Hi.
1. Problem
I am running a Caddy reverse proxy in a Podman container, serving content from a Podman Apache container. Loading a PNG image (less than 100 kB; either inside HTML or as a raw file) results in 12% of the image loading and displaying as fast as expected. Then it hangs for about 5 to 6 seconds, and then the rest of the file loads as fast as expected.
The issue occurs with all browsers; I tested with Chromium, Firefox, curl and wget.
The issue occurs only with PNG, not with JPG, GIF or HTML content.
Once the image is in the cache, loading time is as expected.
I think it's because of Caddy, as loading the PNG image is
→ fast with the development Apache container (Podman) connected directly
→ fast with the production Apache container (Podman) connected directly to the port on the server
→ slow as described with the production Apache container (Podman) behind the Caddy reverse proxy running in a container (Podman) on the server
Somewhere I read about KeepAlive. I switched it off in Apache and Caddy: no success.
2. Error messages and/or full log output:
As there is no systemd in the container, I cannot use journalctl for logging.
Here is the output of "podman pod logs". You can see the delay of 6 s between loading the image and the final loading of favicon.ico:
podman pod logs
> eae0b030cf95 10.0.2.100 - - [16/Nov/2023:00:19:09 +0000] "GET /storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png HTTP/1.1" 200 86772 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0"
> eae0b030cf95 10.0.2.100 - - [16/Nov/2023:00:19:15 +0000] "GET /favicon.ico HTTP/1.1" 200 1250 "https://wikicardia.de/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0"
curl log
curl -vL wikicardia.de/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png > out.png
* processing: wikicardia.de/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1
* Connected to wikicardia.de (90.187.109.81) port 80
> GET /storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png HTTP/1.1
> Host: wikicardia.de
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://wikicardia.de/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png
< Server: Caddy
< Date: Thu, 16 Nov 2023 00:25:53 GMT
< Content-Length: 0
* Closing connection
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://wikicardia.de/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png'
* Trying 90.187.109.81:443...
* Connected to wikicardia.de (90.187.109.81) port 443
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
* subject: CN=wikicardia.de
* start date: Oct 30 00:00:00 2023 GMT
* expire date: Jan 28 23:59:59 2024 GMT
* subjectAltName: host "wikicardia.de" matched cert's "wikicardia.de"
* issuer: C=AT; O=ZeroSSL; CN=ZeroSSL ECC Domain Secure Site CA
* SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* using HTTP/2
* h2 [:method: GET]
* h2 [:scheme: https]
* h2 [:authority: wikicardia.de]
* h2 [:path: /storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png]
* h2 [user-agent: curl/8.2.1]
* h2 [accept: */*]
* Using Stream ID: 1
> GET /storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png HTTP/2
> Host: wikicardia.de
> User-Agent: curl/8.2.1
> Accept: */*
>
{ [5 bytes data]
< HTTP/2 200
< accept-ranges: bytes
< alt-svc: h3=":443"; ma=2592000
< content-type: image/png
< date: Thu, 16 Nov 2023 00:25:53 GMT
< etag: "1520b-607bb34a24eb2"
< last-modified: Sun, 15 Oct 2023 06:14:43 GMT
< server: Caddy
< server: Apache/2.4.54 (Debian)
< content-length: 86539
<
{ [11203 bytes data]
100 86539 100 86539 0 0 16749 0 0:00:05 0:00:05 --:--:-- 13675
* Connection #1 to host wikicardia.de left intact
caddy debug log:
{"level":"debug","ts":1700321689.566036,"logger":"events","msg":"event","name":"tls_get_certificate","id":"8b2045c7-be4d-48d9-a338-fab458002e0d","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,4868,49196,49200,52393,52392,49325,49195,49199,49324,49187,49191,49162,49172,49161,49171,157,49309,156,49308,61,60,53,47,159,52394,49311,158,49310,107,103,57,51,255],"ServerName":"wikicardia.de","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":1700321689.56612,"logger":"tls.handshake","msg":"choosing certificate","identifier":"wikicardia.de","num_choices":1}
{"level":"debug","ts":1700321689.5661445,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"wikicardia.de","subjects":["wikicardia.de"],"managed":true,"issuer_key":"acme.zerossl.com-v2-DV90","hash":"81c72b079e2dc74073c45ae2e0599f67332fdc913046b2b3e4eade153d8eb47c"}
{"level":"debug","ts":1700321689.5661566,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.0.2.100","remote_port":"34040","subjects":["wikicardia.de"],"managed":true,"expiration":1706486400,"hash":"81c72b079e2dc74073c45ae2e0599f67332fdc913046b2b3e4eade153d8eb47c"}
{"level":"debug","ts":1700321689.608357,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"fiducit-0-performance-server:18002","total_upstreams":1}
{"level":"debug","ts":1700321689.6137106,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"fiducit-0-performance-server:18002","duration":0.005303351,"request":{"remote_ip":"10.0.2.100","remote_port":"34040","client_ip":"10.0.2.100","proto":"HTTP/2.0","method":"GET","host":"wikicardia.de","uri":"/storage/base/titlelogo/3d6266fed52d0a99b6cebc1a209d1c33.png","headers":{"User-Agent":["curl/8.2.1"],"Accept":["*/*"],"X-Forwarded-For":["10.0.2.100"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["wikicardia.de"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"wikicardia.de"}},"headers":{"Accept-Ranges":["bytes"],"Content-Length":["86539"],"Content-Type":["image/png"],"Date":["Sat, 18 Nov 2023 15:34:49 GMT"],"Server":["Apache/2.4.54 (Debian)"],"Last-Modified":["Sun, 15 Oct 2023 06:14:43 GMT"],"Etag":["\"1520b-607bb34a24eb2\""]},"status":200}
3. Caddy version:
v2.7.5
4. How I installed and ran Caddy:
Docker image via Podman:
Client: Podman Engine
Version: 4.3.1
API Version: 4.3.1
Go Version: go1.19.8
Built: Thu Jan 1 01:00:00 1970
OS/Arch: linux/amd64
# podman ps
cd9d004c848e docker.io/library/caddy:latest caddy run --confi... 7 minutes ago Up 7 minutes ago 0.0.0.0:14001->443/tcp, 0.0.0.0:18001->80/tcp reverse-proxy_caddy
docker.io/library/caddy:latest
a. System environment
uname -r
6.1.0-13-amd64
neofetch
app_001_infra_reverse-proxy@fiducit-0-performance-server
OS: Debian GNU/Linux 12 (bookworm) x86_64
Kernel: 6.1.0-13-amd64
Uptime: 4 days, 18 hours, 23 mins
Packages: 906 (dpkg)
Shell: bash 5.2.15
Terminal: /dev/pts/0
CPU: AMD Ryzen Threadripper 2990WX (64) @ 3.000GHz
GPU: NVIDIA GeForce GT 1030
Memory: 1760MiB / 31990MiB
b. Command:
/usr/bin/podman container run \
--cidfile=%t/%n.ctr-id \
--cgroups=no-conmon \
--rm \
--pod-id-file %t/pod-reverse-proxy.pod-id \
--sdnotify=conmon \
-d \
--replace \
--name reverse-proxy_caddy \
-v /data/apps/001_infra_reverse-proxy/data/caddy/Caddyfiles/:/etc/caddy/ \
-v /data/apps/001_infra_reverse-proxy/data/caddy/config/:/config/ \
-v /data/apps/001_infra_reverse-proxy/data/caddy/data/:/data/ \
caddy:latest
c. Service/unit/compose file:
# container-reverse-proxy_caddy.service
# autogenerated by Podman 4.3.1
# Mon Oct 30 01:22:01 CET 2023
[Unit]
Description=Podman container-reverse-proxy_caddy.service
Documentation=man:podman-generate-systemd(1)
Wants=network-online.target
After=network-online.target
RequiresMountsFor=%t/containers
BindsTo=pod-reverse-proxy.service
After=pod-reverse-proxy.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm \
-f %t/%n.ctr-id
ExecStart=/usr/bin/podman container run \
--cidfile=%t/%n.ctr-id \
--cgroups=no-conmon \
--rm \
--pod-id-file %t/pod-reverse-proxy.pod-id \
--sdnotify=conmon \
-d \
--replace \
--name reverse-proxy_caddy \
-v /data/apps/001_infra_reverse-proxy/data/caddy/Caddyfiles/:/etc/caddy/ \
-v /data/apps/001_infra_reverse-proxy/data/caddy/config/:/config/ \
-v /data/apps/001_infra_reverse-proxy/data/caddy/data/:/data/ \
caddy:latest
d. My complete Caddy config:
{
debug
email kontakt@fiducit.de
cert_issuer zerossl APIID
}
import etc_conf.d/*.caddy
import 0-performance_conf.d/*.caddy
import 1-storage_conf.d/*.caddy
cat 0-performance_conf.d/002_egbert.jacobs_wikicardia.caddy
wikicardia.de {
reverse_proxy fiducit-0-performance-server:18002
}
www.wikicardia.de {
redir https://wikicardia.de{uri}
}
5. Links to relevant resources:
none
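The symptom in the post (a fraction of the body arrives, then a multi-second gap, then the rest; the curl trace's first data chunk of 11203 bytes is roughly 13% of the 86539-byte body, consistent with the 12% reported) is easiest to localize by timestamping every socket read and noting the byte offset at which the client waited. The script below is an added example, not part of the post and not Caddy's or Apache's code. It ships with a constructed local server that reproduces the stall so it runs offline; the names `serve_stalling_file`, `stall_profile` and `find_stalls` are this example's own.

```python
"""Locate a stall in an HTTP download by timestamping every socket read.

Added example (not from the forum post). `serve_stalling_file` is a constructed
fixture that sends part of a body, pauses, then sends the rest; `stall_profile`
is the measurement you would point at the real URL, directly at Apache and
again through the proxy, to see which hop introduces the gap.
"""
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


def serve_stalling_file(body: bytes, stall_after: int, stall_seconds: float) -> str:
    """Start a local HTTP server (test fixture) that writes `stall_after` bytes of
    `body`, sleeps `stall_seconds`, then writes the remainder. Returns the URL."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.send_header("Content-Type", "image/png")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            # wfile is unbuffered in BaseHTTPRequestHandler: this hits the wire now.
            self.wfile.write(body[:stall_after])
            self.wfile.flush()
            time.sleep(stall_seconds)  # the simulated hang between the two parts
            self.wfile.write(body[stall_after:])

        def log_message(self, *args):  # keep the fixture quiet
            pass

    srv = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}/stalling.png"


def stall_profile(url: str, chunk: int = 8192):
    """Fetch `url` over HTTP/1.1 and return ([(offset_before_read, seconds_waited), ...],
    total_bytes). read1() hands back whatever is already buffered instead of blocking
    for a full `chunk`, so each wait reflects the wire rather than the client."""
    profile = []
    received = 0
    with urllib.request.urlopen(url) as resp:
        last = time.monotonic()
        while True:
            data = resp.read1(chunk)
            now = time.monotonic()
            if not data:
                break
            profile.append((received, now - last))
            received += len(data)
            last = now
    return profile, received


def find_stalls(profile, threshold: float):
    """Byte offsets at which the client waited longer than `threshold` seconds."""
    return [offset for offset, gap in profile if gap > threshold]


if __name__ == "__main__":
    # Constructed 100 kB body with the stall placed at 12%, like the post describes.
    body = bytes(range(256)) * 400
    url = serve_stalling_file(body, stall_after=len(body) * 12 // 100, stall_seconds=1.0)
    profile, total = stall_profile(url)
    print(f"received {total} bytes in {len(profile)} reads")
    for offset in find_stalls(profile, threshold=0.5):
        print(f"stall after {offset} bytes ({100 * offset // total}%)")
```

Run `stall_profile` against `http://fiducit-0-performance-server:18002/...png` (Apache directly) and against `https://wikicardia.de/...png` (through Caddy) and compare the offsets that `find_stalls` reports; the hop that first shows the gap is the one to investigate. One caveat: `urllib` speaks HTTP/1.1 only, whereas the curl trace in the post negotiated h2 with Caddy, so a stall that appears only with curl or a browser and not with this script points at the HTTP/2 path specifically.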