1. Caddy version (caddy version):
v2.5.0 h1:eRHzZ4l3X6Ag3kUt8nj5IxATprhqKq/wToP7OHlXWA0=
2. How I run Caddy:
systemd unit
a. System environment:
ubuntu 22.04, systemd 249 (249.11-0ubuntu3.1)
b. Command:
c. Service/unit/compose file:
stock
d. My complete Caddyfile or JSON config:
# Global options
{
	servers :443 {
		protocol {
			experimental_http3
		}
	}
	# ...
}

# Snippet: headers applied to responses coming back from upstreams
(proxy) {
	header_down Location "http://" "https://"
	header_down -Strict-Transport-Security
	header_down -Server
}

# Snippet: TLS issuers and security headers shared by every site
(common) {
	tls {
		key_type p256
		issuer acme {
			dir https://acme-v02.api.letsencrypt.org/directory
			test_dir https://acme-staging-v02.api.letsencrypt.org/directory
			email ...
		}
		issuer acme {
			dir https://dv.acme-v02.api.pki.goog/directory
			test_dir https://dv.acme-v02.test-api.pki.goog/directory
			email ...
			eab ...
		}
		issuer acme {
			dir https://api.buypass.com/acme/directory
			test_dir https://api.test4.buypass.no/acme/directory
			email ...
		}
		issuer acme {
			dir https://acme.zerossl.com/v2/DV90
			eab ...
			email ...
		}
	}
	header Strict-Transport-Security "max-age=31536000; includeSubDomains"
	header Expect-CT "max-age=31536000, enforce"
	header ?Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; img-src https:; style-src 'self' 'unsafe-inline'"
	header ?X-Content-Type-Options "nosniff"
	header ?X-Frame-Options "DENY"
	header ?Referrer-Policy "same-origin"
	header ?Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
	header ?X-XSS-Protection "0"
}

qualcuno.xyz {
	import common
	respond "Nothing to see here ;)"
}

nc.qualcuno.xyz {
	reverse_proxy localhost:8081 {
		import proxy
		max_buffer_size 512000
		header_down Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(self), battery=(), camera=(self), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(self), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(self), midi=(), navigation-override=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
	}
	import common
}

wallabag.qualcuno.xyz {
	reverse_proxy localhost:8082 {
		import proxy
		header_down Set-Cookie "$" "; secure; SameSite=lax"
	}
	header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; img-src https:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; font-src 'self'"
	import common
}

reader.qualcuno.xyz {
	redir /index.php /
	reverse_proxy localhost:8084 {
		import proxy
	}
	import common
	header Content-Security-Policy ""
}

quake.qualcuno.xyz {
	reverse_proxy localhost:8083 {
		import proxy
	}
	header Content-Security-Policy ""
	import common
}

lampone.qualcuno.xyz {
	file_server {
		root /var/www/html
	}
	import common
}

# and more site blocks...
3. The problem I’m having:
Apex, quake and lampone respond over HTTP/3; reader, wallabag and nc do not, and stay on HTTP/2.
Apex and lampone are served directly by Caddy, quake proxies a Node.js app, and reader, wallabag and nc should be nginx-in-Docker upstreams (wallabag might be Apache).
I am using Firefox 100.0.
4. Error messages and/or full log output:
5. What I already tried:
I tried reading the documentation and other site blocks; that is how I discovered that reverse_proxy works with HTTP/3 on quake.qualcuno.xyz.
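A quick way to narrow this down, added here as an example and not part of the original post: Firefox only switches a site to HTTP/3 after seeing an Alt-Svc response header advertising h3, so checking which of the hosts above still send that header separates a Caddy listener problem from a header being lost on the proxied sites. The hostnames are the ones from the post; the two sample header blocks are constructed for offline use, not real captures.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: report whether an HTTPS
# response advertises HTTP/3 through the Alt-Svc header, which is what
# Firefox uses to decide to upgrade. Hostnames are taken from the post;
# the sample responses below are constructed, not captured.

# Return 0 if the response headers on stdin advertise h3 in Alt-Svc.
# Header names are matched case-insensitively; CR is stripped first.
advertises_h3() {
	tr -d '\r' | grep -i '^alt-svc:' | grep -qi 'h3'
}

# Print "<host> h3" or "<host> no-h3" after fetching the host's response
# headers with curl over HTTPS (HEAD request, 10 s timeout).
check_host() {
	host="$1"
	if curl -sSI --max-time 10 "https://$host/" | advertises_h3; then
		printf '%s h3\n' "$host"
	else
		printf '%s no-h3\n' "$host"
	fi
}

# Classify a header block passed as a string; used for the offline samples.
classify_headers() {
	if printf '%s\n' "$1" | advertises_h3; then echo h3; else echo no-h3; fi
}

# Constructed sample: a response that advertises HTTP/3 on port 443.
SAMPLE_H3='HTTP/2 200
alt-svc: h3=":443"; ma=2592000
content-type: text/plain; charset=utf-8'

# Constructed sample: a proxied response without any Alt-Svc header.
SAMPLE_NO_H3='HTTP/2 200
content-type: text/html; charset=utf-8'

# Live check of the hosts from the post; run the script with --live for it.
if [ "${1:-}" = "--live" ]; then
	for h in qualcuno.xyz nc.qualcuno.xyz wallabag.qualcuno.xyz \
		reader.qualcuno.xyz quake.qualcuno.xyz lampone.qualcuno.xyz; do
		check_host "$h"
	done
else
	classify_headers "$SAMPLE_H3"     # prints: h3
	classify_headers "$SAMPLE_NO_H3"  # prints: no-h3
fi
```

Hosts that print no-h3 never advertise HTTP/3 to the browser at all, so for those the header is worth tracing between Caddy and the upstream rather than in the browser.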