Encrypted Client Hello (ECH) - Issues with internal network

Darknicks · May 26, 2025, 1:36am

1. The problem I’m having:

I’ve been having issues with Caddy, my domain (on Cloudflare) and ECH.
First of all, please be aware that there is no port forwarding.
This website is only supposed to be available internally.
I’m using Caddy with Cloudflare’s DNS challenge plugin to get the SSL certificates.

It looks like the Encrypted Client Hello (ECH) is what’s failing here.

When I start Caddy, it successfully creates the HTTPS records on my Cloudflare domain Dashboard, so it looks like that part is working fine. But still ECH is failing because 99% of the time, when I try to access the site, I get this error: ERR_SSL_PROTOCOL_ERROR

Unless I’m missing something about ECH… Is it supposed to only work for externally accessible domains? I don’t think so. Otherwise it wouldn’t need the Cloudflare DNS plugin.

When I visit the site from Chrome, Firefox and Edge, sometimes it goes through, but 99% of the time it fails and results in this error: ERR_SSL_PROTOCOL_ERROR

DuckDuckGo Browser works fine all the time.

What am I doing wrong?

Here’s the curl -vL output:


curl -vL https://www.SelfHosted.pp.ua

*   Trying 192.168.0.15:443...
* Connected to www.SelfHosted.pp.ua (192.168.0.15) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.selfhosted.pp.ua
*  start date: May 25 02:01:43 2025 GMT
*  expire date: Aug 23 02:01:42 2025 GMT
*  subjectAltName: host "www.SelfHosted.pp.ua" matched cert's "*.selfhosted.pp.ua"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.SelfHosted.pp.ua]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55d4307c27a0)
> GET / HTTP/2
> Host: www.SelfHosted.pp.ua
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< date: Mon, 26 May 2025 01:31:02 GMT
< location: /status/services
< vary: Accept
< via: 1.1 Caddy
< x-frame-options: SAMEORIGIN
< content-length: 38
<
* Ignoring the response-body
* Connection #0 to host www.SelfHosted.pp.ua left intact
* Issue another request to this URL: 'https://www.SelfHosted.pp.ua/status/services'
* Found bundle for host: 0x55d4307bc440 [can multiplex]
* Re-using existing connection #0 with host www.SelfHosted.pp.ua
* h2h3 [:method: GET]
* h2h3 [:path: /status/services]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.SelfHosted.pp.ua]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 3 (easy handle 0x55d4307c27a0)
> GET /status/services HTTP/2
> Host: www.SelfHosted.pp.ua
> user-agent: curl/7.88.1
> accept: */*
>
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< date: Mon, 26 May 2025 01:31:02 GMT
< etag: W/"ba9-/T3XoCbFPywxqTam0YxDAHgYwaY"
< via: 1.1 Caddy
< x-frame-options: SAMEORIGIN
< content-length: 2985
<
<!DOCTYPE html><html lang="en"><head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">

    <link rel="icon" href="/icon.svg">
    <link rel="manifest" href="/api/status-page/services/manifest.json">
    <meta name="theme-color" id="theme-color" content="">
    <meta name="description" content="">
    <title>Services</title>
    <style>        .noscript-message {
            font-size: 20px;
            text-align: center;
            padding: 10px;
            max-width: 500px;
            margin: 0 auto;
        }
    </style>
  <script type="module" crossorigin="" src="/assets/index-B_z9mVlf.js"></script>
  <link rel="stylesheet" crossorigin="" href="/assets/index-bOVKKa1O.css">
  <script type="module">import.meta.url;import("_").catch(()=>1);async function* g(){};if(location.protocol!="file:"){window.__vite_is_modern_browser=true}</script>
  <script type="module">!function(){if(window.__vite_is_modern_browser)return;console.warn("vite: loading legacy chunks, syntax error above and the same error below should be ignored");var e=document.getElementById("vite-legacy-polyfill"),n=document.createElement("script");n.src=e.src,n.onload=function(){System.import(document.getElementById('vite-legacy-entry').getAttribute('data-src'))},document.body.appendChild(n)}();</script>
<meta property="og:title" content="Services"><meta property="og:description" content="">
            <script id="preload-data" data-json="{}">
                window.preloadData = {'config':{'slug':'services','title':'Services','description':null,'icon':'/icon.svg','theme':'auto','published':true,'showTags':false,'customCSS':'body {\n  \n}\n','footerText':null,'showPoweredBy':true,'googleAnalyticsId':null,'showCertificateExpiry':false},'incident':null,'publicGroupList':[{'id':2,'name':'Services','weight':1,'monitorList':[{'id':8,'name':'Debian','sendUrl':0,'type':'ping'}]}],'maintenanceList':[]};
            </script>
        </head>
<body>
<noscript>
<div class="noscript-message">
    Sorry, you don't seem to have JavaScript enabled or your browser
    doesn't support it.<br />This website requires JavaScript to function.
    Please enable JavaScript in your browser settings to continue.
</div>
</noscript>
<div id="app"></div>
  <script nomodule="">!function(){var e=document,t=e.createElement("script");if(!("noModule"in t)&&"onbeforeload"in t){var n=!1;e.addEventListener("beforeload",(function(e){if(e.target===t)n=!0;else if(!e.target.hasAttribute("nomodule")||!n)return;e.preventDefault()}),!0),t.type="module",t.src=".",e.head.appendChild(t),t.remove()}}();</script>
  <script nomodule="" crossorigin="" id="vite-legacy-polyfill" src="/assets/polyfills-legacy-CProAAlf.js"></script>
  <script nomodule="" crossorigin="" id="vite-legacy-entry" data-src="/assets/index-legacy-PIuZWdNf.js">System.import(document.getElementById('vite-legacy-entry').getAttribute('data-src'))</script>


* Connection #0 to host www.SelfHosted.pp.ua left intact
</body></html>

2. Error messages and/or full log output:


caddy  | {"level":"info","ts":1748193304.3745239,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748193304.3746724,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493758156,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748193304.3747456,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748193304.3759706,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748193304.3760104,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748193304.3768759,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748193304.3771596,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000138c80"}
caddy  | {"level":"debug","ts":1748193304.4226127,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":131}
caddy  | {"level":"info","ts":1748193304.4249513,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748193304.42506,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748193304.425129,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748193304.425642,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748193304.4256914,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748193304.4258146,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748193304.4259522,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748193304.42615,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748193304.4262114,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748193304.4262323,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748193304.426251,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748193304.426301,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748193304.4266412,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.42673,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.4267805,"logger":"events","msg":"event","name":"cached_managed_cert","id":"b3d46d8d-06e9-4771-b882-9d7e0ff80969","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748193304.4271464,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.4272,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.4272316,"logger":"events","msg":"event","name":"cached_managed_cert","id":"d40aa68b-dafb-4da2-b5c5-0182dfd52d76","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748193304.4275224,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.427601,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.427645,"logger":"events","msg":"event","name":"cached_managed_cert","id":"87f04afe-ac42-4c32-9d70-fb1df2915e15","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748193304.4277093,"logger":"events","msg":"event","name":"started","id":"3b381260-2d52-42fd-a3e3-f4d45713c498","origin":"","data":null}
caddy  | {"level":"info","ts":1748193304.4286346,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748193304.428686,"msg":"serving initial configuration"}
caddy  | {"level":"debug","ts":1748193304.439168,"logger":"tls.ech","msg":"publishing ECH config list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[131]}
caddy  | {"level":"debug","ts":1748193304.4402435,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 31038\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1094\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193304.440983,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 44449\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1094\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748193304.4774373,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748279704.4774346,"try_again_in":86399.999999555}
caddy  | {"level":"info","ts":1748193304.4776158,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748193305.9060032,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 14287\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1093\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193305.9070034,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 19100\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1093\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193307.0978634,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 39940\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1091\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193308.4273028,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 46285\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1090\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193308.4294531,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 17499\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1090\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748193308.972385,"logger":"tls","msg":"published ECH configuration list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[131]}
caddy  | {"level":"debug","ts":1748193326.1701038,"logger":"events","msg":"event","name":"tls_get_certificate","id":"432ad294-142b-4582-82c2-b14cbf40f89f","origin":"tls","data":{"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[56026,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"192.168.0.60","Port":47040,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748193326.1701834,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748193326.1701896,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748193326.170193,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748193326.1702318,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.60","remote_port":"47040","server_name":"cloudflare-ech.com","remote":"192.168.0.60:47040","identifier":"cloudflare-ech.com","cipher_suites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748193326.170298,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.60:47040: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748193326.194233,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1b1a774c-0804-4d8b-88d8-073491a93244","origin":"tls","data":{"client_hello":{"CipherSuites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[51914,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[39578,772,771],"RemoteAddr":{"IP":"192.168.0.60","Port":47050,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748193326.1942956,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748193326.194304,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748193326.1943078,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748193326.1943197,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.60","remote_port":"47050","server_name":"cloudflare-ech.com","remote":"192.168.0.60:47050","identifier":"cloudflare-ech.com","cipher_suites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748193326.1944108,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.60:47050: no certificate available for 'cloudflare-ech.com'"}

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

I used the xcaddy builder and Docker Compose.
Here’s my Dockerfile:

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Debian 12.11 - x64
Docker 28.1.1

b. Command:

docker compose up -d

c. Service/unit/compose file:

services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - TZ=America/New_York
      - CLOUDFLARE_API_TOKEN=${CF_API_TOKEN}
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy-config:/config
      - ./caddy-data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile

volumes:
  caddy-data:
  caddy-config:

d. My complete Caddy config:


{
        debug
        dns cloudflare {env.CF_API_TOKEN}
        ech ech.SelfHosted.pp.ua
}

# ============================================================

SelfHosted.pp.ua {

        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

*.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

www.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

YT.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3000
}

5. Links to relevant resources:

Darknicks · May 26, 2025, 1:43am

Hello there @matt
Apologies for the mention.
Since I’ve seen you commenting about ECH related issues on the Caddy GitHub.
Do you have any idea of what I’m doing wrong?

matt · May 26, 2025, 3:47pm

The HTTPS record for your domains include:

ech=“AEX+DQBB6wAgACCyWuLbPHx6sAE43fE8/bHV9ZP5RaQK2icRrAQQQt0gAQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=”

which is a config for cloudflare-ech.com. Are you sure nothing else is managing ECH for your domain?

Darknicks · May 26, 2025, 6:26pm

Thanks a lot for your response!

Only Caddy is managing ECH on my domain.
However, for the sake of testing, I deleted all the ECH/HTTPS records on the Cloudflare Dashboard, rolled the API key and deleted this directory: /caddy-data/caddy/ech
I then started the Caddy container again.

New records were added on my Cloudflare Dashboard as soon as the container started.
I then tried to navigate to the website: www.SelfHosted.pp.ua, SelfHosted.pp.ua and YT.SelfHosted.pp.ua but got the same ERR_SSSL_PROTOCOL_ERROR.

Here are the logs after I started the Caddy container.
I added a few spaces to be able to see what was going to happen before I tried to go to www.SelfHosted.pp.ua and then did the same the same thing for SelfHosted.pp.ua and YT.SelfHosted.pp.ua


[+] Running 1/1
 ✔ Container caddy  Created                                                                                                                                             0.0s
Attaching to caddy
caddy  | {"level":"info","ts":1748283402.8966646,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748283402.8968017,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493747097,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748283402.8968446,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748283402.8981662,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748283402.8981783,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748283402.8989413,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748283402.8991687,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00052b800"}
caddy  | {"level":"debug","ts":1748283402.944845,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":247}
caddy  | {"level":"info","ts":1748283402.945,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748283402.9451246,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748283402.945187,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748283402.9458096,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748283402.9458716,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748283402.9459655,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748283402.9461071,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748283402.9461832,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748283402.9462235,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748283402.9462473,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748283402.9462702,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748283402.9462879,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748283402.9486847,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.9488704,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.9489849,"logger":"events","msg":"event","name":"cached_managed_cert","id":"730f368f-4e42-4d11-a35e-c6549265c32f","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748283402.9493885,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.949543,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.949621,"logger":"events","msg":"event","name":"cached_managed_cert","id":"d92576f8-44e4-4db0-ac86-cb786a021ee8","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748283402.949949,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.9500916,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.9501848,"logger":"events","msg":"event","name":"cached_managed_cert","id":"4cb377c0-79a0-41b2-b77e-1ac6980b82f4","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748283402.9504533,"logger":"events","msg":"event","name":"started","id":"ddb133e9-4c1b-44b7-b007-cae7ed6f9657","origin":"","data":null}
caddy  | {"level":"info","ts":1748283402.951402,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748283402.9515927,"msg":"serving initial configuration"}
caddy  | {"level":"debug","ts":1748283402.9611416,"logger":"tls.ech","msg":"publishing ECH config list","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"],"config_ids":[247]}
caddy  | {"level":"debug","ts":1748283402.9620836,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 28759\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t232\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283402.962787,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 30282\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t232\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748283402.971264,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748369802.9712625,"try_again_in":86399.999999577}
caddy  | {"level":"info","ts":1748283402.971412,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748283403.9747376,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 17956\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t231\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283404.6647892,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 22057\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t230\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283404.6664627,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 60179\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t230\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283405.185732,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 60927\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t229\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283405.1872692,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 53026\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t229\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748283405.6945117,"logger":"tls","msg":"published ECH configuration list","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"],"config_ids":[247]}





caddy  | {"level":"debug","ts":1748283426.5703206,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c5a757e1-c2e8-4e34-b3cc-a87eb7d93b52","origin":"tls","data":{"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[6682,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58011,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.570446,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5704517,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5704548,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5704627,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58011","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58011","identifier":"cloudflare-ech.com","cipher_suites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.570515,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58011: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.572984,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b81fb0a5-724f-4698-8388-61b87f24853e","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[6682,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[6682,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52002,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.573008,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5730302,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5730338,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5730402,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52002","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52002","identifier":"cloudflare-ech.com","cipher_suites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.573077,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52002: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.581691,"logger":"events","msg":"event","name":"tls_get_certificate","id":"eac9b020-aa20-4aa9-b537-8daba37b77dc","origin":"tls","data":{"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52009,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.5817194,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.581724,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.581727,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5817337,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52009","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52009","identifier":"cloudflare-ech.com","cipher_suites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.581766,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52009: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.5832808,"logger":"events","msg":"event","name":"tls_get_certificate","id":"d7fb265f-c2e8-4284-8389-afc6ae5717a8","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[19018,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52008,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.5833075,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5833127,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5833163,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5833225,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52008","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52008","identifier":"cloudflare-ech.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.5833688,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52008: no certificate available for 'cloudflare-ech.com'"}





caddy  | {"level":"debug","ts":1748283440.29772,"logger":"events","msg":"event","name":"tls_get_certificate","id":"94aa6c16-b6c9-4417-abbb-28f333a3091c","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[10794,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58028,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283440.297763,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283440.297769,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283440.2977781,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283440.2977874,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58028","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58028","identifier":"cloudflare-ech.com","cipher_suites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283440.2978652,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58028: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283440.2995965,"logger":"events","msg":"event","name":"tls_get_certificate","id":"340df934-caa7-435b-a40e-8d984b836d7c","origin":"tls","data":{"client_hello":{"CipherSuites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[27242,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58034,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283440.2996223,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283440.2996275,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283440.2996309,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283440.2996373,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58034","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58034","identifier":"cloudflare-ech.com","cipher_suites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283440.299812,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58034: no certificate available for 'cloudflare-ech.com'"}





caddy  | {"level":"debug","ts":1748283450.4171965,"logger":"events","msg":"event","name":"tls_get_certificate","id":"aa2563cc-803b-4a6f-b498-49d9e84678d4","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[43690,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52010,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283450.4172757,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283450.417281,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283450.4172843,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283450.4172928,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52010","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52010","identifier":"cloudflare-ech.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283450.417351,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52010: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283450.4196198,"logger":"events","msg":"event","name":"tls_get_certificate","id":"12d7bd65-e063-425d-92bc-0d09c28792ab","origin":"tls","data":{"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52011,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283450.4196663,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283450.4196713,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283450.4196746,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283450.4196813,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52011","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52011","identifier":"cloudflare-ech.com","cipher_suites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283450.4197345,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52011: no certificate available for 'cloudflare-ech.com'"}
Gracefully stopping... (press Ctrl+C again to force)
[+] Stopping 1/1
 ✔ Container caddy  Stopped

Here is the list of my local DNS records (Pi-hole):

I don’t know if it matters but my Pi-hole uses Cloudflared for DoH.

If you need me to try something else, let me know.

matt · May 26, 2025, 6:44pm

You can delete DNS records but you also have to clear your local resolvers’ DNS caches, so they don’t remember the old values.

See: Automatic HTTPS — Caddy Documentation

Darknicks · May 26, 2025, 7:15pm

Yes, between tests, I always use a new Windows Sandbox.
Inside the Sandbox, I disable IPv6 and change the IPv4 DNS to my Pi-hole IP.
Then I open Windows PowerShell and run ipconfig /flushdns
Finally, I open Edge and Clear Browsing Data (All time) before navigating to the website.

Now I was thinking, maybe ECH just doesn’t work the way I think.
Maybe it only works with External DNS. Because it’s using DoH.

What I mean with this is that, with ECH you can’t have a local website that is accessible inside the local network and at the same time having a completely different website that is only accessible outside of the network.

Could that be the reason why ECH is failing in this case?
Maybe Caddy is ignoring the local DNS records and is going directly with the A records from Cloudflare (which are different than the local ones) and that’s why cloudflare-ech.com show up on my Caddy logs.

If that’s the way it works, is there a way to disable ECH on Caddy?

Darknicks · May 27, 2025, 5:46am

Just as I was mentioning in my previous comment, it looks like you can’t have two different websites on the same domain: an internal only website and an external only website if ECH is enabled on Caddy Server or Cloudflare.

I changed the A records on my Cloudflare Dashboard and pointed them to the local/internal IP of my Caddy Server instead of the one I had before. Now it matches the DNS records of my Pi-hole.

After doing that, I deleted the HTTPS records and also the caddy-data/caddy/ech directory and started the Caddy container.

Now it looks like it’s working. No more ERR_SSL_PROTOCOL_ERROR when visiting www.SelfHosted.pp.ua, SelfHosted.pp.ua and YT.SelfHosted.pp.ua

Here are the logs:


[+] Running 1/1
 ✔ Container caddy  Created                                                                                                                                             0.0s
Attaching to caddy
caddy  | {"level":"info","ts":1748323804.7826538,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748323804.7828882,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493747097,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748323804.7829723,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748323804.784184,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748323804.7841957,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748323804.785301,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748323804.7857306,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001b7000"}
caddy  | {"level":"debug","ts":1748323804.8309402,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":127}
caddy  | {"level":"info","ts":1748323804.8312216,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748323804.8312843,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748323804.8313742,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748323804.831938,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748323804.832105,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748323804.8322458,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748323804.832554,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748323804.832664,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748323804.8327382,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748323804.832802,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748323804.8328729,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748323804.832935,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua","yt.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748323804.833423,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8335922,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8336852,"logger":"events","msg":"event","name":"cached_managed_cert","id":"7e40fa3c-95d3-453e-bd42-7c1257034029","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748323804.8340666,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8342364,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8343256,"logger":"events","msg":"event","name":"cached_managed_cert","id":"8c73278f-a84a-4e8c-8945-e48f25f69175","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748323804.8347776,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8348954,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8349755,"logger":"events","msg":"event","name":"cached_managed_cert","id":"a2df25f2-e663-48e1-9c33-fd1cc8b4b9de","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748323804.8351486,"logger":"events","msg":"event","name":"started","id":"62465aef-9744-4e01-9380-ed2782d40cbd","origin":"","data":null}
caddy  | {"level":"info","ts":1748323804.8353355,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748323804.8354063,"msg":"serving initial configuration"}
caddy  | {"level":"info","ts":1748323804.8470654,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748410204.847064,"try_again_in":86399.999999592}
caddy  | {"level":"info","ts":1748323804.847239,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748323804.8576515,"logger":"tls.ech","msg":"publishing ECH config list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[127]}
caddy  | {"level":"debug","ts":1748323804.85843,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 41545\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1411\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323804.8589752,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 44274\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1411\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323807.5260882,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 54399\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1408\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323807.5269575,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 18053\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1408\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.2066503,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 57584\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.7875547,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NXDOMAIN, id: 9454\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.7886686,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 13512\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"warn","ts":1748323808.9738617,"logger":"tls","msg":"domain does not have any existing records, so skipping publication of HTTPS record","domain":"*.selfhosted.pp.ua","relative_name":"*","zone":"selfhosted.pp.ua."}
caddy  | {"level":"info","ts":1748323808.9738967,"logger":"tls","msg":"published ECH configuration list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[127]}





caddy  | {"level":"debug","ts":1748323828.0861006,"logger":"events","msg":"event","name":"tls_get_certificate","id":"9ddccc4e-ac03-420c-9998-dc7814e4c75e","origin":"tls","data":{"client_hello":{"CipherSuites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"www.selfhosted.pp.ua","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53038,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323828.0861928,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.selfhosted.pp.ua"}
caddy  | {"level":"debug","ts":1748323828.0862036,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323828.0862086,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.selfhosted.pp.ua","subjects":["*.selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.086214,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53038","subjects":["*.selfhosted.pp.ua"],"managed":true,"expiration":1755914503,"hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.0882335,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.0909705,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002675122,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/","headers":{"Priority":["u=0, i"],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Dest":["document"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Site":["none"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"]},"status":302}
caddy  | {"level":"debug","ts":1748323828.0959253,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.097119,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001146346,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/status/services","headers":{"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Priority":["u=0, i"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["192.168.0.10"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.14299,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.14299,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.1454394,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002352865,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["*/*"],"Priority":["u=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Origin":["https://www.selfhosted.pp.ua"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["script"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["489902"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Vary":["Accept-Encoding"],"Content-Type":["application/javascript; charset=UTF-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.1463554,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003121606,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Site":["same-origin"],"Accept":["text/css,*/*;q=0.1"],"X-Forwarded-Proto":["https"],"Origin":["https://www.selfhosted.pp.ua"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["style"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Mode":["cors"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Priority":["u=0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Content-Length":["44995"],"Connection":["keep-alive"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Keep-Alive":["timeout=5"],"Content-Encoding":["gzip"],"Content-Type":["text/css; charset=UTF-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.2896636,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.2908545,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001127293,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Priority":["i"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["same-origin"],"Origin":["https://www.selfhosted.pp.ua"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-For":["192.168.0.10"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Content-Type":["image/svg+xml"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Etag":["W/\"269-193e2ecf7a8\""]},"status":200}
caddy  | {"level":"debug","ts":1748323828.2957182,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.299268,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003501041,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Accept":["application/json, text/plain, */*"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Priority":["u=1, i"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Content-Type":["application/json; charset=utf-8"],"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Cache-Control":["no-cache"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.3162637,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.317582,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001256937,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["no-cors"],"If-None-Match":["W/\"269-193e2ecf7a8\""],"Sec-Fetch-Dest":["image"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["www.selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept-Encoding"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"]},"status":304}
caddy  | {"level":"debug","ts":1748323828.3803103,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1938d3f6-69f4-4901-a3c8-849856f74129","origin":"tls","data":{"client_hello":{"CipherSuites":[60138,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"www.selfhosted.pp.ua","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53040,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323828.38035,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.selfhosted.pp.ua"}
caddy  | {"level":"debug","ts":1748323828.3803568,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323828.3803623,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.selfhosted.pp.ua","subjects":["*.selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.3803682,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53040","subjects":["*.selfhosted.pp.ua"],"managed":true,"expiration":1755914503,"hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.3820775,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.3886638,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.006486126,"request":{"remote_ip":"192.168.0.10","remote_port":"53040","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Referer":["https://www.selfhosted.pp.ua/status/services"],"X-Forwarded-For":["192.168.0.10"],"Accept":["*/*"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Dest":["manifest"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Priority":["u=2"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""]},"status":200}





caddy  | {"level":"debug","ts":1748323862.4814973,"logger":"events","msg":"event","name":"tls_get_certificate","id":"cc31c3ad-e16a-4efc-92b8-845ecb7d7475","origin":"tls","data":{"client_hello":{"CipherSuites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"selfhosted.pp.ua","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53056,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323862.4815354,"logger":"tls.handshake","msg":"choosing certificate","identifier":"selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323862.4815423,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"selfhosted.pp.ua","subjects":["selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.4815476,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53056","subjects":["selfhosted.pp.ua"],"managed":true,"expiration":1755914507,"hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.4828134,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.4854336,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002576025,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/","headers":{"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Proto":["https"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Dest":["document"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"],"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:31:02 GMT"]},"status":302}
caddy  | {"level":"debug","ts":1748323862.4887595,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.489637,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000838304,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/status/services","headers":{"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Proto":["https"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.5304708,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.5304844,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.533708,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003171708,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Accept-Language":["en-US,en;q=0.9"],"Origin":["https://selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["script"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-For":["192.168.0.10"],"Priority":["u=1"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Referer":["https://selfhosted.pp.ua/status/services"],"X-Forwarded-Host":["selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Vary":["Accept-Encoding"],"Accept-Ranges":["bytes"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Content-Length":["489902"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Content-Type":["application/javascript; charset=UTF-8"],"Cache-Control":["public, max-age=0"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.5351355,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.004527467,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Sec-Fetch-Dest":["style"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept":["text/css,*/*;q=0.1"],"Referer":["https://selfhosted.pp.ua/status/services"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"],"Priority":["u=0"],"Origin":["https://selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Content-Type":["text/css; charset=UTF-8"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Content-Length":["44995"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.66775,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.670038,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002244095,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Referer":["https://selfhosted.pp.ua/status/services"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Origin":["https://selfhosted.pp.ua"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Etag":["W/\"269-193e2ecf7a8\""],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["image/svg+xml"],"Cache-Control":["public, max-age=0"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.6728804,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.6737251,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000804379,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Priority":["u=1, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["empty"],"Referer":["https://selfhosted.pp.ua/status/services"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["application/json, text/plain, */*"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.6955147,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.6964982,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000910165,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Platform":["\"Windows\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Referer":["https://selfhosted.pp.ua/status/services"],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Priority":["i"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"If-None-Match":["W/\"269-193e2ecf7a8\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"]},"status":304}
caddy  | {"level":"debug","ts":1748323862.7603009,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1a03c699-4e8a-4b9d-91a7-7250b80ad5ca","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"selfhosted.pp.ua","SupportedCurves":[2570,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[14906,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53039,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323862.7603526,"logger":"tls.handshake","msg":"choosing certificate","identifier":"selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323862.7603588,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"selfhosted.pp.ua","subjects":["selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.7603652,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53039","subjects":["selfhosted.pp.ua"],"managed":true,"expiration":1755914507,"hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.763761,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.7650912,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001249087,"request":{"remote_ip":"192.168.0.10","remote_port":"53039","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=2"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Via":["2.0 Caddy"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["manifest"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Mode":["cors"],"Accept":["*/*"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Host":["selfhosted.pp.ua"],"Referer":["https://selfhosted.pp.ua/status/services"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}





caddy  | {"level":"debug","ts":1748323913.4599836,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.463358,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003293697,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["document"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"],"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":302}
caddy  | {"level":"debug","ts":1748323913.4668758,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.4685206,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001598699,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/status/services","headers":{"Upgrade-Insecure-Requests":["1"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.5187948,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.5188057,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.5215786,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002723503,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Origin":["https://yt.selfhosted.pp.ua"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Dest":["style"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["text/css,*/*;q=0.1"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Priority":["u=0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Vary":["Accept-Encoding"],"Cache-Control":["public, max-age=0"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Content-Type":["text/css; charset=UTF-8"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Content-Length":["44995"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.522392,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003474065,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Origin":["https://yt.selfhosted.pp.ua"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"Priority":["u=1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["script"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Content-Type":["application/javascript; charset=UTF-8"],"Cache-Control":["public, max-age=0"],"Content-Length":["489902"],"Connection":["keep-alive"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6563601,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6589122,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002492498,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Origin":["https://yt.selfhosted.pp.ua"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["image"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["image/svg+xml"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6621,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6645565,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.00240717,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Priority":["u=1, i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["application/json, text/plain, */*"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Cache-Control":["no-cache"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6844797,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6858447,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001307523,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/icon.svg","headers":{"X-Forwarded-Proto":["https"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["image"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Priority":["i"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"],"If-None-Match":["W/\"269-193e2ecf7a8\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Mode":["no-cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":304}
caddy  | {"level":"debug","ts":1748323913.7460625,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.7472038,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001069656,"request":{"remote_ip":"192.168.0.10","remote_port":"53040","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Priority":["u=2"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["manifest"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua-Platform":["\"Windows\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""]},"status":200}

Gracefully stopping... (press Ctrl+C again to force)
[+] Stopping 1/1
 ✔ Container caddy  Stopped

Is there a way to disable ECH on Caddy?
That would be the only way of doing what I want to do: using the same domain serving a public website that can be accessed when I’m outside of the home network and a different private website that can only be accessed when I’m connected to the local home network.

While I know I can disable Cloudflare’s ECH using the API, I would prefer not to disable it that way. I want the external/public website to have ECH enabled. I would be using a different Caddy Server instance for that one. And since I don’t think ECH is necessary (or am I wrong?) on a private network, I think disabling it on the local Caddy Server would solve it.

Darknicks · June 2, 2025, 3:35am

Hey @matt
I hope everything is going well
Please don’t forget to take a look to this post

matt · June 3, 2025, 4:06pm

I guess I don’t follow… (I’m also not at 100% cognitive ability yet, getting over sickness):

ECH is disabled by default on Caddy, you have to enable it.

felipecrs · June 14, 2025, 10:19pm

I have the very same issue. It’s very annoying. I wish someone can find a solution that doesn’t mean disabling ECH in Cloudflare side.

By the way I am baking Caddy as local proxy companion for cloudflared in Home Assistant. My use case is precisely the same as yours, @Darknicks.

github.com/brenner-tobias/addon-cloudflared

Act as a local network reverse proxy

main ← caddy-internal-proxy

opened 03:36AM - 21 May 25 UTC

felipecrs

+472 -432

# Proposed Changes This is extremely work in progress and should not be revie…wed. I just wanted to save my working before going to bed. But it's working! The caddy server listens to port 80 and 443, is configured with all the same hosts as cloudflared itself and handles automatic HTTPs through HTTP challenge. Without requiring any extra user configuration like tokens, email, and whatnot. User just have to choose to expose the add-on's 80/443, and then configure their internal DNS server to serve Home Assistant IP for the domains proxied. With this, when user is inside home: - Client -> https://ha.mydomain.com -> 192.168.1.10 -> Caddy -> Home Assistant Core When outside home: - Client -> https://ha.mydomain.com -> Cloudflare IPs -> Cloudflared -> Caddy -> Home Assistant Core Without needing to learn anything new or having to use Nginx Proxy Manager. ## Related Issues Refs https://github.com/brenner-tobias/addon-cloudflared/discussions/292#discussioncomment-13209116 ## TODOs - [x] Test live logs - [x] Allow to configure internal-only hostnames (that cannot be accessed through cloudflared) - [x] Add NET_ADMIN cap - [x] Add 443/udp (needed by HTTP/3 I think) - [x] Disable auto_https and ports 80/443 when user has not exposed these ports - [x] Handle Home Assistant serving with SSL - [x] Fix Caddyfile formatting (handle go templates properly) - [x] Handle catch-all - [x] Adapt to https://github.com/brenner-tobias/addon-cloudflared/pull/852 - [x] Enable HTTP/2 between Cloudflared and Caddy - [x] Avoid using noTLSVerify between Cloudflared and Caddy - [x] Disable unused features like admin API, json config persistence, auto install of root CA - [x] Improve logging format to make them more human readable, including colors - [x] Configure catch all handler with HTTPS to enable HTTP/2 and HTTP/3 - [ ] Map addon log option to Caddy ([ref](https://caddyserver.com/docs/caddyfile/options#log)) - [ ] Test when auto_https is disabled (i.e. HTTPS port not exposed) - [ ] Explore HA [ssl_peer_certificate](https://www.home-assistant.io/integrations/http/#ssl_peer_certificate) - [ ] Investigate how to include email for ACME - [ ] Re-evaluate usage of tls on_demand for catch-all service ([ref](https://github.com/caddyserver/caddy/issues/7062#issuecomment-2966973184)) - [ ] Think of more TODOs ## Summary by CodeRabbit - **New Features** - Introduced an optional built-in Caddy proxy replacing the previous Nginx proxy for routing connections to Home Assistant and additional hosts. - Added a configuration option to enable or disable the built-in Caddy proxy. - Added support for restricting additional hosts to local network access only. - Exposed new ports: 80/tcp, 443/tcp, and 443/udp for proxy and HTTP/3 support. - **Improvements** - Simplified and streamlined build and deployment configurations. - Enhanced documentation with detailed instructions for using the built-in Caddy proxy and local network access. - Updated translations and configuration descriptions to reflect the switch to Caddy. - **Removals** - Removed Nginx proxy and related configuration files and scripts.

ferrybig · June 16, 2025, 6:34am

This error happens when using an incorrectly configured local DNS override

At one end of the spectrum, overriding any DNS records gives problems with the DNS challenges, while only overriding the A and AAAA records means this ECH problems. You want to make empty HTTPS records for the domains you overwrote in the local DNS server

felipecrs · June 16, 2025, 1:49pm

Thanks a lot for replying, @ferrybig. But could you please elaborate on what you mean by “You want to make empty HTTPS records for the domains you overwrote in the local DNS server”?

Let’s say my website is ha.example.com, which is publicly pointing to Cloudflare, but internally is pointing to 192.168.1.10 through an A record.

Do you mean I should create an additional record for ha.example.com within my local DNS server with HTTPS type and set it to blank?

felipecrs · June 17, 2025, 8:25pm

I reported this as an issue in Caddy’s GitHub. It may not be an issue in Caddy at the end of the day, but I guess it’s better to discuss it in a single place:

github.com/caddyserver/caddy

How to handle `cloudflare-ech.com` requests?

opened 06:32AM - 15 Jun 25 UTC

felipecrs

This is driving me crazy. I have spent several hours trying things and reading s…everal issues and threads about it, and I can't find a definitive solution. Here's my setup: - https://github.com/brenner-tobias/addon-cloudflared/pull/843 1. I run Caddy and Cloudflared in a single container. Cloudflared communicates with Caddy at 127.0.0.1, tunneling the traffic to Cloudflare. Caddy reverse proxies my Home Assistant server. 1. When someone accesses `ha.example.com` from the internet, Cloudflare will serve it. 2. When someone accesses `ha.example.com` from my local network (through router DNS), Caddy will serve it. However, I keep bumping into `ERR_SSL_PROTOCOL_ERROR` when accessing `ha.example.com` through my local network (Chrome). This is my Caddyfile (caddy 2.10.0): ```caddyfile { debug admin off persist_config off skip_install_trust log { format console } } # Used for communication between Cloudflared and Caddy https://caddy.localhost { tls internal # Used to ensure Caddy is ready before starting Cloudflared respond /healthz 200 respond 403 } ha.example.com { @cloudflared remote_ip 127.0.0.1 reverse_proxy @cloudflared http://homeassistant:8123 { # https://developers.cloudflare.com/support/troubleshooting/restoring-visitor-ips/restoring-original-visitor-ips/#caddy header_up X-Forwarded-For {http.request.header.CF-Connecting-IP} } reverse_proxy http://homeassistant:8123 } ``` After enabling debug logs in Caddy, I can see: ``` 2025/06/15 06:25:34.801 DEBUG http.handlers.reverse_proxy upstream roundtrip {"upstream": "homeassistant:8123", "duration": 0.000838884, "request": {"remote_ip": "192.168.1.15", "remote_port": "39124", "client_ip": "192.168.1.15", "proto": "HTTP/1.1", "method": "GET", "host": "ha.example.com", "uri": "/api/config", "headers": {"X-Forwarded-For": ["192.168.1.15"], "X-Forwarded-Proto": ["https"], "X-Forwarded-Host": ["ha.example.com"], "Via": ["1.1 Caddy"], "Accept-Encoding": ["identity"], "Authorization": ["REDACTED"], "User-Agent": [""]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "", "server_name": "ha.example.com"}}, "headers": {"X-Frame-Options": ["SAMEORIGIN"], "Content-Length": ["5255"], "Date": ["Sun, 15 Jun 2025 06:25:34 GMT"], "Content-Type": ["application/json"], "Referrer-Policy": ["no-referrer"], "X-Content-Type-Options": ["nosniff"], "Server": [""]}, "status": 200} 2025/06/15 06:25:35.113 DEBUG events event {"name": "tls_get_certificate", "id": "c5ed33f2-18cf-4b15-bd52-c956319ff2e4", "origin": "tls", "data": {"client_hello":{"CipherSuites":[4865,4866,4867],"ServerName":"cloudflare-ech.com","SupportedCurves":[4588,29,23,24],"SupportedPoints":null,"SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h3"],"SupportedVersions":[772],"RemoteAddr":{"IP":"192.168.1.15","Port":64786,"Zone":""},"LocalAddr":{"IP":"172.30.33.5","Port":443,"Zone":""}}}} 2025/06/15 06:25:35.113 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "cloudflare-ech.com"} 2025/06/15 06:25:35.113 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.com"} 2025/06/15 06:25:35.113 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*"} 2025/06/15 06:25:35.113 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "192.168.1.15", "remote_port": "64786", "server_name": "cloudflare-ech.com", "remote": "192.168.1.15:64786", "identifier": "cloudflare-ech.com", "cipher_suites": [4865, 4866, 4867], "cert_cache_fill": 0.0004, "load_or_obtain_if_necessary": true, "on_demand": false} 2025/06/15 06:25:35.113 DEBUG events event {"name": "tls_get_certificate", "id": "aa3ecd01-0235-4b34-ac08-64d7cabbf078", "origin": "tls", "data": {"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[43690,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[23130,772,771],"RemoteAddr":{"IP":"192.168.1.15","Port":39440,"Zone":""},"LocalAddr":{"IP":"172.30.33.5","Port":443,"Zone":""}}}} 2025/06/15 06:25:35.113 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "cloudflare-ech.com"} 2025/06/15 06:25:35.114 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.com"} 2025/06/15 06:25:35.114 DEBUG tls.handshake no matching certificates and no custom selection logic {"identifier": "*.*"} 2025/06/15 06:25:35.114 DEBUG tls.handshake no certificate matching TLS ClientHello {"remote_ip": "192.168.1.15", "remote_port": "39440", "server_name": "cloudflare-ech.com", "remote": "192.168.1.15:39440", "identifier": "cloudflare-ech.com", "cipher_suites": [47802, 4865, 4866, 4867, 49195, 49199, 49196, 49200, 52393, 52392, 49171, 49172, 156, 157, 47, 53], "cert_cache_fill": 0.0004, "load_or_obtain_if_necessary": true, "on_demand": false} 2025/06/15 06:25:35.114 DEBUG http.stdlib http: TLS handshake error from 192.168.1.15:39440: no certificate available for 'cloudflare-ech.com' ``` And the only work around I found was to [disable ECH in Cloudflare](https://neonode.cc/en/blog/how_to_disable_ech_cf/). Any ideas on what I can do to "fix" this?

ferrybig · June 19, 2025, 5:29pm

Settings a record to blank might not work.

From a device in the local network, run dig +noall +answer HTTPS example.com to see what is returned.

You could set your router to return example.com. 7016 IN HTTPS 1 . alpn="h2,h3" instead of blank so it overrides the record of your domain properly

felipecrs · June 22, 2025, 3:09pm

Ok, that’s interesting.

❯ dig +noall +answer A ha.example.com
ha.example.com.     0       IN      A       192.168.1.10

❯ dig +noall +answer HTTPS ha.example.com
ha.example.com.     277     IN      HTTPS   1 . alpn="h3,h2" ipv4hint=104.21.48.163,172.67.154.87 ipv6hint=2606:4700:3032::6815:30a3,2606:4700:3033::ac43:9a57

I just need to figure out how to set such record in OpenWrt now.

felipecrs · June 22, 2025, 5:12pm

I couldn’t configure the HTTPS record yet.

However, I can confirm that once I make OpenWrt no longer include the HTTPS record in the DNS response, I no longer have such problem.

To make that happen, I needed to not only set my DNS record in OpenWrt > Network > DHCP and DNS > DNS Records > Hostnames, but also add the /lan/<domain>/ record in OpenWrt > Network > DHCP and DNS > General > Addresses.

This isn’t ideal yet because without the HTTPS record, HTTP/2 and HTTP/3 between my browser and Caddy cannot be established as optimally as otherwise.

felipecrs · June 25, 2025, 11:52pm

Turns out OpenWrt doesn’t support configuring HTTPS records yet, specifically LuCI.

But thanks to an amazing guy named systemcrash this is already in the works, and I was able to patch my device locally (more details here).

I was able to test the early work and confirm it to be working:

❯ dig @192.168.1.1 +noall +answer HTTPS ha.example.com
ha.example.com.     0       IN      HTTPS   1 ha.example.com. alpn="h3,h2" ipv4hint=192.168.1.10

And it’s working great, no more cloudflare-ech.com requests going to Caddy, and HTTP/2 and HTTP/3 connection can be established right away without requiring the initial HTTP/1.1 connection.

I supposed I could even go ahead and enable ECH in Caddy as well. I’d just need to make sure my HTTPS record points to it similar to how the Cloudflare one does:

❯ dig @1.1.1.1 +noall +answer HTTPS ha.example.com
ha.example.com.     300     IN      HTTPS   1 . alpn="h3,h2" ipv4hint=104.21.48.163,172.67.154.87 ech=AEX+DQBBcgAgACCuudXVeqy1b7VjHm3+N5rJppj+yAvIrV3DfAS5RT2teQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:3032::6815:30a3,2606:4700:3033::ac43:9a57

But ECH within my local network doesn’t really make sense. I control the DNS resolver anyway; it’s not leaking to my ISP or something like that.

Conclusion:

Make sure your local DNS server is serving both the A/AAAA and HTTPS records for your domain. If you serve just A/AAAA, then your browser will probably end up receiving the HTTPS record from the public DNS server, which is going to confuse the browser and cause the ERR_SSL_PROTOCOL_ERROR down the line.