Infinite redirects to router

1. The problem I’m having:

Hello,

I have configured Caddy with VaultWarden (pw manager) and it works flawlessly.

Now I want to make my home router accessible externally via domain “router.stevecraft.cz”.
I have two options:

  • enable it on the router itself (less secure as I cannot put any security “between”)
  • use reverse proxy and route it from custom sub-domain to Caddy

My current setup is as follows:

  • I access router.stevecraft.cz
  • DNS forwards this request to my public IP (router)
  • Via port forwarding, this request on port 80 gets to my server (necessary as I run more services on my server which use port 80)
  • I want Caddy to handle this request and, if it's from router.stevecraft.cz, reverse proxy it to the router, effectively making me able to access my router from the outside

The problem is that when I access the subdomain via browser, I get an error: too many redirects. It seems that Caddy is infinitely redirecting it, because in the response I see this:

alt-svc: h3=":443"; ma=2592000
content-length: 0
date: Sun, 05 Mar 2023 12:06:59 GMT
location: https://router.stevecraft.cz/
server: Caddy
server: Caddy

2. Error messages and/or full log output:

Here is the log which I received via the docker logs caddy command and then formatted. I have shortened the redirects and kept only the first 2. They are all the same, just repeating like 50 times or so.

{
   "level":"debug",
   "ts":1678016429.6251771,
   "logger":"events",
   "msg":"event",
   "name":"tls_get_certificate",
   "id":"c979e09a-55c7-4230-a6e8-22f647fae5bc",
   "origin":"tls",
   "data":{
      "client_hello":{
         "CipherSuites":[
            39578,
            4865,
            4866,
            4867,
            49195,
            49199,
            49196,
            49200,
            52393,
            52392,
            49171,
            49172,
            156,
            157,
            47,
            53
         ],
         "ServerName":"router.stevecraft.cz",
         "SupportedCurves":[
            10794,
            29,
            23,
            24
         ],
         "SupportedPoints":"AA==",
         "SignatureSchemes":[
            1027,
            2052,
            1025,
            1283,
            2053,
            1281,
            2054,
            1537
         ],
         "SupportedProtos":[
            "h2",
            "http/1.1"
         ],
         "SupportedVersions":[
            14906,
            772,
            771
         ],
         "Conn":{
            
         }
      }
   }
}{
   "level":"debug",
   "ts":1678016429.6252482,
   "logger":"tls.handshake",
   "msg":"choosing certificate",
   "identifier":"router.stevecraft.cz",
   "num_choices":1
}{
   "level":"debug",
   "ts":1678016429.6252596,
   "logger":"tls.handshake",
   "msg":"default certificate selection results",
   "identifier":"router.stevecraft.cz",
   "subjects":[
      "router.stevecraft.cz"
   ],
   "managed":true,
   "issuer_key":"acme.zerossl.com-v2-DV90",
   "hash":"39debcf86a6cf987ef09a94cdbb9c2d4b8069d6360552c80245b0b3bec6216b3"
}{
   "level":"debug",
   "ts":1678016429.6252651,
   "logger":"tls.handshake",
   "msg":"matched certificate in cache",
   "remote_ip":"172.17.0.1",
   "remote_port":"51434",
   "subjects":[
      "router.stevecraft.cz"
   ],
   "managed":true,
   "expiration":1685836800,
   "hash":"39debcf86a6cf987ef09a94cdbb9c2d4b8069d6360552c80245b0b3bec6216b3"
}{
   "level":"debug",
   "ts":1678016429.6294632,
   "logger":"http.handlers.reverse_proxy",
   "msg":"selected upstream",
   "dial":"192.168.0.1:80",
   "total_upstreams":1
}{
   "level":"debug",
   "ts":1678016429.6360264,
   "logger":"http.handlers.reverse_proxy",
   "msg":"upstream roundtrip",
   "upstream":"192.168.0.1:80",
   "duration":0.006494406,
   "request":{
      "remote_ip":"172.17.0.1",
      "remote_port":"51434",
      "proto":"HTTP/2.0",
      "method":"GET",
      "host":"router.stevecraft.cz",
      "uri":"/",
      "headers":{
         "Sec-Fetch-Dest":[
            "document"
         ],
         "X-Forwarded-Host":[
            "router.stevecraft.cz"
         ],
         "Sec-Fetch-User":[
            "?1"
         ],
         "Sec-Ch-Ua":[
            "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""
         ],
         "Accept":[
            "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
         ],
         "Upgrade-Insecure-Requests":[
            "1"
         ],
         "X-Forwarded-Proto":[
            "https"
         ],
         "X-Forwarded-For":[
            "172.17.0.1"
         ],
         "Sec-Fetch-Mode":[
            "navigate"
         ],
         "Accept-Encoding":[
            "gzip, deflate, br"
         ],
         "User-Agent":[
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
         ],
         "Sec-Fetch-Site":[
            "none"
         ],
         "Accept-Language":[
            "cs,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"
         ],
         "Sec-Ch-Ua-Platform":[
            "\"Windows\""
         ],
         "Cache-Control":[
            "max-age=0"
         ],
         "Sec-Ch-Ua-Mobile":[
            "?0"
         ]
      },
      "tls":{
         "resumed":false,
         "version":772,
         "cipher_suite":4865,
         "proto":"h2",
         "server_name":"router.stevecraft.cz"
      }
   },
   "headers":{
      "Server":[
         "Caddy"
      ],
      "Date":[
         "Sun, 05 Mar 2023 11:40:29 GMT"
      ],
      "Content-Length":[
         "0"
      ],
      "Location":[
         "https://router.stevecraft.cz/"
      ]
   },
   "status":308
}{
   "level":"debug",
   "ts":1678016429.6396546,
   "logger":"http.handlers.reverse_proxy",
   "msg":"selected upstream",
   "dial":"192.168.0.1:80",
   "total_upstreams":1
}{
   "level":"debug",
   "ts":1678016429.6452146,
   "logger":"http.handlers.reverse_proxy",
   "msg":"upstream roundtrip",
   "upstream":"192.168.0.1:80",
   "duration":0.005509861,
   "request":{
      "remote_ip":"172.17.0.1",
      "remote_port":"51434",
      "proto":"HTTP/2.0",
      "method":"GET",
      "host":"router.stevecraft.cz",
      "uri":"/",
      "headers":{
         "User-Agent":[
            "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
         ],
         "Sec-Fetch-Mode":[
            "navigate"
         ],
         "Upgrade-Insecure-Requests":[
            "1"
         ],
         "Sec-Fetch-Dest":[
            "document"
         ],
         "X-Forwarded-For":[
            "172.17.0.1"
         ],
         "X-Forwarded-Host":[
            "router.stevecraft.cz"
         ],
         "Accept":[
            "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
         ],
         "Accept-Encoding":[
            "gzip, deflate, br"
         ],
         "Sec-Fetch-Site":[
            "none"
         ],
         "Sec-Fetch-User":[
            "?1"
         ],
         "Sec-Ch-Ua-Platform":[
            "\"Windows\""
         ],
         "Sec-Ch-Ua-Mobile":[
            "?0"
         ],
         "Accept-Language":[
            "cs,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"
         ],
         "Cache-Control":[
            "max-age=0"
         ],
         "Sec-Ch-Ua":[
            "\"Chromium\";v=\"110\", \"Not A(Brand\";v=\"24\", \"Google Chrome\";v=\"110\""
         ],
         "X-Forwarded-Proto":[
            "https"
         ]
      },
      "tls":{
         "resumed":false,
         "version":772,
         "cipher_suite":4865,
         "proto":"h2",
         "server_name":"router.stevecraft.cz"
      }
   },
   "headers":{
      "Date":[
         "Sun, 05 Mar 2023 11:40:29 GMT"
      ],
      "Content-Length":[
         "0"
      ],
      "Location":[
         "https://router.stevecraft.cz/"
      ],
      "Server":[
         "Caddy"
      ]
   },
   "status":308
}

Here is what happens when I curl to http://router.stevecraft.cz

C:\Windows\System32>curl -vL http://router.stevecraft.cz
*   Trying 83.240.92.68:80...
* Connected to router.stevecraft.cz (83.240.92.68) port 80 (#0)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Content-Length: 0
<
* Closing connection 0
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://router.stevecraft.cz/'
*   Trying 83.240.92.68:443...
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Alt-Svc: h3=":443"; ma=2592000
< Content-Length: 0
< Date: Sun, 05 Mar 2023 12:01:46 GMT
< Location: https://router.stevecraft.cz/
< Server: Caddy
< Server: Caddy
<
* Connection #1 to host router.stevecraft.cz left intact
* Issue another request to this URL: 'https://router.stevecraft.cz/'
* Found bundle for host: 0x1a9bb615fc0 [serially]
* Re-using existing connection #1 with host router.stevecraft.cz
* Connected to router.stevecraft.cz (83.240.92.68) port 443 (#1)
> GET / HTTP/1.1
> Host: router.stevecraft.cz
> User-Agent: curl/7.83.1
> Accept: */*

(repeating redirects shortened)

3. Caddy version:

I got this version by opening the Docker Desktop GUI, connecting to the terminal and running the caddy version command.

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

I’m running Caddy in Docker Desktop on Windows 11 and I’ve made the container using this command:

docker run --detach --name caddy --volume /d/Vaultwarden/caddy/caddyfile/Caddyfile:/etc/caddy/Caddyfile --volume /d/Vaultwarden/caddy/:/root/.local/share/caddy/ --volume /d/Vaultwarden/caddy/data/:/data/ --publish 80:80 --publish 443:443 --restart on-failure caddy:2

My complete Caddy config:

{
	debug
}

vault.stevecraft.cz {
	encode gzip

	# The negotiation endpoint is also proxied to Rocket
	reverse_proxy /notifications/hub/negotiate 172.17.0.1:8080

	# Notifications redirected to the websockets server
	reverse_proxy /notifications/hub 172.17.0.1:3012

	# Send all other traffic to the regular Vaultwarden endpoint
	reverse_proxy 172.17.0.1:8080
}

router.stevecraft.cz {
	reverse_proxy 192.168.0.1:80 
}

Disclaimer

I’m a total beginner in Docker, networking, servers, etc., so I’m sorry if I did something clearly very wrong.

Exposing your router externally seems like a terrible idea. I’d suggest instead that you get remote access to a machine in your network to access it instead. That’s a more secure option.

That said, it looks like Caddy ends up connecting to itself when proxying (evidenced by the Server header). My guess is that the router is forwarding the request on port 80 to Caddy as per your port forwarding rules.

That probably happens because you’re running Caddy in Docker and that makes requests from Caddy look like they’re not coming from a 192.168 IP address but instead from Docker’s subnet, so the router doesn’t know to serve its interface and instead forwards the traffic back to Caddy.


Thank you for your response.
This is interesting stuff: when I curl the router's local IP from the Docker container terminal (Caddy), I get the proper login page for the router.

Hi

Try changing your site config to this

router.stevecraft.cz {
	reverse_proxy 192.168.0.1:80 {
		transport http {
			tls_insecure_skip_verify
		}
	}
}

I have tried it; I receive a 502 Bad Gateway response.

This is logged error in Caddy:

{
   "level":"error",
   "ts":1678723591.281027,
   "logger":"http.log.error",
   "msg":"tls: first record does not look like a TLS handshake",
   "request":{
      "remote_ip":"172.17.0.1",
      "remote_port":"57672",
      "proto":"HTTP/1.1",
      "method":"GET",
      "host":"router.stevecraft.cz",
      "uri":"/",
      "headers":{
         "Upgrade-Insecure-Requests":["1"],
         "Accept-Encoding":["gzip, deflate"],
         "Accept-Language":["cs,en-GB;q=0.9,en-US;q=0.8,en;q=0.7"],
         "Cache-Control":["max-age=0"],
         "Connection":["keep-alive"],
         "User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36"],
         "Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"]
      }
   },
   "duration":0.002741139,
   "status":502,
   "err_id":"vf6qv0m6p",
   "err_trace":"reverseproxy.statusError (reverseproxy.go:1299)"
}
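As an added illustration, not code from the original thread or from the Caddy project, the following Python script automates the two diagnoses made above by reading Caddy's JSON log. For the proxy loop it rebuilds the URL the client asked for (scheme from the X-Forwarded-Proto header Caddy sets, plus the client's Host and URI) and flags an "upstream roundtrip" whose redirect Location is that same URL; a 308 to https://<same host>/ carrying Server: Caddy is exactly Caddy's automatic HTTP-to-HTTPS redirect, so seeing it as the upstream's answer means the proxied request arrived back at Caddy's own port 80. For the 502 it flags the "first record does not look like a TLS handshake" error: any tls_* option under transport http switches the upstream connection to TLS, so the suggested config sends a TLS ClientHello to 192.168.0.1:80, and a plaintext HTTP listener on that port answers in a way the Go TLS client reports with exactly that message. The sample log lines are constructed to resemble the entries quoted in this thread (abbreviated, not verbatim), and the function names are my own.

```python
import json

# Constructed sample lines modelled on the Caddy debug/error output quoted in
# this thread (abbreviated, not copied verbatim). Real `docker logs caddy`
# output is one JSON object per line; the parser below also accepts objects
# run together as "}{" the way the formatted log above shows them.
SAMPLE_LOG = '''
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"192.168.0.1:80","request":{"remote_ip":"172.17.0.1","proto":"HTTP/2.0","method":"GET","host":"router.stevecraft.cz","uri":"/","headers":{"X-Forwarded-Proto":["https"],"X-Forwarded-For":["172.17.0.1"]}},"headers":{"Server":["Caddy"],"Content-Length":["0"],"Location":["https://router.stevecraft.cz/"]},"status":308}
{"level":"debug","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"172.17.0.1:8080","request":{"remote_ip":"172.17.0.1","proto":"HTTP/2.0","method":"GET","host":"vault.stevecraft.cz","uri":"/","headers":{"X-Forwarded-Proto":["https"]}},"headers":{"Content-Type":["text/html"]},"status":200}
{"level":"error","logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"remote_ip":"172.17.0.1","proto":"HTTP/1.1","method":"GET","host":"router.stevecraft.cz","uri":"/"},"status":502,"err_id":"vf6qv0m6p"}
'''

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_caddy_log(text):
    """Yield the JSON objects in Caddy's structured log, one per entry."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def header(headers, name):
    """Case-insensitive lookup of a header's first value in Caddy's
    {name: [values]} representation; None when absent."""
    for key, values in (headers or {}).items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def classify(entry):
    """Return (kind, where, detail) for one log entry, or None if it is benign."""
    msg = entry.get("msg", "")
    req = entry.get("request") or {}
    if entry.get("logger") == "http.handlers.reverse_proxy" and msg == "upstream roundtrip":
        resp = entry.get("headers") or {}
        # Rebuild the URL the client asked Caddy for: Caddy stamps the original
        # scheme into X-Forwarded-Proto and forwards the client's Host and URI.
        scheme = header(req.get("headers"), "X-Forwarded-Proto") or "http"
        asked_for = f"{scheme}://{req.get('host')}{req.get('uri', '/')}"
        location = header(resp, "Location")
        if entry.get("status") in REDIRECT_STATUSES and location == asked_for:
            detail = f"upstream answered {entry['status']} Location: {location}, the very URL being proxied"
            if header(resp, "Server") == "Caddy":
                detail += " (Server: Caddy, so the request landed on Caddy's own listener)"
            return ("proxy_loop", entry.get("upstream"), detail)
        return None
    if entry.get("logger") == "http.log.error" and "does not look like a TLS handshake" in msg:
        return ("tls_to_plaintext_upstream", req.get("host"),
                "the proxy transport sent a TLS ClientHello but the peer replied in plaintext; "
                "drop the tls_* transport options for a plain-HTTP upstream")
    return None


def triage(text):
    """Run classify() over every entry and return the findings in log order."""
    return [f for f in (classify(e) for e in parse_caddy_log(text)) if f]


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:26} {str(where):24} {detail}")
```

Feed it the raw output of docker logs caddy (with the debug global option on, as in the Caddyfile above) and a proxy_loop finding naming the upstream tells you which site block is dialling an address that routes back to Caddy, which is the hairpin situation the reply above describes.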
