1. Caddy version (caddy version):
Latest 2.4 docker container
2. Caddy run via
Docker
a. System environment:
Docker running on Ubuntu 20 LTS
b. Command:
docker-compose up -d
c. Service/unit/compose file:
# docker-compose.yml
version: "3.7"
services:
  caddy:
    image: caddy:latest
    container_name: caddy_devcon_cc
    restart: always
    # command: --log stdout
    volumes:
      - /root/docker/caddyv2/Caddyfile:/etc/caddy/Caddyfile:ro
      - /root/docker/caddyv2/data:/data
      - /root/docker/caddyv2/config:/config
    ports:
      # bind only on the LAN address of the Docker host
      - "192.168.2.153:80:80"
      - "192.168.2.153:443:443"
    environment:
      ACME_AGREE: "true" # agree to Let's Encrypt Subscriber Agreement (Caddy v1 variable; v2 ignores it)
      # DOMAIN: "vault.devcon.cc" # CHANGE THIS! Used for Auto Let's Encrypt SSL
      # EMAIL: "thomas.kofler@devcon.cc" # CHANGE THIS! Optional, provided to Let's Encrypt
#volumes:
#  caddycerts:
d. My complete Caddyfile or JSON config:
www.affectedomain.com {
	# ACME account e-mail for the automatically issued certificate
	tls info@affectedomain.com

	header {
		# Enable HTTP Strict Transport Security (HSTS)
		Strict-Transport-Security "max-age=31536000;"
		# Enable cross-site filter (XSS) and tell browser to block detected attacks
		X-XSS-Protection "1; mode=block"
		# Disallow the site to be rendered within a frame (clickjacking protection)
		X-Frame-Options "DENY"
	}

	# HTTPS upstream on the LAN; its certificate chain, name and validity are not checked
	reverse_proxy https://192.168.2.107 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}
3. The problem I’m having:
Websites hosted on an older webserver, served over HTTPS via Caddy, are no longer reachable. The browser shows a 502 error generated by Caddy.
Before, they worked fine; we are so far not aware of any change on the webserver.
That webserver uses private, expired certificates.
4. Error messages and/or full log output:
method":"GET","host":"www.affectedomain.com","uri":"/","headers":{"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Accept-Language":["en-US,en;q=0.9,de;q=0.8"],"Sec-Ch-Ua":["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"100\", \"Microsoft Edge\";v=\"100\""],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36 Edg/100.0.1185.50"],"Sec-Fetch-User":["?1"],"Pragma":["no-cache"],"Sec-Ch-Ua-Mobile":["?0"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Fetch-Site":["none"],"Cache-Control":["no-cache"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"www.affectedomain.com"}},"duration":0.0011455,"status":502,"err_id":"y5w4afeqn","err_trace":"reverseproxy.statusError (reverseproxy.go:1166)"}
5. What I already tried:
Serving the backend website via HTTP works fine.
Different websites are affected, independent of the config.
The backend is up and running; it is reachable from the Docker host via lynx https://<same-ip-as-used-with-caddy-reverse-proxy-directive>
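The Caddyfile above proxies to an HTTPS upstream with `tls_insecure_skip_verify`, which sets `InsecureSkipVerify` on the Go TLS client Caddy uses; that disables the chain, hostname and validity-period checks, so an expired private certificate on its own is exactly the case this option is meant to get past. The useful next check is therefore to separate "the certificate is rejected" from "the handshake fails no matter what", because only the first is something skipping verification can cure. The following Go program is an added example, not code from the original post or from the Caddy project: it starts a loopback TLS listener that stands in for the backend (presenting a self-signed certificate that is either valid or expired a year ago) and probes it twice, once as a verifying client trusting that certificate as a private root and once with `InsecureSkipVerify`. The host name `www.affectedomain.com` is the placeholder from the post; the listener address and the certificate are constructed here and are not the poster's backend.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// ProbeResult is what two client dials learned about one HTTPS upstream.
type ProbeResult struct {
	StrictErr   error     // verifying client (chain, name, validity); nil if accepted
	Expired     bool      // StrictErr was specifically a validity-period failure
	InsecureErr error     // InsecureSkipVerify client; nil if the handshake completed
	Version     uint16    // TLS version the insecure client negotiated (0 if none)
	NotAfter    time.Time // expiry of the leaf certificate the upstream presented
}

// Probe dials addr twice: once verifying against roots, once with InsecureSkipVerify,
// the Go setting behind Caddy's tls_insecure_skip_verify. Failing only the strict dial
// is a certificate problem; failing both is a handshake problem skipping verification cannot fix.
func Probe(addr, serverName string, roots *x509.CertPool) ProbeResult {
	var r ProbeResult
	d := &net.Dialer{Timeout: 3 * time.Second}
	strict := &tls.Config{ServerName: serverName, RootCAs: roots}
	if c, err := tls.DialWithDialer(d, "tcp", addr, strict); err != nil {
		r.StrictErr = err
		var inv x509.CertificateInvalidError
		r.Expired = errors.As(err, &inv) && inv.Reason == x509.Expired
	} else {
		c.Close()
	}
	insecure := &tls.Config{ServerName: serverName, InsecureSkipVerify: true}
	c, err := tls.DialWithDialer(d, "tcp", addr, insecure)
	if err != nil {
		r.InsecureErr = err
		return r
	}
	defer c.Close()
	st := c.ConnectionState()
	r.Version = st.Version
	if len(st.PeerCertificates) > 0 {
		r.NotAfter = st.PeerCertificates[0].NotAfter
	}
	return r
}

// StartUpstream starts a loopback TLS listener standing in for the legacy backend (constructed
// here, not the poster's server). It presents a self-signed certificate for host that is valid
// for a year, or (expired=true) ran out a year ago, and returns the address and the certificate.
func StartUpstream(host string, expired bool) (string, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	year := 365 * 24 * time.Hour
	notBefore, notAfter := time.Now().Add(-year), time.Now().Add(year)
	if expired {
		notBefore, notAfter = time.Now().Add(-2*year), time.Now().Add(-year)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail to parse
	srv := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return
			}
			// Finish the handshake and hang up; the probe needs nothing more.
			go func(c net.Conn) { defer c.Close(); c.(*tls.Conn).Handshake() }(conn)
		}
	}()
	return ln.Addr().String(), cert, nil
}
```

Against the loopback stand-in, the expired certificate fails the strict dial with `x509.Expired` while the skip-verify dial completes, which is the behaviour the Caddyfile relies on. Pointed at the real backend address from the Docker host (replace the address and keep the site name), a skip-verify dial that also fails would mean the 502 is not explained by the expired certificate, and the returned error text is the detail the truncated log line in the post does not show. Note that `tls_insecure_skip_verify` removes all authentication of the upstream, so anything on the path to 192.168.2.107 could answer in its place; once the backend certificate is renewed, trusting the private issuer with `tls_trusted_ca_certs` (and `tls_server_name` if the name differs) in the same `transport http` block restores that check.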