"The page isn’t redirecting properly" when runn

1. Caddy version (caddy version):

v2.0.0

2. How I run Caddy:

a. System environment:

Docker

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: "3.6"
services:
  caddy:
    image: caddy
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - DOMAIN
      - CF_API_EMAIL_FILE=$USERDIR/docker/traefik/cloudflare-api-email
      - CF_API_KEY_FILE=$USERDIR/docker/traefik/cloudflare-api-key
    volumes:
      - $USERDIR/docker/shared/Caddyfile:/etc/caddy/Caddyfile:ro
      - $USERDIR/docker/caddy/data:/data
      - $USERDIR/docker/caddy/config:/config
  ddclient:
    image: linuxserver/ddclient
    container_name: ddclient
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=$TZ
    volumes:
      - $USERDIR/docker/ddclient/config:/config
    restart: unless-stopped
  nextcloud:
    image: linuxserver/nextcloud
    container_name: nextcloud
    hostname: nextcloud
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=$TZ
    volumes:
      - /opt/docker/config/nextcloud:/config
      - /opt/docker/data/nextcloud:/data
    ports:
      - 8080:80
    depends_on:
      - nextcloud-db
    restart: unless-stopped
  nextcloud-db:
    image: linuxserver/mariadb
    container_name: nextcloud-db
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=$ROOT_NEXTCLOUD_PASSWORD
      - MYSQL_PASSWORD=$NEXTCLOUD_PASSWORD
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - TZ=$TZ
    volumes:
      - /opt/docker/config/mariadb:/config
    restart: unless-stopped
  jellyfin:
    image: linuxserver/jellyfin
    container_name: jellyfin
    hostname: jellyfin
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=$TZ
    volumes:
      - $USERDIR/docker/jellyfin/config:/config
      - $USERDIR/docker/jellyfin/backup:/backup
      - $USERDIR/media/audiobooks:/audiobooks
      - $USERDIR/media/books:/books
      - $USERDIR/media/movies:/movies
      - $USERDIR/media/music:/music
      - $USERDIR/media/tvshows:/tvshows
    restart: unless-stopped
  gitea:
    image: gitea/gitea:1
    container_name: gitea
    hostname: gitea
    volumes:
      - /var/lib/gitea:/data
    depends_on:
      - gitea-db
    restart: always
    environment:
      - USER_UID=113
      - USER_GUID=65534
  gitea-db:
    image: mariadb:10
    container_name: gitea-db
    restart: always
    environment:
      - MYSQL_ROOT_PASSWORD=$ROOT_JELLYFIN_PASSWORD
      - MYSQL_DATABASE=gitea
      - MYSQL_USER=gitea
      - MYSQL_PASSWORD=$JELLYFIN_PASSWORD
    volumes:
            #- /home/docker/gitea-db:/var/lib/mysql
      - /opt/docker/data/gitea-db:/var/lib/mysql
  dashmachine:
    image: rmountjoy/dashmachine
    container_name: dashmachine
    volumes:
      - $USERDIR/docker/dashmachine:/dashmachine/dashmachine/user_data
    restart: unless-stopped
  bookstack:
    image: linuxserver/bookstack
    container_name: bookstack
    environment:
      - PUID=1001
      - PGID=1001
      - DB_HOST=bookstack-db
      - DB_USER=bookstack
      - DB_PASS=$BOOKSTACK_PASSWORD
      - DB_DATABASE=bookstackapp
    volumes:
      - $USERDIR/docker/bookstack/config:/config
    restart: unless-stopped
    depends_on:
      - bookstack-db
  bookstack-db:
    image: linuxserver/mariadb
    container_name: bookstack-db
    environment:
      - PUID=1001
      - PGID=1001
      - MYSQL_ROOT_PASSWORD=$ROOT_BOOKSTACK_PASSWORD
      - TZ=$TZ
      - MYSQL_DATABASE=bookstackapp
      - MYSQL_USER=bookstack
      - MYSQL_PASSWORD=$BOOKSTACK_PASSWORD
    volumes:
      - $USERDIR/docker/bookstack/database:/config
    restart: unless-stopped

d. My complete Caddyfile or JSON config:

{
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

cloud.{$DOMAIN} {
    reverse_proxy nextcloud:80
    header Strict-Transport-Security max-age=31536000;
    redir /.well-known/carddav /remote.php/carddav 301
    redir /.well-known/caldav /remote.php/caldav 301
}

git.{$DOMAIN} {
    reverse_proxy gitea:3000
}
media.{$DOMAIN} {
    reverse_proxy jellyfin:8096
}

3. The problem I’m having:

I’m trying to get Nextcloud up and running with Caddy v2. Every time I go to my Nextcloud domain, it gives me this:

I’m not disabling or refusing cookies.

4. Error messages and/or full log output:

2020/05/17 20:03:08 http: TLS handshake error from 192.168.50.1:52794: remote error: tls: unknown certificate authority
{"level":"error","ts":1589745792.1931398,"logger":"http.log.error","msg":"dial tcp 172.22.0.8:80: connect: connection refused","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52802","host":"media.haddock.cc","headers":{"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"Cache-Control":["max-age=0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"media.haddock.cc"}},"duration":0.00088949,"status":502,"err_id":"in526shsp","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
2020/05/17 20:03:22 http: TLS handshake error from 107.178.232.250:59628: no certificate available for '172.22.0.11'
{"level":"info","ts":1589745839.2326262,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:03:59 [INFO][cache:0xc000224140] Stopped certificate maintenance routine
{"level":"info","ts":1589745839.233054,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589745839.2330658,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589745841.8260295,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589745841.8299327,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020/05/17 20:04:01 [INFO][cache:0xc0007a8370] Started certificate maintenance routine
{"level":"info","ts":1589745841.830241,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589745841.8302643,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1589745841.8332562,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589745841.8334165,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["media.haddock.cc","git.haddock.cc","cloud.haddock.cc"]}
{"level":"info","ts":1589745841.8444514,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589745841.8444633,"msg":"serving initial configuration"}
{"level":"error","ts":1589745858.6042135,"logger":"http.log.error","msg":"dial tcp 172.22.0.8:80: connect: connection refused","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52808","host":"media.haddock.cc","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"Cache-Control":["max-age=0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"media.haddock.cc"}},"duration":0.000925538,"status":502,"err_id":"j65aueksg","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589745880.3468199,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/PopeRigby/python-bootcamp/pulls?lang=ja-JP","proto":"HTTP/1.1","remote_addr":"66.249.79.205:55085","host":"git.haddock.cc","headers":{"Accept":["text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8"],"From":["googlebot(at)googlebot.com"],"User-Agent":["Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.92 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"],"Accept-Encoding":["gzip,deflate,br"],"Amp-Cache-Transform":["google;v=\"1..3\""],"Connection":["keep-alive"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.000863465,"status":502,"err_id":"q9a996ekf","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589745917.0087516,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/ScrapjackStudios/slayer/commit/5f94ddcfe39795d71740a7444154e95a79e7d49c?lang=fr-FR","proto":"HTTP/1.1","remote_addr":"66.249.79.209:40067","host":"git.haddock.cc","headers":{"Amp-Cache-Transform":["google;v=\"1..3\""],"Connection":["keep-alive"],"Accept":["text/html,application/xhtml+xml,application/signed-exchange;v=b3,application/xml;q=0.9,*/*;q=0.8"],"From":["googlebot(at)googlebot.com"],"User-Agent":["Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"],"Accept-Encoding":["gzip,deflate,br"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.000937941,"status":502,"err_id":"4xeyzia3z","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"info","ts":1589745938.7086487,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:05:38 [INFO][cache:0xc0007a8370] Stopped certificate maintenance routine
{"level":"info","ts":1589745938.7092106,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589745938.7092223,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589745941.524698,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589745941.5286393,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["127.0.0.1:2019","localhost:2019","[::1]:2019"]}
2020/05/17 20:05:41 [INFO][cache:0xc000614ff0] Started certificate maintenance routine
{"level":"info","ts":1589745941.52893,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589745941.5289528,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1589745941.5319147,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589745941.5320911,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["media.haddock.cc","git.haddock.cc","cloud.haddock.cc"]}
{"level":"info","ts":1589745941.54509,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589745941.545103,"msg":"serving initial configuration"}
{"level":"error","ts":1589746005.532132,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52844","host":"git.haddock.cc","headers":{"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Cookie":["i_like_gitea=b5284520ae7c1382; lang=en-US; _csrf=Oro4WIpcDJZcVRFEuFQFPPg0g0s6MTU4OTc0MjYyOTg2NjMyNTQxMA"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.000864841,"status":502,"err_id":"td45dfrdn","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746005.583612,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/favicon.ico","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52844","host":"git.haddock.cc","headers":{"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":["i_like_gitea=b5284520ae7c1382; lang=en-US; _csrf=Oro4WIpcDJZcVRFEuFQFPPg0g0s6MTU4OTc0MjYyOTg2NjMyNTQxMA"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["image/webp,*/*"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.000879055,"status":502,"err_id":"tyb925p92","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746006.553168,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/serviceworker.js","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52844","host":"git.haddock.cc","headers":{"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Service-Worker":["script"],"Cookie":["i_like_gitea=b5284520ae7c1382; lang=en-US; _csrf=Oro4WIpcDJZcVRFEuFQFPPg0g0s6MTU4OTc0MjYyOTg2NjMyNTQxMA"],"Cache-Control":["max-age=0"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.000864843,"status":502,"err_id":"jxdqqnrzs","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746071.6568348,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52844","host":"git.haddock.cc","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Cookie":["i_like_gitea=b5284520ae7c1382; lang=en-US; _csrf=Oro4WIpcDJZcVRFEuFQFPPg0g0s6MTU4OTc0MjYyOTg2NjMyNTQxMA"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.001051739,"status":502,"err_id":"287pqdnnx","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746072.697818,"logger":"http.log.error","msg":"dial tcp 172.22.0.6:80: connect: connection refused","request":{"method":"GET","uri":"/serviceworker.js","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52844","host":"git.haddock.cc","headers":{"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["*/*"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Service-Worker":["script"],"Cookie":["i_like_gitea=b5284520ae7c1382; lang=en-US; _csrf=Oro4WIpcDJZcVRFEuFQFPPg0g0s6MTU4OTc0MjYyOTg2NjMyNTQxMA"],"Cache-Control":["max-age=0"],"Te":["trailers"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"git.haddock.cc"}},"duration":0.00088274,"status":502,"err_id":"12kdk6qwc","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"info","ts":1589746087.8330567,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:08:07 [INFO][cache:0xc000614ff0] Stopped certificate maintenance routine
{"level":"info","ts":1589746087.833727,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589746087.8337429,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589746090.5966766,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589746090.600265,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020/05/17 20:08:10 [INFO][cache:0xc0006d1860] Started certificate maintenance routine
{"level":"info","ts":1589746090.6006298,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589746090.600658,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1589746090.6044872,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589746090.6047063,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.haddock.cc","media.haddock.cc","git.haddock.cc"]}
{"level":"info","ts":1589746090.6128967,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589746090.6129074,"msg":"serving initial configuration"}
2020/05/17 20:14:15 http: TLS handshake error from 195.54.160.123:36862: no certificate available for '172.22.0.11'
{"level":"info","ts":1589746491.4121141,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:14:51 [INFO][cache:0xc0006d1860] Stopped certificate maintenance routine
{"level":"info","ts":1589746491.4127634,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589746491.4127808,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589746495.1585264,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589746495.162172,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020/05/17 20:14:55 [INFO][cache:0xc0001d94a0] Started certificate maintenance routine
{"level":"info","ts":1589746495.162466,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589746495.16249,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1589746495.1654544,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589746495.1656275,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.haddock.cc","media.haddock.cc","git.haddock.cc"]}
{"level":"info","ts":1589746495.1767483,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589746495.1767578,"msg":"serving initial configuration"}
{"level":"error","ts":1589746495.6640868,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"OPTIONS","uri":"/remote.php/dav/principals/users/shawna/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:59845","host":"cloud.haddock.cc","headers":{"Content-Length":["0"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"Accept":["*/*"],"User-Agent":["iOS/13.4.1 (17E262) dataaccessd/1.0"],"Accept-Language":["en-us"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"http/1.1","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.000866492,"status":502,"err_id":"891jb12xd","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746495.671113,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"OPTIONS","uri":"/remote.php/dav/principals/users/shawna/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:59847","host":"cloud.haddock.cc","headers":{"Connection":["keep-alive"],"Cookie":["ocgiijrqfwz6=53edq2ugbaeqjij6s7hjs38bl4; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=7gTIXdZxBUsQxtOXqXw6K%2BUQUzPBNxZ9eFzwl0gRfFGxvfMPFwawNuAumglPL7mGhIE2Px1kJoYgHSf9U7%2FVMJtrYr4ncPjImR01YDTWTOlC1oACFbOTTHrXdfr0CiGO"],"User-Agent":["iOS/13.4.1 (17E262) dataaccessd/1.0"],"Accept-Language":["en-us"],"Content-Length":["0"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["*/*"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"http/1.1","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.000663857,"status":502,"err_id":"xein29agi","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746495.7006876,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"REPORT","uri":"/remote.php/dav/addressbooks/users/shawna/contacts/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:59845","host":"cloud.haddock.cc","headers":{"Depth":["1"],"Brief":["t"],"Accept":["*/*"],"Connection":["keep-alive"],"Prefer":["return=minimal"],"User-Agent":["iOS/13.4.1 (17E262) dataaccessd/1.0"],"Content-Type":["text/xml"],"Accept-Encoding":["gzip, deflate, br"],"Content-Length":["225"],"Accept-Language":["en-us"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"http/1.1","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.000865192,"status":502,"err_id":"swn4712k3","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746495.7449296,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"REPORT","uri":"/remote.php/dav/principals/users/shawna/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:59848","host":"cloud.haddock.cc","headers":{"Prefer":["return=minimal"],"User-Agent":["iOS/13.4.1 (17E262) dataaccessd/1.0"],"Accept-Encoding":["gzip, deflate, br"],"Content-Type":["text/xml"],"Cookie":["ocgiijrqfwz6=53edq2ugbaeqjij6s7hjs38bl4; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=7gTIXdZxBUsQxtOXqXw6K%2BUQUzPBNxZ9eFzwl0gRfFGxvfMPFwawNuAumglPL7mGhIE2Px1kJoYgHSf9U7%2FVMJtrYr4ncPjImR01YDTWTOlC1oACFbOTTHrXdfr0CiGO"],"Connection":["keep-alive"],"Content-Length":["768"],"Accept-Language":["en-us"],"Accept":["*/*"],"Brief":["t"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"http/1.1","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.00088059,"status":502,"err_id":"9hp7f4buh","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746495.7568054,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"PROPFIND","uri":"/remote.php/dav/calendars/shawna/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:59848","host":"cloud.haddock.cc","headers":{"Content-Type":["text/xml"],"Depth":["1"],"Connection":["keep-alive"],"User-Agent":["iOS/13.4.1 (17E262) dataaccessd/1.0"],"Accept":["*/*"],"Brief":["t"],"Accept-Language":["en-us"],"Accept-Encoding":["gzip, deflate, br"],"Content-Length":["2293"],"Cookie":["ocgiijrqfwz6=53edq2ugbaeqjij6s7hjs38bl4; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=7gTIXdZxBUsQxtOXqXw6K%2BUQUzPBNxZ9eFzwl0gRfFGxvfMPFwawNuAumglPL7mGhIE2Px1kJoYgHSf9U7%2FVMJtrYr4ncPjImR01YDTWTOlC1oACFbOTTHrXdfr0CiGO"],"Prefer":["return=minimal"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"http/1.1","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001973201,"status":502,"err_id":"jii76vwd0","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589746497.927298,"logger":"http.log.error","msg":"dial tcp 172.22.0.7:3306: connect: connection refused","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:52910","host":"cloud.haddock.cc","headers":{"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":["__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=jtGvwQ0k22QOmsGIjtQ9qY3MEURz04m8g90Jv29oH6qIV8Rqt6l2HcPf3tTHklOxFn0Iif3nw2YumdCRMskcwEFrMSZvobHzRxkYGR48gEfxC%2BU2fqtusxs5dko6k9ax; i18next=en-US; oc6mbe5vxaa7=hnb90f9hh1lktfn44p50i0h1cg; ocgiijrqfwz6=qkm9m4jmv2rkp9iadsg3lvnchr"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.000833773,"status":502,"err_id":"30ki0cjar","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"info","ts":1589746521.5167701,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:15:21 [INFO][cache:0xc0001d94a0] Stopped certificate maintenance routine
{"level":"info","ts":1589746521.5173512,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589746521.5173645,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589746525.4257755,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589746525.4285939,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
{"level":"info","ts":1589746525.428882,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589746525.4289038,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
2020/05/17 20:15:25 [INFO][cache:0xc00022a140] Started certificate maintenance routine
{"level":"info","ts":1589746525.432614,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589746525.4328213,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.haddock.cc","media.haddock.cc","git.haddock.cc"]}
{"level":"info","ts":1589746525.4439378,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589746525.4439487,"msg":"serving initial configuration"}
{"level":"info","ts":1589746596.4488478,"msg":"shutting down apps then terminating","signal":"SIGTERM"}
2020/05/17 20:16:36 [INFO][cache:0xc00022a140] Stopped certificate maintenance routine
{"level":"info","ts":1589746596.4496746,"logger":"admin","msg":"stopped previous server"}
{"level":"info","ts":1589746596.4496937,"msg":"shutdown done","signal":"SIGTERM"}
{"level":"info","ts":1589746599.9777136,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1589746599.9824266,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
2020/05/17 20:16:39 [INFO][cache:0xc0006be0a0] Started certificate maintenance routine
{"level":"info","ts":1589746599.9827414,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1589746599.982764,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1589746599.9860237,"logger":"tls","msg":"cleaned up storage units"}
{"level":"info","ts":1589746599.9862025,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.haddock.cc","media.haddock.cc","git.haddock.cc"]}
{"level":"info","ts":1589746599.9982133,"msg":"autosaved config","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1589746599.9982235,"msg":"serving initial configuration"}
2020/05/17 20:18:40 http: TLS handshake error from 195.54.160.123:50908: no certificate available for '172.22.0.11'
2020/05/17 20:18:41 http: TLS handshake error from 195.54.160.123:39904: no certificate available for '172.22.0.11'
2020/05/17 20:25:05 http: TLS handshake error from 195.54.160.123:39992: no certificate available for '172.22.0.11'
2020/05/17 20:45:39 http: TLS handshake error from 96.88.129.85:43324: EOF
2020/05/17 20:51:42 http: TLS handshake error from 5.101.0.209:47856: no certificate available for '172.22.0.11'
2020/05/17 21:36:15 http: TLS handshake error from 5.101.0.209:50776: no certificate available for '172.22.0.11'
2020/05/17 21:47:07 http: TLS handshake error from 195.54.160.123:49188: no certificate available for '172.22.0.11'
2020/05/17 21:49:27 http: TLS handshake error from 209.141.43.150:59556: no certificate available for '172.22.0.11'
2020/05/17 23:22:41 http: TLS handshake error from 209.141.43.150:43838: no certificate available for '172.22.0.11'

5. What I already tried:

I tried using different ports for Nextcloud within my docker-compose.yml and my Caddyfile. I also tried commenting out the https://acme-staging-v02.api.letsencrypt.org/directory line to see if it was a certificate problem.

I can’t remember where I found this, but here is the Caddy v2 config I am using for Nextcloud, which is working pretty well:

(headers) {
  header {
    -Server
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Content-Security-Policy "upgrade-insecure-requests"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; usb 'none'; vr 'none'"
  }
}

nextcloud.domain.tld {
  import headers

  root * /usr/share/nextcloud
  file_server

  php_fastcgi 127.0.0.1:9000
  encode gzip

  redir /.well-known/carddav /remote.php/dav permanent
  redir /.well-known/caldav /remote.php/dav permanent

  # .htaccess/data/config/... shouldn't be accessible from outside
  @forbidden {
    path    /.htaccess
    path    /data/*
    path    /config/*
    path    /db_structure
    path    /.xml
    path    /README
    path    /3rdparty/*
    path    /lib/*
    path    /templates/*
    path    /occ
    path    /console.php
  }
  respond @forbidden 404
}

After adding that to my Caddyfile

{
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

(headers) {
  header {
    -Server
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Xss-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "SAMEORIGIN"
    Content-Security-Policy "upgrade-insecure-requests"
    Referrer-Policy "strict-origin-when-cross-origin"
    Cache-Control "public, max-age=15, must-revalidate"
    Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; usb 'none'; vr 'none'"
  }
}

cloud.{$DOMAIN} {
  import headers

  root * /usr/share/nextcloud
  file_server

  php_fastcgi 127.0.0.1:9000
  encode gzip

  redir /.well-known/carddav /remote.php/dav permanent
  redir /.well-known/caldav /remote.php/dav permanent

  # .htaccess/data/config/... shouldn't be accessible from outside
  @forbidden {
    path    /.htaccess
    path    /data/*
    path    /config/*
    path    /db_structure
    path    /.xml
    path    /README
    path    /3rdparty/*
    path    /lib/*
    path    /templates/*
    path    /occ
    path    /console.php
  }
  respond @forbidden 404
}

git.{$DOMAIN} {
    reverse_proxy gitea:3000
}
media.{$DOMAIN} {
    reverse_proxy jellyfin:8096
}

…I just get a blank white screen when going to my Nextcloud domain. Last time this happened I had to specify the default port of the container after giving the hostname (e.g. gitea:3000). I don’t see the container hostname listed in your Caddyfile. Are you using Docker?

I am not, sorry - just an LXC container with Nextcloud and Caddy running side-by-side.

So, it looks to me like that docker image linuxserver/nextcloud is meant to be proxied on port 443 rather than port 80.

The default nginx config in the container just does a redirect to https when connected to on port 80.

So I think you’ll need to do this:

reverse_proxy nextcloud:443 {
    transport http {
        tls_insecure_skip_verify
    }
}

I hate recommending tls_insecure_skip_verify because it turns off any TLS security you have, but in this case it’s fine because it’s just a proxy within the docker network.

If you’re still having issues after that, try adding the debug global option which should add some additional details to the logs that might help with figuring out what’s going wrong.

Ok, so now I’ve got this:

cloud.{$DOMAIN} {
    reverse_proxy nextcloud:443 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

But I’m still getting a white screen, and the Caddy logs say:

{"level":"error","ts":1589820896.1618576,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/status.php","proto":"HTTP/1.1","remote_addr":"192.168.50.1:34210","host":"cloud.haddock.cc","headers":{"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"],"Accept":["*/*"],"X-Request-Id":["f4842097-4648-499e-a7dc-3ee08298abec"],"Connection":["Keep-Alive"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,*"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001318633,"status":502,"err_id":"1dq4z2f2v","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}

How do I turn on the debug global option?

Change this:

{
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

to this:

{
    #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
    debug
}

This time it looks like the NextCloud container is responding, but not over TLS, for some reason.

Pretty much the same error, but I think it’s a bit longer this time:

{"level":"error","ts":1589822680.2773879,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:34646","host":"cloud.haddock.cc","headers":{"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept-Language":["en-US,en;q=0.5"],"Cookie":["__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=jtGvwQ0k22QOmsGIjtQ9qY3MEURz04m8g90Jv29oH6qIV8Rqt6l2HcPf3tTHklOxFn0Iif3nw2YumdCRMskcwEFrMSZvobHzRxkYGR48gEfxC%2BU2fqtusxs5dko6k9ax; i18next=en-US; oc6mbe5vxaa7=hnb90f9hh1lktfn44p50i0h1cg; ocgiijrqfwz6=qkm9m4jmv2rkp9iadsg3lvnchr"],"Upgrade-Insecure-Requests":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Dnt":["1"],"Cache-Control":["max-age=0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.00142044,"status":502,"err_id":"0r03kvnfp","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589822688.1783245,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/status.php","proto":"HTTP/1.1","remote_addr":"192.168.50.1:34648","host":"cloud.haddock.cc","headers":{"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"],"Accept":["*/*"],"X-Request-Id":["1cd676f1-fbca-40d8-bef0-ad2e652a100c"],"Connection":["Keep-Alive"],"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,*"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001263335,"status":502,"err_id":"1upxixb80","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}

Unfortunately, I don’t know enough about NextCloud to help much further. I think you’ll need to ask for help from the NextCloud forums or from the maintainers of the docker image to instruct you on how to run it correctly. I don’t think this is an issue with Caddy or your configuration right now.

So I went and asked on the Nextcloud forum and they said to ask you, because it was a Caddy problem. I’m almost positive that’s the case actually. It worked just fine before using Traefik and nginx.

tls: first record does not look like a TLS handshake

Caddy couldn’t connect to the upstream, because it apparently sent non-TLS-handshake bytes. So make sure your nextcloud installation is using TLS.
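The error string quoted above is produced by Go's crypto/tls client when the first bytes an upstream sends back are not a TLS record. As an added example (not part of the original thread and not Caddy's own code), this Go program reproduces that error against a local plaintext server and classifies what a port actually speaks; `probeUpstream`, `startUpstream`, `probeResult` and the local stand-in servers are names and fixtures assumed for illustration.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// probeResult says what an upstream port speaks: "tls", "not-tls" or "unreachable".
type probeResult struct{ Kind, Msg, First string }

// probeUpstream attempts the TLS handshake a proxy's TLS transport would make.
// Certificate checks are off because only the wire protocol is being tested.
func probeUpstream(addr string) probeResult {
	d := &net.Dialer{Timeout: 3 * time.Second}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
		return probeResult{Kind: "tls"}
	}
	var rh tls.RecordHeaderError
	if errors.As(err, &rh) {
		// RecordHeader holds the five bytes read where a TLS record header belongs.
		return probeResult{"not-tls", rh.Msg, string(rh.RecordHeader[:])}
	}
	return probeResult{Kind: "unreachable", Msg: err.Error()}
}

// startUpstream runs a constructed local stand-in for the container upstream.
func startUpstream(useTLS bool) (addr string, stop func()) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	if useTLS {
		srv.StartTLS()
	} else {
		srv.Start()
	}
	return srv.Listener.Addr().String(), srv.Close
}

func main() {
	for _, useTLS := range []bool{false, true} {
		addr, stop := startUpstream(useTLS)
		fmt.Printf("upstream tls=%v -> %+v\n", useTLS, probeUpstream(addr))
		stop()
	}
}
```

A `not-tls` result whose first bytes are `HTTP/` means the port answered in plain HTTP, so a TLS transport pointed at it fails with a 502 no matter how certificate verification is configured.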

It must be if it was working for my other reverse proxies, right?

Can you grab the latest on master and then try it again? The debug log should actually output something this time.

I think I got the latest with docker pull caddy:latest

latest: Pulling from library/caddy
Digest: sha256:a318e53203be65b120d2bfc2a887838fe32bcc839c02df83571d101429bc4f4e
Status: Image is up to date for caddy:latest
docker.io/library/caddy:latest

but it’s giving me what looks like the same error:

{"level":"error","ts":1589922256.4171615,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:57222","host":"cloud.haddock.cc","headers":{"Cookie":["__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=jtGvwQ0k22QOmsGIjtQ9qY3MEURz04m8g90Jv29oH6qIV8Rqt6l2HcPf3tTHklOxFn0Iif3nw2YumdCRMskcwEFrMSZvobHzRxkYGR48gEfxC%2BU2fqtusxs5dko6k9ax; i18next=en-US; oc6mbe5vxaa7=hnb90f9hh1lktfn44p50i0h1cg; ocgiijrqfwz6=qkm9m4jmv2rkp9iadsg3lvnchr"],"Upgrade-Insecure-Requests":["1"],"Dnt":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001506589,"status":502,"err_id":"b1m7k38mb","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589922366.2717865,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"PROPFIND","uri":"/remote.php/dav/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:57270","host":"cloud.haddock.cc","headers":{"Cache-Control":["no-cache"],"Accept":["text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8"],"Accept-Charset":["utf-8,*;q=0.5"],"Accept-Language":["en-US,en;q=0.9"],"Depth":["0"],"Content-Length":["239"],"Connection":["keep-alive"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) KHTML/5.70.0 (like Gecko) Konqueror/5 KIO/5.70"],"Pragma":["no-cache"],"Accept-Encoding":["gzip, deflate, x-gzip, x-deflate"],"Content-Type":["text/xml; charset=utf-8"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001434561,"status":502,"err_id":"577zyqpdt","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1589922366.275974,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"PROPFIND","uri":"/remote.php/dav/","proto":"HTTP/1.1","remote_addr":"192.168.50.1:57272","host":"cloud.haddock.cc","headers":{"Connection":["keep-alive"],"Accept":["text/html, text/*;q=0.9, image/jpeg;q=0.9, image/png;q=0.9, image/*;q=0.9, */*;q=0.8"],"Accept-Encoding":["gzip, deflate, x-gzip, x-deflate"],"Accept-Language":["en-US,en;q=0.9"],"Content-Type":["text/xml; charset=utf-8"],"Content-Length":["243"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) KHTML/5.70.0 (like Gecko) Konqueror/5 KIO/5.70"],"Pragma":["no-cache"],"Cache-Control":["no-cache"],"Accept-Charset":["utf-8,*;q=0.5"],"Depth":["0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001264136,"status":502,"err_id":"9b9gqf0ac","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}

Are you sure that is the latest on master? What is caddy version? You will get the same error, but you should get an additional debug log line that prints the upstream request.

That gives me: v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

So that’s using v2.0.0, not the latest on master. You’ll have to use the latest on master. Every CI run has artifacts, for example: reverseproxy: Make debug log safe if error occurs · caddyserver/caddy@9ee01dc · GitHub

Oh. How do I use the latest master with Docker?

I dunno. @francislavoie do you know?

Bind mount the binary on your host to /usr/bin/caddy temporarily to replace the Caddy binary in the container.