Main Domain and Alias Domains showing 520 error

1. The problem I’m having:

Hi! I have three domains which I want to use.

example.com
example.de
example.co

.com is the main domain, which also uses the two subdomains dev.example.com and staging.example.com.
The .co and .de domains shall be used as alias domains. I thought I could use wildcard certs to make it easier. But the problem is that the .de and .co domains are not working at all - for both I get the response "Web server is returning an unknown error Error code 520" from Cloudflare.

The subdomains for the main domain, staging and dev, are working as expected. But the main domain itself is also making problems. Here I can open my WordPress instance when using www.example.com but not example.com alone. Here I also get the same error message "Web server is returning an unknown error Error code 520".

2. Error messages and/or full log output:

2023/11/06 09:58:20.805	INFO	http.log.access.log0	handled request	{"request": {"remote_ip": "162.158.yy.xx", "remote_port": "58102", "client_ip": "162.158.yy.xx", "proto": "HTTP/2.0", "method": "GET", "host": "www.example.com", "uri": "/", "headers": {"User-Agent": ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"], "Sec-Fetch-User": ["?1"], "Sec-Fetch-Dest": ["document"], "Cdn-Loop": ["cloudflare"], "Upgrade-Insecure-Requests": ["1"], "X-Forwarded-Proto": ["https"], "Sec-Ch-Ua": ["\"Chromium\";v=\"119\", \"Not?A_Brand\";v=\"24\""], "Sec-Ch-Ua-Mobile": ["?0"], "Sec-Ch-Ua-Platform": ["\"macOS\""], "Sec-Fetch-Mode": ["navigate"], "Cf-Ray": ["821c7a3beb183626-FRA"], "X-Forwarded-For": 

3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=

4. How I installed and ran Caddy:

a. System environment:

Debian 12, ARM

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

*.example.com, *.example.de, *.example.co {
  tls {
    dns cloudflare a-TuImIakmNlEUnKNHAQG3P2VKmZYuKs48n0tERY
  }

  @wpaliases host www.example.com, *.example.de, *.example.co
  handle @wpaliases {
    redir https://example.com{uri}
  }

  @wpts-prod host example.com
  handle @wpts-prod {
    root * /var/www/vhosts/example.com/public
    encode zstd gzip
    php_fastcgi unix//var/run/php8.2-fpm-wp-ts-prod.sock
    file_server

    @disallowed {
      path /xmlrpc.php
      path *.sql
      path /wp-content/uploads/*.php
    }
    rewrite @disallowed '/index.php'
  }

  @wpts-stage host staging.example.com
  handle @wpts-stage {
    root * /var/www/vhosts/staging.example.com/public
    encode zstd gzip
    php_fastcgi unix//var/run/php8.2-fpm-wp-example-dev.sock
    file_server

    @disallowed {
      path /xmlrpc.php
      path *.sql
      path /wp-content/uploads/*.php
    }
    rewrite @disallowed '/index.php'
  }

  @wpts-dev host dev.example.com
  handle @wpts-dev {
    root * /var/www/vhosts/dev.example.com/public
    encode zstd gzip
    php_fastcgi unix//var/run/php8.3-fpm-wp-example-dev.sock
    file_server

    @disallowed {
      path /xmlrpc.php
      path *.sql
      path /wp-content/uploads/*.php
    }
    rewrite @disallowed '/index.php'
  }

  handle {
    abort
  }

  log {
    output file /var/log/caddy/example.com
    format console
  }
}

5. Links to relevant resources:

I hope that’s not your real API key you shared. That must remain secret. If so, you’ll need to invalidate that API key and generate a new one ASAP.

We’re looking for Caddy’s runtime logs (i.e. stdout). You shared a single access log (with the end part chopped off so it’s an incomplete log line). Please read Keep Caddy Running — Caddy Documentation to see how to get Caddy’s logs.

@francislavoie Thanks for your response. Regarding the API key, it was only one for staging - but I removed/changed it. Thanks for the hint, forgot about it.

Following is the logfile:

Nov 06 11:26:24 sys01 systemd[1]: Started caddy.service - Caddy.
Nov 06 11:26:25 sys01 caddy[423309]: caddy.HomeDir=/var/lib/caddy
Nov 06 11:26:25 sys01 caddy[423309]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Nov 06 11:26:25 sys01 caddy[423309]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Nov 06 11:26:25 sys01 caddy[423309]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Nov 06 11:26:25 sys01 caddy[423309]: caddy.Version=v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=
Nov 06 11:26:25 sys01 caddy[423309]: runtime.GOOS=linux
Nov 06 11:26:25 sys01 caddy[423309]: runtime.GOARCH=arm64
Nov 06 11:26:25 sys01 caddy[423309]: runtime.Compiler=gc
Nov 06 11:26:25 sys01 caddy[423309]: runtime.NumCPU=8
Nov 06 11:26:25 sys01 caddy[423309]: runtime.GOMAXPROCS=8
Nov 06 11:26:25 sys01 caddy[423309]: runtime.Version=go1.21.3
Nov 06 11:26:25 sys01 caddy[423309]: os.Getwd=/
Nov 06 11:26:25 sys01 caddy[423309]: LANG=en_US.UTF-8
Nov 06 11:26:25 sys01 caddy[423309]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Nov 06 11:26:25 sys01 caddy[423309]: HOME=/var/lib/caddy
Nov 06 11:26:25 sys01 caddy[423309]: LOGNAME=caddy
Nov 06 11:26:25 sys01 caddy[423309]: USER=caddy
Nov 06 11:26:25 sys01 caddy[423309]: INVOCATION_ID=b4ce91d0b7624f2a978cd5541a609ac1
Nov 06 11:26:25 sys01 caddy[423309]: JOURNAL_STREAM=8:1807354
Nov 06 11:26:25 sys01 caddy[423309]: SYSTEMD_EXEC_PID=423309
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.044199,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"warn","ts":1699266385.0474494,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0490386,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0499341,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0x400062bd80"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.050826,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.050883,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.058761,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0587888,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0590348,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0590782,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.059085,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["*.example.de","*.example.co","*.example.com"]}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.06263,"logger":"tls","msg":"finished cleaning storage units"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0652442,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Nov 06 11:26:25 sys01 caddy[423309]: {"level":"info","ts":1699266385.0652792,"msg":"serving initial configuration"}

That’s all I got from a fresh start (and test).

From your logs it seems like Caddy started fine and already has certs issued.

What proxy mode did you set in Cloudflare?

You can also try a request in your browser with https://example.com/cdn-cgi/trace (using your actual domain of course) which may show some more details. That’s a special URL that Cloudflare handles to show some info when proxying is enabled.

Did you mean the SSL encryption mode? It’s set to Full.

The response of the request looks like that:

fl=471f264
h=example.com
ip=2a02:8106:32:9f00:54b3:e014:be93:97b3
ts=1699269285.014
visit_scheme=https
uag=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
colo=FRA
sliver=010-tier1
http=http/3
loc=DE
tls=TLSv1.3
sni=plaintext
warp=off
gateway=off
rbi=off
kex=X25519
Apollo

Also, I came from nginx, which I used before. This was working fine with the CF settings.

A note. If I configure the domains individually, it works. So I assume, it must be an issue with the config.

www.example.com, example.de, www.example.de, example.co, www.example.co {
  tls {
    dns cloudflare blabla
  }
  redir https://example.com{uri}
}

example.com {
  tls {
    dns cloudflare a-TuImIakmNlEUnKNHAQG3P2VKmZYuKs48n0tERY
  }
  log {
    output file /var/log/caddy/example.com
    format console
  }
  root * /var/www/vhosts/example.com/public
  encode zstd gzip
  php_fastcgi unix//var/run/php8.2-fpm.sock
  file_server

  @cache {
    not header_regexp Cookie "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_logged_in"
    not path_regexp "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(index)?.xml|[a-z0-9-]+-sitemap([0-9]+)?.xml)"
    not method POST
    not expression {query} != ''
  }

  route @cache {
    try_files /wp-content/cache/wp-rocket/{host}{uri}/index-https.html /wp-content/cache/wp-rocket/{host}{uri}/index.html {path} {path}/index.php?{query}
  }

  @disallowed {
    path /xmlrpc.php
    path *.sql
    path /wp-content/uploads/*.php
  }
  rewrite @disallowed '/index.php'
}

Ah, in that case your problem is that *.example.com does not match example.com. A wildcard doesn’t also cover apex domains. You need to list both in your site addresses.
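As an added check (this is not code from the thread or from Caddy itself), the following Go program implements the single-label wildcard rule that Caddy's host matcher and site addresses follow: a `*` stands for exactly one DNS label, so `*.example.com` matches `www.example.com` but neither the apex `example.com` nor `a.b.example.com`. It then runs the thread's hostnames against the original site-address line and against a corrected one that lists the apex names too, reporting which hostnames no site address covers. The hostname list, the function names and the corrected address list are my assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// hostMatches reports whether hostname matches one site-address pattern
// using the single-label wildcard rule: "*" fills exactly one label, so the
// label counts must be equal and every non-wildcard label must be identical
// (case-insensitively). Without a "*" the pattern must match exactly.
func hostMatches(pattern, hostname string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	hostname = strings.ToLower(strings.TrimSuffix(hostname, "."))
	if !strings.Contains(pattern, "*") {
		return pattern == hostname
	}
	pLabels := strings.Split(pattern, ".")
	hLabels := strings.Split(hostname, ".")
	if len(pLabels) != len(hLabels) {
		return false // apex (one label fewer) or deeper subdomain (one more)
	}
	for i := range pLabels {
		if pLabels[i] != "*" && pLabels[i] != hLabels[i] {
			return false
		}
	}
	return true
}

// unmatchedHosts returns, in input order, the hostnames that no site address
// covers. Such hosts are neither routed to the site block nor included in
// its automatic certificate management.
func unmatchedHosts(siteAddresses, hostnames []string) []string {
	var missing []string
	for _, h := range hostnames {
		covered := false
		for _, addr := range siteAddresses {
			if hostMatches(addr, h) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, h)
		}
	}
	return missing
}

// Hostnames the thread expects to serve (assumed list: apex, www and the
// two environments of the main domain).
var threadHostnames = []string{
	"example.com", "www.example.com", "dev.example.com", "staging.example.com",
	"example.de", "www.example.de",
	"example.co", "www.example.co",
}

// The site-address line from the first config in the thread.
var originalAddresses = []string{"*.example.com", "*.example.de", "*.example.co"}

// The fix suggested in the thread: list each apex next to its wildcard.
var fixedAddresses = []string{
	"example.com", "*.example.com",
	"example.de", "*.example.de",
	"example.co", "*.example.co",
}

func main() {
	fmt.Println("unmatched with original addresses:", unmatchedHosts(originalAddresses, threadHostnames))
	fmt.Println("unmatched with fixed addresses:   ", unmatchedHosts(fixedAddresses, threadHostnames))
}
```

With the original addresses the three unmatched hosts are exactly `example.com`, `example.de` and `example.co`, the three names that returned the Cloudflare 520; with the corrected list nothing is left uncovered. The same label-count rule is why the wildcard certificate obtained for `*.example.com` does not cover the apex either.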

Ahhhh! That explains it. With adding the domains without wildcard my first config is working now. Thank you!
