Connection refused / 502 / Upgrade-Insecure-Requests error for a single app, the rest work fine

1. Caddy version:


2. How I installed, and run Caddy:

docker compose

a. System environment:

Docker, Lubuntu

b. Command:

docker compose up caddy -d

c. Service/unit/compose file:

version: "3.8"
    external: true
    image: caddy:latest
    container_name: caddy
    restart: unless-stopped
      - caddy
      - "80:80"
      - "443:443"
      - "443:443/udp"
      - /opt/appdata/caddy/Caddyfile:/etc/caddy/Caddyfile:rw
      - /opt/appdata/caddy/site:/srv
      - /opt/appdata/caddy/data:/data/caddy
      - /opt/appdata/caddy/config:/config/caddy

    image: gotify/server
    container_name: gotify
      - caddy
      - 1245:80
      - "/opt/appdata/gotify:/app/data"
    restart: always

d. My complete Caddy config:

    cert_issuer zerossl [redacted]
    email [redacted]

(authentik) {
	reverse_proxy /* http://authentik:9000
	forward_auth http://authentik:9000 {
		uri /
		copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version

# works fine {
    reverse_proxy authentik:9000
} {
    # No authenik here for now, just trying to get it working normally first
    # I experienced this problem before authentik was installed
    reverse_proxy gotify:1245

# works fine {
    import authentik
    reverse_proxy homepage:3000

3. The problem I’m having:

Caddy gives me errors when accessing a single service (Gotify) via reverse proxy despite the service working just fine on localhost:port. No other app experiences this problem, and they are set up identically.

4. Error messages and/or full log output:

caddy  | {"level":"error","ts":1675163175.496656,"logger":"http.log.error","msg":"dial tcp connect: connection refused","request":{"remote_ip":"","remote_port":"60424","proto":"HTTP/2.0","method":"GET","host":"","uri":"/","headers":{"User-Agent":["curl/7.85.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"duration":0.001130156,"status":502,"err_id":"7ys3ep101","err_trace":"reverseproxy.statusError (reverseproxy.go:1272)"}
caddy  | {"level":"error","ts":1675163184.699816,"logger":"http.log.error","msg":"dial tcp connect: connection refused","request":{"remote_ip":"","remote_port":"37216","proto":"HTTP/2.0","method":"GET","host":"","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":[],"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["same-site"],"Sec-Fetch-User":["?1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":""}},"duration":0.000409353,"status":502,"err_id":"0s3vmtzzs","err_trace":"reverseproxy.statusError (reverseproxy.go:1272)"}

5. What I already tried:

  • Mapping different ports to the Gotify docker container
  • Mapping a local port to port 443 in the container (1245:443)

6. Links to relevant resources:

Security Headers not Working with Reverse Proxy? (I’m not using caddy security so I wasn’t sure how to make this apply to me)

When you proxy to other containers, you should use the port internal to the docker network, not one you bound to the host. So use gotify:80 instead.

And you can remove the port mapping for that service from your docker-compose file, because you should let Caddy protect access to it. If you publish it to the host, then anything on your host (or anything that can connect to your host) will be able to reach that container, allowing a bypass of your authentication.

Ah somehow I didn’t catch that, that worked perfectly. Thanks!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.