Cant proxy POST requests from HTTPS to HTTP localhost backend

tupo-nain · August 27, 2025, 9:16pm

1. The problem I’m having:

with http entire proxying works fine, but when i trying to proxy from HTTPS endpoint to HTTP backend, in answer to POST requests i constantly catches 403 err

2. Error messages and/or full log output:

nothing :c

3. Caddy version:

2.10.2

4. How I installed and ran Caddy:

rebuild with xcaddy

a. System environment:

Debian GNU/Linux 12 (bookworm)

b. Command:

```
/mnt/sdd/caddy/caddy run --environ --config /mnt/sdd/caddy/Caddyfile --watch
```

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

```
e621ng.dn42:443 {
    reverse_proxy 127.0.0.1:3000
    replace "http://huliplakat:3000" "https://e621ng.dn42"
    replace "http://localhost:3000" "https://e621ng.dn42"
    tls /etc/letsencrypt/live/e621ng.dn42/fullchain.pem /etc/letsencrypt/live/e621ng.dn42/privkey.pem
}
```

5. Links to relevant resources:

Mohammed90 · September 2, 2025, 9:24pm

Can you share Caddy logs as well as the upstream app logs? Enable debug logs to see more details around the proxying activity

tupo-nain · September 3, 2025, 6:35pm

2025/09/03 18:34:47.246 DEBUG   http    starting server loop    {"address": "[::]:443", "tls": true, "http3": false}
2025/09/03 18:34:47.246 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/09/03 18:34:47.246 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2025/09/03 18:34:47.246 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2025/09/03 18:34:47.246 WARN    http    HTTP/2 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/09/03 18:34:47.246 WARN    http    HTTP/3 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/09/03 18:34:47.246 INFO    http.log        server running  {"name": "srv1", "protocols": ["h1", "h2", "h3"]}
2025/09/03 18:34:47.246 DEBUG   events  event   {"name": "started", "id": "7d0c1626-482f-4ad8-9725-7e2631fc5cdf", "origin": "", "data": null}
2025/09/03 18:34:47.246 INFO    http    servers shutting down with eternal grace period
2025/09/03 18:34:47.247 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2025/09/03 18:34:54.312 DEBUG   events  event   {"name": "tls_get_certificate", "id": "d4a7fc9c-7fb1-49a0-85c7-c1af3646b2d7", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"e621ng.dn42","SupportedCurves":[4588,29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.2.1","Port":53614,"Zone":""},"LocalAddr":{"IP":"192.168.2.11","Port":443,"Zone":""}}}}
2025/09/03 18:34:54.312 DEBUG   tls.handshake   choosing certificate    {"identifier": "e621ng.dn42", "num_choices": 1}
2025/09/03 18:34:54.312 DEBUG   tls.handshake   custom certificate selection results    {"identifier": "e621ng.dn42", "subjects": ["e621ng.dn42"], "managed": false, "issuer_key": "", "hash": "677fe9479a379dfe1234c0827bf3968dbe64adf0fef9e9dc124692b61f35891a"}
2025/09/03 18:34:54.312 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.2.1", "remote_port": "53614", "subjects": ["e621ng.dn42"], "managed": false, "expiration": "2025/09/19 19:47:56.000", "hash": "677fe9479a379dfe1234c0827bf3968dbe64adf0fef9e9dc124692b61f35891a"}
2025/09/03 18:34:54.316 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": "127.0.0.1:3000", "total_upstreams": 1}
2025/09/03 18:34:54.420 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": "127.0.0.1:3000", "duration": 0.103666017, "request": {"remote_ip": "192.168.2.1", "remote_port": "53614", "client_ip": "192.168.2.1", "proto": "HTTP/2.0", "method": "POST", "host": "e621ng.dn42", "uri": "/admin/users/34", "headers": {"Referer": ["https://e621ng.dn42/admin/users/34/edit"], "Cookie": ["REDACTED"], "Te": ["trailers"], "Priority": ["u=0, i"], "User-Agent": ["Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0"], "Content-Type": ["application/x-www-form-urlencoded"], "X-Forwarded-Host": ["e621ng.dn42"], "Sec-Fetch-Dest": ["document"], "X-Forwarded-Proto": ["https"], "Via": ["2.0 Caddy"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Sec-Fetch-Site": ["same-origin"], "X-Forwarded-For": ["192.168.2.1"], "Content-Length": ["439"], "Origin": ["https://e621ng.dn42"], "Upgrade-Insecure-Requests": ["1"], "Sec-Fetch-Mode": ["navigate"], "Accept-Language": ["en-US,en;q=0.5"], "Sec-Fetch-User": ["?1"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "e621ng.dn42"}}, "headers": {"X-Xss-Protection": ["0"], "Referrer-Policy": ["strict-origin-when-cross-origin"], "Content-Security-Policy": ["default-src 'self'; script-src 'self' ads.dragonfru.it https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.recaptcha.net/ https://assets.freespeechcoalition.com 'nonce-FUk7HNRuRdbCaz98I5RKEg=='; style-src 'self' 'unsafe-inline'; connect-src 'self' ads.dragonfru.it plausible.dragonfru.it static1.e621.net static1.e926.net api.freespeechcoalition.com; object-src 'self' static1.e621.net static1.e926.net; media-src 'self' static1.e621.net static1.e926.net; frame-ancestors 'none'; frame-src https://www.google.com/recaptcha/ https://www.recaptcha.net/; font-src 'self'; img-src 'self' data: static1.e621.net static1.e926.net ads.dragonfru.it; child-src 'none'; form-action 'self' discord.e621.net discord.com"], "Set-Cookie": ["REDACTED"], "Connection": ["keep-alive"], "X-Frame-Options": ["SAMEORIGIN"], "X-Content-Type-Options": ["nosniff"], "X-Runtime": ["0.100849"], "Server-Timing": ["start_processing.action_controller;dur=0.01, render_template.action_view;dur=0.09, render_partial.action_view;dur=88.15, cache_read.active_support;dur=0.45, cache_fetch_hit.active_support;dur=0.00, render_layout.action_view;dur=89.43, process_action.action_controller;dur=90.50"], "Server": ["nginx/1.28.0"], "Date": ["Wed, 03 Sep 2025 18:34:54 GMT"], "X-Permitted-Cross-Domain-Policies": ["none"], "Cache-Control": ["no-cache"], "X-Request-Id": ["22c8e16a-f663-4faf-83da-e735e6c537bf"], "Content-Type": ["text/html; charset=utf-8"], "Content-Length": ["13652"], "Link": ["</packs/css/vendors-node_modules_rails_ujs_app_assets_javascripts_rails-ujs_esm_js-node_modules_vue-loade-69ebc1.css>; rel=preload; as=style; nopush,</packs/css/application.css>; rel=preload; as=style; nopush,</packs/js/vendors-node_modules_rails_ujs_app_assets_javascripts_rails-ujs_esm_js-node_modules_vue-loade-69ebc1.js>; rel=preload; as=script; nopush,</packs/js/application.js>; rel=preload; as=script; nopush"]}, "status": 403}
2025/09/03 18:34:54.420 DEBUG   http.handlers.replace_response  buffered body replacement       {"replacements": [{"search":"http://localhost:3000","replace":"https://e621ng.dn42"}], "request": {"remote_ip": "192.168.2.1", "remote_port": "53614", "client_ip": "192.168.2.1", "proto": "HTTP/2.0", "method": "POST", "host": "e621ng.dn42", "uri": "/admin/users/34", "headers": {"Sec-Fetch-Dest": ["document"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "Referer": ["https://e621ng.dn42/admin/users/34/edit"], "Sec-Fetch-Mode": ["navigate"], "Accept-Language": ["en-US,en;q=0.5"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Cookie": ["REDACTED"], "Te": ["trailers"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-User": ["?1"], "Priority": ["u=0, i"], "User-Agent": ["Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0"], "Content-Type": ["application/x-www-form-urlencoded"], "Content-Length": ["439"], "Origin": ["https://e621ng.dn42"], "Upgrade-Insecure-Requests": ["1"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "e621ng.dn42"}}}
2025/09/03 18:34:54.420 DEBUG   http.handlers.replace_response  buffered body replacement       {"replacements": [{"search":"http://huliplakat:3000","replace":"https://e621ng.dn42"}], "request": {"remote_ip": "192.168.2.1", "remote_port": "53614", "client_ip": "192.168.2.1", "proto": "HTTP/2.0", "method": "POST", "host": "e621ng.dn42", "uri": "/admin/users/34", "headers": {"Accept-Language": ["en-US,en;q=0.5"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Cookie": ["REDACTED"], "Te": ["trailers"], "Sec-Fetch-Site": ["same-origin"], "Sec-Fetch-User": ["?1"], "Priority": ["u=0, i"], "User-Agent": ["Mozilla/5.0 (X11; Linux x86_64; rv:142.0) Gecko/20100101 Firefox/142.0"], "Content-Type": ["application/x-www-form-urlencoded"], "Content-Length": ["439"], "Origin": ["https://e621ng.dn42"], "Upgrade-Insecure-Requests": ["1"], "Sec-Fetch-Dest": ["document"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"], "Referer": ["https://e621ng.dn42/admin/users/34/edit"], "Sec-Fetch-Mode": ["navigate"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "e621ng.dn42"}}}

Mohammed90 · September 3, 2025, 10:27pm

The 403 is coming from your upstream app. Check its logs to see why it responds with 403.

system · October 3, 2025, 10:28pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.