TLS handshake error from : EOF

1. Caddy version (caddy version):

v2.0.0 h1:pQSaIJGFluFvu8KDGDODV8u4/QRED/OPyIR+MWYYse8=

2. How I run Caddy:

Installed by APT
Run with systemctl

a. System environment:

Ubuntu LTS 20.04

d. My complete Caddyfile or JSON config:

www.supersamaworld.com, supersamaworld.com {
    bind 51.89.18.59
	
    tls hello@jewome62.eu
    encode gzip

    reverse_proxy https://ssw2.samaserv.link
}

3. The problem I’m having:

The website responds:

421 Site supersamaworld.com is not served on this interface

4. Error messages and/or full log output:

Here is journalctl -xe:

Jun 10 21:46:53 srv1 caddy[343432]: 2020/06/10 21:46:53 http: TLS handshake error from 83.243.126.50:39234: EOF

5. What I already tried:

I tried to add * as match for proxy_reverse
I tried to define the transport with the http + tls option

wget from the server to https://ssw2.samaserv.link works (this is a Caddy server on another server with a valid Let’s Encrypt certificate)

I didn’t find any resource with this error code (I found something, but it is specific to Kubernetes in Azure Cloud)

6. Links to relevant resources:

Hi @Jewome62, welcome to the Caddy community!

Do you still get this error if you remove the bind directive?

To clarify, that is not a message that Caddy 2 emits.

1 Like

Hello @Whitestrake,

I tried without bind, but that doesn’t work. Same error.

Hello @matt
Currently netstat tells me it is Caddy that responds.

tcp6       0      0 :::80                   :::*                    LISTEN      394084/caddy        
tcp6       0      0 :::443                  :::*                    LISTEN      394084/caddy  

And the response is in HTTPS

I followed the access log on the https://ssw2.samaserv.link server: when I use a simple wget, I have an access log entry and I have saved index.html.
When I access supersamaworld.com, I have no call in the access log on the ssw2.samaserv.link server.

I have no problem accessing ssw2.samaserv.link, and I don’t have any other program which can answer that.
And here I see the same error message about a Caddy server:

https://www.gitmemory.com/issue/wekan/wekan/2748/539130644

It’s a similar message, but note two things:

  1. In the example above, Caddy sets Status 404 Not Found, not Status 421 Misdirected Request.
  2. Caddy v1 would issue 404s with this message, but Caddy v2 does not.

That means the 421 is almost certainly coming from the upstream server, and Caddy’s actually working as configured.

To confirm, you can add this to the top of your Caddyfile:

{
  debug
}

Reload the new configuration, try to browse to your site, then copy the log entry from Caddy’s output, which should contain the results from the reverse proxy.

1 Like

For each call I have just this, no more:

Jun 11 02:10:10 srv1 caddy[403324]: {"level":"debug","ts":1591841410.3823211,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"ssw2.samaserv.link:443","request">
Jun 11 02:10:10 srv1 caddy[403324]: {"level":"debug","ts":1591841410.4516513,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"ssw2.samaserv.link:443","request">

Those are truncated. We need the full lines.

Oops, sorry, I didn’t see the truncation.

Jun 11 02:16:14 srv1 caddy[403324]: {"level":"debug","ts":1591841774.666237,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"ssw2.samaserv.link:443","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"83.243.126.50:42278","host":"supersamaworld.com","headers":{"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"],"Accept-Language":["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"],"Accept-Encoding":["gzip, deflate, br"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Upgrade-Insecure-Requests":["1"],"Cache-Control":["max-age=0"],"Te":["trailers"],"X-Forwarded-For":["83.243.126.50"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":true,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"supersamaworld.com"}},"headers":{"Date":["Thu, 11 Jun 2020 02:16:14 GMT"],"Content-Type":["text/plain; charset=utf-8"],"Server":["Caddy"],"X-Content-Type-Options":["nosniff"],"Content-Length":["60"]},"duration":0.010033197,"status":421}
Jun 11 02:16:14 srv1 caddy[403324]: {"level":"debug","ts":1591841774.7348788,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"ssw2.samaserv.link:443","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"83.243.126.50:42280","host":"supersamaworld.com","headers":{"Accept-Language":["fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"],"Te":["trailers"],"X-Forwarded-For":["83.243.126.50"],"User-Agent":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"],"Cache-Control":["max-age=0"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":true,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"supersamaworld.com"}},"headers":{"Content-Type":["text/plain; charset=utf-8"],"Server":["Caddy"],"X-Content-Type-Options":["nosniff"],"Content-Length":["60"],"Date":["Thu, 11 Jun 2020 02:16:14 GMT"]},"duration":0.009985555,"status":421}

On the remote server (ssw2) I have checked the access log and the error log; I didn’t have any log entry added with the code 421.
I just have access log entries when I call the ssw2 address directly, and the last entry in the error log is 09/Jun/2020:22:07:03 +0200 [ERROR 0 /wp-login.php] Primary script unknown

Parse it out for readability, and we have these results:

{
  "level": "debug",
  "ts": 1591841774.666237,
  "logger": "http.handlers.reverse_proxy",
  "msg": "upstream roundtrip",
  "upstream": "ssw2.samaserv.link:443",
  "request": {
    "method": "GET",
    "uri": "/",
    "proto": "HTTP/2.0",
    "remote_addr": "83.243.126.50:42278",
    "host": "supersamaworld.com",
    "headers": {
      "User-Agent": [
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
      ],
      "Accept-Language": [
        "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br"
      ],
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "Cache-Control": [
        "max-age=0"
      ],
      "Te": [
        "trailers"
      ],
      "X-Forwarded-For": [
        "83.243.126.50"
      ],
      "X-Forwarded-Proto": [
        "https"
      ]
    },
    "tls": {
      "resumed": true,
      "version": 772,
      "ciphersuite": 4865,
      "proto": "h2",
      "proto_mutual": true,
      "server_name": "supersamaworld.com"
    }
  },
  "headers": {
    "Date": [
      "Thu, 11 Jun 2020 02:16:14 GMT"
    ],
    "Content-Type": [
      "text/plain; charset=utf-8"
    ],
    "Server": [
      "Caddy"
    ],
    "X-Content-Type-Options": [
      "nosniff"
    ],
    "Content-Length": [
      "60"
    ]
  },
  "duration": 0.010033197,
  "status": 421
}
{
  "level": "debug",
  "ts": 1591841774.7348788,
  "logger": "http.handlers.reverse_proxy",
  "msg": "upstream roundtrip",
  "upstream": "ssw2.samaserv.link:443",
  "request": {
    "method": "GET",
    "uri": "/",
    "proto": "HTTP/2.0",
    "remote_addr": "83.243.126.50:42280",
    "host": "supersamaworld.com",
    "headers": {
      "Accept-Language": [
        "fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3"
      ],
      "Te": [
        "trailers"
      ],
      "X-Forwarded-For": [
        "83.243.126.50"
      ],
      "User-Agent": [
        "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:77.0) Gecko/20100101 Firefox/77.0"
      ],
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br"
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "Cache-Control": [
        "max-age=0"
      ],
      "X-Forwarded-Proto": [
        "https"
      ]
    },
    "tls": {
      "resumed": true,
      "version": 772,
      "ciphersuite": 4865,
      "proto": "h2",
      "proto_mutual": true,
      "server_name": "supersamaworld.com"
    }
  },
  "headers": {
    "Content-Type": [
      "text/plain; charset=utf-8"
    ],
    "Server": [
      "Caddy"
    ],
    "X-Content-Type-Options": [
      "nosniff"
    ],
    "Content-Length": [
      "60"
    ],
    "Date": [
      "Thu, 11 Jun 2020 02:16:14 GMT"
    ]
  },
  "duration": 0.009985555,
  "status": 421
}

So… curiously, Caddy is talking to an upstream Caddy server. The upstream Caddy server is issuing 421 responses. Hmm!

Anyway, that’s exactly the behaviour I’m seeing from your upstream server, too. The Caddy server you have configured to serve www.supersamaworld.com, supersamaworld.com and reverse proxy to https://ssw2.samaserv.link is working exactly as expected.

~/Projects/test
➜ curl -iLH "Host:supersamaworld.com" https://ssw2.samaserv.link
HTTP/2 421
content-type: text/plain; charset=utf-8
server: Caddy
x-content-type-options: nosniff
content-length: 60
date: Thu, 11 Jun 2020 02:27:27 GMT

421 Site supersamaworld.com is not served on this interface
2 Likes

OK, thanks for your answer.
So the problem is on ssw2 (this is Caddy version 1)

2020/06/11 04:27:15 [INFO] supersamaworld.com - No such site at :443 (Remote: 145.239.0.175, Referer: )
2020/06/11 04:27:15 [INFO] supersamaworld.com - No such site at :443 (Remote: 145.239.0.175, Referer: )

I suppose it tries to find supersamaworld.com in the config.
So I have edited my Caddyfile
from

ssw2.samaserv.link {

to

supersamaworld.com, www.supersamaworld.com, ssw2.samaserv.link {

And that works!

But this is not the real server, so how will the certificates be renewed?
Is it possible to tell Caddy not to trust the Host sent?
Edit: I have rolled back the config on the ssw2 Caddy
And I have changed the Host header from the supersamaworld.com Caddy server :grin:

    reverse_proxy https://ssw2.samaserv.link {
        header_up Host ssw2.samaserv.link
    }

Edit 2: Thanks @Whitestrake for your precious help!

3 Likes
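
The diagnosis worked out in this thread, as an added example that is not part of the original posts or of Caddy itself: a small triage script that reads `journalctl` lines, picks out the reverse proxy's "upstream roundtrip" debug entries, and flags the case where the upstream rejected a Host it does not serve. The sample lines are constructed from the fields shown above, the function names are hypothetical, and it assumes `request.host` in the entry is the Host that was forwarded upstream, as it was in the thread's entries.

```python
import json

# Constructed samples shaped like the journald lines in the thread (fields trimmed).
PREFIX = "Jun 11 02:16:14 srv1 caddy[403324]: "
REJECTED = PREFIX + json.dumps({
    "level": "debug", "logger": "http.handlers.reverse_proxy",
    "msg": "upstream roundtrip", "upstream": "ssw2.samaserv.link:443",
    "request": {"method": "GET", "uri": "/", "host": "supersamaworld.com"},
    "headers": {"Server": ["Caddy"], "Content-Length": ["60"]}, "status": 421})
# Hypothetical entry after adding `header_up Host ssw2.samaserv.link`.
FIXED = PREFIX + json.dumps({
    "level": "debug", "logger": "http.handlers.reverse_proxy",
    "msg": "upstream roundtrip", "upstream": "ssw2.samaserv.link:443",
    "request": {"method": "GET", "uri": "/", "host": "ssw2.samaserv.link"},
    "headers": {"Server": ["Caddy"]}, "status": 200})
# A line cut off by the journalctl pager, like the first two the poster pasted.
TRUNCATED = PREFIX + '{"level":"debug","msg":"upstream roundtrip","request">'

def parse_roundtrip(line):
    """Return the JSON object of an 'upstream roundtrip' entry, else None."""
    start = line.find("{")
    if start < 0:
        return None                      # plain-text line, e.g. the TLS EOF message
    try:
        entry = json.loads(line[start:])
    except json.JSONDecodeError:
        return None                      # truncated line: ask for the full entry
    return entry if entry.get("msg") == "upstream roundtrip" else None

def hostname(hostport):
    """Lower-case a host and drop a trailing :port if one is present."""
    return hostport.rsplit(":", 1)[0].lower() if ":" in hostport else hostport.lower()

def diagnose(line):
    """Summarise one log line; None if it is not a usable roundtrip entry."""
    entry = parse_roundtrip(line)
    if entry is None:
        return None
    sent = hostname(entry.get("request", {}).get("host", ""))
    upstream = hostname(entry.get("upstream", ""))
    status = entry.get("status")
    mismatch = sent != upstream
    return {
        "status": status, "sent_host": sent, "upstream": upstream,
        "upstream_server": entry.get("headers", {}).get("Server", [None])[0],
        "host_mismatch": mismatch,
        # 421 here, 404 in the linked example: both are upstream "no such site" answers.
        "upstream_rejected_host": mismatch and status in (404, 421),
    }

if __name__ == "__main__":
    for sample in (REJECTED, FIXED, TRUNCATED):
        print(diagnose(sample))
```
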
