Tcp proxy with "net" plugin?

(Read this, then delete it before you post.) To get the best help possible, please:

I’m trying to get a subdomain to forward traffic to localhost:5901 {vncserver} in the hopes that I can use caddy tls subdomain in vnc viewer for a tightvncserver session thus sending my password over a secure connection.

I tried $ caddy -type=net -conf /etc/caddyfile

proxy :12017 :5901 {
tls on

I get the error msg “The connection was refused by the computer” in vnc viewer whenever i used

below is what caddy displayed when i attempted to connect via

Done proxying:
Done proxying:
Done proxying:

i want to able to connect via using only a subdomain
dns entry has * for dynamic hosts and there is a vnc subdomain pointed to the ip address.

Remember, this community only works when those who get help also give help. Thanks for participating!

What ports are VNC listening to on the host?

What ports are open at the edge of the network?

Does it work without tls on?

vnc is listening on port 5901 .

it’s running on a vps , the port is open and I just confirmed that with Open Port Check Tool - Test Port Forwarding on Your Router

caddy runs the conf file with tls on but vncviewer doesn’t connect via the subdomain.

If you run Caddy without tls on, can vncviewer connect?

I’ve run caddy with “tls off” and without a tls entry and vncviewer still saids “the connection was refused by computer” when i try to connect via the subdomain.

From what I’m reading, VNC needs port x+n, where x is usually the default 5900 and n is the display number (for virtual displays, etc).

Could it be that VNC expects more or different ports to be available? If the ports are open, and Caddy is logging the proxy, I’d have to assume that the connections are being refused at the target port i.e. 5901.

I can connect with ip:5901 and domain:5901 just fine.

Done proxying:
Done proxying:
Done proxying:

the ports caddy are forwarding to doesn’t make sense to me when it should be forwarding to 5901

So VNC doesn’t negotiate over the initial port and then connect to a higher port, counting up to the virtual display number?

It would explain this behaviour because connecting over 5901 and then adding port numbers for the virtual display, e.g. 5902, would work, but wouldn’t for 12017 (because Caddy isn’t listening or proxying from 12018).

Yep, they look pretty weird - to me they look more like source ports (from the connecting client) - they tend to be pretty high and a bit random.

The print line in the source code is here, I’ll look in to exactly what it’s echoing…

To clarify, it prints that line when a close signal is sent through the proxy, so either the client or the server (looks like the server) is closing the connection.

Is there any way I can resolve this?

I mean, I haven’t ruled it out yet. It should be a straightforward TCP proxy, so as long as everything is configured for VNC’s requirements, it should work just fine. I’m just not familiar enough with VNC to say for sure what it needs re: port behaviour, which prompted the question from my previous comment in this thread.

I followed this guide to set it up, How to Install and Configure VNC on Ubuntu 16.04 | DigitalOcean

Not sure if this is useful at all but I was able to make caddy do exactly what you are trying without any trouble. I used this Caddyfile (so obviously no TLS involved)

proxy :12017 :5901 {
    tls off

When I started a VNC server on that port I was able to access it fine (the connection refused errors were when I tried connecting without starting the VNC server):

$ ./caddy -type=net -conf Caddyfile
Activating privacy features... done.
[INFO] Proxying from  :12017  ->  :5901
WARNING: File descriptor limit 1024 is too low for production servers. At least 8192 is recommended. Fix with "ulimit -n 8192".
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
[ERROR] Cannot connect to remote connection: %s Err:dial tcp :5901: connect: connection refused
Done proxying: [::1]:12017

In this case the second port number seems to be the port Caddy is outputting the traffic on so it does make sense - you connect to caddy on port 12017 & it then creates a connection from → to connect to the VNC server.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.