I’d like to disable some weak cipher suites. I am using the following Caddyfile:
header / Strict-Transport-Security "max-age=31536000; includeSubDomains"
header / X-Frame-Options "DENY"
header / -Server
ciphers ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-WITH-CHACHA20-POLY1305 ECDHE-RSA-WITH-CHACHA20-POLY1305 ECDHE-ECDSA-AES256-CBC-SHA ECDHE-ECDSA-AES128-CBC-SHA
And running Caddy with the following command:
/usr/bin/caddy --conf /etc/Caddyfile --log stdout
Running Caddy without the tls directive works just fine, but including the directive results in the following error (Caddy does start up):
503 Service Unavailable
No server is available to handle this request.
That’s not a Caddy error, so there must be something else going on. What’s in your logs (esp. Caddy logs)?
16/07/2018 17:36:16 MYDOMAIN
16/07/2018 17:36:16 /backend
16/07/2018 17:36:17 https://MYDOMAIN
16/07/2018 17:36:17 Activating privacy features... done.
16/07/2018 17:36:17 https://0.0.0.0
16/07/2018 17:36:17 2018/07/16 15:36:17 https://0.0.0.0
16/07/2018 17:36:17 2018/07/16 15:36:17 [INFO] Sending telemetry: success
What other infrastructure do you have? Firewalls, proxies, literally anything other than your OS?
That error smacks of load balancer health checking.
Probably worth noting that by going from no tls directive to the above configuration, you’ve changed the port for this site from Caddy’s default 2015 to the HTTPS standard 443.
Ah thanks, I changed the port from 2015 to 443. I’m now getting:
502 Bad Gateway
The server returned an invalid or incomplete response.
http: TLS handshake error from IP:36190: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36192: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36210: tls: first record does not look like a TLS handshake
http: TLS handshake error from IP:36212: tls: first record does not look like a TLS handshake
I am testing to see if it is the use of key_type. EDIT: Same error without
When you updated the port from 2015 to 443, did you also change the protocol from HTTP to HTTPS?
Yes, the protocol is HTTPS.
That error is consistent with a client attempting to connect to an HTTPS port using HTTP.
You can see this error in action yourself with a quick test. Run Caddy in the foreground with caddy -log stdout "tls self_signed", then run curl http://localhost:2015 from another shell and observe the output from Caddy.
I’m not sure what circumstances could produce it outside of that scenario. Caddy simply isn’t capable of handling non-TLS connections on a TLS listener.
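An added example, not Caddy's own code and not posted by anyone in this thread, showing why a plaintext request on a TLS listener produces exactly that message and how to find the source in the logs. The first function is modelled on the record-header sanity check in Go's crypto/tls (reconstructed, not copied), and the log lines and 10.0.0.5 address are constructed stand-ins in the format seen above.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

const recordTypeAlert, recordTypeHandshake = 0x15, 0x16 // TLS record content types

// ClassifyFirstRecord applies the sanity check Go's crypto/tls performs on the
// 5-byte header of the first record on a connection (modelled on crypto/tls, not
// copied from it): byte 0 is the record type, bytes 1-2 the version. An HTTP
// request line such as "GET / HTTP/1.1" fails both tests, which is exactly when
// Go logs "first record does not look like a TLS handshake".
func ClassifyFirstRecord(b []byte) string {
	if len(b) < 5 {
		return "short"
	}
	typ, vers := b[0], uint16(b[1])<<8|uint16(b[2])
	if (typ != recordTypeAlert && typ != recordTypeHandshake) || vers >= 0x1000 {
		return "plaintext"
	}
	return "tls"
}

var handshakeErr = regexp.MustCompile(`TLS handshake error from (\S+): tls: first record does not look like a TLS handshake`)

// CountHandshakeErrorsBySource tallies the error per source host from Caddy log
// text, so a single address producing all of them (a load balancer health check
// speaking plain HTTP to port 443, as in this thread) stands out.
func CountHandshakeErrorsBySource(logText string) map[string]int {
	counts := map[string]int{}
	for _, m := range handshakeErr.FindAllStringSubmatch(logText, -1) {
		host, _, err := net.SplitHostPort(m[1])
		if err != nil {
			host = m[1] // keep the raw token when no port was logged
		}
		counts[host]++
	}
	return counts
}

func main() {
	// Constructed inputs: a ClientHello record header (type 0x16, version 3.1) and a plaintext probe.
	fmt.Println(ClassifyFirstRecord([]byte{0x16, 0x03, 0x01, 0x00, 0xc8, 0x01}), ClassifyFirstRecord([]byte("GET /health HTTP/1.1\r\n")))
	// Constructed log lines in the thread's format; 10.0.0.5 stands in for the health checker.
	logs := "http: TLS handshake error from 10.0.0.5:36190: tls: first record does not look like a TLS handshake\n" +
		"http: TLS handshake error from 10.0.0.5:36192: tls: first record does not look like a TLS handshake\n"
	fmt.Println(CountHandshakeErrorsBySource(logs)) // map[10.0.0.5:2]
}
```

Run it against a copy of the real Caddy log: if every count belongs to one address, that address is the HTTP-speaking client to reconfigure (point its check at the HTTP port, or have it speak TLS).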