Proxy to Other SSL Website

(Alex) #1

Hello folks! I’m new to the caddy scene so I’m looking for some help.

I have Caddy .11 installed on Ubuntu 16.04. I am successfully using Caddy to reverse proxy to several sites I have behind my router on several VMs. There are all not using HTTPS on their end, (HTTP traffic locally). I have a site that is https://IP-of-server. Is it possible to get this site proxied? Even if it was just using the self-signed and not the LetsEncrypt, that’s do-able; although I would prefer the LetsEncrypt cert.

I’ve tried setting the Caddy file like: {
tls sef_signed
proxy /

Also tried the same above but using “transparent”.

The site is using a self-signed cert issued by the server itself and the software does not allow HTTP mode.


(Matthew Fay) #2

Hi @kazea182, welcome to the Caddy community!

Try something like this:

proxy / {

The insecure_skip_verify will tell Caddy not to validate the server’s certificate against a trusted authority (which naturally isn’t feasible for a self-signed certificate).

(Alex) #3

After doing that, I get 502 Bad Gateway.

This page does have a sign-in prompt.

Here is what Caddy looks like. I’ve tried it with transparent and websocket each removed. {
proxy / {

(Matthew Fay) #4

Can you post the output of curl -kIL from the Caddy host?

(Alex) #5

HTTP/1.1 401 Unauthorized
Content-Length: 0
Server: Microsoft-HTTPAPI/2.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
Date: Tue, 15 May 2018 00:25:48 GMT

(Matthew Fay) #6

Hmm, Caddy shouldn’t be giving you 502s, then, unless I’m mistaken (it should be passing the 401s on to you).

Can you add errors /path/to/caddy.errors to your Caddyfile, provoke another 502 error, and then post the contents of that file?

(Alex) #7

I added it to the top of my caddy file and it killed Caddy. How do you run caddy without systemctl so I can get the log of that?

(Matthew Fay) #8

You can run it from the command line. Optionally change the line to errors stdout (for convenience), run caddy -log stdout -conf /path/to/Caddyfile in one terminal, and curl -I in another terminal. Paste the output from the Caddy terminal here.

(Alex) #9

I need to upload to a pastebin, it won’t let me post because it has Links. Give me a moment.

(Alex) #10 (Output of terminal)

This is the output of the curl:

HTTP/1.1 401 Unauthorized
Content-Length: 0
Date: Tue, 15 May 2018 00:36:31 GMT
Server: Caddy
Server: Microsoft-HTTPAPI/2.0
Www-Authenticate: Negotiate
Www-Authenticate: NTLM

(Matthew Fay) #11

There are no 502s there - looks like Caddy is proxying that site successfully now. Run it via systemctl service again and see if the issue returns?

(Alex) #12

Weird, I’m getting 502 when I go to display the page itself.

(Matthew Fay) #13

I’d suspect browser caching? The upstream server is returning a zero-length body with a valid status, so Caddy should be giving you exactly that - no body, blank page, and while I’m not familiar with NTLM, maybe a browser prompt?

(Alex) #14

Alright, so yeah. I opened incognito and I get my login prompt. However login passes but nothing is returned. Not sure if that could be looked at here or if that is something else I need to look into.

(Matthew Fay) #15

Knowing personally that my knowledge of NTLM is wanting, if it were me, I’d look there first to determine exactly what it requires. If it’s not an auth-specific problem… I’d be a bit stumped. Generally the proxy is pretty faithful - everything you send goes upstream, everything coming back makes it to your client.

(Alex) #16

Appears to be a unsupported here:

NTLM Auth requires keep-alive

(Alex) #17

I tried changing it back to http1.1 as stated here: but when I restart caddy, it doesn’t understand the directive http2, can you help?

This is what that entry looks like now: {
tls {
http2 off
proxy / {

This is the error i get:

caddy@caddy:~$ sudo caddy -log stdout -conf /etc/caddy/Caddyfile
2018/05/14 21:20:20 /etc/caddy/Caddyfile:61 - Error during parsing: Unknown subdirective ‘http2’

(Alex) #18

Curious. Do you know anything about this caddy plugin?

Looks like this might help me according to some other people using NTLM.

(Matthew Fay) #19

I’ve had passing experience with it. It can auth against LDAP, so if you’re a Microsoft shop, that might suffice… But I think you’d have to remove the auth from the upstream server anyway.