TLS handshake error: no tls config for client hello

1. The problem I’m having:

Hi, I have been using Caddy for quite a while now, always using the Caddyfile for config.
I now have a use case for the remote admin API and therefore looked into configuring Caddy via JSON.
The issue I’m having is that calls to the API with various clients fail, except for curl.
This holds true not just for the admin API, but also for the actual endpoints (reverse proxies), which work fine using curl or when using the Caddyfile instead of JSON.

I expect the issue to be my config, but I have no idea what I did wrong.

2. Error messages and/or full log output:

The logs contain examples with requests made by a go-client and a request made by curl.

Jul 15 07:15:35 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721027735.9042864,"logger":"http.stdlib","msg":"http: TLS handshake error from 80.187.113.250:7664: no server TLS configuration available for ClientHello: &{CipherSuites:[4865 4866 4867] ServerName:caddy.influxdb.eco2web.de SupportedCurves:[X25519 CurveP256 CurveP384 CurveP521] SupportedPoints:[0] SignatureSchemes:[PSSWithSHA256 ECDSAWithP256AndSHA256 Ed25519 PSSWithSHA384 PSSWithSHA512 PKCS1WithSHA256 PKCS1WithSHA384 PKCS1WithSHA512 ECDSAWithP384AndSHA384 ECDSAWithP521AndSHA512 PKCS1WithSHA1 ECDSAWithSHA1] SupportedProtos:[] SupportedVersions:[772] Conn:0xc0008c6000 config:0xc0008b5ba0 ctx:0xc00046e000}"}
Jul 15 07:16:18 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721027778.3892276,"logger":"admin.remote","msg":"http: TLS handshake error from 80.187.113.250:10003: EOF"}
Jul 15 07:17:02 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721027822.4796996,"logger":"admin.remote.handshake","msg":"choosing certificate","identifier":"caddy.influxdb.eco2web.de","num_choices":1}
Jul 15 07:17:02 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721027822.4811368,"logger":"admin.remote.handshake","msg":"default certificate selection results","identifier":"caddy.influxdb.eco2web.de","subjects":["caddy.influxdb.eco2web.de"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"68068ddce1398db6c2ab7a7beae1648319de78f9b8127730d3641c69a06c4207"}
Jul 15 07:17:02 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721027822.4832842,"logger":"admin.remote.handshake","msg":"matched certificate in cache","remote_ip":"80.187.113.250","remote_port":"12253","subjects":["caddy.influxdb.eco2web.de"],"managed":true,"expiration":1727963885,"hash":"68068ddce1398db6c2ab7a7beae1648319de78f9b8127730d3641c69a06c4207"}
Jul 15 07:17:02 ip-10-78-0-183 caddy[31038]: {"level":"info","ts":1721027822.5466316,"logger":"admin.api","msg":"received request","method":"GET","host":"caddy.influxdb.eco2web.de:2021","uri":"/config/apps/http/servers/srv0/routes","remote_ip":"80.187.113.250","remote_port":"12253","headers":{"Accept":["*/*"],"User-Agent":["curl/8.4.0"]},"secure":true,"verified_chains":1}
Jul 15 07:20:56 ip-10-78-0-183 caddy[31038]: {"level":"debug","ts":1721028056.909236,"logger":"http.stdlib","msg":"http: TLS handshake error from 80.187.113.250:20415: no server TLS configuration available for ClientHello: &{CipherSuites:[4865 4866 4867] ServerName:caddy.influxdb.eco2web.de SupportedCurves:[X25519 CurveP256 CurveP384 CurveP521] SupportedPoints:[0] SignatureSchemes:[PSSWithSHA256 ECDSAWithP256AndSHA256 Ed25519 PSSWithSHA384 PSSWithSHA512 PKCS1WithSHA256 PKCS1WithSHA384 PKCS1WithSHA512 ECDSAWithP384AndSHA384 ECDSAWithP521AndSHA512 PKCS1WithSHA1 ECDSAWithSHA1] SupportedProtos:[] SupportedVersions:[772] Conn:0xc0008c6000 config:0xc0008b5ba0 ctx:0xc00046e000}"}

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

I followed the official installation instructions for linux as a system service using the resume variant.

a. System environment:

Running on an Ubuntu container in AWS, via systemd.

b. Command:

systemctl start caddy

c. Service/unit/compose file:

Using default unit file from the repository.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --resume
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
    "admin": {
        "disabled": false,
        "listen": "localhost:2019",
        "origins": ["localhost:2019"],
        "enforce_origin": false,
        "config": {
            "persist": true
        },
        "origins": [
            "https://caddy.influxdb.eco2web.de"
        ],
        "identity": {
            "identifiers": [
                "caddy.influxdb.eco2web.de"
            ]
        },
        "remote": {
            "listen": ":2021",
            "access_control": [
                {
                    "public_keys": [
                        "<public key redacted from the post>"
                    ]
                }
            ]
        }
    },
    "logging": {
        "logs": {
            "default": {
                "level": "debug"
            }
        }
    },
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":443"
                    ],
                    "tls_connection_policies": [
                        {
                            "match": {
                                "sni": [
                                    "*"
                                ]
                            },
                            "protocol_min": "tls1.3"
                        }
                    ],
                    "metrics": {},
                    "routes": [
                        {
                            "match": [
                                {
                                    "host": [
                                        "influxdb.eco2web.de"
                                    ]
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "handler": "headers",
                                                    "response": {
                                                        "set": {
                                                            "Content-Security-Policy": [
                                                                "upgrade-insecure-requests"
                                                            ],
                                                            "Referrer-Policy": [
                                                                "no-referrer"
                                                            ],
                                                            "Strict-Transport-Security": [
                                                                "max-age=31536000"
                                                            ],
                                                            "X-Content-Type-Options": [
                                                                "nosniff"
                                                            ],
                                                            "X-Xss-Protection": [
                                                                "1; mode=block"
                                                            ]
                                                        }
                                                    }
                                                },
                                                {
                                                    "handler": "reverse_proxy",
                                                    "headers": {
                                                        "request": {
                                                            "set": {
                                                                "Host": [
                                                                    "eu-central-1-1.aws.cloud2.influxdata.com"
                                                                ]
                                                            }
                                                        }
                                                    },
                                                    "transport": {
                                                        "protocol": "http",
                                                        "tls": {}
                                                    },
                                                    "upstreams": [
                                                        {
                                                            "dial": "eu-central-1-1.aws.cloud2.influxdata.com:443"
                                                        }
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ]
                        },
                        {
                            "match": [
                                {
                                    "host": [
                                        "3d191981-f43f-4671-b7cb-12e8cd7ef79a.influxdb.eco2web.de"
                                    ]
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "subroute",
                                    "routes": [
                                        {
                                            "handle": [
                                                {
                                                    "handler": "headers",
                                                    "response": {
                                                        "set": {
                                                            "Content-Security-Policy": [
                                                                "upgrade-insecure-requests"
                                                            ],
                                                            "Referrer-Policy": [
                                                                "no-referrer"
                                                            ],
                                                            "Strict-Transport-Security": [
                                                                "max-age=31536000"
                                                            ],
                                                            "X-Content-Type-Options": [
                                                                "nosniff"
                                                            ],
                                                            "X-Xss-Protection": [
                                                                "1; mode=block"
                                                            ]
                                                        }
                                                    }
                                                },
                                                {
                                                    "handler": "reverse_proxy",
                                                    "headers": {
                                                        "request": {
                                                            "set": {
                                                                "Host": [
                                                                    "eu-central-1-1.aws.cloud2.influxdata.com"
                                                                ]
                                                            }
                                                        }
                                                    },
                                                    "transport": {
                                                        "protocol": "http",
                                                        "tls": {}
                                                    },
                                                    "upstreams": [
                                                        {
                                                            "dial": "eu-central-1-1.aws.cloud2.influxdata.com:443"
                                                        }
                                                    ]
                                                }
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}

So I’ve found a solution, though I still don’t know what was wrong. Basically I just mixed the JSON admin config with the JSON generated for the apps section by running caddy adapt on a working Caddyfile.

So I consider this topic as resolved but I welcome any hint to why and what exactly was wrong.

Your only TLS connection policy matched ServerNames with the pattern of "*", i.e. a single label (localhost would have matched, but not example.com). If you manually create TLS connection policies you need to make sure that your sites are all covered. 👍

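The single-label rule from the reply, as an added Go example that is not Caddy's own code: a re-implementation of wildcard SNI matching applied to the three hostnames in the posted config, so you can see which names a given `sni` list leaves without a TLS configuration. It assumes, as the block's comment states, that a policy with no SNI matcher applies to every connection.

```go
package main

import "strings"

// matchWildcard applies the single-label rule from the reply: "*" stands in
// for exactly one DNS label, so a bare "*" matches "localhost" but never a
// dotted name. Illustrative re-implementation, not Caddy's own code.
func matchWildcard(serverName, pattern string) bool {
	serverName, pattern = strings.ToLower(serverName), strings.ToLower(pattern)
	if serverName == pattern {
		return true
	}
	if !strings.Contains(pattern, "*") {
		return false
	}
	labels := strings.Split(serverName, ".")
	for i, saved := range labels {
		labels[i] = "*" // try the wildcard in this one position only
		matched := strings.Join(labels, ".") == pattern
		labels[i] = saved
		if matched {
			return true
		}
	}
	return false
}

// uncovered lists the hosts that no SNI pattern matches; these are the names
// whose ClientHello gets "no server TLS configuration available". An empty
// pattern list is treated as "match everything" (a policy with no matcher).
func uncovered(sniPatterns, hosts []string) []string {
	missing := []string{}
	for _, h := range hosts {
		covered := len(sniPatterns) == 0
		for _, p := range sniPatterns {
			if matchWildcard(h, p) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, h)
		}
	}
	return missing
}
```

With the thread's three names, `["*"]` leaves all of them uncovered, `["*.eco2web.de"]` still misses the two four-label names, and adding `"*.influxdb.eco2web.de"` covers everything.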

Thank you for the insight of how pattern matching is done here!
