Connection not secure / Encrypted using a modern cypher suite / Page includes resources which are not secure

1. The problem I’m having:

Running Caddy as a (https) LAN reverse proxy to several LAN services. I have been accessing via mobile device client by manually syncing certificates to the device and installing. However, without any known configuration change, I am now getting ‘connection not secure’ warnings on the mobile device browser (Brave). It loads the main host URL (which returns only a connection established string message), but the browser indicates “Connection is not secure”. The details dialog indicates: “Your connection to IP:PORT is encrypted using a modern cypher suite. Further, this page includes other resources which are not secure”. When I attempt to access the service sitting behind the reverse proxy (via handle_path) the page no longer loads.

(I already upgraded from 10.0 to 10.2. I also deleted/regenerated all of the macOS configuration files, including pki, and cleared and reinstalled all certs on mobile client).

2. Error messages and/or full log output:

“Your connection to 192.168.0.132:4430 is encrypted using a modern cypher suite. Further, this page includes other resources which are not secure”

LOGS (GET / and GET /radicale)
2025/10/05 19:23:14.665	INFO	serving initial configuration
2025/10/05 19:23:34.486	DEBUG	events	event	{"name": "tls_get_certificate", "id": "e5acddad-34d2-44ed-9b07-161c1d87aa6a", "origin": "tls", "data": {"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[35466,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[27242,772,771],"RemoteAddr":{"IP":"192.168.0.231","Port":51716,"Zone":""},"LocalAddr":{"IP":"192.168.0.132","Port":4430,"Zone":""}}}}
2025/10/05 19:23:34.486	DEBUG	tls.handshake	choosing certificate	{"identifier": "192.168.0.132", "num_choices": 1}
2025/10/05 19:23:34.486	DEBUG	tls.handshake	default certificate selection results	{"identifier": "192.168.0.132", "subjects": ["192.168.0.132"], "managed": true, "issuer_key": "local", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:23:34.486	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "192.168.0.231", "remote_port": "51716", "subjects": ["192.168.0.132"], "managed": true, "expiration": "2025/10/06 06:56:12.000", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:23:34.592	DEBUG	events	event	{"name": "tls_get_certificate", "id": "30f2b939-85e9-4587-9889-e2929677f353", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"192.168.0.231","Port":58505,"Zone":""},"LocalAddr":{"IP":"192.168.0.132","Port":4430,"Zone":""}}}}
2025/10/05 19:23:34.592	DEBUG	tls.handshake	choosing certificate	{"identifier": "192.168.0.132", "num_choices": 1}
2025/10/05 19:23:34.592	DEBUG	tls.handshake	default certificate selection results	{"identifier": "192.168.0.132", "subjects": ["192.168.0.132"], "managed": true, "issuer_key": "local", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:23:34.592	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "192.168.0.231", "remote_port": "58505", "subjects": ["192.168.0.132"], "managed": true, "expiration": "2025/10/06 06:56:12.000", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:33:41.256	DEBUG	events	event	{"name": "tls_get_certificate", "id": "3aff21d5-c5bb-4426-bc9c-a542eb2aa811", "origin": "tls", "data": {"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"RemoteAddr":{"IP":"192.168.0.132","Port":58031,"Zone":""},"LocalAddr":{"IP":"192.168.0.132","Port":4430,"Zone":""}}}}
2025/10/05 19:33:41.266	DEBUG	tls.handshake	choosing certificate	{"identifier": "192.168.0.132", "num_choices": 1}
2025/10/05 19:33:41.266	DEBUG	tls.handshake	default certificate selection results	{"identifier": "192.168.0.132", "subjects": ["192.168.0.132"], "managed": true, "issuer_key": "local", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:33:41.266	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "192.168.0.132", "remote_port": "58031", "subjects": ["192.168.0.132"], "managed": true, "expiration": "2025/10/06 06:56:12.000", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:33:41.987	DEBUG	events	event	{"name": "tls_get_certificate", "id": "5d092863-fbf9-43c1-a27e-edc5153d9e07", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"192.168.0.132","Port":52151,"Zone":""},"LocalAddr":{"IP":"192.168.0.132","Port":4430,"Zone":""}}}}
2025/10/05 19:33:41.987	DEBUG	tls.handshake	choosing certificate	{"identifier": "192.168.0.132", "num_choices": 1}
2025/10/05 19:33:41.987	DEBUG	tls.handshake	default certificate selection results	{"identifier": "192.168.0.132", "subjects": ["192.168.0.132"], "managed": true, "issuer_key": "local", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}
2025/10/05 19:33:41.987	DEBUG	tls.handshake	matched certificate in cache	{"remote_ip": "192.168.0.132", "remote_port": "52151", "subjects": ["192.168.0.132"], "managed": true, "expiration": "2025/10/06 06:56:12.000", "hash": "980921b065c3d053de355bd149ff85e699190c0dcdb222a9a948b260c8191c0c"}

3. Caddy version:

caddy_2.10.2_mac_amd64

4. How I installed and ran Caddy:

release binary installed from github

a. System environment:

macOS 12.7.6 (21H1320)

b. Command:

caddy run

d. My complete Caddy config:

{
	debug
	http_port 2080
	https_port 4430
}

localhost {
	respond "Connected to Caddy."
	handle_path /radicale/* {
		uri strip_prefix /radicale
		reverse_proxy localhost:5232 {
			header_up X-Script-Name /radicale
		}
	}
}

192.168.0.132 {
	tls internal

	handle_path / {
		respond "Client Connection to Caddy Established."
	}
	handle_path /radicale/* {
		uri strip_prefix /radicale
		reverse_proxy 127.0.0.1:5232 {
			header_up X-Script-Name /radicale
		}
	}
}

5. Links to relevant resources:

(It says I am limited to 1 image. Cannot include the others)

What’s the full URL in your browser’s screenshot?

This looks like a mixed content issue - your backend is generating content with hardcoded http:// resources.


The full URL is https://192.168.0.132:4430

Don’t quite follow the 2nd part of your question. ‘Backend’ as in the service behind the proxy? It is a radicale webDAV server, which itself, no, is not TLS enabled. I haven’t found http service(s) behind caddy https proxy to raise any complaints from browsers until now, including this one.

I am also able to reach the radicale service bypassing the proxy at http://192.168.0.132:5232

(I am not aware of any other resources it might pull that would be relevant. I know it doesn’t call out to any other 3rd host or service. Are there any examples to search for?)

Many thanks.
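
Added example, not part of the thread or of either poster's code: one way to test the mixed-content suggestion above is to list every subresource in the returned HTML that resolves to plain http://, including relative URLs redirected by a `<base href>`. The sample markup and file names are constructed and are not Radicale's real output; only the addresses come from the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make a browser fetch a subresource (<a href> only navigates).
SUBRESOURCE_ATTRS = {
    "script": ("src",), "img": ("src", "srcset"), "source": ("src", "srcset"),
    "iframe": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload", "manifest"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced if the document carries <base href>
        self.insecure = []     # (tag, attribute, resolved URL)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])
            return
        if tag == "link" and not FETCHING_RELS & set(attrs.get("rel", "").lower().split()):
            return             # e.g. rel="canonical" is never fetched
        for name in SUBRESOURCE_ATTRS.get(tag, ()):
            value = attrs.get(name, "").strip()
            if name == "srcset":   # comma-separated "URL descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value] if value else []
            for url in urls:
                resolved = urljoin(self.base, url)
                if urlsplit(resolved).scheme == "http":
                    self.insecure.append((tag, name, resolved))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample, not Radicale's real markup; addresses are from the thread.
SAMPLE_URL = "https://192.168.0.132:4430/radicale/"
SAMPLE_HTML = """<head><link rel="stylesheet" href="static/app.css">
<link rel="icon" href="http://192.168.0.132:5232/favicon.ico">
<script src="//192.168.0.132:4430/radicale/app.js"></script></head>
<body><img src="http://192.168.0.132:5232/logo.png">
<a href="http://example.org/">link only</a></body>"""

if __name__ == "__main__":
    print(find_mixed_content(SAMPLE_HTML, SAMPLE_URL))
```

Pass it the HTML the backend actually returns, with `page_url` set to the HTTPS address the browser uses. It only sees URLs present in the markup, so resources requested later by scripts or from inside stylesheets still need the browser's developer tools.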
