Getting http 502 when trying to access webserver

1. The problem I’m having:

I’m using caddy to act as a reverse proxy for a webserver on another machine in my local network. When trying to access the website I’m getting an HTTP ERROR 502.

Using this as an example:

I tried to install the certificate on my webserver with the following command:

[07:43][octopi] : sudo ./caddy trust --address
2023/03/21 06:43:50.244 WARN    installing root certificate (you might be prompted for password)  {"path": ""}
2023/03/21 06:43:50.245 INFO    not NSS security databases found
2023/03/21 06:43:50.245 INFO    define JAVA_HOME environment variable to use the Java trust
2023/03/21 06:43:52.053 INFO    certificate installed properly in linux trusts

But I’m getting the same error

2. Error messages and/or full log output:

I can’t post the caddy logs as I’m getting an error while submitting this form. But here are the relevant bits:

Mar 21 07:14:42 piwall caddy[509]: {"level":"debug","ts":1679379282.7036712,"logger":"http.handlers.reverse_proxy",  [ ... ]   :["https"],"X-Forwarded-Host":[""]},"tls":{"resumed":true,"version":772,"cipher_suite":4867,"proto":"h3","server_name":""}},"error":"tls: failed to verify certificate: x509: certificate signed by unknown authority"}

Mar 21 07:14:42 piwall caddy[509]: {"level":"error","ts":1679379282.714907,"logger":"http.log.error.log0","msg":"tls: failed to verify certificate: x509: certificate signed by unknown authority","request":  [ ... ]  ,"tls":{"resumed":true,"version":772,"cipher_suite":4867,"proto":"h3","server_name":""}},"duration":0.123664963,"status":502,"err_id":"4fwet2xnu","err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

a. System environment:

Raspberry pi (armv6l) with raspbian

b. Command:

I’m using a custom static binary

c. Service/unit/compose file:


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

{
        admin :2019

        security {
                local identity store localdb {
                        realm local
                        path /home/paul/.local/caddy/localauth/users.json
                }
                authentication portal myportal {
                        crypto default token lifetime 3600
                        crypto key sign-verify secret
                        enable identity store localdb
                        ui {
                                links {
                                        "Octoprint" "/print" icon "las la-star"
                                        "WhoAmI" "/auth/whoami" icon "las la-star"
                                }
                        }
                        transform user {
                                match origin local
                                action add role authp/user
                        }
                        transform user {
                                match origin local
                                match roles authp/user
                                ui link "Portal Settings" "/auth/settings" icon "las la-cog"
                        }
                }
                authorization policy users_policy {
                        set auth url
                        allow roles authp/admin authp/user
                        crypto key verify secret
                        acl rule {
                                comment allow users
                                match role authp/user
                                allow stop log info
                        }
                        acl rule {
                                comment default deny
                                match role any
                                deny log warn
                        }
                }
        }
} {
        @mygeofilter {
                maxmind_geolocation {
                        db_path "/usr/share/GeoIP/GeoLite2-Country.mmdb"
                        allow_countries FR
                }
        }
        route /auth* {
                authenticate with myportal
        }

        route /print* {
                authorize with users_policy
                uri strip_prefix /print
                reverse_proxy @mygeofilter https://octopi
        }

        route {
                redir https://{hostport}/auth/login 302
        }
        log {
                format transform `{request>remote_addr} - {request>user_id} [{ts}] "{request>method} {request>uri} {request>proto}" {status} {size} "{request>headers>Referer>[0]}" "{request>headers>User-Agent>[0]}"` {
                        time_format "02/Jan/2006 15:04:05 -0700"
                }
                output file /var/log/caddy/caddy.log
        }
}


Thanks for your help!

You’re proxying over HTTPS. Caddy doesn’t trust the certificate from your upstream app, so it’s failing to connect to your upstream.

Try proxying over HTTP instead, if the upstream app is in your local network.

I did just that, and I came across another problem: the web app on the other machine was redirecting to another login page. This interfered with the redir I had set up, and I was not going anywhere. I needed to add an X-Script-Name header to the mix and now it works perfectly.
Here is my final config:

route /print* {
        authorize with users_policy
        uri strip_prefix /print
        reverse_proxy @mygeofilter {
                header_up X-Scheme {scheme}
                header_up X-Script-Name /print
        }
}

Thanks a lot for your help!
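
The `x509: certificate signed by unknown authority` error in the logs above comes from Go's certificate chain check, which runs on the connecting side, here the proxy. The following Go program is an added example, not code from this thread or from Caddy; it reproduces the error with a constructed self-signed certificate for the hypothetical host name `octopi.example.internal` and shows it clearing once the verifying side's root pool contains that certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

const upstreamName = "octopi.example.internal" // hypothetical name, constructed

// newUpstreamCert returns a constructed self-signed certificate for upstreamName.
func newUpstreamCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{upstreamName},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAsProxy validates the upstream certificate against the roots held by
// the connecting side (the proxy); the upstream's own trust store plays no part.
func verifyAsProxy(cert *x509.Certificate, proxyRoots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: upstreamName, Roots: proxyRoots})
	return err
}

func main() {
	cert, err := newUpstreamCert()
	if err != nil {
		panic(err)
	}
	roots := x509.NewCertPool() // the proxy trusts nothing yet
	fmt.Println("before:", verifyAsProxy(cert, roots))
	roots.AddCert(cert) // trust the upstream certificate on the proxy side
	fmt.Println("after: ", verifyAsProxy(cert, roots))
}
```

In Caddy 2.6, the version used in this thread, the proxy-side pool for an upstream is set with `tls_trusted_ca_certs` inside the `transport http` section of `reverse_proxy`, which keeps TLS to the upstream instead of falling back to HTTP.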
