Reverse_proxy, it should be simple enough

1. Caddy version (caddy version):

V2.0.0

2. How I run Caddy:

A WordPress Docker container listens on port 86.
I want Caddy to help me solve the SSL issues.
Caddyfile

a. System environment:

ubuntu 18.04 x64

b. Command:

sudo caddy run

d. My complete Caddyfile or JSON config:

w.cowbay.org {
reverse_proxy  localhost:86
}

3. The problem I’m having:

It does not work, and there is no error in the console. The browser shows
SSL_ERROR_RX_RECORD_TOO_LONG

4. Error messages and/or full log output:

no error in console


2020-06-25 22:20:02 [chchang@ws ~]$ sudo caddy run
2020/06/25 14:20:06.348	INFO	using adjacent Caddyfile
2020/06/25 14:20:06.354	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["127.0.0.1:2019", "localhost:2019", "[::1]:2019"]}
2020/06/25 14:20:06.357	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/06/25 14:20:06.357	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/06/25 14:20:06.362	INFO	tls	cleaned up storage units
2020/06/25 14:20:06.363	INFO	http	enabling automatic TLS certificate management	{"domains": ["w.cowbay.org"]}
2020/06/25 22:20:06 [INFO][cache:0xc00045fd60] Started certificate maintenance routine
2020/06/25 14:20:06.389	INFO	autosaved config	{"file": "/home/chchang/.config/caddy/autosave.json"}
2020/06/25 14:20:06.390	INFO	serving initial configuration

I just follow the document in

It should be the easiest use case for Caddy, but I don't have any idea what's wrong with my config?

Howdy @changchichung, welcome to the Caddy community.

The fact that there is no error in the console at all makes me concerned that your browser is not actually talking to Caddy and you’re getting an SSL_ERROR_RX_RECORD_TOO_LONG from some other server.

You could try:

  • Double check that your domain name resolves to the IP address of your Caddy server
  • If you’re port forwarding from an external IP address to Caddy, make sure port forwards are correct and functioning
  • Add debug to the global options of your Caddyfile (see https://caddyserver.com/docs/caddyfile/options)

Then run:

curl -kIL w.cowbay.org

And post the output both from the command and from Caddy itself.

I’m sure the DNS records are OK.

And here are the error messages:

2020/06/26 05:54:20.211	INFO	serving initial configuration
2020/06/26 13:54:24 http: TLS handshake error from 220.137.48.5:50691: no certificate available for '45.77.98.9'

And the curl log:

appleteki-Mac-mini:~ chchang$ curl -kIL w.cowbay.org
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://w.cowbay.org/
Server: Caddy
Date: Fri, 26 Jun 2020 06:05:00 GMT

curl: (35) Unknown SSL protocol error in connection to w.cowbay.org:-9838
1 Like

Your client (curl, I suppose, in this case) is not sending a ServerName value (SNI) in the TLS handshake. So Caddy doesn’t know which certificate to offer. I don’t know enough about how curl works, but it might have something to do with -k.

That usually happens when the browser expects TLS but gets plaintext HTTP in response.

How can we reproduce the error you’re seeing?

1 Like

-k is curl's insecure_skip_verify analogue. It should still send SNI; I use -kiL / -kIL (skip verify, show headers, follow redirects) very frequently to get insight into what Caddy’s doing when debugging stuff.

curl -IL w.cowbay.org could also be used just to confirm that, though.
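The two posts above make two practical points: `-k` does not stop curl from sending SNI, and SSL_ERROR_RX_RECORD_TOO_LONG is what a browser reports when it expects TLS and gets plaintext HTTP back. The following Python probe is an added example for this thread (not Caddy code and not anything posted by the participants). It is modelled on `curl -kIL`: certificate verification is disabled like `-k`, but `server_hostname` is still passed so SNI goes out in the ClientHello, and the result is classified as a working TLS endpoint, a plaintext HTTP listener, or some other error. It is demonstrated against a constructed in-process plaintext listener; the loopback address, the port, and the canned HTTP reply are all assumptions for the demo.

```python
"""Classify what a host:port speaks: TLS, plaintext HTTP, or something else.

Added example for this thread, not Caddy project code. The plaintext
listener below is a constructed stand-in for a port that only speaks HTTP
(the situation that produces SSL_ERROR_RX_RECORD_TOO_LONG in Firefox).
"""
import socket
import ssl
import threading

# Constructed reply from a plaintext HTTP port. A TLS client parses the
# first bytes ("HTTP/") as a TLS record header and fails; OpenSSL reports
# it as WRONG_VERSION_NUMBER, Firefox as SSL_ERROR_RX_RECORD_TOO_LONG.
PLAINTEXT_HTTP_REPLY = (
    b"HTTP/1.0 400 Bad Request\r\n"
    b"Server: constructed-plaintext-upstream\r\n"
    b"Connection: close\r\n\r\n"
)

# Reason codes OpenSSL/LibreSSL use when the peer's first bytes are not TLS.
NOT_TLS_REASONS = ("WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL", "RECORD")


def start_plaintext_server():
    """Start a throwaway loopback listener that answers every connection
    with a plaintext HTTP response. Returns (port, stop_function).
    This is a constructed test fixture, not a real upstream."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)  # so the accept loop can notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2)
                try:
                    conn.recv(4096)  # swallow the client's ClientHello
                    conn.sendall(PLAINTEXT_HTTP_REPLY)
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


def probe_tls(host, port, sni=None, timeout=3.0):
    """Attempt a TLS handshake with host:port and classify the outcome.

    Returns a dict whose 'outcome' is one of 'tls', 'plaintext-http' or
    'error'. Verification is disabled (like curl -k) because the question
    is what the port speaks, not whether its certificate is trusted. SNI is
    still sent: server_hostname defaults to host, exactly as curl does."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"outcome": "error", "reason": str(exc)}
    try:
        # wrap_socket on a connected socket performs the handshake at once.
        with ctx.wrap_socket(raw, server_hostname=sni or host) as tls:
            return {"outcome": "tls", "version": tls.version(),
                    "cipher": tls.cipher()[0]}
    except ssl.SSLError as exc:
        reason = (exc.reason or "").upper()
        if any(tag in reason for tag in NOT_TLS_REASONS):
            return {"outcome": "plaintext-http", "reason": exc.reason}
        return {"outcome": "error", "reason": exc.reason}
    except OSError as exc:
        return {"outcome": "error", "reason": str(exc)}


if __name__ == "__main__":
    demo_port, stop_server = start_plaintext_server()
    # SNI value is the thread's hostname, sent only to the loopback fixture.
    print(probe_tls("127.0.0.1", demo_port, sni="w.cowbay.org"))
    stop_server()
```

Against a real host the call is `probe_tls("w.cowbay.org", 443)`; an outcome of `plaintext-http` on port 443 means whatever answered there is not speaking TLS, which is the condition to rule out before looking at the Caddyfile itself.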

Well, I already provided the Caddyfile; it should be enough to run Caddy and get the same result, isn't it?
Or do I need to provide any other info?

Caddyfile

cat Caddyfile
{
debug
}


w.cowbay.org {
    reverse_proxy http://localhost:86
}

2020-06-26 19:05:44 [chchang@ws ~]$

console log

2020-06-26 19:05:44 [chchang@ws ~]$ sudo caddy run
2020/06/26 11:06:12.550	INFO	using adjacent Caddyfile
2020/06/26 11:06:12.554	INFO	admin	admin endpoint started	{"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["127.0.0.1:2019", "localhost:2019", "[::1]:2019"]}
2020/06/26 11:06:12.556	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "srv0", "https_port": 443}
2020/06/26 11:06:12.557	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "srv0"}
2020/06/26 11:06:12.558	INFO	tls	cleaned up storage units
2020/06/26 11:06:12.559	DEBUG	http	starting server loop	{"address": "[::]:443", "http3": false, "tls": true}
2020/06/26 11:06:12.560	DEBUG	http	starting server loop	{"address": "[::]:80", "http3": false, "tls": false}
2020/06/26 11:06:12.560	INFO	http	enabling automatic TLS certificate management	{"domains": ["w.cowbay.org"]}
2020/06/26 11:06:12.573	INFO	autosaved config	{"file": "/home/chchang/.config/caddy/autosave.json"}
2020/06/26 11:06:12.574	INFO	serving initial configuration
2020/06/26 19:06:12 [INFO][cache:0xc000455db0] Started certificate maintenance routine
2020/06/26 11:06:17.178	DEBUG	http.handlers.reverse_proxy	upstream roundtrip	{"upstream": "localhost:86", "request": {"method": "HEAD", "uri": "/", "proto": "HTTP/1.1", "remote_addr": "220.137.48.5:51301", "host": "w.cowbay.org", "headers": {"User-Agent": ["curl/7.54.0"], "Accept": ["*/*"], "X-Forwarded-Proto": ["https"], "X-Forwarded-For": ["220.137.48.5"]}, "tls": {"resumed": false, "version": 771, "ciphersuite": 49196, "proto": "", "proto_mutual": true, "server_name": "w.cowbay.org"}}, "headers": {"Date": ["Fri, 26 Jun 2020 11:06:17 GMT"], "Server": ["Apache/2.4.38 (Debian)"], "X-Powered-By": ["PHP/7.3.19"], "X-Redirect-By": ["WordPress"], "Location": ["https://w.cowbay.org:86/"], "Content-Type": ["text/html; charset=UTF-8"]}, "duration": 0.070728881, "status": 301}
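The `upstream roundtrip` debug line above records what the WordPress upstream sent back for the proxied request, including its `Location` header. As an added example for this thread (not Caddy code and not from any participant), here is a small Python triage script that parses Caddy's tab-separated console log lines, pulls the JSON fields out of `upstream roundtrip` entries, and flags upstream redirects whose target scheme, host or port differs from the public origin Caddy is serving. The log lines it runs on are constructed, modelled on the line above (the public host `w.cowbay.org` and upstream `localhost:86` are taken from the thread; the client address and extra entries are invented for the demo).

```python
"""Flag upstream redirects that leave the public origin in Caddy debug logs.

Added example for this thread, not part of Caddy. Caddy's console log
layout is: timestamp, level, [logger], message, [JSON fields], joined by
tabs. The log below is constructed, modelled on the thread's own line.
"""
import json
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _caddy_line(ts, level, logger, msg, fields):
    """Build a constructed console log line in Caddy's tab-separated layout."""
    return "\t".join([ts, level, logger, msg, json.dumps(fields)])


def _roundtrip(ts, method, uri, location=None, status=200):
    """Constructed 'upstream roundtrip' entry for a proxied request."""
    headers = {"Server": ["Apache/2.4.38 (Debian)"]}
    if location:
        headers.update({"X-Redirect-By": ["WordPress"], "Location": [location]})
    return _caddy_line(ts, "DEBUG", "http.handlers.reverse_proxy", "upstream roundtrip", {
        "upstream": "localhost:86",
        "request": {"method": method, "uri": uri, "proto": "HTTP/1.1",
                    "remote_addr": "203.0.113.10:51301", "host": "w.cowbay.org",
                    "headers": {"X-Forwarded-Proto": ["https"]},
                    "tls": {"server_name": "w.cowbay.org"}},
        "headers": headers, "duration": 0.07, "status": status})


# Constructed sample log: one redirect to the upstream's own port, one
# redirect that stays on the public origin, and one plain 200 response.
CONSTRUCTED_LOG = [
    "\t".join(["2020/06/26 11:06:12.574", "INFO", "serving initial configuration"]),
    _roundtrip("2020/06/26 11:06:17.178", "HEAD", "/", "https://w.cowbay.org:86/", 301),
    _roundtrip("2020/06/26 11:06:18.001", "GET", "/wp-admin", "https://w.cowbay.org/wp-admin/", 301),
    _roundtrip("2020/06/26 11:06:19.002", "GET", "/"),
]


def parse_caddy_line(line):
    """Split one console log line into ts, level, logger, msg and JSON fields.
    Returns None for lines that do not follow the layout."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    fields = {}
    if parts[-1].startswith("{"):
        try:
            fields = json.loads(parts[-1])
        except json.JSONDecodeError:
            return None
        parts = parts[:-1]
    return {"ts": parts[0], "level": parts[1],
            "logger": parts[2] if len(parts) >= 4 else None,
            "msg": parts[-1], "fields": fields}


def _header(headers, name):
    """Case-insensitive lookup in Caddy's {name: [values]} header map."""
    for key, values in (headers or {}).items():
        if key.lower() == name.lower() and values:
            return values[0]
    return None


def origin_of(url):
    """(scheme, host, port) for an absolute URL; None if relative or malformed."""
    try:
        u = urlsplit(url)
        if not u.scheme or not u.hostname:
            return None
        return (u.scheme.lower(), u.hostname.lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower()))
    except ValueError:
        return None


def find_redirect_leaks(lines, public_host, public_scheme="https"):
    """Return upstream redirects whose target is not the public origin."""
    public = (public_scheme, public_host.lower(), DEFAULT_PORTS[public_scheme])
    findings = []
    for line in lines:
        entry = parse_caddy_line(line)
        if not entry or entry["msg"] != "upstream roundtrip":
            continue
        f = entry["fields"]
        if f.get("status") not in REDIRECT_STATUSES:
            continue
        location = _header(f.get("headers"), "Location")
        target = origin_of(location) if location else None
        if target is None or target == public:
            continue
        differs = [n for n, a, b in zip(("scheme", "host", "port"), target, public) if a != b]
        findings.append({"ts": entry["ts"], "uri": f.get("request", {}).get("uri"),
                         "upstream": f.get("upstream"), "location": location,
                         "differs": differs})
    return findings


if __name__ == "__main__":
    for hit in find_redirect_leaks(CONSTRUCTED_LOG, "w.cowbay.org"):
        print(f'{hit["ts"]} {hit["uri"]} -> {hit["location"]} (differs: {", ".join(hit["differs"])})')
```

Feeding a real capture is `find_redirect_leaks(open("caddy.log"), "w.cowbay.org")`. A hit whose `differs` contains `port` means the client is being sent to a port that Caddy's TLS listener does not serve, which is worth checking separately from whether Caddy itself obtained a certificate.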

Can you try the reverse-proxy command that is discussed on the page below?

What happens when you plug in your domain name and proxy backend URL?

–harris

2020-06-27 11:32:18 [chchang@ws ~]$ sudo caddy reverse-proxy --from w.cowbay.org --to localhost:86
2020/06/27 03:32:21.088	WARN	admin	admin endpoint disabled
2020/06/27 03:32:21.089	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "proxy", "https_port": 443}
2020/06/27 03:32:21.089	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "proxy"}
2020/06/27 03:32:21.094	INFO	tls	cleaned up storage units
2020/06/27 03:32:21.095	INFO	http	enabling automatic TLS certificate management	{"domains": ["w.cowbay.org"]}
2020/06/27 11:32:21 [INFO][cache:0xc00045a8c0] Started certificate maintenance routine
2020/06/27 03:32:21.112	INFO	autosaved config	{"file": "/home/chchang/.config/caddy/autosave.json"}
Caddy proxying https://w.cowbay.org -> http://localhost:86
^C2020/06/27 03:34:21.698	INFO	shutting down	{"signal": "SIGINT"}
2020/06/27 11:34:21 [INFO][cache:0xc00045a8c0] Stopped certificate maintenance routine
2020/06/27 03:34:21.702	ERROR	stopping admin endpoint	{"signal": "SIGINT", "error": "no admin server"}
2020/06/27 03:34:21.706	INFO	shutdown done	{"signal": "SIGINT"}
2020-06-27 11:34:21 [chchang@ws ~]$ vim Caddyfile
2020-06-27 11:34:30 [chchang@ws ~]$ sudo caddy reverse-proxy --from w.cowbay.org --to localhost:86
2020/06/27 03:34:32.175	WARN	admin	admin endpoint disabled
2020/06/27 03:34:32.177	INFO	http	server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS	{"server_name": "proxy", "https_port": 443}
2020/06/27 03:34:32.178	INFO	http	enabling automatic HTTP->HTTPS redirects	{"server_name": "proxy"}
2020/06/27 03:34:32.181	INFO	tls	cleaned up storage units
2020/06/27 03:34:32.183	INFO	http	enabling automatic TLS certificate management	{"domains": ["w.cowbay.org"]}
2020/06/27 03:34:32.201	INFO	autosaved config	{"file": "/home/chchang/.config/caddy/autosave.json"}
Caddy proxying https://w.cowbay.org -> http://localhost:86
2020/06/27 11:34:32 [INFO][cache:0xc0004588c0] Started certificate maintenance routine

curl

appleteki-Mac-mini:~ chchang$ curl -Il w.cowbay.org
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://w.cowbay.org/
Server: Caddy
Date: Sat, 27 Jun 2020 03:35:13 GMT

appleteki-Mac-mini:~ chchang$

Browser(firefox)

This site can’t be reached. w.cowbay.org took too long to respond.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_TIMED_OUT

Something odd is going on here. When I am faced with situations like these I just start trying to rule out issues by using the most simple use cases.

First… set up the most basic use case using Caddy to rule out basic DNS connectivity and ensure TLS is working.

I have set up a reverse proxy just recently and think your issue is more on getting requests to your server not Caddy causing an issue routing to the proxy.

Try this and post a link to a working https://w.cowbay.org page that just says “Hello world”

–harris

1 Like