Can't get caddy to reverse_proxy anything on LAN to dockerized services that have in-built nginx servers

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

a. System environment:

docker

b. Command:

sudo docker run caddy

d. My complete Caddyfile or JSON config:

bw.mydomain.net {
	reverse_proxy 192.168.1.188:8201
}

3. The problem I’m having:

I just want my dockerized services that run with an inbuilt nginx server (i.e. bitwarden, firefly3, nextcloud) to be reachable on LAN with their hostname www.bw.mydomain.net (for example with bitwarden) or www.firefly3.mydomain.net (for example with firefly3)

ALL of them are reachable if I use my phone, go to my satellite internet connection and go to those domains. However, if I connect to wifi and try to reach those domains I get rerouted to a page that says "Forbidden. Your client does not have permission to get this page from this server." and the URL gets changed to https://bw.mydomain.net/login.htm, with the /login.htm part being added on to the end of the URL being new.

This part, I believe, is 100% the inbuilt nginx server's doing, as I'm unaware of Caddy doing anything with a /login.htm route automatically; as you can see, nothing of the sort is mentioned in my Caddyfile.

4. Error messages and/or full log output:

There are literally no errors at all on Caddy's end; from Caddy's POV everything is working normally.

5. What I already tried:

I'm not even sure where to begin. Google turns up a million results for replacing nginx with Caddy or vice versa, but I can't find ANYTHING for combining them effectively. This SEEMS like a NAT hairpin issue, but it's not; something is going wrong between Caddy and the inbuilt nginx server contained in only certain dockerized services, in this example bitwarden, which ships with a builtin nginx server in the docker-compose.

Dockerized services like emby, which do not contain a built-in nginx component, have no issue at all, and are reachable from www.emby.mydomain.net on LAN AND WAN, i.e. on my phone with satellite internet or wifi internet.

I feel like the answer is something simple, like adding some kind of header flag or some kind of URL rewrite scheme to the config, but after trying a ton of different ones without really knowing what I'm doing, I'm just shooting in the dark, so any help would REALLY be appreciated, because not being able to use Caddy with any self-hosted service that ships with its own webserver limits a lot of the options for me.

Please upgrade to v2.3.0!

What does the nginx config look like for the service that isn’t working?

I’ve seen that bitwarden is typically served over HTTPS by default, with a self-signed certificate. Is that the case here? If it is HTTPS, then you’ll need to prefix https:// in front of the proxy address in your Caddyfile to tell Caddy to connect over HTTPS.

You’ll also probably need to set tls_trusted_ca_certs to the certificate that bitwarden is using to establish trust. (You could set tls_insecure_skip_verify instead, but I strongly suggest not doing that).
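As an added illustration of the two settings mentioned in this reply (this is example config, not posted by anyone in the thread), here is the Caddyfile from the original post rewritten both ways. It assumes the bitwarden container at 192.168.1.188:8201 serves HTTPS with a self-signed certificate that has been exported to /etc/caddy/bitwarden.crt, and that the certificate carries a subject alternative name matching the name given to tls_server_name; both the path and the name are assumptions.

```caddyfile
# Added example, not from the original thread. Assumes the backend at
# 192.168.1.188:8201 speaks HTTPS with a self-signed certificate exported to
# /etc/caddy/bitwarden.crt (path is an assumption).

# Not recommended: tls_insecure_skip_verify makes Caddy accept any
# certificate, so anything that can answer on 192.168.1.188:8201, or sit on
# the LAN path to it, is trusted as the backend. Shown only for contrast.
bw-insecure.mydomain.net {
	reverse_proxy https://192.168.1.188:8201 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

# Preferred: trust exactly the backend's certificate (a self-signed cert is
# its own root, so the exported leaf can be used directly) and verify the
# backend's name against it.
bw.mydomain.net {
	reverse_proxy https://192.168.1.188:8201 {
		transport http {
			tls_trusted_ca_certs /etc/caddy/bitwarden.crt
			# Sent as SNI and checked against the backend certificate's SANs;
			# must match a name the self-signed cert was issued for (assumed).
			tls_server_name bw.mydomain.net
		}
	}
}
```

Only the second site block is the intended configuration; the https:// prefix is what switches the upstream connection from plaintext to TLS, and tls_trusted_ca_certs is what keeps that connection verifiable without disabling certificate checking.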

So I found out what the issue was. Apparently it was my fios g3100 router.

Somehow they reserve port 443 for remote management, which is weird because I self-host several services that have HTTPS and get 443 forwarded to them no problem, but only when you throw in a dockerized service with a built-in nginx config does this so-difficult-to-troubleshoot issue arise. I found this out by messing with the remote management 443 port in the advanced settings of the fios g3100 router; changing it to something else like 444 would then cause my bitwarden installation to forward to my fios router login, on port 444. That was apparently the login.htm part of the URL that was being added, from my fios router, lol.

Long story short, changing or disabling that port didn't fix anything, it just confirmed for me it was the g3100 router, so I swapped to a nighthawk router I had and voilà, all was working as intended. Hope this helps someone!
