Can Caddy be reverse proxy to Ocserver?

  1. Caddy version: 2.3.0

  2. How I run Caddy:
    caddy run --environ --config /etc/caddy/Caddyfile

  a. System environment:
    ArchLinux 5.10.13

  d. My relevant Caddyfile config:

> {
>         tls /etc/ssl/Letsencrypt/ec/0000_cert.pem /etc/ssl/Letsencrypt/ec/ecc.key
>         reverse_proxy *
> }
  3. The problem I'm having:
    The backend is Ocserver (AnyConnect). It worked fine behind HAProxy, and I tried Caddy as the load balancer instead of HAProxy. Unfortunately, Ocserv rejects connections from Caddy.

  4. Error messages and/or full log output:
    Caddy says:

feb 08 00:59:11 caddy[25041]: {"level":"error","ts":1612738751.0278764,"logger":"http.log.error","msg":"read tcp> read: connection reset by peer","request":{"remote_addr":"","proto":"HTTP/1.1","method":"POST","host":"","uri":"/","headers":{"X-Anyconnect-Platform":["linux-64"],"X-Support-Http-Auth":["true"],"X-Pad":["000000000000000000000000000000000000000000000"],"Content-Type":["application/xml; charset=utf-8"],"Content-Length":["211"],"User-Agent":["Open AnyConnect VPN Agent v8.10"],"X-Aggregate-Auth":["1"],"Accept":["*/*"],"Accept-Encoding":["identity"],"X-Transcend-Version":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"","proto_mutual":true,"server_name":""}},"duration":0.064781622,"status":502,"err_id":"n4ktyhm1g","err_trace":"reverseproxy.statusError (reverseproxy.go:783)"}

Ocserv says:

feb 08 00:59:11 ocserv[25200]: worker: worker-proxyproto.c:321: proxy-hdr: invalid v2 header
feb 08 00:59:11 ocserv[25200]: worker: worker-vpn.c:778: could not parse proxy protocol header; discarding con

As far as I understand, Caddy sends Ocserv headers which are not suitable for the backend. It wants a "v2 header" or something like this. Is there any way to change the headers sent by Caddy? I mean, do you have any idea what the "v2 header" is, so I can change it in Caddy?

I think it’s expecting a connection with the PROXY protocol, which is basically a protocol that sends some additional data before the rest of the request that tells the upstream the original IP of the client, as an alternative to the X-Forwarded-For header that doesn’t require terminating TLS.

I think that’s enabled with a setting listen-proxy-proto = true according to this page:

So I think you should just turn that off for use with Caddy.

I’m not certain about this, but that may also not work, if it’s actually a TCP service rather than HTTP. Caddy is an HTTP proxy.

If you need a TCP proxy, you would have more luck with this plugin:
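Both the ocserv log in the question ("proxy-hdr: invalid v2 header") and the description of the PROXY protocol in the reply above come down to the same wire format: a fixed 12-byte signature, a version/command byte, a family/transport byte, a 2-byte length, then the original source and destination addresses, all sent before the first byte of the real connection. The Go program below is an added example, not code from this thread, from Caddy or from ocserv. It builds and parses a PROXY protocol v2 header and shows that an ordinary HTTP request, which is what Caddy's reverse_proxy sends, fails the signature check in exactly the way ocserv reports, while the same bytes behind a proper header parse and yield the real client address. The addresses, ports and request bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// proxyV2Sig is the fixed 12-byte signature that starts every PROXY protocol v2 header.
var proxyV2Sig = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ErrNotProxyV2 mirrors the condition ocserv logs as "invalid v2 header".
var ErrNotProxyV2 = errors.New("invalid v2 header")

// ProxyInfo is what a PROXY-protocol-aware backend learns before reading the real payload.
type ProxyInfo struct {
	Command          string // "LOCAL" (health check) or "PROXY"
	SrcIP, DstIP     net.IP
	SrcPort, DstPort uint16
	Payload          []byte // bytes after the header: the TLS ClientHello or HTTP request
}

// ParseProxyV2 parses a PROXY protocol v2 header from the first bytes of a connection.
func ParseProxyV2(b []byte) (*ProxyInfo, error) {
	if len(b) < 16 || !bytes.Equal(b[:12], proxyV2Sig) {
		return nil, ErrNotProxyV2 // a plain HTTP request or TLS ClientHello lands here
	}
	verCmd, famProto := b[12], b[13]
	addrLen := int(binary.BigEndian.Uint16(b[14:16]))
	if verCmd>>4 != 2 || len(b) < 16+addrLen {
		return nil, fmt.Errorf("%w: bad version or truncated header", ErrNotProxyV2)
	}
	info := &ProxyInfo{Payload: b[16+addrLen:]}
	switch verCmd & 0x0f {
	case 0: // LOCAL: the proxy itself connects (health checks); the address block is ignored
		info.Command = "LOCAL"
		return info, nil
	case 1:
		info.Command = "PROXY"
	default:
		return nil, fmt.Errorf("%w: unknown command %d", ErrNotProxyV2, verCmd&0x0f)
	}
	var n int // address size for the family in the high nibble (low nibble is STREAM/DGRAM)
	switch famProto >> 4 {
	case 1:
		n = 4 // AF_INET
	case 2:
		n = 16 // AF_INET6
	default:
		return nil, fmt.Errorf("%w: unsupported address family %d", ErrNotProxyV2, famProto>>4)
	}
	if addrLen < 2*n+4 {
		return nil, fmt.Errorf("%w: short address block", ErrNotProxyV2)
	}
	addr := b[16 : 16+addrLen] // src addr, dst addr, src port, dst port, network byte order
	info.SrcIP, info.DstIP = net.IP(addr[:n]), net.IP(addr[n:2*n])
	info.SrcPort = binary.BigEndian.Uint16(addr[2*n:])
	info.DstPort = binary.BigEndian.Uint16(addr[2*n+2:])
	return info, nil
}

// BuildProxyV2 builds the header a TCP load balancer (HAProxy, caddy-l4) prepends for a connection.
func BuildProxyV2(src, dst *net.TCPAddr) ([]byte, error) {
	var fam byte
	var addr []byte
	if s4, d4 := src.IP.To4(), dst.IP.To4(); s4 != nil && d4 != nil {
		fam, addr = 0x11, append(append(addr, s4...), d4...) // AF_INET, STREAM
	} else if s6, d6 := src.IP.To16(), dst.IP.To16(); s6 != nil && d6 != nil {
		fam, addr = 0x21, append(append(addr, s6...), d6...) // AF_INET6, STREAM
	} else {
		return nil, errors.New("invalid source or destination IP")
	}
	var ports [4]byte
	binary.BigEndian.PutUint16(ports[0:2], uint16(src.Port))
	binary.BigEndian.PutUint16(ports[2:4], uint16(dst.Port))
	addr = append(addr, ports[:]...)
	h := make([]byte, 0, 16+len(addr))
	h = append(h, proxyV2Sig...)
	h = append(h, 0x21, fam) // version 2, command PROXY
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(addr)))
	h = append(h, l[:]...)
	return append(h, addr...), nil
}

func main() {
	// Constructed sample: the start of the AnyConnect POST that Caddy forwards, with no PROXY header.
	httpReq := []byte("POST / HTTP/1.1\r\nHost: vpn.example.com\r\nX-Aggregate-Auth: 1\r\n\r\n")
	_, err := ParseProxyV2(httpReq)
	fmt.Println("plain HTTP from Caddy's reverse_proxy:", err)
	client := &net.TCPAddr{IP: net.ParseIP("203.0.113.7"), Port: 51234} // constructed addresses
	front := &net.TCPAddr{IP: net.ParseIP("198.51.100.2"), Port: 443}
	hdr, _ := BuildProxyV2(client, front)
	if info, err := ParseProxyV2(append(hdr, httpReq...)); err == nil {
		fmt.Printf("client %s:%d, %d payload bytes follow\n", info.SrcIP, info.SrcPort, len(info.Payload))
	}
}
```

The security point behind `listen-proxy-proto`: the header is trusted data with no authentication of its own, so a backend that accepts it must only be reachable through the proxy that adds it; anyone who can open a TCP connection directly to the ocserv port could otherwise prepend a header naming any client address they like. Turning the option off when the frontend does not speak PROXY, as the reply suggests, avoids both the parse failure and that exposure.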

Thank you. I have also tried without the setting listen-proxy-proto = true; this time Ocserver required a certificate from Caddy. I put the directive transport http {.... with the client certificate in the Caddyfile, and the connection was established, but only between Caddy and Ocserver, with no connection to the final client (my computer). I think that is because, as you say, it's actually a TCP service rather than HTTP.
Well, I will try the caddy-l4 plugin.

This topic was automatically closed after 30 days. New replies are no longer allowed.