How to configure reverse proxy for mumble/murmur?

1. The problem I’m having:

I’m trying to set up a reverse proxy to a murmur server that is running in my homenet. The machine running caddy is connected to my homenet through a wireguard vpn. This setup works very nicely with caddy for most reverse proxies. However, now that I try to access my murmur server with a subdomain, I always get a "Server connection failed: The TLS/SSL connection has been closed." error in my mumble client.

I don’t really know what the issue here is. My murmur config is very minimal. If I understand the caddy documentation correctly then a udp proxy is supported. I run caddy in version 2.9.1.

2. Error messages and/or full log output:

As far as I can tell, this is the only error I get

Feb 02 15:44:40 personal-vps caddy[1866]: {"level":"error","ts":1738507480.1248767,"logger":"http.log.error","msg":"EOF","request":{"remote_ip":"37.209.30.113","remote_port":"62477","client_ip":"37.209.30.113","proto":"HTTP/2.0","method":"GET","host":"mumble.mydomain.com","uri":"/","headers":{"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"],"Sec-Ch-Ua":["\"Brave\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Sec-Fetch-User":["?1"],"Upgrade-Insecure-Requests":["1"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["en-US,en;q=0.9"],"Priority":["u=0, i"],"Sec-Ch-Ua-Platform":["\"Linux\""],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8"],"Sec-Fetch-Dest":["document"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Fetch-Mode":["navigate"],"Sec-Gpc":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"mumble.mydomain.com"}},"duration":0.06714513,"status":502,"err_id":"u4xrbizqv","err_trace":"reverseproxy.statusError (reverseproxy.go:1373)"}

3. Caddy version:

2.9.1

4. How I installed and ran Caddy:

As systemd with a Caddyfile

a. System environment:

Systemd on ubuntu 24.04

d. My complete Caddy config:

mumble.mydomain.com {
  reverse_proxy 10.10.10.10:64738
  #also tried this
  reverse_proxy udp/10.10.10.10:64738
}

I don’t know anything about Mumble other than the quick information I got from searching. Since it does use port 64738, that should be correct. It looks like Mumble may need the specific certificate, so you could add this to /etc/mumble-server.ini:

sslCert=/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/<example>/<example>.crt
sslKey=/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/<example>/<example>.key

Just make sure the directory is correct.

Interesting, and I was thinking along the same lines. However, my mumble server is running on a different machine than the caddy server (they are connected with a wireguard vpn connection).

Therefore, I don’t have the certificate and key available for the mumble configuration…

Maybe I could somehow sync the cert and key to the machine running the mumble service (do an rsync cron job maybe?). I think caddy automatically renews the cert, so I would have to update the file every once in a while.

Or I just bite the apple and run the mumble server on the same machine as the caddy server…

Thanks for your input!

You could set up shared storage, like Samba, to be accessible by both Caddy and Mumble via the VPN. Or you could make a script that is triggered by certificate renewal to ssh into the Mumble server and directly add files using the scp command.

Otherwise, I’m not sure how you could do it over a VPN connection.
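
The scp approach suggested above, as an added example (not code from anyone in this thread or from the Caddy or Mumble projects): a script for the Caddy machine that pushes the certificate and key over SSH only when the certificate has changed. It polls from cron or a systemd timer instead of hooking into renewal. The domain in the storage path, the remote account, the remote directory, the state file and the service name are all assumptions.

```shell
#!/bin/sh
# Added example: copy Caddy's renewed certificate to the Mumble host over SSH.
# All names below are assumptions or placeholders, not values from the thread.
DOMAIN="mumble.mydomain.com"
SRC="/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/$DOMAIN"
REMOTE="certsync@10.10.10.10"            # hypothetical account on the Mumble host
REMOTE_DIR="/etc/mumble-server-tls"      # hypothetical dir used by sslCert/sslKey
STATE="/var/lib/certsync/$DOMAIN.crt"    # copy of the last certificate pushed

# needs_push CERT STATE_COPY
# 0 = CERT differs from the last pushed copy, 1 = unchanged, 2 = CERT missing/empty
needs_push() {
    [ -s "$1" ] || return 2
    [ -f "$2" ] || return 0
    if cmp -s "$1" "$2"; then return 1; fi
    return 0
}

# mark_pushed CERT STATE_COPY: remember the pushed certificate (never the key)
mark_pushed() {
    mkdir -p "$(dirname "$2")" && cp "$1" "$2"
}

sync_cert() {
    crt="$SRC/$DOMAIN.crt"
    key="$SRC/$DOMAIN.key"
    rc=0
    needs_push "$crt" "$STATE" || rc=$?
    [ "$rc" -eq 1 ] && return 0
    [ "$rc" -eq 2 ] && { echo "certificate not found: $crt" >&2; return 1; }
    # Upload under temporary names and rename afterwards, so the server never
    # starts with a half-written file or a certificate/key pair that do not match.
    scp -q -p "$crt" "$REMOTE:$REMOTE_DIR/cert.pem.new" || return 1
    scp -q -p "$key" "$REMOTE:$REMOTE_DIR/key.pem.new" || return 1
    # Service name and the sudo rule are assumptions about the Mumble host.
    ssh "$REMOTE" "cd '$REMOTE_DIR' && chmod 600 key.pem.new \
        && mv cert.pem.new cert.pem && mv key.pem.new key.pem \
        && sudo systemctl restart mumble-server" || return 1
    mark_pushed "$crt" "$STATE"
}

# Intended to be run from cron or a systemd timer as: certsync.sh sync
if [ "${1:-}" = "sync" ]; then
    sync_cert
fi
```

The script has to run as a user that can read Caddy's storage directory, and the key ends up readable only by the remote account, so ownership on the Mumble host must let the Mumble service read it.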