Issue with reverse_proxy to a php backend for an API: "remote error: tls: internal error"

boroth · October 9, 2024, 4:50pm

1. The problem I’m having:

I’m trying to setup a caddy reverse_proxy to a php server for an API. Intended behavior: My clientside app lives at fake-aws.leadingreach.localhost:8093. That application is served properly (see config below). However, when I make a request to fake-aws.leadingreach.localhost:8093/proxy/api, I want that request reverse proxied to :15001, which should be my PHP backend which does a php_fastcgi to port 14999.

2. Error messages and/or full log output:

This is what I see in the caddy logs when I try to hit :8093/proxy/api/login_validate:

2024/10/09 15:53:21.854 DEBUG   events  event   {"name": "tls_get_certificate", "id": "d4c07b46-fa8b-4f86-aa11-ba4f8369e512", "origin": "tls", "data": {"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[47802,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[47802,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":63970,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":8083,"Zone":""}}}}
2024/10/09 15:53:21.858 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/09 15:53:21.859 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:21.860 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "63970", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/10 03:52:06.000", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:21.876 DEBUG   http.stdlib     http: TLS handshake error from 192.168.65.1:63970: remote error: tls: unknown certificate
2024/10/09 15:53:23.978 DEBUG   events  event   {"name": "tls_get_certificate", "id": "94f76c1b-318e-417f-bd29-168554cc459d", "origin": "tls", "data": {"client_hello":{"CipherSuites":[27242,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[19018,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[10794,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":47602,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":8083,"Zone":""}}}}
2024/10/09 15:53:23.978 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/09 15:53:23.978 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:23.978 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "47602", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/10 03:52:06.000", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:23.979 DEBUG   http.stdlib     http: TLS handshake error from 192.168.65.1:47602: remote error: tls: unknown certificate
2024/10/09 15:53:23.984 DEBUG   events  event   {"name": "tls_get_certificate", "id": "eed81916-3d62-4b6b-97b2-428d13eea5a0", "origin": "tls", "data": {"client_hello":{"CipherSuites":[64250,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[64250,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[51914,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":64025,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":8083,"Zone":""}}}}
2024/10/09 15:53:23.984 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/09 15:53:23.984 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:23.984 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "64025", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/10 03:52:06.000", "hash": "3c02d41688f8745373cf85910877eb0401766991326185808fb110630a3a1ebe"}
2024/10/09 15:53:24.031 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_ip": "192.168.65.1", "remote_port": "64025", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/", "headers": {"Sec-Fetch-Dest": ["document"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Upgrade-Insecure-Requests": ["1"], "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"], "Cache-Control": ["max-age=0"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "Sec-Fetch-Site": ["none"], "Sec-Fetch-Mode": ["navigate"], "Sec-Fetch-User": ["?1"], "Sec-Ch-Ua-Mobile": ["?0"], "Priority": ["u=0, i"], "Accept-Language": ["en-US,en;q=0.9"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "method": "GET", "uri": "/index.html"}
2024/10/09 15:53:24.034 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/index.html", "result": "/var/www/apphead/current/build_admin/index.html"}
2024/10/09 15:53:24.035 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/index.html"}
2024/10/09 15:53:24.076 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/img/support-open.svg", "result": "/var/www/apphead/current/build_admin/assets/img/support-open.svg"}
2024/10/09 15:53:24.076 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/css/vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.LeadingReach.css", "result": "/var/www/apphead/current/build_admin/assets/css/vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.LeadingReach.css"}
2024/10/09 15:53:24.076 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/img/support-open.svg"}
2024/10/09 15:53:24.076 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/img/support-close.svg", "result": "/var/www/apphead/current/build_admin/assets/img/support-close.svg"}
2024/10/09 15:53:24.077 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/css/vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.LeadingReach.css"}
2024/10/09 15:53:24.077 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/css/styles.LeadingReach.css", "result": "/var/www/apphead/current/build_admin/assets/css/styles.LeadingReach.css"}
2024/10/09 15:53:24.081 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/img/support-close.svg"}
2024/10/09 15:53:24.082 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/css/styles.LeadingReach.css"}
2024/10/09 15:53:24.107 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/img/support-chat.svg", "result": "/var/www/apphead/current/build_admin/assets/img/support-chat.svg"}
2024/10/09 15:53:24.107 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/img/support-helpdesk.svg", "result": "/var/www/apphead/current/build_admin/assets/img/support-helpdesk.svg"}
2024/10/09 15:53:24.108 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/img/support-chat.svg"}
2024/10/09 15:53:24.108 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/img/support-helpdesk.svg"}
2024/10/09 15:53:24.147 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/js-wp/leadingreach-styles.c1e0fc335b259e630130.js", "result": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-styles.c1e0fc335b259e630130.js"}
2024/10/09 15:53:24.148 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-styles.c1e0fc335b259e630130.js"}
2024/10/09 15:53:24.167 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/js-wp/leadingreach-admin.e80520bcb3f21a07bb58.js", "result": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-admin.e80520bcb3f21a07bb58.js"}
2024/10/09 15:53:24.168 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-admin.e80520bcb3f21a07bb58.js"}
2024/10/09 15:53:24.176 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_ip": "192.168.65.1", "remote_port": "64025", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/proxy/login_validate", "headers": {"Sec-Ch-Ua-Platform": ["\"macOS\""], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Sec-Ch-Ua-Mobile": ["?0"], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Priority": ["u=1, i"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Referer": ["https://fake-aws.leadingreach.localhost:8083/"], "Accept-Language": ["en-US,en;q=0.9"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "method": "GET", "uri": "/login_validate"}
2024/10/09 15:53:24.177 DEBUG   http.handlers.reverse_proxy     selected upstream       {"dial": ":15001", "total_upstreams": 1}
2024/10/09 15:53:24.179 DEBUG   http.handlers.file_server       sanitized path join     {"site_root": "/var/www/apphead/current/build_admin", "fs": "", "request_path": "/assets/js-wp/leadingreach-vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.7c6e1407d13ff1b2e4cd.js", "result": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.7c6e1407d13ff1b2e4cd.js"}
2024/10/09 15:53:24.180 DEBUG   http.handlers.file_server       opening file    {"filename": "/var/www/apphead/current/build_admin/assets/js-wp/leadingreach-vendors-_yarn___virtual___datadog-browser-rum-virtual-25a58865cf_0_cache_datadog-browser-rum--f223b3.7c6e1407d13ff1b2e4cd.js"}
2024/10/09 15:53:24.191 DEBUG   events  event   {"name": "tls_get_certificate", "id": "bd0957f0-b668-4c34-84b4-f379ab28932c", "origin": "tls", "data": {"client_hello":{"CipherSuites":[49195,49199,49196,49200,52393,52392,49161,49171,49162,49172,49170,4865,4866,4867],"ServerName":"","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2052,1027,2055,2053,2054,1025,1281,1537,1283,1539,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"127.0.0.1","Port":51016,"Zone":""},"LocalAddr":{"IP":"127.0.0.1","Port":15001,"Zone":""}}}}
2024/10/09 15:53:24.191 DEBUG   tls.handshake   no matching certificates and no custom selection logic  {"identifier": "127.0.0.1"}
2024/10/09 15:53:24.192 DEBUG   tls.handshake   no certificate matching TLS ClientHello {"remote_ip": "127.0.0.1", "remote_port": "51016", "server_name": "", "remote": "127.0.0.1:51016", "identifier": "127.0.0.1", "cipher_suites": [49195, 49199, 49196, 49200, 52393, 52392, 49161, 49171, 49162, 49172, 49170, 4865, 4866, 4867], "cert_cache_fill": 0.0001, "load_or_obtain_if_necessary": true, "on_demand": false}
2024/10/09 15:53:24.192 DEBUG   http.stdlib     http: TLS handshake error from 127.0.0.1:51016: no certificate available for '127.0.0.1'
2024/10/09 15:53:24.193 DEBUG   http.handlers.reverse_proxy     upstream roundtrip      {"upstream": ":15001", "duration": 0.015875459, "request": {"remote_ip": "192.168.65.1", "remote_port": "64025", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/login_validate", "headers": {"Sec-Ch-Ua-Platform": ["\"macOS\""], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Sec-Fetch-Dest": ["empty"], "X-Forwarded-For": ["192.168.65.1"], "X-Forwarded-Proto": ["https"], "Priority": ["u=1, i"], "Sec-Fetch-Mode": ["cors"], "Referer": ["https://fake-aws.leadingreach.localhost:8083/"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"], "Accept-Language": ["en-US,en;q=0.9"], "X-Forwarded-Host": ["fake-aws.leadingreach.localhost:8083"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "error": "remote error: tls: internal error"}
2024/10/09 15:53:24.193 ERROR   http.log.error  remote error: tls: internal error       {"request": {"remote_ip": "192.168.65.1", "remote_port": "64025", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/proxy/login_validate", "headers": {"Priority": ["u=1, i"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Sec-Ch-Ua-Mobile": ["?0"], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Referer": ["https://fake-aws.leadingreach.localhost:8083/"], "Accept-Language": ["en-US,en;q=0.9"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "duration": 0.017667125, "status": 502, "err_id": "qjp4gu1tz", "err_trace": "reverseproxy.statusError (reverseproxy.go:1269)"}

I’m able to curl to my domain/port successfully, the issue seems to be specifically with the reverse_proxy? The errors below are coming from PHP, so it seems like the php_fastcgi is working as well.

root@094e336216ab:/var/www/apptail/current# curl https://fake-aws.leadingreach.localhost:15001/php-info
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='/'" />

        <title>Redirecting to /</title>
    </head>
    <body>
        Redirecting to <a href="/">/</a>.
    </body>
</html>
root@094e336216ab:/var/www/apptail/current# curl https://fake-aws.leadingreach.localhost:15001/privacy-policy
{"code":405,"message":"No route found for \u0022GET https:\/\/fake-aws.leadingreach.localhost:15001\/privacy-policy\u0022: Method Not Allowed (Allow: NONE, OPTIONS)"}
root@094e336216ab:/var/www/apptail/current#

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

Docker, it’s a debian-based container with shared services (don’t hate me, I was asked to do it this way for “simplicity” and “cost” reasons). Caddy is instaled

b. Command:

caddy start --config=/etc/caddy/Caddyfile

c. Service/unit/compose file:

Caddy installed in Docker image (Dockerfile):

RUN apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
RUN curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list
RUN apt update
RUN apt install caddy

d. My complete Caddy config:


{
    debug
	log default {
		format console
		output file /var/log/caddy/system.log
		exclude http.log.access
	}
	servers :8083 {
		name appadmin
	}
	servers :15001 {
		name api
	}
}

fake-aws.leadingreach.localhost:8083 {
	tls internal

	handle_path /proxy/* {
		reverse_proxy :15001 {
            transport http {
                tls_insecure_skip_verify
            }
        }
	}

	handle {
		root * /var/www/apphead/current/build_admin
		file_server
		try_files {path} /index.html
	}
}

##### Backend servers
fake-aws.leadingreach.localhost:15001, :15001 {
	tls internal
	root * /var/www/apptail/current/public

	log {
		output file /var/log/caddy/apptail-api.access.log
		format console
	}

	# Encode responses in zstd or gzip, depending on the
	# availability indicated by the browser.
	encode zstd gzip

	# Configures multiple PHP-related settings
	php_fastcgi :14999

	# Prevent access to dot-files, except .well-known
	@dotFiles {
		path */.*
		not path /.well-known/*
	}
}

5. Links to relevant resources:

francislavoie · October 9, 2024, 6:45pm

Remove this. You should only have this if your upstream is HTTPS.

But your setup is strange. Don’t have Caddy proxy to itself, that adds pointless overhead.

If your goal is to deduplicate config, then use named routes to share the routes between two or more sites.

That doesn’t do anything. You just declared a matcher, but didn’t do anything with it (i.e. attach it to a handler). It gets culled from your config.

You should not use caddy start, because that has no uptime guarantees, nothing to restart it when your machine reboots etc. Use caddy run instead.

Why not use our Caddy Docker image instead? Keep Caddy Running — Caddy Documentation

boroth · October 9, 2024, 8:42pm

I’d love to avoid unnecessary proxying if I can. Essentially I have a SPA (react) served from the port 8093, and I want the :8093/proxy/* routes to be proxied to my PHP backend server. I’m playing around with something like this, and it almost seems to be working, but I’m not getting any response from my backend server, even though it redirects to the proper path:

fake-aws.leadingreach.localhost:8083 {
    tls internal

    handle_path /proxy/* {
        php_fastcgi :14999 {
            root /var/www/apptail/current/public
        }
    }

    handle {
        root * /var/www/apphead/current/build_admin
        file_server
        try_files {path} /index.html
    }
}

I get a 200 response code now, but no response data. So your initial response definitely helped. I just need to figure out why I’m not getting any data back from index.php in my php root.

2024/10/09 20:29:43.379 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_ip": "192.168.65.1", "remote_port": "39700", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/proxy/login_validate", "headers": {"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Priority": ["u=1, i"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "Accept": ["*/*"], "Sec-Fetch-Site": ["same-origin"], "Referer": ["https://fake-aws.leadingreach.localhost:8083/"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Accept-Language": ["en-US,en;q=0.9"], "Sec-Ch-Ua-Mobile": ["?0"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "method": "GET", "uri": "/login_validate"}

Makes sense, I’ll make this update.

I’d much prefer to do it this way, but we’re building this image based off of a proprietary PHP image (and unfortunately needing to have Caddy installed in the same image). Mostly doing pre client/business request/requirements, but I’d rather not.

francislavoie · October 9, 2024, 8:57pm

handle_path’s prefix stripping does not affect the REQUEST_URI passed to your PHP app, because as per the CGI spec, REQUEST_URI should be the original URI sent by the client. So your app might not be handling the /proxy that appears in that URI, resulting an empty response.

boroth · October 10, 2024, 3:29pm

Good to know. I’ll look around, but I think my PHP app would throw a “route not found” error if it was trying to handle /proxy/login_validate since it’s not a valid route. Also, I’m not seeing anything in the Caddy logs to show that it’s even passing the request to fastcgi (http.reverse_proxy.transport.fastcgi). I see the rewrite from handle_path (http.handlers.rewrite) but no fastcgi in the debug logs.

2024/10/10 15:29:02.410 DEBUG   events  event   {"name": "tls_get_certificate", "id": "28b7fa95-7dec-4070-8957-09fd3d1315bf", "origin": "tls", "data": {"client_hello":{"CipherSuites":[6682,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[14906,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":49381,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":8083,"Zone":""}}}}
2024/10/10 15:29:02.410 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/10 15:29:02.410 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 15:29:02.411 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "49381", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/11 03:26:04.000", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 15:29:02.413 DEBUG   http.stdlib     http: TLS handshake error from 192.168.65.1:49381: remote error: tls: unknown certificate
2024/10/10 15:29:02.414 DEBUG   events  event   {"name": "tls_get_certificate", "id": "3b798d4e-5fb0-417e-9ee3-19b20f10bd55", "origin": "tls", "data": {"client_hello":{"CipherSuites":[60138,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[19018,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[60138,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":31071,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":8083,"Zone":""}}}}
2024/10/10 15:29:02.414 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/10 15:29:02.414 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 15:29:02.414 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "31071", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/11 03:26:04.000", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 15:29:02.420 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_ip": "192.168.65.1", "remote_port": "31071", "client_ip": "192.168.65.1", "proto": "HTTP/2.0", "method": "GET", "host": "fake-aws.leadingreach.localhost:8083", "uri": "/proxy/login_validate", "headers": {"Sec-Ch-Ua-Platform": ["\"macOS\""], "Accept": ["*/*"], "User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36"], "Priority": ["u=1, i"], "Sec-Fetch-Mode": ["cors"], "Sec-Fetch-Dest": ["empty"], "Referer": ["https://fake-aws.leadingreach.localhost:8083/"], "Accept-Encoding": ["gzip, deflate, br, zstd"], "Accept-Language": ["en-US,en;q=0.9"], "Sec-Ch-Ua": ["\"Google Chrome\";v=\"129\", \"Not=A?Brand\";v=\"8\", \"Chromium\";v=\"129\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Fetch-Site": ["same-origin"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "server_name": "fake-aws.leadingreach.localhost"}}, "method": "GET", "uri": "/login_validate"}

boroth · October 10, 2024, 3:41pm

Started looking at your response/answer here, but I have that same/similar setup but I’m still not seeing the fastcgi in logs at all:

fake-aws.leadingreach.localhost:8083 {
    tls internal

    handle_path /proxy/* {
        # Configures multiple PHP-related settings
        root /var/www/apptail/current/public
        vars rewritten_uri {uri}

        php_fastcgi :14999 {
             env REQUEST_URI {vars.rewritten_uri}
        }
    }

    handle {
        root * /var/www/apphead/current/build_admin
        file_server
        try_files {path} /index.html
    }
}

boroth · October 10, 2024, 4:10pm

I’ve even tried just simplifying as much as possible to make a simple request to the php server directly, and still not getting anything in the logs about fastcgi.

Making a request to fake-aws.leadingreach.localhost:15000/php-info, and just getting an empty 200 response. I feel like I’m missing something very obvious.

Caddyfile:

fake-aws.leadingreach.localhost:15000 {
    root /var/www/apptail/current/public

    # Configures multiple PHP-related settings
    php_fastcgi 127.0.0.1:14999 {
        root /var/www/apptail/current/public
    }
}

Caddy logs:

2024/10/10 16:08:14.676 DEBUG   events  event   {"name": "tls_get_certificate", "id": "5454c4ce-85c2-414d-8fed-cee6cbfc0310", "origin": "tls", "data": {"client_hello":{"CipherSuites":[39578,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[19018,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[35466,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":17035,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":15000,"Zone":""}}}}
2024/10/10 16:08:14.676 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/10 16:08:14.676 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 16:08:14.676 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "17035", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/11 03:26:04.000", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 16:08:14.678 DEBUG   http.stdlib     http: TLS handshake error from 192.168.65.1:17035: remote error: tls: unknown certificate
2024/10/10 16:08:14.679 DEBUG   events  event   {"name": "tls_get_certificate", "id": "94cef7f3-d08b-472b-a985-7a5c63b88daf", "origin": "tls", "data": {"client_hello":{"CipherSuites":[6682,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"ServerName":"fake-aws.leadingreach.localhost","SupportedCurves":[51914,25497,29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[31354,772,771],"RemoteAddr":{"IP":"192.168.65.1","Port":39831,"Zone":""},"LocalAddr":{"IP":"172.17.0.3","Port":15000,"Zone":""}}}}
2024/10/10 16:08:14.679 DEBUG   tls.handshake   choosing certificate    {"identifier": "fake-aws.leadingreach.localhost", "num_choices": 1}
2024/10/10 16:08:14.679 DEBUG   tls.handshake   default certificate selection results   {"identifier": "fake-aws.leadingreach.localhost", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "issuer_key": "local", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}
2024/10/10 16:08:14.679 DEBUG   tls.handshake   matched certificate in cache    {"remote_ip": "192.168.65.1", "remote_port": "39831", "subjects": ["fake-aws.leadingreach.localhost"], "managed": true, "expiration": "2024/10/11 03:26:04.000", "hash": "044af6e9854006af04234bcbc4b7564388073451c539b5f72faa909830b85677"}

system · November 9, 2024, 4:10pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.