Are you running that from within Docker?
Yes, I did.
That doesn’t work.
Not much I can do with this statement except start enumerating the huge number of ways this could “not work”. It’s a long list.
What, specifically, doesn’t work?
- What did you do? (e.g. browse to my site)
- What did you expect? (e.g. a page with some content)
- What did you get instead? (e.g. an error - be specific!)
Sorry about that.
Yep, browsed to the site
A page with content
A blank white screen and this error:
{"level":"error","ts":1590714405.8933592,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:48970","host":"cloud.haddock.cc","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":["__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=jtGvwQ0k22QOmsGIjtQ9qY3MEURz04m8g90Jv29oH6qIV8Rqt6l2HcPf3tTHklOxFn0Iif3nw2YumdCRMskcwEFrMSZvobHzRxkYGR48gEfxC%2BU2fqtusxs5dko6k9ax; i18next=en-US; oc6mbe5vxaa7=hnb90f9hh1lktfn44p50i0h1cg; ocgiijrqfwz6=qkm9m4jmv2rkp9iadsg3lvnchr"],"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001510511,"status":502,"err_id":"5jhm6chnh","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1590714408.7454536,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/status.php","proto":"HTTP/1.1","remote_addr":"192.168.50.1:48974","host":"cloud.haddock.cc","headers":{"Authorization":["Basic Y2Fzc2lkeTpBNERnVFU2cnhjZFRDbTE1VjE2OVB0TnhQMFpvZmtUWDJDbHFGdFpHa3huSjFLajZ0ZlZwRGdmMFhqeHBYV1B5RlhOZkdJRHM="],"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"],"Accept-Language":["en-US,*"],"Accept":["*/*"],"X-Request-Id":["aec2552a-927c-4c18-b67e-88b1bb9ccb17"],"Cookie":["oc_sessionPassphrase=UHQj9qI%2FnrTyjgnS859NOTLz9CSnjuJzYHA%2Fqi%2BxHGnfN%2BbtshsnAyXFWRNTQUklLPhJtzNH9%2FdeiYnt2sDU0wRfvKPUmbu%2FRW9bKVf1DedjJ4IWNoWVoswN46Pu6zBq; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocgiijrqfwz6=i30m5cr957ljka72gtkj0v1v35"],"Connection":["Keep-Alive"],"Accept-Encoding":["gzip, deflate"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001332102,"status":502,"err_id":"6mf321vqe","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1590714440.8476026,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/status.php","proto":"HTTP/1.1","remote_addr":"192.168.50.1:48986","host":"cloud.haddock.cc","headers":{"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"],"Accept":["*/*"],"Cookie":["oc_sessionPassphrase=UHQj9qI%2FnrTyjgnS859NOTLz9CSnjuJzYHA%2Fqi%2BxHGnfN%2BbtshsnAyXFWRNTQUklLPhJtzNH9%2FdeiYnt2sDU0wRfvKPUmbu%2FRW9bKVf1DedjJ4IWNoWVoswN46Pu6zBq; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocgiijrqfwz6=i30m5cr957ljka72gtkj0v1v35"],"Accept-Encoding":["gzip, deflate"],"Authorization":["Basic Y2Fzc2lkeTpBNERnVFU2cnhjZFRDbTE1VjE2OVB0TnhQMFpvZmtUWDJDbHFGdFpHa3huSjFLajZ0ZlZwRGdmMFhqeHBYV1B5RlhOZkdJRHM="],"Accept-Language":["en-US,*"],"X-Request-Id":["bb0c4402-3a43-4434-beab-f77795a2c9ee"],"Connection":["Keep-Alive"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001347555,"status":502,"err_id":"e4b02c29v","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1590714472.743511,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/status.php","proto":"HTTP/1.1","remote_addr":"192.168.50.1:48994","host":"cloud.haddock.cc","headers":{"Accept-Encoding":["gzip, deflate"],"Accept-Language":["en-US,*"],"Accept":["*/*"],"Cookie":["oc_sessionPassphrase=UHQj9qI%2FnrTyjgnS859NOTLz9CSnjuJzYHA%2Fqi%2BxHGnfN%2BbtshsnAyXFWRNTQUklLPhJtzNH9%2FdeiYnt2sDU0wRfvKPUmbu%2FRW9bKVf1DedjJ4IWNoWVoswN46Pu6zBq; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; ocgiijrqfwz6=i30m5cr957ljka72gtkj0v1v35"],"User-Agent":["Mozilla/5.0 (Linux) mirall/2.6.4git (Nextcloud)"],"X-Request-Id":["06c98d39-4398-4b70-a919-47894c2f6a1a"],"Connection":["Keep-Alive"],"Authorization":["Basic Y2Fzc2lkeTpBNERnVFU2cnhjZFRDbTE1VjE2OVB0TnhQMFpvZmtUWDJDbHFGdFpHa3huSjFLajZ0ZlZwRGdmMFhqeHBYV1B5RlhOZkdJRHM="]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001295974,"status":502,"err_id":"mxbkx4pyp","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
{"level":"error","ts":1590714473.6051157,"logger":"http.log.error","msg":"tls: first record does not look like a TLS handshake","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"192.168.50.1:48970","host":"cloud.haddock.cc","headers":{"Accept-Language":["en-US,en;q=0.5"],"Accept-Encoding":["gzip, deflate, br"],"Cookie":["__Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; oc_sessionPassphrase=jtGvwQ0k22QOmsGIjtQ9qY3MEURz04m8g90Jv29oH6qIV8Rqt6l2HcPf3tTHklOxFn0Iif3nw2YumdCRMskcwEFrMSZvobHzRxkYGR48gEfxC%2BU2fqtusxs5dko6k9ax; i18next=en-US; oc6mbe5vxaa7=hnb90f9hh1lktfn44p50i0h1cg; ocgiijrqfwz6=qkm9m4jmv2rkp9iadsg3lvnchr"],"Upgrade-Insecure-Requests":["1"],"Te":["trailers"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"cloud.haddock.cc"}},"duration":0.001364805,"status":502,"err_id":"1ifw4g3ny","err_trace":"reverseproxy.(*Handler).ServeHTTP (reverseproxy.go:380)"}
Alright, that’s helpful!
Looks like Caddy’s going to HTTPS again, probably inferred by port 443 and agnostic scheme.
Try override it by changing the upstream to: http://nextcloud:443
Like this?
cloud.{$DOMAIN} {
reverse_proxy http://nextcloud:443
}
That shows me this when going to the page:
I also get this error:
{"level":"info","ts":1590716181.6530917,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716184.0143726,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716186.338895,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716188.4517374,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716190.6897066,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716193.4822166,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716197.8322918,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716205.5135624,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716219.5308127,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
{"level":"info","ts":1590716246.3325531,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:6 - Error during parsing: upstream address has conflicting scheme (http://) and port (:443, the HTTPS port)
Gonna tag @matt in on this one, should this be a breaking error? HTTP on port 443 is pretty stupid, yes, but still technically functional. In this case the only thing stopping this from working fine is the parsing error itself.
And the rest of my pages aren’t working
Yeah, that’s intentional. I believe it was the same way in Caddy 1 too.
Oh, so what do I do to fix it?
Simple: Change the port to anything else, or use https://.
So, as your Nextcloud instance appears to be listening for HTTP on port 443, and Caddy is opinionated against allowing HTTP upstreams on default HTTPS port, your Nextcloud installation is not supported by Caddy.
Best bet to get things running from here would be to go to Linuxserver, the maintainers of your Nextcloud image, and sort out how to fix your container so that it either accepts traffic on port 80 without issue, or listens to HTTPS instead of HTTP on port 443.
2 Likes
How was I able to get it to work outside Docker then? Can’t I try and replicate that?
It works because it hides the fact that Nextcloud is serving HTTP on port 443 from Caddy. Caddy doesn’t realise it because Docker is translating the port to 8443.
You can leave Caddy outside of Docker if you like and it’ll keep working fine.
That makes sense. I’ll create a post on the LinuxServer forums then.
@Whitestrake can you tell the LinuxServer people what you’re talking about in my thread? I’m not really sure how to explain it myself and they’re asking.
No worries. It can be a bit confusing.
Currently, your Nextcloud is listening to HTTP (i.e. no TLS) on port 443.
Ideally, it should listen to HTTPS (i.e. with TLS) on port 443. I am not sure why it isn’t.
They are telling you that, by default, the Nextcloud container does in fact listen on HTTPS. Yours for some reason is not exhibiting the default behaviour.
Feel free to link them to this post by way of explanation (click the timestamp up the top right of this post for a shareable link).
Thank you (:
@Whitestrake I don’t want to ask the Nextcloud people about this, but I’m getting the whole:
2020/06/05 21:24:42 http: TLS handshake error from 192.168.50.1:37575: no certificate available for 'cloud.haddock.cc'
and this after resetting /config/nginx/site-confs
@matt do you think maybe you could help me fix this one? (Sorry this is taking so long. Thanks for all your help).