How to reverse proxy non-tls upstreams

1. Caddy version:

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

a. System environment:

Linux 4.18.0-147.5.1.el8_1.x86_64

b. Command:

./caddy run -config caddy.json

c. Service/unit/compose file:

None

d. My complete Caddyfile or JSON config:

{
	"admin": {
		"disabled": true
	},
	"logging": {
		"logs": {
			"default": {
				"writer": {
					"output": "file",
					"filename": "caddy.log",
					"roll": true,
					"roll_size_mb": 5,
					"roll_gzip": true,
					"roll_local_time": true,
					"roll_keep": 50,
					"roll_keep_days": 90
				},
				"encoder": {
					"format": "console"
				},
				"level": "DEBUG"
			}
		}
	},
	"storage": {
		"module": "file_system",
		"root": "data"
	},
	"apps": {
		"http": {
			"http_port": 9442,
			"https_port": 9443,
			"servers": {
				"my-server": {
					"listen": [
						"0.0.0.0:443"
					],
					"automatic_https": {
						"disable": true
					},
					"strict_sni_host": false,
					"routes": [{
						"match": [{
							"path": ["/server/*"]
						}],
						"handle": [{
							"handler": "rewrite",
							"strip_path_prefix": "/server"
						},
						{
							"handler": "reverse_proxy",
							"buffer_requests": false,
							"transport": {
								"protocol": "http",
								"tls": {
									"insecure_skip_verify": true
								}
							},
							"upstreams": [{
								"dial": "127.0.0.1:8443"
							}]
						}],
						"terminal": true
					}, {
						"match": [{"path":["/api/*"]}],
						"handle": [{
							"handler": "reverse_proxy",
							"buffer_requests": false,
							"transport": {
								"protocol": "http",
								"tls": {
									"insecure_skip_verify": true
								}
							},
							"upstreams": [{
								"dial": "127.0.0.1:8444"
							}]
						}],
						"terminal": true
					}, {
						"match": [{
							"path": ["*"]
						}],
						"handle": [{
							"handler": "file_server",
							"root": "dist",
							"index_names": ["index.html", "index.htm", "test.html"]
						}]
					}],
					"tls_connection_policies": [{
						"match": {
							"sni": ["", "localhost"]
						},
						"certificate_selection": {
							"any_tag": ["only"]
						}
					}],
					"logs": {}
				}
			}
		},
		"tls": {
			"certificates": {
				"load_files": [
					{
						"certificate": "domain.crt",
						"key": "domain.key",
						"format": "pem",
						"tags": ["only"]
					}
				]
			}
		}
	}
}

3. The problem I’m having:

The 8443 upstream is an HTTPS server with a self-signed certificate; it works with no problem.
The 8444 upstream is an HTTP server (no TLS), and it responds with 502 Bad Gateway.

4. Error messages and/or full log output:

1.6042869409409404e+09	debug	http.handlers.reverse_proxy	upstream roundtrip	{"upstream": "127.0.0.1:8444", "request": {"method": "POST", "uri": "/api/user", "proto": "HTTP/1.1", "remote_addr": "146.32.26.253:58771", "host": "31.28.53.72:443", "headers": {"Content-Length": ["272"], "Content-Type": ["application/json"], "User-Agent": ["PostmanRuntime/7.26.5"], "Accept": ["*/*"], "X-Forwarded-For": ["146.32.26.253"], "Accept-Encoding": ["gzip, deflate, br"], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "", "proto_mutual": true, "server_name": ""}}, "duration": 0.000534244, "error": "tls: first record does not look like a TLS handshake"}
1.604286940941026e+09	error	http.log.error	tls: first record does not look like a TLS handshake	{"request": {"method": "POST", "uri": "/api/user", "proto": "HTTP/1.1", "remote_addr": "146.32.26.253:58771", "host": "31.28.53.72:443", "headers": {"Accept-Encoding": ["gzip, deflate, br"], "Connection": ["keep-alive"], "Content-Length": ["272"], "Content-Type": ["application/json"], "User-Agent": ["PostmanRuntime/7.26.5"], "Accept": ["*/*"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "", "proto_mutual": true, "server_name": ""}}, "duration": 0.000645926, "status": 502, "err_id": "d941441hg", "err_trace": "reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:411)"}
1.6042869409410634e+09	error	http.log.access	handled request	{"request": {"method": "POST", "uri": "/api/user", "proto": "HTTP/1.1", "remote_addr": "146.32.26.253:58771", "host": "31.28.53.72:443", "headers": {"Accept": ["*/*"], "Accept-Encoding": ["gzip, deflate, br"], "Connection": ["keep-alive"], "Content-Length": ["272"], "Content-Type": ["application/json"], "User-Agent": ["PostmanRuntime/7.26.5"]}, "tls": {"resumed": false, "version": 772, "ciphersuite": 4865, "proto": "", "proto_mutual": true, "server_name": ""}}, "common_log": "146.32.26.253 - - [02/Nov/2020:11:15:40 +0800] \"POST /api/user HTTP/1.1\" 502 0", "duration": 0.000645926, "size": 0, "status": 502, "resp_headers": {"Server": ["Caddy"]}}

5. What I already tried:

I tried setting the upstream like this:

"upstreams": [{"dial": "http://127.0.0.1:8444"}]

and the log shows this error:

"error": "dial http:: unknown network http:"

6. Links to relevant resources:

This can be done in nginx:
proxy-https-requests-to-a-http-backend-with-nginx

Remove this bit from that one:

								"tls": {
									"insecure_skip_verify": true
								}

If you configure the tls field, then Caddy will try to connect with TLS.
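To make the answer's point checkable before a reload, the script below walks a Caddy JSON config and reports every reverse_proxy handler whose `transport.tls` key is set for an upstream the operator knows to be plain HTTP, then produces a copy with that key removed. It is an added example, not code from either post or from the Caddy project; the trimmed config embedded in it is constructed from the two handlers in the question, the set of plaintext upstreams is an assumed input, and the `insecure_skip_verify` finding is a defender's caveat (that setting disables certificate verification of the 8443 upstream) rather than something the thread asked about.

```python
import json
from typing import Iterator

# Constructed sample: the two reverse_proxy handlers from the posted config,
# trimmed to the fields the check needs. Not the full caddy.json.
SAMPLE_CONFIG = json.loads("""
{
  "apps": {"http": {"servers": {"my-server": {"routes": [
    {"match": [{"path": ["/server/*"]}],
     "handle": [
       {"handler": "rewrite", "strip_path_prefix": "/server"},
       {"handler": "reverse_proxy",
        "transport": {"protocol": "http", "tls": {"insecure_skip_verify": true}},
        "upstreams": [{"dial": "127.0.0.1:8443"}]}]},
    {"match": [{"path": ["/api/*"]}],
     "handle": [
       {"handler": "reverse_proxy",
        "transport": {"protocol": "http", "tls": {"insecure_skip_verify": true}},
        "upstreams": [{"dial": "127.0.0.1:8444"}]}]}
  ]}}}}
}
""")


def reverse_proxy_handlers(config: dict) -> Iterator[dict]:
    """Yield every reverse_proxy handler in every route of every HTTP server.
    Handlers nested inside subroutes are not walked (the posted config has none)."""
    servers = config.get("apps", {}).get("http", {}).get("servers", {})
    for server in servers.values():
        for route in server.get("routes", []):
            for handler in route.get("handle", []):
                if handler.get("handler") == "reverse_proxy":
                    yield handler


def upstream_uses_tls(handler: dict) -> bool:
    """Caddy dials the upstream with TLS whenever transport.tls is present
    (even as an empty object); absence of the key means plaintext HTTP."""
    return "tls" in handler.get("transport", {})


def audit(config: dict, plaintext_upstreams: set) -> list:
    """Return findings for handlers whose TLS setting conflicts with what the
    operator knows about the upstream, plus certificate-verification caveats."""
    findings = []
    for h in reverse_proxy_handlers(config):
        tls = upstream_uses_tls(h)
        for upstream in h.get("upstreams", []):
            dial = upstream.get("dial", "")
            if tls and dial in plaintext_upstreams:
                findings.append(f"{dial}: transport.tls set but upstream is plain HTTP; remove transport.tls")
            if tls and h["transport"]["tls"].get("insecure_skip_verify"):
                findings.append(f"{dial}: insecure_skip_verify disables certificate verification")
    return findings


def strip_tls(config: dict, plaintext_upstreams: set) -> dict:
    """Return a copy of config with transport.tls removed from handlers whose
    upstreams are all plaintext (the fix the answer describes); the input is untouched."""
    fixed = json.loads(json.dumps(config))  # deep copy via JSON round-trip
    for h in reverse_proxy_handlers(fixed):
        dials = {u.get("dial", "") for u in h.get("upstreams", [])}
        if dials and dials <= plaintext_upstreams:
            h.get("transport", {}).pop("tls", None)
    return fixed


if __name__ == "__main__":
    plaintext = {"127.0.0.1:8444"}  # assumed: the operator knows 8444 speaks plain HTTP
    for line in audit(SAMPLE_CONFIG, plaintext):
        print("finding:", line)
    print(json.dumps(strip_tls(SAMPLE_CONFIG, plaintext), indent=2))
```

Run it against the full `caddy.json` by replacing `SAMPLE_CONFIG` with `json.load(open("caddy.json"))`; the remaining finding for 8443 is expected as long as that upstream keeps its self-signed certificate, and goes away once the certificate is trusted and `insecure_skip_verify` is dropped.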
