Set up Caddy to access ERPNext with HTTPS

1. The problem I’m having:

Greetings
I have been using Caddy for Grafana and other systems. I love it; there is no hassle accessing those systems over HTTPS on the local area network. Currently I am running ERPNext, which I deployed with Podman, and I am trying to reach it at https://mydomain.net. The pod / container is listening on port 8085; when I open https://mydomain.net I get a black screen with no content on it.

2. Error messages and/or full log output:

Dec 13 10:07:37 fedora caddy[1419]: {"level":"error","ts":1734073657.9075766,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"remote_ip":"192.168.4.33","remote_port":"36846","client_ip":"192.168.4.33","proto":"HTTP/2.0","method":"GET","host":"erp.liyumfi.net","uri":"/","headers":{"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Cookie":["REDACTED"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"erp.liyumfi.net"}},"duration":0.001602726,"status":502,"err_id":"8zi46xs7e","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
Dec 13 10:07:37 fedora caddy[1419]: {"level":"error","ts":1734073657.9914207,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"remote_ip":"192.168.4.33","remote_port":"36846","client_ip":"192.168.4.33","proto":"HTTP/2.0","method":"GET","host":"erp.liyumfi.net","uri":"/","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"],"Sec-Fetch-Dest":["document"],"Sec-Fetch-Mode":["navigate"],"Priority":["u=0, i"],"Te":["trailers"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Cookie":["REDACTED"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["cross-site"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"erp.liyumfi.net"}},"duration":0.001069844,"status":502,"err_id":"7xf17t6py","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}
Dec 13 10:07:38 fedora caddy[1419]: {"level":"error","ts":1734073658.1293514,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"remote_ip":"192.168.4.33","remote_port":"36846","client_ip":"192.168.4.33","proto":"HTTP/2.0","method":"GET","host":"erp.liyumfi.net","uri":"/favicon.ico","headers":{"Accept":["image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br, zstd"],"Sec-Fetch-Mode":["no-cors"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:132.0) Gecko/20100101 Firefox/132.0"],"Referer":["https://erp.liyumfi.net/"],"Cookie":["REDACTED"],"Sec-Fetch-Dest":["image"],"Sec-Fetch-Site":["same-origin"],"Priority":["u=6"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"erp.liyumfi.net"}},"duration":0.001046611,"status":502,"err_id":"m55ukieu0","err_trace":"reverseproxy.statusError (reverseproxy.go:1269)"}

3. Caddy version:

v2.8.4

4. How I installed and ran Caddy:

From official fedora repository

Name            : caddy
Epoch           : 0
Version         : 2.8.4
Release         : 1.fc41
Architecture    : x86_64
Installed size  : 42.7 MiB
Source          : caddy-2.8.4-1.fc41.src.rpm
From repository : fedora
Summary         : Web server with automatic HTTPS
URL             : https://caddyserver.com
License         : Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND MIT AND BSD-2-Clause-Views AND CC0-1.0 AND ISC AND MPL-2.0
Description     : Caddy is an extensible server platform that uses TLS by default.
Vendor          : Fedora Project

a. System environment:

 OS: Fedora Linux 41 (KDE Plasma) x86_64
 Host: VMware Virtual Platform
 Kernel: Linux 6.11.11-300.fc41.x86_64
 Shell: bash 5.2.32
 Terminal: /dev/pts/0
 CPU: 12th Gen Intel(R) Core(TM) i7-12700 (12) @ 2.11 GHz
 GPU: VMware SVGA II Adapter

b. Command:

# I am running it as a system daemon
systemctl start caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile


# The configuration below serves a welcome page over HTTP on port 80.  To use
# your own domain name with automatic HTTPS, ensure your A/AAAA DNS record is
# pointing to this machine's public IP, then replace `http://` with your domain
# name.  Refer to the documentation for full instructions on the address
# specification.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses
http:// {
        # Set this path to your site's directory.
        root * /usr/share/caddy

        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000

        # Refer to the directive documentation for more options.
        # https://caddyserver.com/docs/caddyfile/directives
}

# As an alternative to editing the above site block, you can add your own site
# block files in the Caddyfile.d directory, and they will be included as long
# as they use the .caddyfile extension.
import Caddyfile.d/*.caddyfile

cloud.liyumfi.net {
        tls internal

        reverse_proxy localhost:8080 {
                # Use https with a self signed cert between Caddy and Cells
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}

monitor.liyumfi.net {
        tls internal
        reverse_proxy localhost:3000 {
                # Use https with a self signed cert between Caddy and Cells
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}

liyumfi.net {
        tls internal

        root * /var/www/liyumfiportal/
        file_server
}

erp.liyumfi.net {
        tls internal

        reverse_proxy localhost:8085 {
                # Use https with a self signed cert between Caddy and Cells
                transport http {
                        tls
                        tls_insecure_skip_verify
                }
        }
}

5. Links to relevant resources:

Is anyone here, please? I want to understand what Caddy requires for the other systems to be able to route traffic through 443.

This error comes from the reverse_proxy handler

I see this in your config

Is your upstream (ERPNext) configured with TLS certificate? It appears like it wasn’t

Hello @Mohammed90, thank you so much for replying.

I am running ERPNext in a container and I exposed 8085 to access it from the host and other computers. But I have changed the Caddy setting to

reverse_proxy erp.liyumfi.net:8085 {
        transport http {
                tls
                tls_insecure_skip_verify
        }
}

ERPNext is accessible at http://erp.liyumfi.net.

Is your upstream (ERPNext) configured with TLS certificate? It appears like it wasn’t

I have configured nginx to listen on 443; here is the nginx config file, nginx.conf. I added this to the backend container, but I tried it on the frontend container too.

Just because it's listening on 443 doesn't mean it's configured with TLS.

Here you say it works with http://, meaning it’s only listening on http.

Remove this.
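What the fix looks like in full, as an added example (not the thread's own final config). The hostnames and ports are the ones posted above; the `tls internal` line is what issues the browser-facing certificate from Caddy's local CA, while the `transport http` block only governs the hop from Caddy to the upstream. The ERPNext container answers plain HTTP on 8085, so that hop must be plain HTTP too: with `tls` in the transport, Caddy's Go TLS client reads the first five bytes of nginx's HTTP reply, finds no TLS record header, and the proxy fails with exactly the "first record does not look like a TLS handshake" 502 in the log. The PEM path in the second block is a hypothetical placeholder.

```caddyfile
# ERPNext: the Podman container publishes plain HTTP on 8085, so the
# proxied hop is plain HTTP. No transport block, no tls, no
# tls_insecure_skip_verify. Caddy still serves the browser over HTTPS.
erp.liyumfi.net {
        tls internal
        reverse_proxy localhost:8085
}

# Keep a TLS transport only for an upstream that really listens with TLS
# (the posted cloud block says the Cells instance on 8080 does). Rather
# than tls_insecure_skip_verify, which accepts any certificate at all,
# pin the upstream's issuer: the PEM of the CA that signed its
# certificate or, for a self-signed certificate, that certificate itself.
# tls_server_name must match a SAN in the upstream certificate.
cloud.liyumfi.net {
        tls internal
        reverse_proxy localhost:8080 {
                transport http {
                        tls
                        tls_trusted_ca_certs /etc/caddy/upstream-ca/cells.pem
                        tls_server_name cloud.liyumfi.net
                }
        }
}
```

Before touching the Caddyfile, check what the upstream actually speaks from the Caddy host: `curl -sv http://127.0.0.1:8085/ -o /dev/null` should return an HTTP status line, and `openssl s_client -connect 127.0.0.1:8085 -servername erp.liyumfi.net </dev/null` will fail with a wrong-version-number error on a plain-HTTP port. Whichever of the two succeeds tells you whether the transport needs `tls`. Prefer `localhost:8085` over `erp.liyumfi.net:8085` as the upstream address: the container port is published on the host, and keeping the unauthenticated hop on the loopback means a DNS change cannot redirect it off the machine.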

@Mohammed90 Thank you so much. It worked for me as you suggested. I think I need to understand Caddy’s configuration better.

Thank you.