Encrypted Client Hello (ECH) - Issues with internal network

1. The problem I’m having:

I’ve been having issues with Caddy, my domain (on Cloudflare) and ECH.
First of all, please be aware that there is no port forwarding.
This website is only supposed to be available internally.
I’m using Caddy with Cloudflare’s DNS challenge plugin to get the SSL certificates.

It looks like the Encrypted Client Hello (ECH) is what’s failing here.

When I start Caddy, it successfully creates the HTTPS records on my Cloudflare domain Dashboard, so it looks like that part is working fine. But still ECH is failing because 99% of the time, when I try to access the site, I get this error: ERR_SSL_PROTOCOL_ERROR

Unless I’m missing something about ECH… Is it supposed to only work for externally accessible domains? I don’t think so. Otherwise it wouldn’t need the Cloudflare DNS plugin.

When I visit the site from Chrome, Firefox and Edge, sometimes it goes through, but 99% of the time it fails and results in this error: ERR_SSL_PROTOCOL_ERROR

DuckDuckGo Browser works fine all the time.

What am I doing wrong?

Here’s the curl -vL output:


curl -vL https://www.SelfHosted.pp.ua

*   Trying 192.168.0.15:443...
* Connected to www.SelfHosted.pp.ua (192.168.0.15) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=*.selfhosted.pp.ua
*  start date: May 25 02:01:43 2025 GMT
*  expire date: Aug 23 02:01:42 2025 GMT
*  subjectAltName: host "www.SelfHosted.pp.ua" matched cert's "*.selfhosted.pp.ua"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.SelfHosted.pp.ua]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55d4307c27a0)
> GET / HTTP/2
> Host: www.SelfHosted.pp.ua
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 302
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< date: Mon, 26 May 2025 01:31:02 GMT
< location: /status/services
< vary: Accept
< via: 1.1 Caddy
< x-frame-options: SAMEORIGIN
< content-length: 38
<
* Ignoring the response-body
* Connection #0 to host www.SelfHosted.pp.ua left intact
* Issue another request to this URL: 'https://www.SelfHosted.pp.ua/status/services'
* Found bundle for host: 0x55d4307bc440 [can multiplex]
* Re-using existing connection #0 with host www.SelfHosted.pp.ua
* h2h3 [:method: GET]
* h2h3 [:path: /status/services]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.SelfHosted.pp.ua]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 3 (easy handle 0x55d4307c27a0)
> GET /status/services HTTP/2
> Host: www.SelfHosted.pp.ua
> user-agent: curl/7.88.1
> accept: */*
>
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< content-type: text/html; charset=utf-8
< date: Mon, 26 May 2025 01:31:02 GMT
< etag: W/"ba9-/T3XoCbFPywxqTam0YxDAHgYwaY"
< via: 1.1 Caddy
< x-frame-options: SAMEORIGIN
< content-length: 2985
<
<!DOCTYPE html><html lang="en"><head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0, viewport-fit=cover">

    <link rel="icon" href="/icon.svg">
    <link rel="manifest" href="/api/status-page/services/manifest.json">
    <meta name="theme-color" id="theme-color" content="">
    <meta name="description" content="">
    <title>Services</title>
    <style>        .noscript-message {
            font-size: 20px;
            text-align: center;
            padding: 10px;
            max-width: 500px;
            margin: 0 auto;
        }
    </style>
  <script type="module" crossorigin="" src="/assets/index-B_z9mVlf.js"></script>
  <link rel="stylesheet" crossorigin="" href="/assets/index-bOVKKa1O.css">
  <script type="module">import.meta.url;import("_").catch(()=>1);async function* g(){};if(location.protocol!="file:"){window.__vite_is_modern_browser=true}</script>
  <script type="module">!function(){if(window.__vite_is_modern_browser)return;console.warn("vite: loading legacy chunks, syntax error above and the same error below should be ignored");var e=document.getElementById("vite-legacy-polyfill"),n=document.createElement("script");n.src=e.src,n.onload=function(){System.import(document.getElementById('vite-legacy-entry').getAttribute('data-src'))},document.body.appendChild(n)}();</script>
<meta property="og:title" content="Services"><meta property="og:description" content="">
            <script id="preload-data" data-json="{}">
                window.preloadData = {'config':{'slug':'services','title':'Services','description':null,'icon':'/icon.svg','theme':'auto','published':true,'showTags':false,'customCSS':'body {\n  \n}\n','footerText':null,'showPoweredBy':true,'googleAnalyticsId':null,'showCertificateExpiry':false},'incident':null,'publicGroupList':[{'id':2,'name':'Services','weight':1,'monitorList':[{'id':8,'name':'Debian','sendUrl':0,'type':'ping'}]}],'maintenanceList':[]};
            </script>
        </head>
<body>
<noscript>
<div class="noscript-message">
    Sorry, you don't seem to have JavaScript enabled or your browser
    doesn't support it.<br />This website requires JavaScript to function.
    Please enable JavaScript in your browser settings to continue.
</div>
</noscript>
<div id="app"></div>
  <script nomodule="">!function(){var e=document,t=e.createElement("script");if(!("noModule"in t)&&"onbeforeload"in t){var n=!1;e.addEventListener("beforeload",(function(e){if(e.target===t)n=!0;else if(!e.target.hasAttribute("nomodule")||!n)return;e.preventDefault()}),!0),t.type="module",t.src=".",e.head.appendChild(t),t.remove()}}();</script>
  <script nomodule="" crossorigin="" id="vite-legacy-polyfill" src="/assets/polyfills-legacy-CProAAlf.js"></script>
  <script nomodule="" crossorigin="" id="vite-legacy-entry" data-src="/assets/index-legacy-PIuZWdNf.js">System.import(document.getElementById('vite-legacy-entry').getAttribute('data-src'))</script>


* Connection #0 to host www.SelfHosted.pp.ua left intact
</body></html>


2. Error messages and/or full log output:


caddy  | {"level":"info","ts":1748193304.3745239,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748193304.3746724,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493758156,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748193304.3747456,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748193304.3759706,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748193304.3760104,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748193304.3768759,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748193304.3771596,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000138c80"}
caddy  | {"level":"debug","ts":1748193304.4226127,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":131}
caddy  | {"level":"info","ts":1748193304.4249513,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748193304.42506,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748193304.425129,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748193304.425642,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748193304.4256914,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748193304.4258146,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748193304.4259522,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748193304.42615,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748193304.4262114,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748193304.4262323,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748193304.426251,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748193304.426301,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748193304.4266412,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.42673,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.4267805,"logger":"events","msg":"event","name":"cached_managed_cert","id":"b3d46d8d-06e9-4771-b882-9d7e0ff80969","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748193304.4271464,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.4272,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.4272316,"logger":"events","msg":"event","name":"cached_managed_cert","id":"d40aa68b-dafb-4da2-b5c5-0182dfd52d76","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748193304.4275224,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748193304.427601,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748193304.427645,"logger":"events","msg":"event","name":"cached_managed_cert","id":"87f04afe-ac42-4c32-9d70-fb1df2915e15","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748193304.4277093,"logger":"events","msg":"event","name":"started","id":"3b381260-2d52-42fd-a3e3-f4d45713c498","origin":"","data":null}
caddy  | {"level":"info","ts":1748193304.4286346,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748193304.428686,"msg":"serving initial configuration"}
caddy  | {"level":"debug","ts":1748193304.439168,"logger":"tls.ech","msg":"publishing ECH config list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[131]}
caddy  | {"level":"debug","ts":1748193304.4402435,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 31038\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1094\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193304.440983,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 44449\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1094\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748193304.4774373,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748279704.4774346,"try_again_in":86399.999999555}
caddy  | {"level":"info","ts":1748193304.4776158,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748193305.9060032,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 14287\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1093\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193305.9070034,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 19100\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1093\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193307.0978634,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 39940\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1091\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193308.4273028,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 46285\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1090\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748193308.4294531,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 17499\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1090\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373640417 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748193308.972385,"logger":"tls","msg":"published ECH configuration list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[131]}
caddy  | {"level":"debug","ts":1748193326.1701038,"logger":"events","msg":"event","name":"tls_get_certificate","id":"432ad294-142b-4582-82c2-b14cbf40f89f","origin":"tls","data":{"client_hello":{"CipherSuites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[56026,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"192.168.0.60","Port":47040,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748193326.1701834,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748193326.1701896,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748193326.170193,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748193326.1702318,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.60","remote_port":"47040","server_name":"cloudflare-ech.com","remote":"192.168.0.60:47040","identifier":"cloudflare-ech.com","cipher_suites":[10794,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748193326.170298,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.60:47040: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748193326.194233,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1b1a774c-0804-4d8b-88d8-073491a93244","origin":"tls","data":{"client_hello":{"CipherSuites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[51914,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[39578,772,771],"RemoteAddr":{"IP":"192.168.0.60","Port":47050,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748193326.1942956,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748193326.194304,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748193326.1943078,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748193326.1943197,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.60","remote_port":"47050","server_name":"cloudflare-ech.com","remote":"192.168.0.60:47050","identifier":"cloudflare-ech.com","cipher_suites":[35466,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748193326.1944108,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.60:47050: no certificate available for 'cloudflare-ech.com'"}

3. Caddy version:

v2.10.0

4. How I installed and ran Caddy:

I used the xcaddy builder and Docker Compose.
Here’s my Dockerfile:

FROM caddy:builder AS builder

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare

FROM caddy:latest

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Debian 12.11 - x64
Docker 28.1.1

b. Command:

docker compose up -d

c. Service/unit/compose file:

services:
  caddy:
    build:
      context: .
      dockerfile: Dockerfile
    container_name: caddy
    restart: unless-stopped
    env_file:
      - .env
    environment:
      - TZ=America/New_York
      - CLOUDFLARE_API_TOKEN=${CF_API_TOKEN}
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./caddy-config:/config
      - ./caddy-data:/data
      - ./Caddyfile:/etc/caddy/Caddyfile

volumes:
  caddy-data:
  caddy-config:

d. My complete Caddy config:


{
        debug
        dns cloudflare {env.CF_API_TOKEN}
        ech ech.SelfHosted.pp.ua
}

# ============================================================

SelfHosted.pp.ua {

        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

*.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

www.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3001
}

YT.SelfHosted.pp.ua {
        tls {
                dns cloudflare {env.CF_API_TOKEN}
        }
        reverse_proxy http://192.168.0.50:3000
}

5. Links to relevant resources:

Hello there @matt
Apologies for the mention, since I’ve seen you commenting about ECH-related issues on the Caddy GitHub.
Do you have any idea of what I’m doing wrong?

The HTTPS records for your domains include:

ech="AEX+DQBB6wAgACCyWuLbPHx6sAE43fE8/bHV9ZP5RaQK2icRrAQQQt0gAQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA="

which is a config for cloudflare-ech.com. Are you sure nothing else is managing ECH for your domain?

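The check made in the reply above, decoding the `ech=` value of the HTTPS record to see which public name and config id it carries, as an added example (not part of the original thread and not Caddy's own code). The base64 value is the one quoted in the reply, the server-side public name and config id are taken from the Caddy debug log in the first post, and the function names are hypothetical.

```python
import base64
import struct

ECH_VERSION = 0xFE0D  # ECHConfig version codepoint used by the TLS ECH specification

# Value quoted in the reply above (ech= parameter of the published HTTPS record).
PAGE_ECH_VALUE = "AEX+DQBB6wAgACCyWuLbPHx6sAE43fE8/bHV9ZP5RaQK2icRrAQQQt0gAQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA="

# What Caddy logged when it generated its own config (tls.ech, "generated new ECH config").
SERVER_PUBLIC_NAME = "ech.selfhosted.pp.ua"
SERVER_CONFIG_ID = 131


class ECHParseError(ValueError):
    """Raised when the value is not a well-formed ECHConfigList."""


class Reader:
    """Bounds-checked cursor over a byte string (TLS presentation-language vectors)."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ECHParseError(f"truncated: need {n} bytes at offset {self.pos}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def vec8(self) -> bytes:   # opaque<..255>
        return self.take(self.u8())

    def vec16(self) -> bytes:  # opaque<..65535>
        return self.take(self.u16())

    def done(self) -> bool:
        return self.pos == len(self.data)


def parse_ech_config_list(b64_value: str) -> list:
    """Decode an ECHConfigList and return one dict per ECHConfig entry."""
    try:
        raw = base64.b64decode(b64_value, validate=True)
    except ValueError as exc:  # also catches stray typographic quotes around the value
        raise ECHParseError(f"not valid base64: {exc}") from exc
    outer = Reader(raw)
    body = Reader(outer.vec16())
    if not outer.done():
        raise ECHParseError("trailing bytes after ECHConfigList")
    configs = []
    while not body.done():
        version = body.u16()
        contents = Reader(body.vec16())
        if version != ECH_VERSION:
            # Unknown versions are length-delimited, so they can be skipped safely.
            configs.append({"version": version, "supported": False})
            continue
        config_id = contents.u8()
        kem_id = contents.u16()
        public_key = contents.vec16()
        suites_raw = contents.vec16()
        if len(suites_raw) % 4:
            raise ECHParseError("cipher_suites length is not a multiple of 4")
        suites = [struct.unpack("!HH", suites_raw[i:i + 4])
                  for i in range(0, len(suites_raw), 4)]
        max_name_len = contents.u8()
        try:
            public_name = contents.vec8().decode("ascii")
        except UnicodeDecodeError as exc:
            raise ECHParseError("public_name is not ASCII") from exc
        contents.vec16()  # extensions, not interpreted here
        if not contents.done():
            raise ECHParseError("trailing bytes inside ECHConfig")
        configs.append({"version": version, "supported": True, "config_id": config_id,
                        "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "max_name_len": max_name_len,
                        "public_name": public_name})
    return configs


def compare_with_server(configs, server_public_name, server_config_id) -> list:
    """List the differences between the published configs and the server's own config."""
    problems = []
    for cfg in (c for c in configs if c["supported"]):
        if cfg["public_name"].lower() != server_public_name.lower():
            problems.append(f"DNS public_name {cfg['public_name']!r} != "
                            f"server {server_public_name!r}")
        if cfg["config_id"] != server_config_id:
            problems.append(f"DNS config_id {cfg['config_id']} != server {server_config_id}")
    return problems


if __name__ == "__main__":
    parsed = parse_ech_config_list(PAGE_ECH_VALUE)
    for cfg in parsed:
        print(cfg["config_id"], cfg["public_name"])
    for line in compare_with_server(parsed, SERVER_PUBLIC_NAME, SERVER_CONFIG_ID):
        print("MISMATCH:", line)
```

A client that uses the published value sends the record's public name as the outer SNI, which matches the `server_name` of `cloudflare-ech.com` in the failed handshakes logged in the first post.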

Thanks a lot for your response!

Only Caddy is managing ECH on my domain.
However, for the sake of testing, I deleted all the ECH/HTTPS records on the Cloudflare Dashboard, rolled the API key and deleted this directory: /caddy-data/caddy/ech
I then started the Caddy container again.

New records were added on my Cloudflare Dashboard as soon as the container started.
I then tried to navigate to the website: www.SelfHosted.pp.ua, SelfHosted.pp.ua and YT.SelfHosted.pp.ua but got the same ERR_SSL_PROTOCOL_ERROR.

Here are the logs after I started the Caddy container.
I added a few spaces to be able to see what was going to happen before I tried to go to www.SelfHosted.pp.ua and then did the same thing for SelfHosted.pp.ua and YT.SelfHosted.pp.ua.


[+] Running 1/1
 ✔ Container caddy  Created                                                                                                                                             0.0s
Attaching to caddy
caddy  | {"level":"info","ts":1748283402.8966646,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748283402.8968017,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493747097,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748283402.8968446,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748283402.8981662,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748283402.8981783,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748283402.8989413,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748283402.8991687,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00052b800"}
caddy  | {"level":"debug","ts":1748283402.944845,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":247}
caddy  | {"level":"info","ts":1748283402.945,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748283402.9451246,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748283402.945187,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3000"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.50:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748283402.9458096,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748283402.9458716,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748283402.9459655,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748283402.9461071,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748283402.9461832,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748283402.9462235,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748283402.9462473,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748283402.9462702,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748283402.9462879,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748283402.9486847,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.9488704,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.9489849,"logger":"events","msg":"event","name":"cached_managed_cert","id":"730f368f-4e42-4d11-a35e-c6549265c32f","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748283402.9493885,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.949543,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.949621,"logger":"events","msg":"event","name":"cached_managed_cert","id":"d92576f8-44e4-4db0-ac86-cb786a021ee8","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748283402.949949,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748283402.9500916,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748283402.9501848,"logger":"events","msg":"event","name":"cached_managed_cert","id":"4cb377c0-79a0-41b2-b77e-1ac6980b82f4","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748283402.9504533,"logger":"events","msg":"event","name":"started","id":"ddb133e9-4c1b-44b7-b007-cae7ed6f9657","origin":"","data":null}
caddy  | {"level":"info","ts":1748283402.951402,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748283402.9515927,"msg":"serving initial configuration"}
caddy  | {"level":"debug","ts":1748283402.9611416,"logger":"tls.ech","msg":"publishing ECH config list","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"],"config_ids":[247]}
caddy  | {"level":"debug","ts":1748283402.9620836,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 28759\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t232\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283402.962787,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 30282\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t232\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748283402.971264,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748369802.9712625,"try_again_in":86399.999999577}
caddy  | {"level":"info","ts":1748283402.971412,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748283403.9747376,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 17956\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t231\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283404.6647892,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 22057\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t230\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283404.6664627,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 60179\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t230\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283405.185732,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 60927\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t229\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748283405.1872692,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 53026\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t229\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373767518 10000 2400 604800 1800\n"}
caddy  | {"level":"info","ts":1748283405.6945117,"logger":"tls","msg":"published ECH configuration list","domains":["yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua"],"config_ids":[247]}





caddy  | {"level":"debug","ts":1748283426.5703206,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c5a757e1-c2e8-4e34-b3cc-a87eb7d93b52","origin":"tls","data":{"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[6682,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58011,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.570446,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5704517,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5704548,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5704627,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58011","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58011","identifier":"cloudflare-ech.com","cipher_suites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.570515,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58011: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.572984,"logger":"events","msg":"event","name":"tls_get_certificate","id":"b81fb0a5-724f-4698-8388-61b87f24853e","origin":"tls","data":{"client_hello":{"CipherSuites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[6682,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[6682,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52002,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.573008,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5730302,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5730338,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5730402,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52002","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52002","identifier":"cloudflare-ech.com","cipher_suites":[31354,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.573077,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52002: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.581691,"logger":"events","msg":"event","name":"tls_get_certificate","id":"eac9b020-aa20-4aa9-b537-8daba37b77dc","origin":"tls","data":{"client_hello":{"CipherSuites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52009,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.5817194,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.581724,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.581727,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5817337,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52009","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52009","identifier":"cloudflare-ech.com","cipher_suites":[43690,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.581766,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52009: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283426.5832808,"logger":"events","msg":"event","name":"tls_get_certificate","id":"d7fb265f-c2e8-4284-8389-afc6ae5717a8","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[19018,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52008,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283426.5833075,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283426.5833127,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283426.5833163,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283426.5833225,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52008","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52008","identifier":"cloudflare-ech.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283426.5833688,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52008: no certificate available for 'cloudflare-ech.com'"}





caddy  | {"level":"debug","ts":1748283440.29772,"logger":"events","msg":"event","name":"tls_get_certificate","id":"94aa6c16-b6c9-4417-abbb-28f333a3091c","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[10794,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58028,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283440.297763,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283440.297769,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283440.2977781,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283440.2977874,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58028","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58028","identifier":"cloudflare-ech.com","cipher_suites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283440.2978652,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58028: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283440.2995965,"logger":"events","msg":"event","name":"tls_get_certificate","id":"340df934-caa7-435b-a40e-8d984b836d7c","origin":"tls","data":{"client_hello":{"CipherSuites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[27242,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":58034,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283440.2996223,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283440.2996275,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283440.2996309,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283440.2996373,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"58034","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58034","identifier":"cloudflare-ech.com","cipher_suites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283440.299812,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:58034: no certificate available for 'cloudflare-ech.com'"}





caddy  | {"level":"debug","ts":1748283450.4171965,"logger":"events","msg":"event","name":"tls_get_certificate","id":"aa2563cc-803b-4a6f-b498-49d9e84678d4","origin":"tls","data":{"client_hello":{"CipherSuites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[43690,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52010,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283450.4172757,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283450.417281,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283450.4172843,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283450.4172928,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52010","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52010","identifier":"cloudflare-ech.com","cipher_suites":[14906,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283450.417351,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52010: no certificate available for 'cloudflare-ech.com'"}
caddy  | {"level":"debug","ts":1748283450.4196198,"logger":"events","msg":"event","name":"tls_get_certificate","id":"12d7bd65-e063-425d-92bc-0d09c28792ab","origin":"tls","data":{"client_hello":{"CipherSuites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"cloudflare-ech.com","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[64250,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":52011,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748283450.4196663,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"cloudflare-ech.com"}
caddy  | {"level":"debug","ts":1748283450.4196713,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.com"}
caddy  | {"level":"debug","ts":1748283450.4196746,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*"}
caddy  | {"level":"debug","ts":1748283450.4196813,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","remote_ip":"192.168.0.10","remote_port":"52011","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52011","identifier":"cloudflare-ech.com","cipher_suites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_or_obtain_if_necessary":true,"on_demand":false}
caddy  | {"level":"debug","ts":1748283450.4197345,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.0.10:52011: no certificate available for 'cloudflare-ech.com'"}
Gracefully stopping... (press Ctrl+C again to force)
[+] Stopping 1/1
 ✔ Container caddy  Stopped 

Here is the list of my local DNS records (Pi-hole):

I don’t know if it matters but my Pi-hole uses Cloudflared for DoH.

If you need me to try something else, let me know.

You can delete DNS records but you also have to clear your local resolvers’ DNS caches, so they don’t remember the old values.

See: Automatic HTTPS — Caddy Documentation


Yes, between tests, I always use a new Windows Sandbox.
Inside the Sandbox, I disable IPv6 and change the IPv4 DNS to my Pi-hole IP.
Then I open Windows PowerShell and run ipconfig /flushdns
Finally, I open Edge and Clear Browsing Data (All time) before navigating to the website.

Now I was thinking, maybe ECH just doesn’t work the way I think.
Maybe it only works with External DNS. Because it’s using DoH.

What I mean by this is that, with ECH, you can’t have a local website that is accessible inside the local network and at the same time have a completely different website that is only accessible outside of the network.

Could that be the reason why ECH is failing in this case?
Maybe Caddy is ignoring the local DNS records and is going directly with the A records from Cloudflare (which are different than the local ones) and that’s why cloudflare-ech.com shows up in my Caddy logs.

If that’s the way it works, is there a way to disable ECH on Caddy?
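An added example, not part of the original posts and not Caddy's own code: in ECH the outer ClientHello carries the public_name of the ECHConfig the client actually used, so a failed handshake whose SNI is neither a served domain nor the server's own ECH public name shows the client obtained its ECH config from somewhere else. The script below applies that check to Caddy debug logs; the sample lines are constructed, shortened versions of the ones quoted in this thread, and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample: shortened copies of the log lines quoted in the thread.
SAMPLE_LOG = r'''
[+] Running 1/1
caddy  | {"level":"debug","logger":"http.auto_https","msg":"adjusted config","tls":{"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}}}
caddy  | {"level":"info","logger":"http","msg":"enabling automatic TLS certificate management","domains":["selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua","yt.selfhosted.pp.ua"]}
caddy  | {"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"cloudflare-ech.com","remote":"192.168.0.10:58011"}
caddy  | {"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"cloudflare-ech.com","remote":"192.168.0.10:52002"}
caddy  | {"level":"debug","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","subjects":["*.selfhosted.pp.ua"]}
Gracefully stopping... (press Ctrl+C again to force)
'''


def parse_caddy_lines(text):
    """Yield one dict per JSON log line, skipping compose banners and blanks."""
    for line in text.splitlines():
        start = line.find("{")  # drop the "caddy  | " container prefix
        if start < 0:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue


def name_matches(pattern, name):
    """Case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, name = pattern.lower(), name.lower()
    if pattern == name:
        return True
    if pattern.startswith("*."):
        head, _, tail = name.partition(".")
        return bool(head) and tail == pattern[2:]
    return False


def find_foreign_outer_sni(text):
    """Report failed handshakes whose SNI this server never advertised."""
    served, public_names = set(), set()
    failures = defaultdict(set)  # SNI -> set of client "ip:port"
    for entry in parse_caddy_lines(text):
        msg = entry.get("msg")
        if msg == "enabling automatic TLS certificate management":
            served.update(d.lower() for d in entry.get("domains", []))
        elif msg == "generated new ECH config":
            public_names.add(entry["public_name"].lower())
        elif msg == "adjusted config":
            ech = entry.get("tls", {}).get("encrypted_client_hello", {})
            for cfg in ech.get("configs", []):
                if "public_name" in cfg:
                    public_names.add(cfg["public_name"].lower())
        elif msg == "no certificate matching TLS ClientHello":
            sni = entry.get("server_name", "").lower()
            failures[sni].add(entry.get("remote", ""))
    # Filter only after the whole log is read, so line order does not matter.
    expected = served | public_names
    foreign = {
        sni: sorted(remotes)
        for sni, remotes in failures.items()
        if not any(name_matches(p, sni) for p in expected)
    }
    return {
        "public_names": sorted(public_names),
        "served": sorted(served),
        "foreign_outer_sni": foreign,
    }


if __name__ == "__main__":
    report = find_foreign_outer_sni(SAMPLE_LOG)
    print("ECH public name(s) this server uses:", report["public_names"])
    for sni, remotes in report["foreign_outer_sni"].items():
        print(f"outer SNI {sni!r} not advertised here; clients: {remotes}")
```

An empty `foreign_outer_sni` together with handshakes that match a served certificate is what the later, working logs in this thread would produce.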

Just as I was mentioning in my previous comment, it looks like you can’t have two different websites on the same domain: an internal only website and an external only website if ECH is enabled on Caddy Server or Cloudflare.

I changed the A records on my Cloudflare Dashboard and pointed them to the local/internal IP of my Caddy Server instead of the one I had before. Now it matches the DNS records of my Pi-hole.

After doing that, I deleted the HTTPS records and also the caddy-data/caddy/ech directory and started the Caddy container.

Now it looks like it’s working. No more ERR_SSL_PROTOCOL_ERROR when visiting www.SelfHosted.pp.ua, SelfHosted.pp.ua and YT.SelfHosted.pp.ua.

Here are the logs:


[+] Running 1/1
 ✔ Container caddy  Created                                                                                                                                             0.0s
Attaching to caddy
caddy  | {"level":"info","ts":1748323804.7826538,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
caddy  | {"level":"info","ts":1748323804.7828882,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7493747097,"previous":9223372036854775807}
caddy  | {"level":"info","ts":1748323804.7829723,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
caddy  | {"level":"info","ts":1748323804.784184,"msg":"adapted config to JSON","adapter":"caddyfile"}
caddy  | {"level":"warn","ts":1748323804.7841957,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":10}
caddy  | {"level":"info","ts":1748323804.785301,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
caddy  | {"level":"info","ts":1748323804.7857306,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001b7000"}
caddy  | {"level":"debug","ts":1748323804.8309402,"logger":"tls.ech","msg":"generated new ECH config","public_name":"ech.selfhosted.pp.ua","id":127}
caddy  | {"level":"info","ts":1748323804.8312216,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
caddy  | {"level":"info","ts":1748323804.8312843,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
caddy  | {"level":"debug","ts":1748323804.8313742,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"]},{"subjects":["ech.SelfHosted.pp.ua"]},{}]},"encrypted_client_hello":{"configs":[{"public_name":"ech.SelfHosted.pp.ua"}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true},{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.15:3001"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
caddy  | {"level":"debug","ts":1748323804.831938,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
caddy  | {"level":"info","ts":1748323804.832105,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
caddy  | {"level":"info","ts":1748323804.8322458,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
caddy  | {"level":"info","ts":1748323804.832554,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy  | {"level":"debug","ts":1748323804.832664,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
caddy  | {"level":"warn","ts":1748323804.8327382,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"warn","ts":1748323804.832802,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
caddy  | {"level":"info","ts":1748323804.8328729,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
caddy  | {"level":"info","ts":1748323804.832935,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["selfhosted.pp.ua","*.selfhosted.pp.ua","www.selfhosted.pp.ua","yt.selfhosted.pp.ua"]}
caddy  | {"level":"warn","ts":1748323804.833423,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8335922,"logger":"tls.cache","msg":"added certificate to cache","subjects":["selfhosted.pp.ua"],"expiration":1755914507,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a","cache_size":1,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8336852,"logger":"events","msg":"event","name":"cached_managed_cert","id":"7e40fa3c-95d3-453e-bd42-7c1257034029","origin":"tls","data":{"sans":["selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748323804.8340666,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [*.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["*.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8342364,"logger":"tls.cache","msg":"added certificate to cache","subjects":["*.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d","cache_size":2,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8343256,"logger":"events","msg":"event","name":"cached_managed_cert","id":"8c73278f-a84a-4e8c-8945-e48f25f69175","origin":"tls","data":{"sans":["*.selfhosted.pp.ua"]}}
caddy  | {"level":"warn","ts":1748323804.8347776,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [ech.selfhosted.pp.ua]: no OCSP server specified in certificate","identifiers":["ech.selfhosted.pp.ua"]}
caddy  | {"level":"debug","ts":1748323804.8348954,"logger":"tls.cache","msg":"added certificate to cache","subjects":["ech.selfhosted.pp.ua"],"expiration":1755914503,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"2a0b71a34009dfc38b35f77fb4f88bfc8759ff09e1d89ee3049358962e17e3d4","cache_size":3,"cache_capacity":10000}
caddy  | {"level":"debug","ts":1748323804.8349755,"logger":"events","msg":"event","name":"cached_managed_cert","id":"a2df25f2-e663-48e1-9c33-fd1cc8b4b9de","origin":"tls","data":{"sans":["ech.selfhosted.pp.ua"]}}
caddy  | {"level":"debug","ts":1748323804.8351486,"logger":"events","msg":"event","name":"started","id":"62465aef-9744-4e01-9380-ed2782d40cbd","origin":"","data":null}
caddy  | {"level":"info","ts":1748323804.8353355,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy  | {"level":"info","ts":1748323804.8354063,"msg":"serving initial configuration"}
caddy  | {"level":"info","ts":1748323804.8470654,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"aae20edd-ca84-4b58-af5a-fccb411b6a18","try_again":1748410204.847064,"try_again_in":86399.999999592}
caddy  | {"level":"info","ts":1748323804.847239,"logger":"tls","msg":"finished cleaning storage units"}
caddy  | {"level":"debug","ts":1748323804.8576515,"logger":"tls.ech","msg":"publishing ECH config list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[127]}
caddy  | {"level":"debug","ts":1748323804.85843,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 41545\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;www.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1411\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323804.8589752,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 44274\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1411\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323807.5260882,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 54399\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;yt.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1408\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323807.5269575,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 18053\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1408\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.2066503,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 57584\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.7875547,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NXDOMAIN, id: 9454\n;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;*.selfhosted.pp.ua.\tIN\t SOA\n\n;; AUTHORITY SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"debug","ts":1748323808.7886686,"logger":"tls.soa_lookup","msg":"fetched SOA","msg":";; opcode: QUERY, status: NOERROR, id: 13512\n;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version 0; flags:; udp: 1232\n\n;; QUESTION SECTION:\n;selfhosted.pp.ua.\tIN\t SOA\n\n;; ANSWER SECTION:\nselfhosted.pp.ua.\t1407\tIN\tSOA\thoward.ns.cloudflare.com. dns.cloudflare.com. 2373808913 10000 2400 604800 1800\n"}
caddy  | {"level":"warn","ts":1748323808.9738617,"logger":"tls","msg":"domain does not have any existing records, so skipping publication of HTTPS record","domain":"*.selfhosted.pp.ua","relative_name":"*","zone":"selfhosted.pp.ua."}
caddy  | {"level":"info","ts":1748323808.9738967,"logger":"tls","msg":"published ECH configuration list","domains":["www.selfhosted.pp.ua","yt.selfhosted.pp.ua","selfhosted.pp.ua","*.selfhosted.pp.ua"],"config_ids":[127]}





caddy  | {"level":"debug","ts":1748323828.0861006,"logger":"events","msg":"event","name":"tls_get_certificate","id":"9ddccc4e-ac03-420c-9998-dc7814e4c75e","origin":"tls","data":{"client_hello":{"CipherSuites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"www.selfhosted.pp.ua","SupportedCurves":[47802,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53038,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323828.0861928,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.selfhosted.pp.ua"}
caddy  | {"level":"debug","ts":1748323828.0862036,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323828.0862086,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.selfhosted.pp.ua","subjects":["*.selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.086214,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53038","subjects":["*.selfhosted.pp.ua"],"managed":true,"expiration":1755914503,"hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.0882335,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.0909705,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002675122,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/","headers":{"Priority":["u=0, i"],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Dest":["document"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Site":["none"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"]},"status":302}
caddy  | {"level":"debug","ts":1748323828.0959253,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.097119,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001146346,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/status/services","headers":{"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Priority":["u=0, i"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["document"],"X-Forwarded-For":["192.168.0.10"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.14299,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.14299,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.1454394,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002352865,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["*/*"],"Priority":["u=1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Origin":["https://www.selfhosted.pp.ua"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["script"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["489902"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Vary":["Accept-Encoding"],"Content-Type":["application/javascript; charset=UTF-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.1463554,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003121606,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Site":["same-origin"],"Accept":["text/css,*/*;q=0.1"],"X-Forwarded-Proto":["https"],"Origin":["https://www.selfhosted.pp.ua"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["style"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Mode":["cors"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Priority":["u=0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Content-Length":["44995"],"Connection":["keep-alive"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Keep-Alive":["timeout=5"],"Content-Encoding":["gzip"],"Content-Type":["text/css; charset=UTF-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.2896636,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.2908545,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001127293,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Priority":["i"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["same-origin"],"Origin":["https://www.selfhosted.pp.ua"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-For":["192.168.0.10"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Content-Type":["image/svg+xml"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Etag":["W/\"269-193e2ecf7a8\""]},"status":200}
caddy  | {"level":"debug","ts":1748323828.2957182,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.299268,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003501041,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Accept":["application/json, text/plain, */*"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"Priority":["u=1, i"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Content-Type":["application/json; charset=utf-8"],"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Cache-Control":["no-cache"]},"status":200}
caddy  | {"level":"debug","ts":1748323828.3162637,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.317582,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001256937,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Referer":["https://www.selfhosted.pp.ua/status/services"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["no-cors"],"If-None-Match":["W/\"269-193e2ecf7a8\""],"Sec-Fetch-Dest":["image"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["www.selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept-Encoding"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"]},"status":304}
caddy  | {"level":"debug","ts":1748323828.3803103,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1938d3f6-69f4-4901-a3c8-849856f74129","origin":"tls","data":{"client_hello":{"CipherSuites":[60138,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"www.selfhosted.pp.ua","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53040,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323828.38035,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"www.selfhosted.pp.ua"}
caddy  | {"level":"debug","ts":1748323828.3803568,"logger":"tls.handshake","msg":"choosing certificate","identifier":"*.selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323828.3803623,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"*.selfhosted.pp.ua","subjects":["*.selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.3803682,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53040","subjects":["*.selfhosted.pp.ua"],"managed":true,"expiration":1755914503,"hash":"4bcaf06663bca5c003e07abd20a99bdcf72b47eb8950928c06083340caf2467d"}
caddy  | {"level":"debug","ts":1748323828.3820775,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323828.3886638,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.006486126,"request":{"remote_ip":"192.168.0.10","remote_port":"53040","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"www.selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Referer":["https://www.selfhosted.pp.ua/status/services"],"X-Forwarded-For":["192.168.0.10"],"Accept":["*/*"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Dest":["manifest"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["www.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Priority":["u=2"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:30:28 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""]},"status":200}

caddy  | {"level":"debug","ts":1748323862.4814973,"logger":"events","msg":"event","name":"tls_get_certificate","id":"cc31c3ad-e16a-4efc-92b8-845ecb7d7475","origin":"tls","data":{"client_hello":{"CipherSuites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"selfhosted.pp.ua","SupportedCurves":[64250,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[19018,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53056,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323862.4815354,"logger":"tls.handshake","msg":"choosing certificate","identifier":"selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323862.4815423,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"selfhosted.pp.ua","subjects":["selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.4815476,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53056","subjects":["selfhosted.pp.ua"],"managed":true,"expiration":1755914507,"hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.4828134,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.4854336,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002576025,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/","headers":{"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-Proto":["https"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Dest":["document"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"],"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:31:02 GMT"]},"status":302}
caddy  | {"level":"debug","ts":1748323862.4887595,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.489637,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000838304,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/status/services","headers":{"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Proto":["https"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-User":["?1"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Mode":["navigate"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.5304708,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.5304844,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.533708,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003171708,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Accept-Language":["en-US,en;q=0.9"],"Origin":["https://selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["script"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-For":["192.168.0.10"],"Priority":["u=1"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept":["*/*"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Referer":["https://selfhosted.pp.ua/status/services"],"X-Forwarded-Host":["selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Vary":["Accept-Encoding"],"Accept-Ranges":["bytes"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Content-Length":["489902"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Content-Type":["application/javascript; charset=UTF-8"],"Cache-Control":["public, max-age=0"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.5351355,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.004527467,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Sec-Fetch-Dest":["style"],"Accept-Language":["en-US,en;q=0.9"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Mobile":["?0"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept":["text/css,*/*;q=0.1"],"Referer":["https://selfhosted.pp.ua/status/services"],"X-Forwarded-Proto":["https"],"Via":["2.0 Caddy"],"Priority":["u=0"],"Origin":["https://selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Content-Type":["text/css; charset=UTF-8"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Content-Length":["44995"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.66775,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.670038,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002244095,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Referer":["https://selfhosted.pp.ua/status/services"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Origin":["https://selfhosted.pp.ua"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Etag":["W/\"269-193e2ecf7a8\""],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["image/svg+xml"],"Cache-Control":["public, max-age=0"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.6728804,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.6737251,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000804379,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Ch-Ua-Mobile":["?0"],"Priority":["u=1, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Dest":["empty"],"Referer":["https://selfhosted.pp.ua/status/services"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["application/json, text/plain, */*"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"]},"status":200}
caddy  | {"level":"debug","ts":1748323862.6955147,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.6964982,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.000910165,"request":{"remote_ip":"192.168.0.10","remote_port":"53056","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/icon.svg","headers":{"Sec-Fetch-Dest":["image"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua-Platform":["\"Windows\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Referer":["https://selfhosted.pp.ua/status/services"],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["selfhosted.pp.ua"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Priority":["i"],"Sec-Fetch-Mode":["no-cors"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"If-None-Match":["W/\"269-193e2ecf7a8\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"]},"status":304}
caddy  | {"level":"debug","ts":1748323862.7603009,"logger":"events","msg":"event","name":"tls_get_certificate","id":"1a03c699-4e8a-4b9d-91a7-7250b80ad5ca","origin":"tls","data":{"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"selfhosted.pp.ua","SupportedCurves":[2570,4588,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[14906,772,771],"RemoteAddr":{"IP":"192.168.0.10","Port":53039,"Zone":""},"LocalAddr":{"IP":"172.18.0.2","Port":443,"Zone":""}}}}
caddy  | {"level":"debug","ts":1748323862.7603526,"logger":"tls.handshake","msg":"choosing certificate","identifier":"selfhosted.pp.ua","num_choices":1}
caddy  | {"level":"debug","ts":1748323862.7603588,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"selfhosted.pp.ua","subjects":["selfhosted.pp.ua"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.7603652,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.10","remote_port":"53039","subjects":["selfhosted.pp.ua"],"managed":true,"expiration":1755914507,"hash":"341bf291c7690f98c099c1580d338dedd14ed1d9165f5f431c4f3519c0273e8a"}
caddy  | {"level":"debug","ts":1748323862.763761,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323862.7650912,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001249087,"request":{"remote_ip":"192.168.0.10","remote_port":"53039","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=2"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Via":["2.0 Caddy"],"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Dest":["manifest"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Sec-Fetch-Mode":["cors"],"Accept":["*/*"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"X-Forwarded-Host":["selfhosted.pp.ua"],"Referer":["https://selfhosted.pp.ua/status/services"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""],"Date":["Tue, 27 May 2025 05:31:02 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":200}





caddy  | {"level":"debug","ts":1748323913.4599836,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.463358,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003293697,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Upgrade-Insecure-Requests":["1"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"X-Forwarded-For":["192.168.0.10"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Dest":["document"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-US,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Location":["/status/services"],"Vary":["Accept"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["45"],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":302}
caddy  | {"level":"debug","ts":1748323913.4668758,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.4685206,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001598699,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/status/services","headers":{"Upgrade-Insecure-Requests":["1"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Site":["none"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"],"Sec-Fetch-Mode":["navigate"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept-Language":["en-US,en;q=0.9"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["text/html; charset=utf-8"],"Content-Length":["2881"],"Etag":["W/\"b41-xwT7yyFx3t7QJVBd3If6QxuNttM\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.5187948,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.5188057,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.5215786,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002723503,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/assets/index-bOVKKa1O.css","headers":{"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Origin":["https://yt.selfhosted.pp.ua"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Dest":["style"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Accept":["text/css,*/*;q=0.1"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Priority":["u=0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Mode":["cors"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Site":["same-origin"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Vary":["Accept-Encoding"],"Cache-Control":["public, max-age=0"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Encoding":["gzip"],"Content-Type":["text/css; charset=UTF-8"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"afc3-193e2ecf7a8\""],"Content-Length":["44995"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.522392,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.003474065,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/assets/index-B_z9mVlf.js","headers":{"Origin":["https://yt.selfhosted.pp.ua"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Accept":["*/*"],"X-Forwarded-Proto":["https"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["same-origin"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-For":["192.168.0.10"],"Priority":["u=1"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["script"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"779ae-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Content-Type":["application/javascript; charset=UTF-8"],"Cache-Control":["public, max-age=0"],"Content-Length":["489902"],"Connection":["keep-alive"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6563601,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6589122,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.002492498,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/icon.svg","headers":{"Accept-Language":["en-US,en;q=0.9"],"Priority":["i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Origin":["https://yt.selfhosted.pp.ua"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Via":["2.0 Caddy"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["cors"],"Sec-Fetch-Dest":["image"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Vary":["Accept-Encoding"],"Content-Encoding":["gzip"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Content-Length":["617"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["image/svg+xml"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6621,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6645565,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.00240717,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/api/status-page/heartbeat/services","headers":{"Sec-Fetch-Site":["same-origin"],"Sec-Fetch-Mode":["cors"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Priority":["u=1, i"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["empty"],"Accept-Language":["en-US,en;q=0.9"],"Accept":["application/json, text/plain, */*"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"X-Forwarded-Proto":["https"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Ch-Ua-Mobile":["?0"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Cache-Control":["no-cache"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["36"],"Etag":["W/\"24-EsPVtSRb2MavNViD7fIuXL0bd5o\""]},"status":200}
caddy  | {"level":"debug","ts":1748323913.6844797,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.6858447,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001307523,"request":{"remote_ip":"192.168.0.10","remote_port":"53038","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/icon.svg","headers":{"X-Forwarded-Proto":["https"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Sec-Fetch-Dest":["image"],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Priority":["i"],"Referer":["https://yt.selfhosted.pp.ua/status/services"],"If-Modified-Since":["Fri, 20 Dec 2024 07:16:41 GMT"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.0.10"],"Via":["2.0 Caddy"],"If-None-Match":["W/\"269-193e2ecf7a8\""],"Sec-Ch-Ua-Platform":["\"Windows\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Mode":["no-cors"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Vary":["Accept-Encoding"],"Accept-Ranges":["bytes"],"Cache-Control":["public, max-age=0"],"Last-Modified":["Fri, 20 Dec 2024 07:16:41 GMT"],"Etag":["W/\"269-193e2ecf7a8\""],"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"]},"status":304}
caddy  | {"level":"debug","ts":1748323913.7460625,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"192.168.0.15:3001","total_upstreams":1}
caddy  | {"level":"debug","ts":1748323913.7472038,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.15:3001","duration":0.001069656,"request":{"remote_ip":"192.168.0.10","remote_port":"53040","client_ip":"192.168.0.10","proto":"HTTP/2.0","method":"GET","host":"yt.selfhosted.pp.ua","uri":"/api/status-page/services/manifest.json","headers":{"Referer":["https://yt.selfhosted.pp.ua/status/services"],"Priority":["u=2"],"X-Forwarded-For":["192.168.0.10"],"X-Forwarded-Host":["yt.selfhosted.pp.ua"],"Via":["2.0 Caddy"],"Sec-Fetch-Dest":["manifest"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/136.0.0.0 Safari/537.36 Edg/136.0.0.0"],"Sec-Fetch-Mode":["cors"],"Sec-Ch-Ua-Mobile":["?0"],"Accept":["*/*"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Ch-Ua":["\"Chromium\";v=\"136\", \"Microsoft Edge\";v=\"136\", \"Not.A/Brand\";v=\"99\""],"Accept-Language":["en-US,en;q=0.9"],"X-Forwarded-Proto":["https"],"Sec-Fetch-Site":["same-origin"],"Sec-Ch-Ua-Platform":["\"Windows\""]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"h2","server_name":"www.selfhosted.pp.ua"}},"headers":{"Date":["Tue, 27 May 2025 05:31:53 GMT"],"Connection":["keep-alive"],"Keep-Alive":["timeout=5"],"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["140"],"Etag":["W/\"8c-f17kptaqJBKJeGnpABfbUHe3VJQ\""]},"status":200}

Gracefully stopping... (press Ctrl+C again to force)
[+] Stopping 1/1
 ✔ Container caddy  Stopped


Is there a way to disable ECH on Caddy?
That would be the only way of doing what I want to do: using the same domain serving a public website that can be accessed when I’m outside of the home network and a different private website that can only be accessed when I’m connected to the local home network.

While I know I can disable Cloudflare’s ECH using the API, I would prefer not to disable it that way. I want the external/public website to have ECH enabled. I would be using a different Caddy Server instance for that one. And since I don’t think ECH is necessary (or am I wrong?) on a private network, I think disabling it on the local Caddy Server would solve it.

Hey @matt
I hope everything is going well
Please don’t forget to take a look at this post

I guess I don’t follow… (I’m also not at 100% cognitive ability yet, getting over sickness):

ECH is disabled by default on Caddy, you have to enable it.

I have the very same issue. It’s very annoying. I wish someone could find a solution that doesn’t mean disabling ECH on Cloudflare’s side.

By the way, I am baking Caddy as a local proxy companion for cloudflared in Home Assistant. My use case is precisely the same as yours, @Darknicks.

This error happens when using an incorrectly configured local DNS override.

At one end of the spectrum, overriding any DNS records gives problems with the DNS challenges, while only overriding the A and AAAA records means this ECH problem. You want to make empty HTTPS records for the domains you overwrote in the local DNS server.


Thanks a lot for replying, @ferrybig. But could you please elaborate on what you mean by “You want to make empty HTTPS records for the domains you overwrote in the local DNS server”?

Let’s say my website is ha.example.com, which is publicly pointing to Cloudflare, but internally is pointing to 192.168.1.10 through an A record.

Do you mean I should create an additional record for ha.example.com within my local DNS server with HTTPS type and set it to blank?

I reported this as an issue in Caddy’s GitHub. It may not be an issue in Caddy at the end of the day, but I guess it’s better to discuss it in a single place:


Setting a record to blank might not work.

From a device in the local network, run dig +noall +answer HTTPS example.com to see what is returned.

You could set your router to return example.com. 7016 IN HTTPS 1 . alpn="h2,h3" instead of blank, so it overrides the record of your domain properly.


Ok, that’s interesting.

❯ dig +noall +answer A ha.example.com
ha.example.com.     0       IN      A       192.168.1.10

❯ dig +noall +answer HTTPS ha.example.com
ha.example.com.     277     IN      HTTPS   1 . alpn="h3,h2" ipv4hint=104.21.48.163,172.67.154.87 ipv6hint=2606:4700:3032::6815:30a3,2606:4700:3033::ac43:9a57

I just need to figure out how to set such a record in OpenWrt now.

I couldn’t configure the HTTPS record yet.

However, I can confirm that once I make OpenWrt no longer include the HTTPS record in the DNS response, I no longer have such a problem.

To make that happen, I needed to not only set my DNS record in OpenWrt > Network > DHCP and DNS > DNS Records > Hostnames, but also add the /lan/<domain>/ record in OpenWrt > Network > DHCP and DNS > General > Addresses.

This isn’t ideal yet because without the HTTPS record, HTTP/2 and HTTP/3 between my browser and Caddy cannot be established as optimally as otherwise.


Turns out OpenWrt doesn’t support configuring HTTPS records yet, specifically LuCI.

But thanks to an amazing guy named systemcrash this is already in the works, and I was able to patch my device locally (more details here).

I was able to test the early work and confirm it to be working:

❯ dig @192.168.1.1 +noall +answer HTTPS ha.example.com
ha.example.com.     0       IN      HTTPS   1 ha.example.com. alpn="h3,h2" ipv4hint=192.168.1.10

And it’s working great, no more cloudflare-ech.com requests going to Caddy, and HTTP/2 and HTTP/3 connections can be established right away without requiring the initial HTTP/1.1 connection.

I suppose I could even go ahead and enable ECH in Caddy as well. I’d just need to make sure my HTTPS record points to it similar to how the Cloudflare one does:

❯ dig @1.1.1.1 +noall +answer HTTPS ha.example.com
ha.example.com.     300     IN      HTTPS   1 . alpn="h3,h2" ipv4hint=104.21.48.163,172.67.154.87 ech=AEX+DQBBcgAgACCuudXVeqy1b7VjHm3+N5rJppj+yAvIrV3DfAS5RT2teQAEAAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA= ipv6hint=2606:4700:3032::6815:30a3,2606:4700:3033::ac43:9a57

But ECH within my local network doesn’t really make sense. I control the DNS resolver anyway; it’s not leaking to my ISP or something like that.

Conclusion:

Make sure your local DNS server is serving both the A/AAAA and HTTPS records for your domain. If you serve just A/AAAA, then your browser will probably end up receiving the HTTPS record from the public DNS server, which is going to confuse the browser and cause the ERR_SSL_PROTOCOL_ERROR down the line.

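The check described in the conclusion, as an added example that is not code from anyone in the thread: it parses `dig +noall +answer` lines, flags a name whose A record is private while the HTTPS record the same client receives still carries public address hints or an ECH config, and decodes the `ech=` value to show the public name a browser would put in its outer ClientHello. The function names are assumptions of this example, the ECHConfig layout parsed is that of version 0xfe0d, and the sample lines are the thread's own dig answers, abridged.

```python
import base64
import ipaddress
import shlex
import struct

def parse_https_answer(line):
    """Split one `dig +noall +answer HTTPS <name>` line into (target, params)."""
    fields = shlex.split(line)  # shlex strips the quotes around alpn="h3,h2"
    if len(fields) < 6 or fields[3] != "HTTPS":
        raise ValueError("not an HTTPS answer line")
    return fields[5], dict(f.split("=", 1) for f in fields[6:] if "=" in f)

def ech_public_names(ech_b64):
    """Return public_name from every version-0xfe0d ECHConfig in an ECHConfigList."""
    data = base64.b64decode(ech_b64)
    if struct.unpack_from("!H", data, 0)[0] != len(data) - 2:
        raise ValueError("ECHConfigList length prefix does not match payload")
    names, pos = [], 2
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        pos += 4 + length
        if version != 0xFE0D:
            continue  # other versions have a different layout; skip them
        p = 3                                          # config_id(1) + kem_id(2)
        p += 2 + struct.unpack_from("!H", body, p)[0]  # public_key, 2-byte length
        p += 2 + struct.unpack_from("!H", body, p)[0]  # cipher_suites, 2-byte length
        p += 1                                         # maximum_name_length
        names.append(body[p + 1:p + 1 + body[p]].decode("ascii"))
    return names

def audit(a_line, https_line):
    """Compare the A and HTTPS answers a LAN client receives for one name."""
    a_addr = ipaddress.ip_address(a_line.split()[-1])
    if not a_addr.is_private:
        return []  # name is not overridden locally, nothing to compare
    _, params = parse_https_answer(https_line)
    hints = [h for key in ("ipv4hint", "ipv6hint")
             for h in params.get(key, "").split(",") if h]
    public = [h for h in hints if not ipaddress.ip_address(h).is_private]
    findings = []
    if public:
        findings.append(f"A is {a_addr} but HTTPS hints are public: {','.join(public)}")
    if "ech" in params:
        names = ",".join(ech_public_names(params["ech"]))
        findings.append(f"HTTPS record carries an ECH config for {names}")
    return findings

# Answer lines from the dig output quoted in the thread, abridged
# (whitespace collapsed; ipv6hint omitted from the ECH record).
A_LOCAL = "ha.example.com.     0       IN      A       192.168.1.10"
HTTPS_LEAKED = ('ha.example.com. 277 IN HTTPS 1 . alpn="h3,h2" '
                "ipv4hint=104.21.48.163,172.67.154.87 "
                "ipv6hint=2606:4700:3032::6815:30a3,2606:4700:3033::ac43:9a57")
HTTPS_PUBLIC_ECH = ('ha.example.com. 300 IN HTTPS 1 . alpn="h3,h2" '
                    "ipv4hint=104.21.48.163,172.67.154.87 "
                    "ech=AEX+DQBBcgAgACCuudXVeqy1b7VjHm3+N5rJppj+yAvIrV3DfAS5RT2teQAE"
                    "AAEAAQASY2xvdWRmbGFyZS1lY2guY29tAAA=")
HTTPS_FIXED = ('ha.example.com. 0 IN HTTPS 1 ha.example.com. alpn="h3,h2" '
               "ipv4hint=192.168.1.10")

if __name__ == "__main__":
    for label, rec in (("leaked", HTTPS_LEAKED), ("public+ech", HTTPS_PUBLIC_ECH),
                       ("fixed", HTTPS_FIXED)):
        print(label, audit(A_LOCAL, rec) or "consistent")
```

Feed it the two answers your own LAN resolver returns for each overridden name; an empty result means the A/AAAA and HTTPS records agree.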