Reverse_proxy between valid external domain and a made up internal domain

Thank you so much for reading through my issues and helping out!
I should have mentioned that there is nothing at root path /api which matters. It is simply to offer a quick testing check.
3. logs (below) w/ adjusted example of /api/foo yield similar result
4. /api/test yields expected 404 Route not found
5. /api/login also yields expected 404 Route not found when using a) GET, and b) username required when using POST.
But, desired behavior only works with tls_insecure_skip_verify. I’d like to make it work w/ TLS certs (issued by my local step-ca). Any pointers would be appreciated.

adjusted Caddyfile (for scenario#1-5)

liveliteandwell.com {
	log
	route {
		reverse_proxy /api/* rp-tailscale.esco.ghaar:8443 {
			transport http {
				tls_insecure_skip_verify
			}
		}
		respond 404
	}

	handle_errors {
		respond "{err.status_code} {err.status_text}"
	}
}

Adjusted Caddyfile w/ CEL

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

{
  debug
  storage file_system {
    root /opt/caddy
  }
}
liveliteandwell.com {
  log
  @cel_backend_node <<CEL
    ({method} == "GET" || {method} == "POST")
    && {path}.startsWith("/api/")
    CEL

  route {
    reverse_proxy @cel_backend_node rp-tailscale.esco.ghaar:8443 {
      transport http {
        tls_insecure_skip_verify
      }
    }
    respond 404
  }

  handle_errors {
    respond "{err.status_code} {err.status_text}"
  }
}

curl log for scenario#3

$ curl -vL https://liveliteandwell.com/api/test
*   Trying 192.168.100.17:443...
* Connected to liveliteandwell.com (192.168.100.17) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=liveliteandwell.com
*  start date: Jun 17 00:50:29 2024 GMT
*  expire date: Sep 15 00:50:28 2024 GMT
*  subjectAltName: host "liveliteandwell.com" matched cert's "liveliteandwell.com"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://liveliteandwell.com/api/test
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: liveliteandwell.com]
* [HTTP/2] [1] [:path: /api/test]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /api/test HTTP/2
> Host: liveliteandwell.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 502 
< alt-svc: h3=":443"; ma=2592000
< content-type: text/plain; charset=utf-8
< server: Caddy
< content-length: 15
< date: Mon, 17 Jun 2024 15:03:02 GMT
< 
* Connection #0 to host liveliteandwell.com left intact
502 Bad Gateway

caddy log for scenario#3

Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.3576386,"logger":"events","msg":"event","name":"tls_get_certificate","id":"06aa9d05-029d-4ca1-9046-7ecb05a96f3c","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49200,49196,49192,49188,49172,49162,159,107,57,52393,52392,52394,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"liveliteandwell.com","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2054,1537,1539,2053,1281,1283,2052,1025,1027,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"192.168.0.28","Port":59188,"Zone":""},"LocalAddr":{"IP":"192.168.100.17","Port":443,"Zone":""}}}}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.3577335,"logger":"tls.handshake","msg":"choosing certificate","identifier":"liveliteandwell.com","num_choices":1}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.357763,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"liveliteandwell.com","subjects":["liveliteandwell.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.3578079,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.28","remote_port":"59188","subjects":["liveliteandwell.com"],"managed":true,"expiration":1726361429,"hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.3829753,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"rp-tailscale.esco.ghaar:8443","total_upstreams":1}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.3889506,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"rp-tailscale.esco.ghaar:8443","duration":0.005857445,"request":{"remote_ip":"192.168.0.28","remote_port":"59188","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/test","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"],"X-Forwarded-For":["192.168.0.28"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["liveliteandwell.com"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"error":"EOF"}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"debug","ts":1718636582.389124,"logger":"http.log.error","msg":"EOF","request":{"remote_ip":"192.168.0.28","remote_port":"59188","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/test","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"duration":0.006193108,"status":502,"err_id":"y388px189","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
Jun 17 08:03:02 rp-tailscale caddy[14721]: {"level":"error","ts":1718636582.3891509,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.0.28","remote_port":"59188","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/test","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"bytes_read":0,"user_id":"","duration":0.006193108,"size":15,"status":502,"resp_headers":{"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Type":["text/plain; charset=utf-8"],"Server":["Caddy"]}}

With modification of Caddyfile to add http transport options, it now works as expected but only w/ tls_insecure_skip_verify. To make it work without this I assume would require a cascading Caddy solution as per this post? Or could I employ the local step-ca certs here?

curl log for scenario#4

curl -vL https://liveliteandwell.com/api/test
*   Trying 192.168.100.17:443...
* Connected to liveliteandwell.com (192.168.100.17) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=liveliteandwell.com
*  start date: Jun 17 00:50:29 2024 GMT
*  expire date: Sep 15 00:50:28 2024 GMT
*  subjectAltName: host "liveliteandwell.com" matched cert's "liveliteandwell.com"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://liveliteandwell.com/api/test
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: liveliteandwell.com]
* [HTTP/2] [1] [:path: /api/test]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /api/test HTTP/2
> Host: liveliteandwell.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 404 
< access-control-allow-origin: *
< alt-svc: h3=":443"; ma=2592000
< content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< content-type: application/json; charset=utf-8
< cross-origin-opener-policy: same-origin
< cross-origin-resource-policy: same-origin
< date: Mon, 17 Jun 2024 15:05:54 GMT
< etag: W/"1a-8zibdJXT1RIHjViPh/9pjQz5GqI"
< origin-agent-cluster: ?1
< referrer-policy: no-referrer
< server: Caddy
< strict-transport-security: max-age=15552000; includeSubDomains
< x-content-type-options: nosniff
< x-dns-prefetch-control: off
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-xss-protection: 0
< content-length: 26
< 
* Connection #0 to host liveliteandwell.com left intact
{"msg":"Route not found."}

caddy log for scenario#4

Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.0913277,"logger":"events","msg":"event","name":"tls_get_certificate","id":"f957f037-f9e4-434e-a5f3-76854238e571","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49200,49196,49192,49188,49172,49162,159,107,57,52393,52392,52394,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"liveliteandwell.com","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2054,1537,1539,2053,1281,1283,2052,1025,1027,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"192.168.0.28","Port":59331,"Zone":""},"LocalAddr":{"IP":"192.168.100.17","Port":443,"Zone":""}}}}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.091405,"logger":"tls.handshake","msg":"choosing certificate","identifier":"liveliteandwell.com","num_choices":1}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.0914354,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"liveliteandwell.com","subjects":["liveliteandwell.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.091454,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.28","remote_port":"59331","subjects":["liveliteandwell.com"],"managed":true,"expiration":1726361429,"hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.1071868,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"rp-tailscale.esco.ghaar:8443","total_upstreams":1}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636754.1212757,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"rp-tailscale.esco.ghaar:8443","duration":0.013919226,"request":{"remote_ip":"192.168.0.28","remote_port":"59331","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/test","headers":{"X-Forwarded-For":["192.168.0.28"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["liveliteandwell.com"],"User-Agent":["curl/8.4.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"headers":{"X-Xss-Protection":["0"],"Date":["Mon, 17 Jun 2024 15:05:54 GMT"],"Access-Control-Allow-Origin":["*"],"X-Download-Options":["noopen"],"Strict-Transport-Security":["max-age=15552000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Keep-Alive":["timeout=5"],"Cross-Origin-Resource-Policy":["same-origin"],"Origin-Agent-Cluster":["?1"],"X-Permitted-Cross-Domain-Policies":["none"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["26"],"Content-Security-Policy":["default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"],"X-Dns-Prefetch-Control":["off"],"X-Frame-Options":["SAMEORIGIN"],"Etag":["W/\"1a-8zibdJXT1RIHjViPh/9pjQz5GqI\""],"Connection":["keep-alive"],"Cross-Origin-Opener-Policy":["same-origin"],"Referrer-Policy":["no-referrer"]},"status":404}
Jun 17 08:05:54 rp-tailscale caddy[75046]: {"level":"info","ts":1718636754.121969,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.0.28","remote_port":"59331","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/test","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"bytes_read":0,"user_id":"","duration":0.014881596,"size":26,"status":404,"resp_headers":{"Access-Control-Allow-Origin":["*"],"Origin-Agent-Cluster":["?1"],"Strict-Transport-Security":["max-age=15552000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Content-Type":["application/json; charset=utf-8"],"X-Download-Options":["noopen"],"Content-Security-Policy":["default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"],"X-Permitted-Cross-Domain-Policies":["none"],"Cross-Origin-Opener-Policy":["same-origin"],"X-Xss-Protection":["0"],"Date":["Mon, 17 Jun 2024 15:05:54 GMT"],"Cross-Origin-Resource-Policy":["same-origin"],"Content-Length":["26"],"Referrer-Policy":["no-referrer"],"Etag":["W/\"1a-8zibdJXT1RIHjViPh/9pjQz5GqI\""],"X-Dns-Prefetch-Control":["off"],"X-Frame-Options":["SAMEORIGIN"]}}

curl log for scenario#5.a

$ curl -vL https://liveliteandwell.com/api/login
*   Trying 192.168.100.17:443...
* Connected to liveliteandwell.com (192.168.100.17) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=liveliteandwell.com
*  start date: Jun 17 00:50:29 2024 GMT
*  expire date: Sep 15 00:50:28 2024 GMT
*  subjectAltName: host "liveliteandwell.com" matched cert's "liveliteandwell.com"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://liveliteandwell.com/api/login
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: liveliteandwell.com]
* [HTTP/2] [1] [:path: /api/login]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> GET /api/login HTTP/2
> Host: liveliteandwell.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 404 
< access-control-allow-origin: *
< alt-svc: h3=":443"; ma=2592000
< content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< content-type: application/json; charset=utf-8
< cross-origin-opener-policy: same-origin
< cross-origin-resource-policy: same-origin
< date: Mon, 17 Jun 2024 15:08:18 GMT
< etag: W/"1a-8zibdJXT1RIHjViPh/9pjQz5GqI"
< origin-agent-cluster: ?1
< referrer-policy: no-referrer
< server: Caddy
< strict-transport-security: max-age=15552000; includeSubDomains
< x-content-type-options: nosniff
< x-dns-prefetch-control: off
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-xss-protection: 0
< content-length: 26
< 
* Connection #0 to host liveliteandwell.com left intact
{"msg":"Route not found."}

caddy log for scenario#5.a

Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.3161995,"logger":"events","msg":"event","name":"tls_get_certificate","id":"08b30d9b-2a50-44c0-af06-29e1a1982b02","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49200,49196,49192,49188,49172,49162,159,107,57,52393,52392,52394,65413,196,136,129,157,61,53,192,132,49199,49195,49191,49187,49171,49161,158,103,51,190,69,156,60,47,186,65,49169,49159,5,4,49170,49160,22,10,255],"ServerName":"liveliteandwell.com","SupportedCurves":[29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[2054,1537,1539,2053,1281,1283,2052,1025,1027,513,515],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771,770,769],"RemoteAddr":{"IP":"192.168.0.28","Port":59365,"Zone":""},"LocalAddr":{"IP":"192.168.100.17","Port":443,"Zone":""}}}}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.3162696,"logger":"tls.handshake","msg":"choosing certificate","identifier":"liveliteandwell.com","num_choices":1}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.316299,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"liveliteandwell.com","subjects":["liveliteandwell.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.3163176,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"192.168.0.28","remote_port":"59365","subjects":["liveliteandwell.com"],"managed":true,"expiration":1726361429,"hash":"8e02fc2b7fd7fdf007881e7004fe00a66666501929f409bdc8344a0ab77e6baf"}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.3340027,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"rp-tailscale.esco.ghaar:8443","total_upstreams":1}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"debug","ts":1718636898.3458438,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"rp-tailscale.esco.ghaar:8443","duration":0.01174952,"request":{"remote_ip":"192.168.0.28","remote_port":"59365","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/login","headers":{"X-Forwarded-Host":["liveliteandwell.com"],"User-Agent":["curl/8.4.0"],"Accept":["*/*"],"X-Forwarded-For":["192.168.0.28"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"headers":{"X-Frame-Options":["SAMEORIGIN"],"Content-Type":["application/json; charset=utf-8"],"X-Download-Options":["noopen"],"Strict-Transport-Security":["max-age=15552000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Content-Length":["26"],"Cross-Origin-Opener-Policy":["same-origin"],"Origin-Agent-Cluster":["?1"],"Referrer-Policy":["no-referrer"],"X-Xss-Protection":["0"],"Etag":["W/\"1a-8zibdJXT1RIHjViPh/9pjQz5GqI\""],"Keep-Alive":["timeout=5"],"Content-Security-Policy":["default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"],"Cross-Origin-Resource-Policy":["same-origin"],"X-Dns-Prefetch-Control":["off"],"X-Permitted-Cross-Domain-Policies":["none"],"Date":["Mon, 17 Jun 2024 15:08:18 GMT"],"Connection":["keep-alive"],"Access-Control-Allow-Origin":["*"]},"status":404}
Jun 17 08:08:18 rp-tailscale caddy[75046]: {"level":"info","ts":1718636898.346188,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"192.168.0.28","remote_port":"59365","client_ip":"192.168.0.28","proto":"HTTP/2.0","method":"GET","host":"liveliteandwell.com","uri":"/api/login","headers":{"User-Agent":["curl/8.4.0"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"liveliteandwell.com"}},"bytes_read":0,"user_id":"","duration":0.012290657,"size":26,"status":404,"resp_headers":{"X-Download-Options":["noopen"],"Content-Type":["application/json; charset=utf-8"],"Content-Length":["26"],"Etag":["W/\"1a-8zibdJXT1RIHjViPh/9pjQz5GqI\""],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Date":["Mon, 17 Jun 2024 15:08:18 GMT"],"Origin-Agent-Cluster":["?1"],"Referrer-Policy":["no-referrer"],"X-Xss-Protection":["0"],"Cross-Origin-Resource-Policy":["same-origin"],"X-Dns-Prefetch-Control":["off"],"X-Permitted-Cross-Domain-Policies":["none"],"Cross-Origin-Opener-Policy":["same-origin"],"Strict-Transport-Security":["max-age=15552000; includeSubDomains"],"X-Content-Type-Options":["nosniff"],"Server":["Caddy"],"Access-Control-Allow-Origin":["*"],"X-Frame-Options":["SAMEORIGIN"],"Content-Security-Policy":["default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests"]}}

curl log for scenario#5.b

$ curl -vL -X POST https://liveliteandwell.com/api/login
*   Trying 192.168.100.17:443...
* Connected to liveliteandwell.com (192.168.100.17) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* (304) (IN), TLS handshake, Unknown (8):
* (304) (IN), TLS handshake, Certificate (11):
* (304) (IN), TLS handshake, CERT verify (15):
* (304) (IN), TLS handshake, Finished (20):
* (304) (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / AEAD-AES128-GCM-SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=liveliteandwell.com
*  start date: Jun 17 00:50:29 2024 GMT
*  expire date: Sep 15 00:50:28 2024 GMT
*  subjectAltName: host "liveliteandwell.com" matched cert's "liveliteandwell.com"
*  issuer: C=US; O=Let's Encrypt; CN=E6
*  SSL certificate verify ok.
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://liveliteandwell.com/api/login
* [HTTP/2] [1] [:method: POST]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: liveliteandwell.com]
* [HTTP/2] [1] [:path: /api/login]
* [HTTP/2] [1] [user-agent: curl/8.4.0]
* [HTTP/2] [1] [accept: */*]
> POST /api/login HTTP/2
> Host: liveliteandwell.com
> User-Agent: curl/8.4.0
> Accept: */*
> 
< HTTP/2 422 
< access-control-allow-origin: *
< alt-svc: h3=":443"; ma=2592000
< content-security-policy: default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
< content-type: application/json; charset=utf-8
< cross-origin-opener-policy: same-origin
< cross-origin-resource-policy: same-origin
< date: Mon, 17 Jun 2024 15:28:23 GMT
< etag: W/"22-+wDntknFT/dKSzLkU/F82EU8IG8"
< origin-agent-cluster: ?1
< referrer-policy: no-referrer
< server: Caddy
< strict-transport-security: max-age=15552000; includeSubDomains
< x-content-type-options: nosniff
< x-dns-prefetch-control: off
< x-download-options: noopen
< x-frame-options: SAMEORIGIN
< x-permitted-cross-domain-policies: none
< x-xss-protection: 0
< content-length: 34
< 
* Connection #0 to host liveliteandwell.com left intact
{"msg":"\"Username\" is required"}
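
The post asks how to keep the upstream connection on TLS without `tls_insecure_skip_verify`, which turns off verification of the upstream certificate altogether. The sketch below is an added example, not part of the original post or of any reply to it: it shows the first Caddyfile from the post with verification enabled against a private CA. The certificate path is a placeholder, and the example assumes the upstream's certificate was issued by the local step-ca and lists `rp-tailscale.esco.ghaar` as a subject alternative name.

```caddyfile
liveliteandwell.com {
	log
	route {
		reverse_proxy /api/* rp-tailscale.esco.ghaar:8443 {
			transport http {
				# Before (from the post): any upstream certificate is accepted,
				# so the proxy cannot tell the real backend from an impostor.
				# tls_insecure_skip_verify

				# After: trust only the private CA that issued the upstream's
				# certificate. Placeholder path (assumption): replace it with
				# the location of the step-ca root certificate in PEM form.
				# Newer Caddy releases provide tls_trust_pool for the same purpose.
				tls_trusted_ca_certs /path/to/step-ca/root_ca.crt

				# Name checked against the upstream certificate and sent as SNI.
				# Assumes the step-ca certificate carries this name as a SAN.
				tls_server_name rp-tailscale.esco.ghaar
			}
		}
		respond 404
	}

	handle_errors {
		respond "{err.status_code} {err.status_text}"
	}
}
```

With this in place a certificate from any other issuer, or one that does not carry the expected name, makes the upstream handshake fail, and the client sees a 502 from Caddy instead of a proxied response.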