How to use reverse_proxy with IP Certificates?

I’m using Caddy on a VPS and trying to do a reverse proxy with IP certificates.

1. The problem I’m having:

When using reverse_proxy with IP certificates, the browser gets Error code: 502 Bad Gateway.
When I use the respond directive, it works as expected.

2. Error messages and/or full log output:

{
   "duration": 0.000341561,
   "err_id": "01vcbnzfx",
   "err_trace": "reverseproxy.statusError (reverseproxy.go:1390)",
   "level": "error",
   "logger": "http.log.error",
   "msg": "dial tcp 127.0.0.1:8082: connect: connection refused",
   "request": {
      "client_ip": "(Client-IP Redacted)",
      "headers": {
         "Accept": [
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
         ],
         "Accept-Encoding": [
            "gzip, deflate, br, zstd"
         ],
         "Accept-Language": [
            "en-US,en;q=0.9"
         ],
         "Priority": [
            "u=0, i"
         ],
         "Sec-Fetch-Dest": [
            "document"
         ],
         "Sec-Fetch-Mode": [
            "navigate"
         ],
         "Sec-Fetch-Site": [
            "none"
         ],
         "Sec-Fetch-User": [
            "?1"
         ],
         "Sec-Gpc": [
            "1"
         ],
         "Te": [
            "trailers"
         ],
         "Upgrade-Insecure-Requests": [
            "1"
         ],
         "User-Agent": [
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:147.0) Gecko/20100101 Firefox/147.0"
         ]
      },
      "host": "(Public-IP Redacted)",
      "method": "GET",
      "proto": "HTTP/2.0",
      "remote_ip": "143.44.144.17",
      "remote_port": "2204",
      "tls": {
         "cipher_suite": 4865,
         "proto": "h2",
         "resumed": false,
         "server_name": "",
         "version": 772
      },
      "uri": "/"
   },
   "status": 502,
   "ts": 1768874322.175636
}

3. Caddy version:

v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

4. How I installed and ran Caddy:

Docker Compose

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./data/conf:/etc/caddy
      - ./data/site:/srv
      - ./data/caddy_data:/data
      - ./data/caddy_config:/config
  it-tools:
    container_name: it-tools
    restart: unless-stopped
    ports:
      - 127.0.0.1:8082:80
    image: ghcr.io/corentinth/it-tools:latest

a. System environment:

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

{
        default_sni (Public-IP Redacted)
}
(Public-IP Redacted), :443 {
        tls {
                issuer acme {
                        profile shortlived
                }
        }
        # respond "It's working"
        reverse_proxy 127.0.0.1:8082
}

5. Links to relevant resources:

The error message is telling you exactly what’s wrong: it can’t connect to 127.0.0.1 on port 8082 because there’s nothing listening on that port inside the Caddy container.

In the Caddyfile, any IP addresses refer to how Caddy sees that target. So 127.0.0.1 means Caddy’s own container, not your host or another container.

You can try:

reverse_proxy IP_OF_DOCKER_HOST:8082

or, in your case, you should be able to use:

reverse_proxy it-tools:80

This issue isn’t related to the IP certificate.

1 Like

And since you’re binding that port explicitly to your docker host’s loopback:

this won’t work either:
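Pulling the two replies above together, here is a small check written for this thread (example code, not Caddy's own) that applies their rule to a reverse_proxy upstream: an address is interpreted from inside the Caddy container, so loopback is the container itself, a host-loopback-bound published port is unreachable via the host, and a compose service name must be paired with the container port, not the published one. The service model is constructed from the compose file in the question, and IP_OF_DOCKER_HOST is the answer's placeholder for the redacted host IP.

```python
"""Check a Caddyfile reverse_proxy upstream against the compose port mappings,
applying the rule from the answer above: an address means what it means from
inside the Caddy container. Example code for this thread, not Caddy's own."""

def parse_port_mapping(spec: str):
    """Parse a compose 'ports' entry ('127.0.0.1:8082:80', '443:443/udp')
    into (host_bind_ip, host_port, container_port)."""
    parts = spec.split("/")[0].split(":")  # drop any protocol suffix
    if len(parts) == 2:                    # "HOST:CONTAINER" binds every host address
        parts = ["0.0.0.0"] + parts
    if len(parts) != 3:
        raise ValueError(f"unsupported port mapping: {spec!r}")
    return parts[0], int(parts[1]), int(parts[2])

# Constructed from the compose file in the question: service -> published ports.
SERVICES = {
    "caddy": [parse_port_mapping(p) for p in ("80:80", "443:443", "443:443/udp")],
    "it-tools": [parse_port_mapping("127.0.0.1:8082:80")],
}
DOCKER_HOST = "IP_OF_DOCKER_HOST"  # placeholder from the answer; the real IP is redacted

def check_upstream(upstream: str, services=SERVICES):
    """Return (reachable, reason) for a reverse_proxy upstream seen from the Caddy container."""
    host, _, port = upstream.rpartition(":")
    port = int(port)
    if host in ("127.0.0.1", "localhost", "::1", "[::1]"):
        return False, "loopback is the Caddy container itself, not the host or another container"
    if host == DOCKER_HOST:
        # Through the host, only ports published on a non-loopback host address are reachable.
        for name, maps in services.items():
            for bind_ip, host_port, _ in maps:
                if host_port == port:
                    if bind_ip in ("127.0.0.1", "localhost"):
                        return False, f"host port {port} is bound to the host's loopback only"
                    return True, f"host port {port} is published by {name}"
        return False, f"no service publishes host port {port}"
    if host in services:
        # On the compose network the service name resolves to its container: use the container port.
        container_ports = {cp for _, _, cp in services[host]}
        if port in container_ports:
            return True, f"{host} listens on container port {port}"
        if port in {hp for _, hp, _ in services[host]}:
            return False, f"{port} is the published host port; {host} listens on {sorted(container_ports)}"
        return False, f"{host} is not known to listen on port {port}"
    return False, f"{host!r} is neither a compose service nor the Docker host"
```

Running check_upstream on the three upstreams discussed in the thread (127.0.0.1:8082, IP_OF_DOCKER_HOST:8082, it-tools:80) reproduces the replies' verdicts, and it-tools:8082 is flagged as the published port rather than the container port.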

Still 502 bad gateway error with this.

As a test, I used another reverse proxy, Pangolin, through a Newt tunnel.
Pangolin can use localhost:8082 and it-tools:8082 just fine.

This solved my problem.
At first I missed the :80.

Thank you!

2 Likes