1. The problem I’m having:
I am trying to set up Caddy to work with my Nextcloud AIO containers. I followed the reverse proxy step on the Nextcloud AIO GitHub page. The main difference is that I do not want / cannot use the network_mode:"host" flag for Caddy. I want to port-forward the Caddy container, because my OpenMediaVault dashboard is already at ports 443 and 80, and I want to keep it that way. (My router is correctly set up so that 443 and 80 direct to the Caddy container via 446 and 82.)
When I try to go to cloud.domain.tld I only see a blank page.
curl -vL
* Host cloud.domain.tld:80 was resolved.
* IPv6: (none)
* IPv4: <public_ip>
* Trying <public_ip>:80...
* Connected to cloud.domain.tld (<public_ip>) port 80
> GET / HTTP/1.1
> Host: cloud.domain.tld
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://cloud.domain.tld/
< Server: Caddy
< Date: Sun, 10 Dec 2023 00:44:35 GMT
< Content-Length: 0
<
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://cloud.domain.tld/'
* Host cloud.domain.tld:443 was resolved.
* IPv6: (none)
* IPv4: <public_ip>
* Trying <public_ip>:443...
* Connected to cloud.domain.tld (<public_ip>) port 443
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / X25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=cloud.domain.tld
* start date: Dec 9 00:00:00 2023 GMT
* expire date: Mar 8 23:59:59 2024 GMT
* subjectAltName: host "cloud.domain.tld" matched cert's "cloud.domain.tld"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 2: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://cloud.domain.tld/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: cloud.domain.tld]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.5.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: cloud.domain.tld
> User-Agent: curl/8.5.0
> Accept: */*
>
< HTTP/2 502
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< content-length: 0
< date: Sun, 10 Dec 2023 00:44:38 GMT
<
* Connection #1 to host cloud.domain.tld left intact
2. Error messages and/or full log output:
2023-12-10T00:49:38.661648167Z INF ts=1702169378.661579 logger=admin.api msg=load complete
2023-12-10T00:49:38.661855426Z INF ts=1702169378.661789 logger=docker-proxy msg=Successfully configured server=localhost
2023-12-10T00:49:38.664143325Z WRN ts=1702169378.6640377 logger=tls msg=storage cleaning happened too recently; skipping for now storage=FileStorage:/data/caddy instance=da072402-e811-4ae4-b924-9a0b595e1971 try_again=1702255778.6640358 try_again_in=86399.999999518
2023-12-10T00:49:38.664193534Z INF ts=1702169378.6641328 logger=tls msg=finished cleaning storage units
2023-12-10T00:49:38.665954435Z INF ts=1702169378.6659122 logger=admin msg=stopped previous server address=localhost:2019
2023-12-10T00:49:45.945934227Z DBG ts=1702169385.9456952 logger=events msg=event name=tls_get_certificate id=1c406831-e5b2-41d8-9f34-57a447c92670 origin=tls data={"client_hello":{"CipherSuites":[4865,4866,4867,49195,49196,52393,49199,49200,52392,49171,49172,156,157,47,53],"ServerName":"cloud.domain.tld","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"<public_ip>","Port":40384,"Zone":""},"LocalAddr":{"IP":"172.30.0.3","Port":443,"Zone":""}}}
2023-12-10T00:49:45.945998614Z DBG ts=1702169385.9458342 logger=tls.handshake msg=choosing certificate identifier=cloud.domain.tld num_choices=1
2023-12-10T00:49:45.946005010Z DBG ts=1702169385.945848 logger=tls.handshake msg=default certificate selection results identifier=cloud.domain.tld subjects=["cloud.domain.tld"] managed=true issuer_key=acme.zerossl.com-v2-DV90 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:45.946009998Z DBG ts=1702169385.945865 logger=tls.handshake msg=matched certificate in cache remote_ip=<public_ip> remote_port=40384 subjects=["cloud.domain.tld"] managed=true expiration=1709942400 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:46.025261465Z DBG ts=1702169386.0251641 logger=http.handlers.reverse_proxy msg=selected upstream dial=host.docker.internal:11000 total_upstreams=1
2023-12-10T00:49:49.025788750Z DBG ts=1702169389.0256371 logger=http.handlers.reverse_proxy msg=upstream roundtrip upstream=host.docker.internal:11000 duration=3.000423143 request={"remote_ip":"<public_ip>","remote_port":"40384","client_ip":"<public_ip>","proto":"HTTP/2.0","method":"GET","host":"cloud.domain.tld","uri":"/index.php/204","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.domain.tld"],"User-Agent":["Mozilla/5.0 (Android) Nextcloud-android/3.25.0"],"Http.protocol.single-Cookie-Header":["true"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["<public_ip>"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.domain.tld"}} error=dial tcp 172.17.0.1:11000: i/o timeout
2023-12-10T00:49:49.025821483Z ERR ts=1702169389.0257056 logger=http.log.error msg=dial tcp 172.17.0.1:11000: i/o timeout request={"remote_ip":"<public_ip>","remote_port":"40384","client_ip":"<public_ip>","proto":"HTTP/2.0","method":"GET","host":"cloud.domain.tld","uri":"/index.php/204","headers":{"Http.protocol.single-Cookie-Header":["true"],"Accept-Encoding":["gzip"],"User-Agent":["Mozilla/5.0 (Android) Nextcloud-android/3.25.0"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"cloud.domain.tld"}} duration=3.000559159 status=502 err_id=cjv128dtj err_trace=reverseproxy.statusError (reverseproxy.go:1267)
2023-12-10T00:49:51.284805633Z DBG ts=1702169391.2847419 logger=http.stdlib msg=http: TLS handshake error from <public_ip>:49758: EOF
2023-12-10T00:49:53.773156867Z DBG ts=1702169393.7729933 logger=events msg=event name=tls_get_certificate id=16340c7f-6934-468b-a59e-87097ab02592 origin=tls data={"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,173,171,52398,52397,52396,157,169,52395,172,170,156,168,61,60,49208,49206,183,179,149,145,53,175,141,49207,49205,182,178,148,144,47,174,140,255],"ServerName":"cloud.domain.tld","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"<public_ip>","Port":54986,"Zone":""},"LocalAddr":{"IP":"172.30.0.3","Port":443,"Zone":""}}}
2023-12-10T00:49:53.773230387Z DBG ts=1702169393.773056 logger=tls.handshake msg=choosing certificate identifier=cloud.domain.tld num_choices=1
2023-12-10T00:49:53.773236129Z DBG ts=1702169393.7730777 logger=tls.handshake msg=default certificate selection results identifier=cloud.domain.tld subjects=["cloud.domain.tld"] managed=true issuer_key=acme.zerossl.com-v2-DV90 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:53.773241018Z DBG ts=1702169393.7730937 logger=tls.handshake msg=matched certificate in cache remote_ip=<public_ip> remote_port=54986 subjects=["cloud.domain.tld"] managed=true expiration=1709942400 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:53.825660575Z DBG ts=1702169393.8255477 logger=http.handlers.reverse_proxy msg=selected upstream dial=host.docker.internal:11000 total_upstreams=1
2023-12-10T00:49:55.102546432Z DBG ts=1702169395.1024628 logger=docker-proxy msg=Skipping swarm config caddyfiles because swarm is not available
2023-12-10T00:49:55.120535102Z DBG ts=1702169395.1204531 logger=docker-proxy msg=Skipping swarm services because swarm is not available
2023-12-10T00:49:59.768499429Z DBG ts=1702169399.768357 logger=events msg=event name=tls_get_certificate id=16ca63c0-ae7d-4d84-93ff-2e712543f48f origin=tls data={"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,163,159,52393,52392,52394,49327,49325,49315,49311,49245,49249,49239,49235,49188,49192,107,106,49267,49271,196,195,49162,49172,57,56,136,135,157,49313,49309,49233,61,192,53,132,49195,49199,162,158,49326,49324,49314,49310,49244,49248,49238,49234,49187,49191,103,64,49266,49270,190,189,49161,49171,51,50,154,153,69,68,156,49312,49308,49232,60,186,47,150,65,255],"ServerName":"cloud.domain.tld","SupportedCurves":[30,29,25,24,23,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"<public_ip>","Port":60052,"Zone":""},"LocalAddr":{"IP":"172.30.0.3","Port":443,"Zone":""}}}
2023-12-10T00:49:59.768556217Z DBG ts=1702169399.7684212 logger=tls.handshake msg=choosing certificate identifier=cloud.domain.tld num_choices=1
2023-12-10T00:49:59.768565708Z DBG ts=1702169399.768435 logger=tls.handshake msg=default certificate selection results identifier=cloud.domain.tld subjects=["cloud.domain.tld"] managed=true issuer_key=acme.zerossl.com-v2-DV90 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:59.768574791Z DBG ts=1702169399.7684433 logger=tls.handshake msg=matched certificate in cache remote_ip=<public_ip> remote_port=60052 subjects=["cloud.domain.tld"] managed=true expiration=1709942400 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:49:59.773494289Z DBG ts=1702169399.7734313 logger=http.handlers.reverse_proxy msg=selected upstream dial=host.docker.internal:11000 total_upstreams=1
2023-12-10T00:50:02.774064189Z DBG ts=1702169402.7739825 logger=http.handlers.reverse_proxy msg=upstream roundtrip upstream=host.docker.internal:11000 duration=3.000514953 request={"remote_ip":"<public_ip>","remote_port":"60052","client_ip":"<public_ip>","proto":"HTTP/1.1","method":"GET","host":"cloud.domain.tld","uri":"/apps/richdocuments/settings/fonts.json","headers":{"Date":["Sun, 10 Dec 2023 00:49:59"],"User-Agent":["COOLWSD HTTP Agent 23.05.5.4"],"X-Forwarded-For":["<public_ip>"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["cloud.domain.tld"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"cloud.domain.tld"}} error=dial tcp 172.17.0.1:11000: i/o timeout
2023-12-10T00:50:02.774103710Z ERR ts=1702169402.7740517 logger=http.log.error msg=dial tcp 172.17.0.1:11000: i/o timeout request={"remote_ip":"<public_ip>","remote_port":"60052","client_ip":"<public_ip>","proto":"HTTP/1.1","method":"GET","host":"cloud.domain.tld","uri":"/apps/richdocuments/settings/fonts.json","headers":{"User-Agent":["COOLWSD HTTP Agent 23.05.5.4"],"Date":["Sun, 10 Dec 2023 00:49:59"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"","server_name":"cloud.domain.tld"}} duration=3.000625293 status=502 err_id=bmugv5jfj err_trace=reverseproxy.statusError (reverseproxy.go:1267)
2023-12-10T00:50:20.039739328Z DBG ts=1702169420.0395806 logger=events msg=event name=tls_get_certificate id=b644bac6-783d-4f6c-a9f9-2c678dbd4b17 origin=tls data={"client_hello":{"CipherSuites":[4865,4867,4866,49195,49199,52393,52392,49196,49200,49162,49161,49171,49172,156,157,47,53],"ServerName":"cloud.domain.tld","SupportedCurves":[29,23,24,25,256,257],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,1025,1281,1537,515,513],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"<public_ip>","Port":60328,"Zone":""},"LocalAddr":{"IP":"172.30.0.3","Port":443,"Zone":""}}}
2023-12-10T00:50:20.039779281Z DBG ts=1702169420.0396478 logger=tls.handshake msg=choosing certificate identifier=cloud.domain.tld num_choices=1
2023-12-10T00:50:20.039788157Z DBG ts=1702169420.0396721 logger=tls.handshake msg=default certificate selection results identifier=cloud.domain.tld subjects=["cloud.domain.tld"] managed=true issuer_key=acme.zerossl.com-v2-DV90 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:50:20.039796763Z DBG ts=1702169420.039689 logger=tls.handshake msg=matched certificate in cache remote_ip=<public_ip> remote_port=60328 subjects=["cloud.domain.tld"] managed=true expiration=1709942400 hash=cda353077f262f3f98bab1589a00c304e33641e57c5f033d41f805b5ba73a6fe
2023-12-10T00:50:20.061597710Z DBG ts=1702169420.0615163 logger=http.handlers.reverse_proxy msg=selected upstream dial=host.docker.internal:11000 total_upstreams=1
2023-12-10T00:50:21.382955373Z DBG ts=1702169421.3828876 logger=http.stdlib msg=http: TLS handshake error from <public_ip>:46354: EOF
3. Caddy version:
v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=
4. How I installed and ran Caddy:
a. System environment:
Docker
OpenMediaVault: 6.9.9-1 (Shaitan)
Kernel: Linux 6.1.0-0.deb11.11-amd64
b. Command:
c. Service/unit/compose file:
Dockerfile
FROM caddy:builder AS builder
RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/caddy-dns/cloudflare
FROM caddy:alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
CMD ["caddy", "docker-proxy"]
docker-compose
services:
  # Nextcloud
  nextcloud-aio-mastercontainer:
    image: nextcloud/all-in-one:latest
    init: true
    restart: always
    container_name: nextcloud-aio-mastercontainer
    volumes:
      - nextcloud_aio_mastercontainer:/mnt/docker-aio-config
      - /var/run/docker.sock:/var/run/docker.sock:ro
    ports:
      - 8083:8080
    environment:
      - APACHE_PORT=11000
      - APACHE_IP_BINDING=0.0.0.0
      - SKIP_DOMAIN_VALIDATION=true
    networks:
      - caddy
  caddy:
    image: caddy-docker-proxy-cloudflare-dns
    restart: always
    container_name: caddy
    environment:
      - CADDY_DOCKER_CADDYFILE_PATH=/etc/caddy/Caddyfile
    ports:
      - 82:80
      - 446:443
    networks:
      - caddy
    volumes:
      - ${APPDATA}/Caddy/Caddyfile:/etc/caddy/Caddyfile
      - /var/run/docker.sock:/var/run/docker.sock
    extra_hosts: ["host.docker.internal:host-gateway"]
networks:
  caddy:
    external: true
volumes:
  nextcloud_aio_mastercontainer:
    name: nextcloud_aio_mastercontainer
  caddy_data: {}
d. My complete Caddy config:
Caddyfile
{
    # Email
    email <email>
    # Debug
    # acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    debug
}
(cloudflare) {
    tls {
        dns cloudflare <api_token>
    }
}
https://cloud.domain.tld:443 {
    import cloudflare
    reverse_proxy host.docker.internal:11000 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}
My DNS is hosted at Cloudflare, but I turned off the proxy.
5. Links to relevant resources:
Here are some sources I found trying to fix the issue:
This URL made me add the tls_insecure_skip_verify line to the Caddyfile.
Not sure where the problem lies. I also posted on the Nextcloud forum, to no avail so far.
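For triaging a 502 like the one in the log above, here is an added helper (not from the original post, and not part of Caddy or Nextcloud AIO) that parses the logfmt-style lines Caddy emits, pulls out each upstream dial error, and reports the configured upstream name (host.docker.internal:11000) beside the address it actually resolved to (172.17.0.1:11000). The sample log lines are constructed from the ones in the post.

```python
import json
import re
from collections import Counter

# Constructed sample lines, modelled on the Caddy debug log in the post above.
SAMPLE_LOG = """\
2023-12-10T00:49:46.025Z DBG ts=1702169386.02 logger=http.handlers.reverse_proxy msg=selected upstream dial=host.docker.internal:11000 total_upstreams=1
2023-12-10T00:49:49.025Z ERR ts=1702169389.02 logger=http.log.error msg=dial tcp 172.17.0.1:11000: i/o timeout request={"remote_ip":"<public_ip>","method":"GET","host":"cloud.domain.tld","uri":"/index.php/204"} duration=3.000559159 status=502 err_id=cjv128dtj err_trace=reverseproxy.statusError (reverseproxy.go:1267)
2023-12-10T00:50:02.774Z ERR ts=1702169402.77 logger=http.log.error msg=dial tcp 172.17.0.1:11000: i/o timeout request={"remote_ip":"<public_ip>","method":"GET","host":"cloud.domain.tld","uri":"/apps/richdocuments/settings/fonts.json"} duration=3.000625293 status=502 err_id=bmugv5jfj err_trace=reverseproxy.statusError (reverseproxy.go:1267)
"""

# "msg=dial tcp <ip:port>: <reason> request={...} " as written by Caddy's reverse_proxy handler
DIAL_ERR = re.compile(r"msg=dial tcp (?P<addr>[\d.]+:\d+): (?P<reason>.+?) request=(?P<req>\{.*\}) ")
# "msg=selected upstream dial=<name:port>" names the upstream as configured in the Caddyfile
UPSTREAM = re.compile(r"msg=selected upstream dial=(?P<name>\S+)")


def parse_dial_errors(log_text):
    """Return (set of configured upstream names, list of dial-error records)."""
    upstreams = set()
    errors = []
    for line in log_text.splitlines():
        m = UPSTREAM.search(line)
        if m:
            upstreams.add(m.group("name"))
            continue
        m = DIAL_ERR.search(line)
        if m:
            status = re.search(r" status=(\d+)", line)
            req = json.loads(m.group("req"))  # the request field is embedded JSON
            errors.append({
                "resolved_addr": m.group("addr"),
                "reason": m.group("reason"),
                "status": int(status.group(1)) if status else None,
                "uri": req.get("uri"),
            })
    return upstreams, errors


def summarize(log_text):
    """Group dial errors by (resolved address, reason) so a name that resolves to an
    address the proxy cannot reach (here the host-gateway IP) stands out at a glance."""
    upstreams, errors = parse_dial_errors(log_text)
    counts = Counter((e["resolved_addr"], e["reason"]) for e in errors)
    return {
        "upstreams": sorted(upstreams),
        "failures": dict(counts),
        "status_502": sum(1 for e in errors if e["status"] == 502),
    }
```

Run it against `docker logs caddy` output instead of SAMPLE_LOG to see whether every 502 traces back to the same unreachable resolved address.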