Reverse Proxy Mime Type Issue

1. My Caddy version (caddy version):

v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

2. How I run Caddy:

a. System environment:

Ubuntu 18.04, Systemd
As a reverse proxy for many devices on my LAN

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

https://skyview.millhousen.com/ {
	reverse_proxy 192.168.0.151:80
	encode gzip
}

https://wx.millhousen.com/ {
	reverse_proxy 192.168.0.180:80
	encode gzip
}

https://wx.millhousen.com:9001 {
	reverse_proxy 192.168.0.15:9001
}

https://jellyfin.kstr.us/ {
	reverse_proxy docker.stier.network:8096 {
		transport http {
			tls_insecure_skip_verify
		}
	}
	encode gzip
}

https://spdtst.me {
	reverse_proxy 192.168.0.55:80
}

#:8080 {
#	forwardproxy
#}

3. The problem I’m having:

I am working on moving from Caddy 1. The upgrade guide was very helpful! The only thing it didn’t mention was the change in basicauth.

Most of the reverse proxies are not functioning properly.
SPDTST.ME works fine.
The Skyview site looks strange (appears to lack CSS)
The WX site has CSS errors
Jellyfin throws a 502 error

4. Error messages and/or full log output:

Apr 26 00:25:58 caddy caddy[11064]: {"level":"error","ts":1587875158.9507868,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.0.1:55640","host":"jellyfin.kstr.us","headers":{"Accept-Language":["en-US,en;q=0.9"],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Site":["cross-site"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-User":["?1"],"Accept-Encoding":["gzip, deflate, br"],"Cache-Control":["max-age=0"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.163 Safari/537.36"],"Sec-Fetch-Dest":["document"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"jellyfin.kstr.us"}},"status":502,"err_id":"iak7qgifw","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:362)"}

[Screenshot: CSS-less WX site]

(Twitter and Google Analytics errors are DNS blocked, thus normal)

[Screenshot: Skyview site error]

5. What I already tried:

I tried taking the encode directive out of one of the sites, but this did not return any different results.
I also tried accessing these domains from outside of my local network, this does not return different results either.

6. Links to relevant resources:

These sites aren’t super important, so I am going to let them run while broken. If you need to check HTTP headers, go right ahead.

Could you share what your working Caddyfile looked like in v1?

Caddy 1 Caddyfile

https://skyview.millhousen.com/ {
	proxy / 192.168.0.151:80
	gzip
	tls webmaster@flexstart.me {
		key_type rsa4096
		protocols tls1.0 tls1.2
		must_staple
	}
}

https://wx.millhousen.com/ {
	proxy / 192.168.0.180:80
	gzip
	tls webmaster@flexstart.me {
		key_type rsa4096
		protocols tls1.0 tls1.2
		must_staple
	}
}

https://wx.millhousen.com:9001 {
	proxy / 192.168.0.15:9001 {
		transparent
	}
	proxy /mqtt http://192.168.0.15:9001 {
		websocket
	}
}

https://jellyfin.kstr.us/ {
	proxy / docker.stier.network:8096 {
		websocket
		transparent
		insecure_skip_verify
	}
	gzip
	tls webmaster@flexstart.me {
		key_type rsa4096
		protocols tls1.0 tls1.2
		must_staple
	}
}

https://spdtst.me {
	proxy / 192.168.0.55:80
}

:8080 {
	forwardproxy
}

CSS errors: The reverse proxy just transports the headers from upstream to downstream. If the backend isn’t sending a Content-Type header (or the wrong value for one), then the backend should probably be fixed. (You can manipulate headers in the proxy config, however – I just don’t recommend this solution.) What server is running on the backend?

Jellyfin errors: You haven’t enabled TLS on your transport. Add a tls subdirective next to tls_insecure_skip_verify. (Hmm, maybe we should do that implicitly. I’ll make a note of that for the future.)

I added the tls subdirective to the Jellyfin config to no avail.

The WX site has always been solid as a rock. The backend is actually Caddy 1 on a Raspberry Pi 4. Accessed locally (http://192.168.0.180), it was served without CSS as well because I think the software (weewx) hardcodes the domain into some of the links to stylesheets.

I think I need to start smaller maybe and switch the WX site on the Pi to Caddy 2 (because its config is very very simple). I tried, but I ended up just getting a blank page with no files being served.
I posted that information in another topic to keep this one relevant.

The WX site is now on Caddy 2 🎉

The reverse proxy relaying the site outside my network is not working.
The MIME type error appears to be happening because the only thing it is proxying is the root (https://wx.millhousen.com/). If I add the page name or the name of any other file that it should be proxying (like /index.html, /current.jpg) I get blank 200 replies.

Since a lot has changed I guess, can you clarify what your current config is now, what is not working, and how we can reproduce it? (A curl command would be ideal; no docker, if possible)

https://wx.millhousen.com/ {
        reverse_proxy 192.168.0.180:80
        encode gzip
}

The only URL being proxied is the root directory.
The root is served properly.

mt-dev@quiet-powerhouse ~> curl -v https://wx.millhousen.com/
*   Trying 216.8.220.80:443...
* Connected to wx.millhousen.com (216.8.220.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=wx.millhousen.com
*  start date: Apr 26 02:33:51 2020 GMT
*  expire date: Jul 25 02:33:51 2020 GMT
*  subjectAltName: host "wx.millhousen.com" matched cert's "wx.millhousen.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5591909a38b0)
> GET / HTTP/2
> Host: wx.millhousen.com
> user-agent: curl/7.69.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< accept-ranges: bytes
< content-type: text/html; charset=utf-8
< date: Sun, 26 Apr 2020 19:12:52 GMT
< etag: "q9et9bq4s"
< last-modified: Sun, 26 Apr 2020 19:10:23 GMT
< server: Caddy
< server: Caddy
< content-length: 33868
< 




<!DOCTYPE html>
<!-- Page Content -->
</html>
* Connection #0 to host wx.millhousen.com left intact

Nothing else is served (blank output for style.css, index.html, etc.).

mt-dev@quiet-powerhouse ~> curl -v https://wx.millhousen.com/style.css
*   Trying 216.8.220.80:443...
* Connected to wx.millhousen.com (216.8.220.80) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=wx.millhousen.com
*  start date: Apr 26 02:33:51 2020 GMT
*  expire date: Jul 25 02:33:51 2020 GMT
*  subjectAltName: host "wx.millhousen.com" matched cert's "wx.millhousen.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56183e0d98b0)
> GET /style.css HTTP/2
> Host: wx.millhousen.com
> user-agent: curl/7.69.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< server: Caddy
< content-length: 0
< date: Sun, 26 Apr 2020 19:16:51 GMT
< 
* Connection #0 to host wx.millhousen.com left intact


Ahh, I bet that’s because your site address is:

https://wx.millhousen.com/

Which results in a host matcher for wx.millhousen.com (✅) and a path matcher for / (⛔). Path matchers are exact in Caddy 2, so either remove that slash or add a * after it to make it a prefix match. (But just remove it, why over-complicate things?)


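The fix from the reply above, written out as an added example (this is not a config from the original thread or from the Caddy project): the wx site address as posted beside the corrected form, and the Jellyfin site with its transport spelled out both ways. Hostnames and upstream addresses are the ones posted in the thread; the CA file path is an assumption. One caveat on Jellyfin that the thread leaves open: the log line `tls: first record does not look like a TLS handshake` is what Go's TLS client reports when the peer answers its ClientHello with something that is not a TLS record, so at the time of that log Caddy was already attempting TLS and the upstream on port 8096 replied in plaintext. Confirm what the upstream actually speaks before choosing between the two Jellyfin variants.

```caddyfile
# Added example, not from the original thread or the Caddy project.
# Hostnames and upstreams are those posted above; the CA file path is assumed.

# As posted. The trailing "/" becomes an exact path matcher, so only
# "GET /" reaches reverse_proxy; /style.css, /index.html and /current.jpg
# match no handler and get Caddy's default empty 200 (content-length: 0).
#
# https://wx.millhousen.com/ {
#	reverse_proxy 192.168.0.180:80
#	encode gzip
# }

# Corrected: no path in the site address, so the host matcher alone selects
# the site and every path is proxied. ("https://wx.millhousen.com/*" would
# also work, since the wildcard turns the path matcher into a prefix match.)
https://wx.millhousen.com {
	reverse_proxy 192.168.0.180:80
	encode gzip
}

# Jellyfin, if the upstream on 8096 speaks plain HTTP: no transport block at all.
# Putting "tls" here makes Caddy send a ClientHello to a plaintext listener and
# log "first record does not look like a TLS handshake" with a 502.
https://jellyfin.kstr.us {
	reverse_proxy docker.stier.network:8096
	encode gzip
}

# Jellyfin, if the upstream really speaks HTTPS: enable TLS and verify the
# upstream against its own CA rather than skipping verification. With
# tls_insecure_skip_verify, anything that can answer for
# docker.stier.network:8096 on the path from the proxy can serve the traffic.
#
# https://jellyfin.kstr.us {
#	reverse_proxy docker.stier.network:8096 {
#		transport http {
#			tls
#			tls_trusted_ca_certs /etc/caddy/upstream-ca.pem  # assumed path
#		}
#	}
#	encode gzip
# }
```

After `caddy reload --config /etc/caddy/Caddyfile` (the unit's ExecReload already runs exactly that), `curl -sI https://wx.millhousen.com/style.css` should report a non-zero content-length and a text/css content-type instead of the `content-length: 0` shown in the curl output above. The two `server: Caddy` lines in that output are consistent with the request passing through both Caddy instances (the proxy and the Pi) and are not themselves a problem. Caddy 2's default TLS settings apply to these sites; nothing here re-enables the TLS 1.0 floor that the v1 config carried in `protocols tls1.0 tls1.2`.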