Reverse proxy of caddy with nginx returning "empty" results for any non-root url

1. Caddy version (caddy version):

v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=

2. How I run Caddy:

Using docker image here lucaslorentz/caddy-docker-proxy:ci-alpine

c. Service/unit/compose file:

version: "3.7"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 80:80
      - 443:443
    networks:
      - caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./Caddyfile:/Caddyfile
      - caddy_data:/data
      - /root/sites:/sites
    restart: unless-stopped
    environment:
      CADDY_DOCKER_CADDYFILE_PATH: "/Caddyfile"
networks:
  caddy:
    external: true
volumes:
  caddy_data: {}

d. My complete Caddyfile or JSON config:

The relevant lines for the server I have trouble with: nginx.conf · GitHub

3. The problem I’m having:

I want to proxy from caddy to nginx server here nginx.conf · GitHub (also running inside docker).

When I issue: docker exec caddy_caddy_1 curl http://sovazlutice:8001/static/central/js/custom.js, that is internally talking to the nginx service of sovazlutice from within caddy container, I get the expected result.

But when I try to go through caddy (with TLS): curl https://sovazlutice.eu/http://sovazlutice:8001/static/central/js/custom.js -v, I only get empty results with 200:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 162.55.58.53:443...
* TCP_NODELAY set
* Connected to sovazlutice.eu (162.55.58.53) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [2263 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [36 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [36 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=sovazlutice.eu
*  start date: Apr 20 05:56:40 2021 GMT
*  expire date: Jul 19 05:56:40 2021 GMT
*  subjectAltName: host "sovazlutice.eu" matched cert's "sovazlutice.eu"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x5618d0282600)
} [5 bytes data]
> GET /blog/ HTTP/2
> Host: sovazlutice.eu
> user-agent: curl/7.67.0
> accept: */*
> 
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [130 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
} [5 bytes data]
< HTTP/2 200 
< server: Caddy
< content-length: 0
< date: Tue, 20 Apr 2021 09:25:53 GMT
< 
{ [0 bytes data]
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Connection #0 to host sovazlutice.eu left intact

What’s striking is that when I do the request to the root, I get through just fine https://sovazlutice.eu/ :frowning_face:, but that’s the only address that hits nginx.

4. Error messages and/or full log output:

Nothing in the logs actually :-/

5. What I already tried:

Various changes in the nginx configuration, as I suspect the problem is somehow there, but I cannot figure out what/how and it only demonstrates when trying to go through caddy :-/ .

It seems that requests through caddy just don’t make it to the nginx server at all except when asking for root (which you can validate yourself). Everything else is ignored when going through caddy (according to the access log on nginx).

You have a path matcher on /. This matches only exactly / and nothing else, so any other paths will return an empty response (because Caddy worked “as configured”, in the sense that it was not configured to serve anything for other paths). Just remove the / path matcher and it should work fine.
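
The matcher behaviour described in the answer above, as an added example that is not part of the original thread. The poster's Caddyfile is not shown on this page, so the site block is constructed from the hostname and upstream that appear in the question.

```caddyfile
# Constructed example; not the poster's actual configuration.

# Before: "/" is an exact path matcher, so only a request for "/" is
# handed to nginx. Any other path matches no handler, and Caddy answers
# with an empty 200 (the "content-length: 0" seen in the curl output).
#
# sovazlutice.eu {
#     reverse_proxy / sovazlutice:8001
# }

# After: no path matcher, so every request path is proxied to nginx.
sovazlutice.eu {
    reverse_proxy sovazlutice:8001
}

# Equivalent form with an explicit wildcard matcher:
#
# sovazlutice.eu {
#     reverse_proxy /* sovazlutice:8001
# }
```

A response that carries `server: Caddy` and `content-length: 0` while the nginx access log shows no request is the signature of a request that no handler matched.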

OMG :man_facepalming: , 4 hours wasted on this, totally my bad and it’s clear from the description.

Thanks a lot, really appreciated and I am grateful, solved!
