How can I match a SNI "" (YES, Servername with /tcp)

1. Output of caddy version:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

a. System environment:

  • ubuntu 22.04 (lxc container on proxmox)
  • official caddy repo added

b. Command:

systemctl restart caddy

c. Service/unit/compose file:

# caddy.service
# For using Caddy with a config file.
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
# See for instructions.
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.


ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force


d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.


:80 {
	# Set this path to your site's directory.
	root * /usr/share/caddy

	# Enable the static file server.

	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080

	# Or serve a PHP site through php-fpm:
	# php_fastcgi localhost:9000

# my try
:443 {
       tls internal
       reverse_proxy {
        #header_up Host {host}
       transport http {

#guacamole {
        #rewrite / /guacamole/{uri}
        redir / /guacamole/
        reverse_proxy {
	header_up Host {host}

#vaultwarden {
}  {
       reverse_proxy {
        header_up Host {host}
       transport http {

3. The problem I’m having:

I try to use caddy as a reverse proxy in front of “Softether” (
If you disable the internal NAT-T function, the client automatically changes the hostname from $HOSTNAME to $HOSTNAME/tcp (YES, the hostname) → caddy doesn’t proxy it anymore. I already tried with ‘*’ or plain :443, but nothing seems to work.

4. Error messages and/or full log output:

  • nothing in the log (maybe wrong log config?)
  • response is: Alert Message, Level Fatal and Description: Internal Error (80)
  • I added a pcap

5. What I already tried:

  • tried different variants with wildcard, default_sni and stuff like that.

6. Links to relevant resources:

PCAP: Nextcloud

SNI cannot contain a path. That’s invalid.


Yeah, I know, but maybe there is a way to handle an invalid SNI? Like a catch-all?
However, I will write a bug report for softether.

No. Invalid SNI means that no TLS handshake can be completed, and it’s impossible to continue. There’s no bug, that’s working as intended.

@qupfer What is the output of a curl -v request? I’m not sure I understand.

That is definitely unusual, so I’m not surprised something doesn’t work, but I also wouldn’t be surprised if there was a way to hack it together.

Also, please enable debug logging. Put:


at the top of your Caddyfile, along with log.

What is in your server logs?

Hi, thanks for your quick answers. I added some information.
However, I “helped myself” with Haproxy in front of caddy, which redirects (without termination) everything beginning with to the vpn-server, and everything else to caddy.
Not sure if softether would work behind an ssl-terminating proxy, but it says it’s HTTP-VPN :smiley:

Here is the debug output.

Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.6192992,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":""}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.6193378,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*"}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.619343,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.de/tcp"}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.6193476,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"*.*.*"}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.6193533,"logger":"tls.handshake","msg":"all external certificate managers yielded no certificates and no errors","sni":""}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.619362,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"","identifier":"","cipher_suites":[4866,4867,4865,49196,49200,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,49195,49199,162,158,49326,49324,49314,49310,49244,49248,49238,49234,49188,49192,107,106,49267,49271,196,195,49187,49191,103,64,49266,49270,190,189,49162,49172,57,56,136,135,49161,49171,51,50,154,153,69,68,49159,49169,49160,49170,22,19,157,49313,49309,49233,156,49312,49308,49232,61,192,60,186,53,132,47,150,65,7,5,10,255],"cert_cache_fill":0.0004,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
Aug 03 21:06:01 proxy caddy[2538]: {"level":"debug","ts":1659553561.6194434,"logger":"http.stdlib","msg":"http: TLS handshake error from no certificate available for ''"}

I can’t deliver a curl output, as I don’t know how to set the SNI correctly. It will always set the SNI to , which will work.

However, openssl may also be helpful:

openssl s_client -connect -servername
802B08CA6F7F0000:error:0A000438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error:../ssl/record/rec_layer_s3.c:1584:SSL alert number 80
no peer certificate available
No client certificate CA names sent
SSL handshake has read 7 bytes and written 316 bytes
Verification: OK
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

without the false SNI:

openssl s_client -connect -servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN =
verify return:1
Certificate chain
 0 s:CN =
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug  3 06:35:49 2022 GMT; NotAfter: Nov  1 06:35:48 2022 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
Server certificate
subject=CN =
issuer=C = US, O = Let's Encrypt, CN = R3
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
SSL handshake has read 4158 bytes and written 376 bytes
Verification: OK
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
Post-Handshake New Session Ticket arrived:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_128_GCM_SHA256
    Session-ID: 33283B3B4EA4A2D77C5C72FDFF0C17F1FBF33CD56CD085464455FFB9B83E61BC
    Resumption PSK: 85EBFE53C3D921F5EC403979E765F4BA3E19731056EA6DA515FE59CB7B898EA2
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 604800 (seconds)
    TLS session ticket:
    0000 - 90 e5 40 33 25 b8 0f ec-5f 1b ff ac df 7f d5 d6   ..@3%..._.......
    0010 - 07 53 9d 62 79 74 a2 ad-94 1c cf 23 8f 78 4f 93   .S.byt.....#.xO.
    0020 - 88 2f 20 42 30 d4 d9 9a-ef df 5f e6 f2 e6 3f 42   ./ B0....._...?B
    0030 - 19 83 bc d2 5c 71 13 c7-50 03 c6 80 d4 d5 e1 b6   ....\q..P.......
    0040 - 70 1b 4e 3a f6 96 50 bc-5b ff c7 f8 ae 3c eb 4c   p.N:..P.[....<.L
    0050 - e9 07 87 00 88 ac c0 d8-d8 9b 99 3b 4b 49 16 6f   ...........;KI.o
    0060 - fd b7 a1 eb 36 d2 0a da-e7 8c 19 54 9d c2 5f 97   ....6......T.._.
    0070 - aa                                                .

    Start Time: 1659554217
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
read R BLOCK
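To make the two technical points of this thread concrete, here is an added Python example; it is not part of any post above and is not code from Caddy, HAProxy or SoftEther. It builds a ClientHello carrying an arbitrary server_name (what the SoftEther client puts on the wire once it appends `/tcp`), parses the SNI back out the way an L4 proxy's SNI fetch does, checks the value against the RFC 6066 HostName rule (a DNS hostname, no IP literal, no trailing dot, so a `/` can never be valid), and routes on an SNI prefix without terminating TLS, which is the HAProxy-in-front workaround described in the last post. The names `vpn.example.de`, `cloud.example.de` and the backend labels are assumptions; `probe_sni` is the optional live counterpart of the `openssl s_client -servername` check and needs a reachable server.

```python
"""SNI build / parse / validate / route demo (added example, not Caddy, HAProxy
or SoftEther code). Hostnames and backend names below are hypothetical."""
import ipaddress
import os
import re
import socket
import ssl
import struct
from typing import Dict, Optional

SNI_EXTENSION = 0x0000
# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 chars
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def build_client_hello(sni: str) -> bytes:
    """TLS 1.2 ClientHello record with one cipher suite and one extension: server_name.
    No validation on purpose: this is exactly what a misbehaving client sends."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type 0
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(entry) + 2) \
        + struct.pack("!H", len(entry)) + entry                     # ServerNameList
    body = (
        b"\x03\x03"                                 # client_version TLS 1.2
        + os.urandom(32)                            # random
        + b"\x00"                                   # session_id: empty
        + struct.pack("!HH", 2, 0x1301)             # cipher_suites: one suite
        + b"\x01\x00"                               # compression_methods: null
        + struct.pack("!H", len(sni_ext)) + sni_ext # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a raw ClientHello record, or None if absent.
    Like an L4 proxy's SNI fetch it returns the bytes verbatim, legal or not."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4 + 2 + 32                                    # handshake hdr, version, random
    p += 1 + hs[p]                                    # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
    p += 1 + hs[p]                                    # compression_methods
    if p >= len(hs):
        return None                                   # no extensions at all
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        data = hs[p + 4:p + 4 + ext_len]
        p += 4 + ext_len
        if ext_type != SNI_EXTENSION:
            continue
        q = 2                                         # skip ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]
            if name_type == 0:
                return data[q + 3:q + 3 + name_len].decode("ascii", "replace")
            q += 3 + name_len
    return None


def is_valid_sni_hostname(name: Optional[str]) -> bool:
    """RFC 6066 section 3: HostName is a fully qualified DNS hostname; IP literals
    and a trailing dot are not permitted. A path such as '/tcp' fails the label check."""
    if not name or name.endswith(".") or len(name) > 253:
        return False
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    return all(_LABEL.match(label) for label in name.split("."))


def route_by_sni(record: bytes, prefix_rules: Dict[str, str], default: str) -> str:
    """Pick a backend from the SNI prefix without terminating TLS (the same idea as
    HAProxy's `req.ssl_sni -m beg` in a mode tcp frontend). No or unknown SNI
    goes to the default backend."""
    sni = parse_sni(record) or ""
    for prefix, backend in prefix_rules.items():
        if sni.startswith(prefix):
            return backend
    return default


def probe_sni(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Live check equivalent to `openssl s_client -connect host:port -servername sni`
    (network required): negotiated protocol on success, OpenSSL's reason on failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.version() or "unknown"
        except ssl.SSLError as exc:
            return exc.reason or str(exc)


if __name__ == "__main__":
    rules = {"vpn.example.de": "softether"}           # hypothetical prefix rule
    for sni in ("vpn.example.de", "vpn.example.de/tcp", "cloud.example.de"):
        rec = build_client_hello(sni)
        print(f"{sni!r}: valid={is_valid_sni_hostname(parse_sni(rec))} "
              f"backend={route_by_sni(rec, rules, 'caddy')}")
```

The prefix match is why the HAProxy workaround holds: the SNI fetch hands back the extension bytes verbatim, so `vpn.example.de/tcp` still starts with `vpn.example.de` and is forwarded untouched to the VPN server, while Caddy never sees a name it would have to find a certificate for. The debug log earlier in the thread shows the other side of the same coin: Caddy's certificate selection walks `*.*.de/tcp` and the other wildcards, matches nothing, and the Go TLS stack answers the failed certificate lookup with alert 80 (internal error), which is exactly what the pcap and the first `openssl s_client` run report.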