DNS Challenge Reverse Proxy Njalla

1. The problem I’m having:

Installed caddy-dns/njalla with xcaddy build --with github.com/caddy-dns/njalla.

go version go1.22.5 linux/arm64

I’ve successfully used Nginx Proxy Manager in Docker before, with a DNS challenge. Using ports 80 and 443 works,
but I have some local services “192.168.250.x” that need to use the DNS challenge, because I can’t use port 80 or 443 at home.
I would like them all certified via the DNS challenge.

It isn’t using the API access; I don’t see any additional _acme-challenge TXT records on my domain names while Caddy starts?

Running the command caddy list-modules | grep dns shows dns.providers.njalla.

Edit
OK, I forgot. This time I am adding this to the Caddyfile (I had to change my API keys, oops…):

*.shelldrive.bzmb.eu {
        tls {
                dns njalla <api_key>
        }
}

curl -v https://bzmb.eu

*   Trying 198.23.219.167:443...
* Connected to bzmb.eu (198.23.219.167) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=bzmb.eu
*  start date: Jul  9 16:16:27 2024 GMT
*  expire date: Oct  7 16:16:26 2024 GMT
*  subjectAltName: host "bzmb.eu" matched cert's "bzmb.eu"
*  issuer: C=US; O=Let's Encrypt; CN=E5
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: bzmb.eu]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x5572ae6760)
> GET / HTTP/2
> Host: bzmb.eu
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000
< content-security-policy: upgrade-insecure-requests;
< content-type: text/html; charset=utf-8
< date: Tue, 09 Jul 2024 18:27:33 GMT
< etag: "sfxd052pj"
< last-modified: Mon, 01 Jul 2024 03:14:29 GMT
< onion-location: http://hrctrdfgz3w7etdp56whxzavj7sahvsf4ppjigdcyqklotxinpcjmcad.onion/
< permissions-policy: interest-cohort=();
< referrer-policy: strict-origin-when-cross-origin;
< server: Caddy
< server: Caddy
< x-content-type-options: nosniff;
< x-frame-options: SAMEORIGIN;
< content-length: 3511
< 
* Connection #0 to host bzmb.eu left intact

curl -v https://uptime.bzmb.eu

*   Trying 192.168.250.21:443...
* Connected to uptime.shelldrive.bzmb.eu (192.168.250.21) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS alert, internal error (592):
* OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error
* Closing connection 0
curl: (35) OpenSSL/3.0.11: error:0A000438:SSL routines::tlsv1 alert internal error

2. Error messages and/or full log output:

[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"chat.server.bzmb.eu","SupportedCurves":[19018,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"RemoteAddr":{"IP":"::1","Port":35228,"Zone":""},"LocalAddr":{"IP":"::1","Port":443,"Zone":""}}}}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.6415665,"logger":"tls.handshake","msg":"choosing certificate","identifier":"chat.server.bzmb.eu","num_choices":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.6416883,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"chat.server.bzmb.eu","subjects":["chat.server.bzmb.eu"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"df94cfc989002b4c9a9214441991d5d53741fd1038890e168010497ae100adff"}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.6417694,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"::1","remote_port":"35228","subjects":["chat.server.bzmb.eu"],"managed":true,"expiration":1728317779,"hash":"df94cfc989002b4c9a9214441991d5d53741fd1038890e168010497ae100adff"}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.6906834,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.6909325,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.7356527,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:3030","total_upstreams":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.802981,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:3030","total_upstreams":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.8605278,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:3030","duration":0.505495389,"request":{"remote_ip":"::1","remote_port":"35192","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"draw.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiANu&sid=eU_NDjntyfU0SH9uABDj","headers":{"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-Host":["draw.server.bzmb.eu"],"Priority":["u=1, i"],"Sec-Ch-Ua":["\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\""],"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Proto":["https"],"X-Forwarded-For":["::1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"draw.server.bzmb.eu"}},"headers":{"Content-Type":["text/plain; charset=UTF-8"],"Content-Encoding":["gzip"],"Content-Length":["1493296"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.862452,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.9137676,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.2215805,"request":{"remote_ip":"::1","remote_port":"35218","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAvA&sid=4aanVD0LObak1abnABOS","headers":{"Accept-Language":["en-GB,en;q=0.5"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["chat.server.bzmb.eu"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Te":["trailers"],"Accept":["*/*"],"X-Forwarded-For":["::1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Content-Length":["32"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"]},"status":200}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.9207716,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.229424389,"request":{"remote_ip":"::1","remote_port":"35218","client_ip":"::1","proto":"HTTP/2.0","method":"POST","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAv9&sid=4aanVD0LObak1abnABOS","headers":{"Accept-Language":["en-GB,en;q=0.5"],"Origin":["https://chat.server.bzmb.eu"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["cors"],"Content-Length":["2"],"Sec-Fetch-Site":["same-origin"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["chat.server.bzmb.eu"],"Content-Type":["text/plain;charset=UTF-8"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-For":["::1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Content-Type":["text/html"],"Content-Length":["2"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}
Jul 09 11:00:42 localhost caddy[699661]: {"level":"debug","ts":1720548042.9938025,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.897518777,"request":{"remote_ip":"::1","remote_port":"35196","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAJ3&sid=nM0bM4S7RBXyTJ_DABOO","headers":{"Priority":["u=1, i"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["empty"],"X-Forwarded-For":["::1"],"Sec-Ch-Ua":["\"Not/A)Brand\";v=\"8\", \"Chromium\";v=\"126\", \"Google Chrome\";v=\"126\""],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Host":["chat.server.bzmb.eu"],"Accept":["*/*"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"X-Forwarded-Proto":["https"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Length":["1"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.0257862,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:3030","duration":0.222285055,"request":{"remote_ip":"::1","remote_port":"35198","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"draw.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAS6&sid=g8WMJs-zb0YKZxr2ABDl","headers":{"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"93\", \" Not;A Brand\";v=\"99\", \"Chromium\";v=\"93\""],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-For":["::1"],"X-Forwarded-Host":["draw.server.bzmb.eu"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14092.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.107 Safari/537.36"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"draw.server.bzmb.eu"}},"headers":{"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Length":["32"],"Cache-Control":["no-store"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.037511,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.174480389,"request":{"remote_ip":"::1","remote_port":"35228","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiANw","headers":{"Sec-Fetch-Site":["same-origin"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\""],"Sec-Fetch-Dest":["empty"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"],"X-Forwarded-Host":["chat.server.bzmb.eu"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept":["*/*"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Length":["118"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.0458825,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:3030","duration":0.309797371,"request":{"remote_ip":"::1","remote_port":"35198","client_ip":"::1","proto":"HTTP/2.0","method":"POST","host":"draw.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAQy&sid=g8WMJs-zb0YKZxr2ABDl","headers":{"Content-Length":["2"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["*/*"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14092.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.107 Safari/537.36"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"X-Forwarded-Host":["draw.server.bzmb.eu"],"Content-Type":["text/plain;charset=UTF-8"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"93\", \" Not;A Brand\";v=\"99\", \"Chromium\";v=\"93\""],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua-Mobile":["?0"],"Origin":["https://draw.server.bzmb.eu"],"Sec-Fetch-Dest":["empty"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"draw.server.bzmb.eu"}},"headers":{"Content-Type":["text/html"],"Content-Length":["2"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.0982015,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.1526687,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:3030","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.2564945,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.272936,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.174190315,"request":{"remote_ip":"::1","remote_port":"35218","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiB0i&sid=4aanVD0LObak1abnABOS","headers":{"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0"],"Accept":["*/*"],"Accept-Language":["en-GB,en;q=0.5"],"X-Forwarded-Proto":["https"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-For":["::1"],"X-Forwarded-Host":["chat.server.bzmb.eu"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:33 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Encoding":["gzip"],"Content-Length":["726"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.3329911,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4377608,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4890344,"logger":"events","msg":"event","name":"tls_get_certificate","id":"9bb75a63-1f39-4ac1-9629-98b1e0a337a0","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"ServerName":"nginx.shelldrive.bzmb.eu","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"192.168.250.19","Port":55246,"Zone":""},"LocalAddr":{"IP":"192.168.250.21","Port":443,"Zone":""}}}}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4892228,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"nginx.shelldrive.bzmb.eu"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.489305,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.shelldrive.bzmb.eu"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4893641,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.bzmb.eu"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4894211,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.eu"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4894762,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*.*"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4895911,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.250.19","remote_port":"55246","server_name":"nginx.shelldrive.bzmb.eu","remote":"192.168.250.19:55246","identifier":"nginx.shelldrive.bzmb.eu","cipher_suites":[4866,4867,4865,49199,49195,49200,49196,158,49191,103,49192,107,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,162,49326,49324,49314,49310,49244,49248,49238,49234,49188,106,49187,64,49162,49172,57,56,49161,49171,51,50,157,49313,49309,49233,156,49312,49308,49232,61,60,53,47,255],"cert_cache_fill":0.0007,"load_or_obtain_if_necessary":true,"on_demand":false}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.4899771,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.250.19:55246: no certificate available for 'nginx.shelldrive.bzmb.eu'"}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.5018065,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.244715945,"request":{"remote_ip":"::1","remote_port":"35228","client_ip":"::1","proto":"HTTP/2.0","method":"POST","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAif&sid=mjP2Ei6r0PL4BgVZABOU","headers":{"Accept":["*/*"],"Origin":["https://chat.server.bzmb.eu"],"X-Forwarded-For":["::1"],"X-Forwarded-Host":["chat.server.bzmb.eu"],"X-Forwarded-Proto":["https"],"Content-Length":["2"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["empty"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\""],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6"],"Content-Type":["text/plain;charset=UTF-8"],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Keep-Alive":["timeout=5"],"Content-Type":["text/html"],"Content-Length":["2"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:34 GMT"],"Connection":["keep-alive"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.5089405,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:8080","duration":0.174441425,"request":{"remote_ip":"::1","remote_port":"35228","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"chat.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAiz&sid=mjP2Ei6r0PL4BgVZABOU","headers":{"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14541.0.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"123\", \"Not:A-Brand\";v=\"8\", \"Chromium\";v=\"123\""],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Accept":["*/*"],"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["empty"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7,ru;q=0.6"],"X-Forwarded-Host":["chat.server.bzmb.eu"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"chat.server.bzmb.eu"}},"headers":{"Date":["Tue, 09 Jul 2024 18:10:34 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Encoding":["gzip"],"Content-Length":["758"],"Cache-Control":["no-store"]},"status":200}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.5384762,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:8080","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.6527302,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"198.23.219.167:3030","total_upstreams":1}
Jul 09 11:00:43 localhost caddy[699661]: {"level":"debug","ts":1720548043.6857178,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"198.23.219.167:3030","duration":0.532021518,"request":{"remote_ip":"::1","remote_port":"35198","client_ip":"::1","proto":"HTTP/2.0","method":"GET","host":"draw.server.bzmb.eu","uri":"/socket.io/?EIO=4&transport=polling&t=P2OiAZU&sid=g8WMJs-zb0YKZxr2ABDl","headers":{"X-Forwarded-For":["::1"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["draw.server.bzmb.eu"],"Sec-Ch-Ua-Platform":["\"Chrome OS\""],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"93\", \" Not;A Brand\";v=\"99\", \"Chromium\";v=\"93\""],"User-Agent":["Mozilla/5.0 (X11; CrOS x86_64 14092.77.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.107 Safari/537.36"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"draw.server.bzmb.eu"}},"headers":{"Keep-Alive":["timeout=5"],"Content-Type":["text/plain; charset=UTF-8"],"Content-Encoding":["gzip"],"Content-Length":["1493296"],"Cache-Control":["no-store"],"Date":["Tue, 09 Jul 2024 18:10:34 GMT"],"Connection":["keep-alive"]},"status":200}

3. Caddy version:

caddy v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
xcaddy v0.4.2 h1:N+W2glljYrfHO4mTnpDhUnNzobeQE46OfPXfiPbO3dY=

4. How I installed and ran Caddy:

a. System environment:

Using DietPi (Debian) on a Raspberry Pi (arm64), systemd version.

b. Command:


c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        debug
        acme_dns njalla "<api_key>"
}

bzmb.eu {
        reverse_proxy 198.23.219.167:1400

        # Tor onion header
        header Onion-Location http://hrctrdfgz3w7etdp56whxzavj7sahvsf4ppjigdcyqklotxinpcjmcad.onion{path}

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

www.bzmb.eu {
        reverse_proxy 198.23.219.167:1400

        # Tor onion header
        header Onion-Location http://hrctrdfgz3w7etdp56whxzavj7sahvsf4ppjigdcyqklotxinpcjmcad.onion{path}

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

chat.server.bzmb.eu {
        reverse_proxy 198.23.219.167:8080

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

comments.bzmb.eu {
        reverse_proxy 198.23.219.167:7777

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

draw.server.bzmb.eu {
        reverse_proxy 198.23.219.167:3030

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

ha.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.7:8123

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

img.server.bzmb.eu {
        reverse_proxy 198.23.219.167:9999

        # Tor onion header
        header Onion-Location http://3envwxzyxfqi4qs35ugo6dusu3bdawz55nj63vxvmnptpnhc5zsftfid.onion{path}

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

#modem.shelldrive.bzmb.eu {
#       reverse_proxy 192.168.0.1:80
#
#        # Miscellaneous security headers
#        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
#        header Referrer-Policy strict-origin-when-cross-origin;
#        header X-Content-Type-Options nosniff;
#        header X-XSS-Protection "1; mode=block";
#        header X-Frame-Options SAMEORIGIN;
#        header Content-Security-Policy upgrade-insecure-requests;
#        header Permissions-Policy interest-cohort=();
#        header Expect-CT 'enforce; max-age=604800';
#
#        # Other security headers
#        header X-Content-Type-Options 'enforce; max-age=604800';
#        header X-Frame-Options 'enforce; max-age=604800';
#        header Referrer-Policy 'enforce; max-age=604800'; 
#
#        @blocked not remote_ip 192.168.250.21  
#        respond @blocked "Nope" 403
#}

nextcloud.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.62:80

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

#nginx.shelldrive.bzmb.eu {
#       reverse_proxy 192.168.250.21:81
#
#        # Miscellaneous security headers
#        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
#        header Referrer-Policy strict-origin-when-cross-origin;
#        header X-Content-Type-Options nosniff;
#        header X-XSS-Protection "1; mode=block";
#        header X-Frame-Options SAMEORIGIN;
#        header Content-Security-Policy upgrade-insecure-requests;
#        header Permissions-Policy interest-cohort=();
#        header Expect-CT 'enforce; max-age=604800';
#
#        # Other security headers
#        header X-Content-Type-Options 'enforce; max-age=604800';
#        header X-Frame-Options 'enforce; max-age=604800';
#        header Referrer-Policy 'enforce; max-age=604800'; 
#
#        @blocked not remote_ip 192.168.250.21  
#        respond @blocked "Nope" 403
#}

pihole.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.21:8000

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

#router.shelldrive.bzmb.eu {
#       reverse_proxy 192.168.250.1:443
#
#        # Miscellaneous security headers
#        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
#        header Referrer-Policy strict-origin-when-cross-origin;
#        header X-Content-Type-Options nosniff;
#        header X-XSS-Protection "1; mode=block";
#        header X-Frame-Options SAMEORIGIN;
#        header Content-Security-Policy upgrade-insecure-requests;
#        header Permissions-Policy interest-cohort=();
#        header Expect-CT 'enforce; max-age=604800';
#
#        # Other security headers
#        header X-Content-Type-Options 'enforce; max-age=604800';
#        header X-Frame-Options 'enforce; max-age=604800';
#        header Referrer-Policy 'enforce; max-age=604800'; 
#
#        @blocked not remote_ip 192.168.250.21  
#        respond @blocked "Nope" 403
#}

tube.server.bzmb.eu {
        reverse_proxy 198.23.219.167:1515

        # Tor onion header
        header Onion-Location http://rcpykc6ydn3ehx5eebifb3agzemgriycd76vzapzh5h6qmnh7v5y6ryd.onion/{path}

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';
}

uptime.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.19:3001

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

vaultwarden.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.62:1010

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

wetty.shelldrive.bzmb.eu {
        reverse_proxy 192.168.250.21:1616

        # Miscellaneous security headers
        header Strict-Transport-Security "max-age=63072000;{% if hsts_subdomains == 1 or hsts_subdomains == true -%} includeSubDomains;{% endif %} preload" always;
        header Referrer-Policy strict-origin-when-cross-origin;
        header X-Content-Type-Options nosniff;
        header X-XSS-Protection "1; mode=block";
        header X-Frame-Options SAMEORIGIN;
        header Content-Security-Policy upgrade-insecure-requests;
        header Permissions-Policy interest-cohort=();
        header Expect-CT 'enforce; max-age=604800';

        # Other security headers
        header X-Content-Type-Options 'enforce; max-age=604800';
        header X-Frame-Options 'enforce; max-age=604800';
        header Referrer-Policy 'enforce; max-age=604800';

        @blocked not remote_ip 192.168.250.21
        respond @blocked "Nope" 403
}

5. Links to relevant resources:

Ok sorry, I fixed it. I just edited my post for the answer (also changed API keys…).

*.shelldrive.bzmb.eu {
        tls {
                dns njalla <api_key>
        }
}

Forgot that my Njalla DNS settings were wildcards.
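
The fix above, carried one step further as an added example (not the poster's own config): a single wildcard site block obtains one certificate through the DNS challenge and routes each internal host by name, going beyond the post by folding the per-host blocks into it. The `NJALLA_API_TOKEN` variable name and the `security_headers` snippet name are assumptions; `{$VAR}` is the Caddyfile's parse-time environment substitution, and the upstream addresses and the allowed client IP are copied from the config above.

```caddyfile
# Reusable header set; the snippet name is hypothetical.
# Caddy's header directive takes "Field value" with no trailing ";"
# and no "always" keyword.
(security_headers) {
        header {
                Strict-Transport-Security "max-age=63072000"
                Referrer-Policy strict-origin-when-cross-origin
                X-Content-Type-Options nosniff
                X-Frame-Options SAMEORIGIN
                Permissions-Policy "interest-cohort=()"
        }
}

# One wildcard certificate, matching the wildcard DNS record.
*.shelldrive.bzmb.eu {
        tls {
                # Token read from the environment when the Caddyfile is
                # parsed, so it never appears in a pasted config.
                # NJALLA_API_TOKEN is an assumed variable name.
                dns njalla {$NJALLA_API_TOKEN}
        }

        import security_headers

        # handle blocks are mutually exclusive and the first match wins.
        # The deny rule is itself a handle block and comes first, because
        # a top-level "respond" is ordered after "handle" and would never
        # run once a later handle block matched.
        @blocked not remote_ip 192.168.250.21
        handle @blocked {
                respond "Nope" 403
        }

        @ha host ha.shelldrive.bzmb.eu
        handle @ha {
                reverse_proxy 192.168.250.7:8123
        }

        @pihole host pihole.shelldrive.bzmb.eu
        handle @pihole {
                reverse_proxy 192.168.250.21:8000
        }

        @uptime host uptime.shelldrive.bzmb.eu
        handle @uptime {
                reverse_proxy 192.168.250.19:3001
        }

        # Any other name covered by the wildcard: drop the connection
        # instead of serving an empty response.
        handle {
                abort
        }
}
```

`caddy validate --config /etc/caddy/Caddyfile` checks the result before a reload, and the variable has to be present in the service's environment, for example through an `EnvironmentFile=` line in the unit.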