Reverse Proxy for Synology apps

1. Output of caddy version:

v2.4.3

2. How I run Caddy:

a. System environment:

Raspberry Pi, Bullseye, using systemctl with Caddyfile

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:


d. My complete Caddy config:


www.photo.website.com, photo.website.com {
	reverse_proxy 192.168.25.210:8025
}

3. The problem I’m having:

The above Caddyfile works fine … The port 8025 is a normal HTTP port for the Synology Photos application. The problem occurs if I change the port to the HTTPS port for the Synology Photos app.

reverse_proxy 192.168.25.210:8935

4. Error messages and/or full log output:

A browser displays the message:
400 BAD Request 
The plain HTTP request was sent to HTTPS port

5. What I already tried:

I’ve tried numerous options with the transport http but no success.
It looks like Caddy is only using HTTPS as far as the Caddy server and not providing a certificate to the internal address. Is this the default, and if so, how do I get Caddy to serve HTTPS between the Caddy server and the internal application?

The Caddy reverse proxy is inside a DMZ, but I would like to use HTTPS all the way to the endpoint.

Apologies if this is a dumb question but this is an early excursion into this type of deployment, so I am trying to understand things before any live applications are deployed.

6. Links to relevant resources:

The docs have an example for reverse-proxying to an HTTPS backend: reverse_proxy (Caddyfile directive) — Caddy Documentation

reverse_proxy https://example.com {
	header_up Host {upstream_hostport}
}

So in your case:

reverse_proxy https://192.168.25.210:8935 {
	header_up Host {upstream_hostport}
}

(Make sure the certificate offered by the backend is trusted by Caddy’s system. If not, you can tell Caddy to trust it using tls_trusted_ca_certs or by installing the root into your system store.)

Btw, HTTPS on internal networks is often unnecessary if you can trust the network.
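
The trust step from the reply above, written out as a complete site block. This is an added example, not part of the original posts; the CA file path and the certificate name `nas.example.internal` are placeholders assumed for illustration.

```caddyfile
www.photo.website.com, photo.website.com {
	# The https:// scheme makes Caddy open a TLS connection to the backend
	# instead of sending plain HTTP to the HTTPS port.
	reverse_proxy https://192.168.25.210:8935 {
		header_up Host {upstream_hostport}

		transport http {
			# Assumed path: PEM file holding the CA (or the self-signed
			# certificate itself) that the Synology presents on port 8935.
			tls_trusted_ca_certs /etc/caddy/synology-ca.pem

			# Assumed name: the upstream is dialed by IP address, so tell
			# Caddy which name the backend certificate is expected to carry.
			# It must match a name in that certificate.
			tls_server_name nas.example.internal

			# Weak setting, shown commented out for contrast only: it turns
			# off certificate verification, so the hop would be encrypted
			# but the backend would not be authenticated.
			# tls_insecure_skip_verify
		}
	}
}
```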

Hi Matt,

Thanks for the quick response … I’ve given it a quick try and still get the same response. I will do some more reading and try a few things.

The HTTPS on the internal side is more of an exercise in how to - more out of curiosity on my part.

Thanks for the info.