing installations to meet Apple's new rules (see Apple's article HERE).

If the upstream server changed their certs, would that somehow affect Caddy? I would think that since I’m using tls_insecure_skip_verify in my reverse_proxy, it would accept any changes (if it even cared about HSTS for example).

Edit: another thought: can you set the TLS versions and ciphers that are used by the reverse_proxy upstream? I noticed in the debug that all requests, whether they were upstream or from http.log.access.log0 show TLS version 772 (1.3), which I’m pretty sure isn’t supported by unifi’s java server. So I tried setting min and max to 1.2, but it still failed, however I noticed it is picking ciphersuites that probably aren’t supported either (i.e. ChaCha).

Why remove all these headers? If the browser is sending them, it’ll be sending them to the controller, too.

Can you test with a very simple config? e.g.

{
  debug
}

unifi {
  reverse_proxy https://127.0.0.1:8443 {
    transport http {
      tls_insecure_skip_verify
    }
  }
}

And then post the full debug output line?

You would not receive Status 400 Bad Request from the controller if this error was occurring at the transport layer. You would get Status 502 Bad Gateway, from Caddy itself. From the Status 400 we can infer that the issue is with the HTTP request itself, not TLS negotiation.
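The triage reasoning in the reply above (a 400 relayed from the controller versus a 502 generated by Caddy), as an added example that is not part of the original thread: it reads journald-style Caddy log lines, pairs `upstream roundtrip` debug entries with access-log entries, and reports which side produced each error status. The sample lines are constructed, the function names are hypothetical, and it assumes the `debug` global option is on so upstream entries are present.

```python
import json
import re
from collections import Counter

# journald prefix as shown in the thread: "Jun 09 20:38:14 unifi caddy[2235]: {...}"
JOURNAL_PREFIX = re.compile(r"^.*?\bcaddy\[\d+\]:\s*")


def parse_entries(lines):
    """Return the JSON log entries found in `lines`, skipping plain-text lines."""
    entries = []
    for line in lines:
        payload = JOURNAL_PREFIX.sub("", line.strip(), count=1)
        if not payload.startswith("{"):
            continue  # e.g. the --environ dump or certmagic's plain-text lines
        try:
            entry = json.loads(payload)
        except json.JSONDecodeError:
            continue  # truncated or hand-edited entry
        # Logs pasted into forums are sometimes defanged (http -> hxxp); undo that
        # for the logger name only, so matching below works on either form.
        entry["logger"] = entry.get("logger", "").replace("hxxp", "http")
        entries.append(entry)
    return entries


def _key(entry):
    """Identify one request/response pair across the two loggers."""
    req = entry.get("request", {})
    return (req.get("remote_addr"), req.get("uri"), entry.get("status"))


def triage(lines):
    """Return (origin, status, uri) for every error response in the log.

    origin is "upstream" when the reverse_proxy debug entry shows the backend
    itself answered with that status, and "proxy" when the client saw an error
    in the access log that no upstream round trip accounts for.
    """
    entries = parse_entries(lines)
    upstream = [e for e in entries
                if e["logger"] == "http.handlers.reverse_proxy"
                and e.get("msg") == "upstream roundtrip"]
    access = [e for e in entries if e["logger"].startswith("http.log.access")]

    findings = [("upstream", e["status"], e.get("request", {}).get("uri"))
                for e in upstream if e.get("status", 0) >= 400]

    # Count upstream responses so repeated requests for one URI pair up correctly.
    unmatched = Counter(_key(e) for e in upstream)
    for e in access:
        if e.get("status", 0) < 400:
            continue
        key = _key(e)
        if unmatched[key] > 0:
            unmatched[key] -= 1  # already reported as an upstream error
        else:
            findings.append(("proxy", e["status"], e.get("request", {}).get("uri")))
    return findings


# --- Constructed sample input, modelled on the log format in this thread ---
def _req(uri):
    return {"method": "GET", "uri": uri,
            "remote_addr": "10.0.0.5:36338", "host": "unifi"}


def _journal(entry):
    return "Jun 09 20:38:14 unifi caddy[2235]: " + json.dumps(entry)


SAMPLE = [
    "Jun 09 20:34:45 unifi caddy[2235]: runtime.GOOS=linux",
    _journal({"level": "debug", "logger": "http.handlers.reverse_proxy",
              "msg": "upstream roundtrip", "upstream": "127.0.0.1:8443",
              "request": _req("/manage/fatal"), "status": 302}),
    _journal({"level": "info", "logger": "http.log.access.log0",
              "msg": "handled request",
              "request": _req("/manage/fatal"), "status": 302}),
    # Defanged logger name, as in the pasted debug log.
    _journal({"level": "debug", "logger": "hxxp.handlers.reverse_proxy",
              "msg": "upstream roundtrip", "upstream": "127.0.0.1:8443",
              "request": _req("/manage/account/login"), "status": 400}),
    _journal({"level": "info", "logger": "http.log.access.log0",
              "msg": "handled request",
              "request": _req("/manage/account/login"), "status": 400}),
    # Line from a file log (no journald prefix): an error with no upstream entry.
    json.dumps({"level": "info", "logger": "http.log.access.log0",
                "msg": "handled request",
                "request": _req("/manage/angular/g7989b19/js/app.js"),
                "status": 502}),
]

if __name__ == "__main__":
    for origin, status, uri in triage(SAMPLE):
        print(f"{status} from {origin}: {uri}")
```
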

From the Status 400 we can infer that the issue is with the HTTP request itself, not TLS negotiation.

Good point, the controller is displaying the error page, so that piece should be fine. I was thrown off that the debug log was reporting 1.3.

Why remove all these headers?

These were just debugging attempts. I originally started with a config very similar to the simple one you suggested. I tried yours, only adding this:

tls /opt/caddy/unifi.pem /opt/caddy/unifi-key.pem {
    ca_root /opt/caddy/root.pem
    protocols tls1.2 tls1.3
}

since I don’t want it to attempt ACME (which will fail in my setup since it’s not intended to be publicly accessible)

Here’s the truncated log (hit the max lines for a post). Hope I’m posting this in the right format:

Full debug log
Jun 09 20:34:45 unifi systemd[1]: Started Caddy.
Jun 09 20:34:45 unifi caddy[2235]: caddy.HomeDir=/var/lib/caddy
Jun 09 20:34:45 unifi caddy[2235]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Jun 09 20:34:45 unifi caddy[2235]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Jun 09 20:34:45 unifi caddy[2235]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Jun 09 20:34:45 unifi caddy[2235]: runtime.GOOS=linux
Jun 09 20:34:45 unifi caddy[2235]: runtime.GOARCH=arm
Jun 09 20:34:45 unifi caddy[2235]: runtime.Compiler=gc
Jun 09 20:34:45 unifi caddy[2235]: runtime.NumCPU=4
Jun 09 20:34:45 unifi caddy[2235]: runtime.GOMAXPROCS=4
Jun 09 20:34:45 unifi caddy[2235]: runtime.Version=go1.14.3
Jun 09 20:34:45 unifi caddy[2235]: os.Getwd=/
Jun 09 20:34:45 unifi caddy[2235]: LANG=en_GB.UTF-8
Jun 09 20:34:45 unifi caddy[2235]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Jun 09 20:34:45 unifi caddy[2235]: HOME=/var/lib/caddy
Jun 09 20:34:45 unifi caddy[2235]: LOGNAME=caddy
Jun 09 20:34:45 unifi caddy[2235]: USER=caddy
Jun 09 20:34:45 unifi caddy[2235]: INVOCATION_ID=824bcd75c53c4b15b44fea118f4d808a
Jun 09 20:34:45 unifi caddy[2235]: JOURNAL_STREAM=8:372336
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.8054156,
    "msg": "using provided configuration",
    "config_file": "/opt/caddy/Caddyfile",
    "config_adapter": ""
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.8147528,
    "logger": "admin",
    "msg": "admin endpoint started",
    "address": "tcp/localhost:2019",
    "enforce_origin": false,
    "origins": [
        "localhost:2019",
        "[::1]:2019",
        "127.0.0.1:2019"
    ]
}
Jun 09 20:34:45 unifi caddy[2235]: 2020/06/09 20:34:45 [INFO][cache:0x3f6a380] Started certificate maintenance routine
Jun 09 20:34:45 unifi caddy[2235]: 2020/06/09 20:34:45 [WARNING] Stapling OCSP: no OCSP stapling for [unifi]: no OCSP server specified in certificate
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.818305,
    "logger": "hxxp",
    "msg": "skipping automatic certificate management because one or more matching certificates are already loaded",
    "domain": "unifi",
    "server_name": "srv0"
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.8183544,
    "logger": "hxxp",
    "msg": "enabling automatic hxxp->hxxpS redirects",
    "server_name": "srv0"
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.8195863,
    "logger": "tls",
    "msg": "cleaned up storage units"
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749285.8198726,
    "logger": "hxxp",
    "msg": "starting server loop",
    "address": "[::]:443",
    "hxxp3": false,
    "tls": true
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749285.8199682,
    "logger": "hxxp",
    "msg": "starting server loop",
    "address": "[::]:80",
    "hxxp3": false,
    "tls": false
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.8203464,
    "msg": "autosaved config",
    "file": "/var/lib/caddy/.config/caddy/autosave.json"
}
Jun 09 20:34:45 unifi caddy[2235]: {
    "level": "info",
    "ts": 1591749285.820376,
    "msg": "serving initial configuration"
}

Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.0635881,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/fatal",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Accept": [
                "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Sec-Fetch-Mode": [
                "navigate"
            ],
            "Sec-Fetch-User": [
                "?1"
            ],
            "Sec-Fetch-Dest": [
                "document"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Upgrade-Insecure-Requests": [
                "1"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Location": [
            "/manage/account/login?redirect=%2Fmanage%2Ffatal"
        ],
        "Content-Length": [
            "0"
        ]
    },
    "duration": 0.151075009,
    "status": 302
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.0817688,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/account/login?redirect=%2Fmanage%2Ffatal",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Accept": [
                "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Upgrade-Insecure-Requests": [
                "1"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "navigate"
            ],
            "Sec-Fetch-User": [
                "?1"
            ],
            "Sec-Fetch-Dest": [
                "document"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "Pragma": [
                "no-cache"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Cache-Control": [
            "max-age=0"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Content-Length": [
            "319"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:54 GMT"
        ],
        "Expires": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Content-Type": [
            "text/html"
        ]
    },
    "duration": 0.00685334,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.2941158,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/index.js",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Pragma": [
                "no-cache"
            ],
            "Accept": [
                "*/*"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Content-Encoding": [
            "br"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Type": [
            "application/javascript"
        ],
        "Content-Length": [
            "4688"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:45 GMT"
        ]
    },
    "duration": 0.006732806,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.3719294,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/fonts/ubnt-icon/style.css",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "style"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Accept": [
                "text/css,*/*;q=0.1"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "Pragma": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Vary": [
            "accept-encoding"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Content-Length": [
            "5181"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:27 GMT"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Type": [
            "text/css"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Content-Encoding": [
            "br"
        ]
    },
    "duration": 0.008517116,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.38364,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/css/styles.bundle.css",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Accept": [
                "text/css,*/*;q=0.1"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "style"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Pragma": [
                "no-cache"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:23 GMT"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Length": [
            "24549"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Content-Type": [
            "text/css"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Vary": [
            "accept-encoding"
        ]
    },
    "duration": 0.016833311,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.395961,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/css/app.css",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "style"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Accept": [
                "text/css,*/*;q=0.1"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Vary": [
            "accept-encoding"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:22 GMT"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Type": [
            "text/css"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Content-Length": [
            "104401"
        ]
    },
    "duration": 0.026280719,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.433334,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/initial.js",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Cache-Control": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Accept": [
                "*/*"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Length": [
            "92105"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:45 GMT"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Content-Type": [
            "application/javascript"
        ]
    },
    "duration": 0.036196191,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.4687343,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/components.js",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Pragma": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Accept": [
                "*/*"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Vary": [
            "accept-encoding"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:41 GMT"
        ],
        "Content-Type": [
            "application/javascript"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "Content-Length": [
            "334338"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ]
    },
    "duration": 0.012445005,
    "status": 200
}
Jun 09 20:38:14 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749494.5119152,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/fonts/aura/fonts.css",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Accept": [
                "text/css,*/*;q=0.1"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Dest": [
                "style"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Cache-Control": [
            "max-age=86400"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:14 GMT"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:23 GMT"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Content-Type": [
            "text/css"
        ],
        "Content-Length": [
            "273"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:14 GMT"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Content-Encoding": [
            "br"
        ]
    },
    "duration": 0.009673867,
    "status": 200
}
Jun 09 20:38:16 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749496.3002424,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/base.js",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Pragma": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Accept": [
                "*/*"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Date": [
            "Wed, 10 Jun 2020 00:38:15 GMT"
        ],
        "Content-Encoding": [
            "br"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:40 GMT"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Content-Length": [
            "241236"
        ],
        "Content-Type": [
            "application/javascript"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:16 GMT"
        ]
    },
    "duration": 0.01158571,
    "status": 200
}
Jun 09 20:38:16 unifi caddy[2235]: {
    "level": "debug",
    "ts": 1591749496.383039,
    "logger": "hxxp.handlers.reverse_proxy",
    "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {
        "method": "GET",
        "uri": "/manage/angular/g7989b19/js/app.js",
        "proto": "hxxp/2.0",
        "remote_addr": "10.0.0.5:36338",
        "host": "unifi",
        "headers": {
            "Accept": [
                "*/*"
            ],
            "Sec-Fetch-Site": [
                "same-origin"
            ],
            "Sec-Fetch-Mode": [
                "no-cors"
            ],
            "Referer": [
                "hxxps://unifi/manage/account/login?redirect=%2Fmanage%2Ffatal"
            ],
            "Accept-Encoding": [
                "gzip, deflate, br"
            ],
            "X-Forwarded-Proto": [
                "hxxps"
            ],
            "Cache-Control": [
                "no-cache"
            ],
            "User-Agent": [
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36"
            ],
            "Accept-Language": [
                "en-US,en;q=0.9"
            ],
            "X-Forwarded-For": [
                "10.0.0.5"
            ],
            "Pragma": [
                "no-cache"
            ],
            "Sec-Fetch-Dest": [
                "script"
            ]
        },
        "tls": {
            "resumed": false,
            "version": 772,
            "ciphersuite": 4867,
            "proto": "h2",
            "proto_mutual": true,
            "server_name": "unifi"
        }
    },
    "headers": {
        "Content-Encoding": [
            "br"
        ],
        "Content-Type": [
            "application/javascript"
        ],
        "Content-Length": [
            "498103"
        ],
        "X-Frame-Options": [
            "SAMEORIGIN"
        ],
        "Vary": [
            "accept-encoding"
        ],
        "Accept-Ranges": [
            "bytes"
        ],
        "Last-Modified": [
            "Fri, 22 May 2020 11:14:37 GMT"
        ],
        "Cache-Control": [
            "max-age=86400"
        ],
        "Expires": [
            "Thu, 11 Jun 2020 00:38:16 GMT"
        ],
        "Date": [
            "Wed, 10 Jun 2020 00:38:15 GMT"
        ]
    },
    "duration": 0.009377133,
    "status": 200
}

Not to worry - for hostnames that don’t look like public domain names, Caddy will issue an internal, locally-trusted certificate instead of trying to use LetsEncrypt.

Yep!

I can’t find any 400 status on a search and I can’t see any specific problems glancing through it all, though. I’m seeing a number of 200 status responses of varying length coming back from upstream, which seems to be healthy looking behaviour. What were you seeing in your browser when making these requests?


Error looks like this:

Hmm! That’s annoying, because the logs don’t show any 400s. In fact, every one of those logs (other than a single 302 redirect) is a 200 OK. Rather rude for the Unifi controller to say “all good!” to Caddy while giving you a page which itself says “bad request!”.
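The status search described in the replies above can be scripted. This is an added example, not part of the original thread or of Caddy itself: it assumes journald-style lines where a `caddy[pid]:` prefix is followed by one JSON object (possibly spread over several lines), and the sample log and its `/constructed/...` URIs are constructed for illustration.

```python
import json
import re
from collections import Counter

# Each entry is a JSON object after a journald prefix such as
# "Jun 09 20:38:14 unifi caddy[2235]: "; the object may span many lines.
# Whitespace inside the brackets is tolerated for re-wrapped pastes.
PREFIX = re.compile(r"caddy\[\s*\d+\s*\]:\s*")

def iter_entries(text):
    """Yield every JSON object that follows a caddy[pid]: prefix."""
    decoder = json.JSONDecoder()
    pos = 0
    while (m := PREFIX.search(text, pos)):
        try:
            obj, pos = decoder.raw_decode(text, m.end())
        except json.JSONDecodeError:
            pos = m.end()  # truncated entry: skip the prefix, keep scanning
            continue
        yield obj

def upstream_summary(text):
    """Tally upstream statuses; list entries that are >= 400 or have no status."""
    statuses, suspicious = Counter(), []
    for entry in iter_entries(text):
        if entry.get("msg") != "upstream roundtrip":
            continue  # only the proxy-to-upstream debug entries are of interest
        status = entry.get("status")
        statuses[status] += 1
        if status is None or status >= 400:
            suspicious.append((status, entry.get("request", {}).get("uri")))
    return statuses, suspicious

# Constructed sample (not the thread's log): same shape, trimmed fields.
SAMPLE = """\
Jun 09 20:38:14 unifi caddy[2235]: {"level": "debug", "msg": "upstream roundtrip",
    "upstream": "127.0.0.1:8443",
    "request": {"method": "GET", "uri": "/manage/angular/g7989b19/js/app.js"},
    "status": 200}
Jun 09 20:38:14 unifi caddy[2235]: {"level": "info", "msg": "handled request", "status": 200}
Jun 09 20:38:15 unifi caddy[2235]: {"level": "debug", "msg": "upstream roundtrip",
    "request": {"method": "GET", "uri": "/constructed/redirect"}, "status": 302}
Jun 09 20:38:16 unifi caddy[2235]: {"level": "debug", "msg": "upstream roundtrip",
    "request": {"method": "POST", "uri": "/constructed/login"}, "status": 400}
"""

if __name__ == "__main__":
    counts, flagged = upstream_summary(SAMPLE)
    print(dict(counts), flagged)
```

An empty flagged list over a real capture matches what the replies observed: the "bad request" text shown in the browser is not arriving as an upstream status code in these entries.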
