Simple reverse proxy returning SSL_ERROR_INTERNAL_ERROR_ALERT

1. The problem I’m having:

In our company, I have an Ubuntu server that is not visible from the internet and until recently could only be accessed on port 22. I want to use it for local testing of webapps and therefore asked for ports 80 and 443 to be open.
As a minimal test, I run python -m http.server 8080 and then test port 80 with sudo caddy reverse-proxy --from :80 --to :8080 - this works.
However, when I try port 443 with sudo caddy reverse-proxy --to :8080, I get SSL_ERROR_INTERNAL_ERROR_ALERT in my browser.
Using curl -vL https://or-miniserver.sintef.no returns:

* Host or-miniserver.sintef.no:443 was resolved.
* IPv6: (none)
* IPv4: 10.218.6.71
*   Trying 10.218.6.71:443...
* Connected to or-miniserver.sintef.no (10.218.6.71) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
* closing connection #0
curl: (35) schannel: next InitializeSecurityContext failed: SEC_E_ILLEGAL_MESSAGE (0x80090326) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.

What am I missing? (This is the first time I am trying Caddy…)

2. Error messages and/or full log output:

Log from the terminal:

$ sudo caddy reverse-proxy --to :8080
2025/04/30 08:34:10.400 WARN    admin   admin endpoint disabled
2025/04/30 08:34:10.400 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "proxy", "https_port": 443}
2025/04/30 08:34:10.400 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "proxy"}
2025/04/30 08:34:10.400 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0004b4780"}
2025/04/30 08:34:10.401 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2025/04/30 08:34:10.401 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2025/04/30 08:34:10.401 INFO    http.log        server running  {"name": "proxy", "protocols": ["h1", "h2", "h3"]}
2025/04/30 08:34:10.401 WARN    http    HTTP/2 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/04/30 08:34:10.401 WARN    http    HTTP/3 skipped because it requires TLS  {"network": "tcp", "addr": ":80"}
2025/04/30 08:34:10.401 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2025/04/30 08:34:10.401 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2025/04/30 08:34:10.401 INFO    caddy proxying  {"from": "https://localhost", "to": [":8080"]}
2025/04/30 08:34:10.405 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:/root/.local/share/caddy", "instance": "4482d726-f6ad-4a1d-9a82-f8d87d0d8e76", "try_again": "2025/05/01 08:34:10.405", "try_again_in": 86399.999999728}
2025/04/30 08:34:10.405 INFO    tls     finished cleaning storage units

3. Caddy version:

v2.10.0 h1:fonubSaQKF1YANl8TXqGcn4IbIRUDdfAkpcsfI/vX5U=

4. How I installed and ran Caddy:

a. System environment:

Ubuntu 22.04.5 LTS, on bare metal
Installed from PPA, following instructions from [Install — Caddy Documentation]

b. Command:

sudo caddy reverse-proxy --to :8080

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

No config file

5. Links to relevant resources:

You didn’t tell Caddy what domain name it should use

Certificates are created for a domain name (with nuance, but not in this scope), but the command you’re running doesn’t tell Caddy what domain name to use, so it doesn’t know how to handle incoming requests. Use the --from flag.

I strongly recommend you move away from the reverse-proxy command to a Caddyfile config.

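Added example (not part of the original thread and not Caddy's own code): a Python check that reads Caddy startup log lines like those in the question and tests whether the hostname the client requests is among the names Caddy reports managing certificates for. The wildcard handling goes beyond the case in the thread, and the function names are hypothetical.

```python
import json

# Constructed sample: two lines copied from the startup log in the question.
SAMPLE_LOG = """\
2025/04/30 08:34:10.401 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2025/04/30 08:34:10.401 INFO    caddy proxying  {"from": "https://localhost", "to": [":8080"]}
"""

MARKER = "enabling automatic TLS certificate management"


def managed_domains(log_text):
    """Collect the names Caddy says it manages certificates for."""
    names = set()
    for line in log_text.splitlines():
        if MARKER not in line:
            continue
        start = line.find("{")
        if start == -1:
            continue
        try:
            fields = json.loads(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or non-JSON tail; ignore the line
        names.update(d.lower() for d in fields.get("domains", []))
    return names


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def covered(log_text, requested_host):
    """True if the host the client requests is among the managed names."""
    return any(name_matches(p, requested_host) for p in managed_domains(log_text))


if __name__ == "__main__":
    for host in ("localhost", "or-miniserver.sintef.no"):
        state = "covered" if covered(SAMPLE_LOG, host) else "no certificate managed for this name"
        print(f"{host}: {state}")
```

With the log from the question, only localhost is covered, which matches the reply's diagnosis that the command needs --from with the hostname clients actually use.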