TLS Handshake timeouts with an EOF in logs

Pixiestix · November 25, 2023, 10:17pm

1. The problem I’m having:

For some reason TLS handshake seems to drop due to an EOF error that caddy claims to have received. Resulting in connection timeouts from my web browser or curl. Not sure how to fix it.

The behavior happens whenever I run a curl against one of the site blocks listed below, rs2.12egc.com . Whether I have a respond directive or a redir directive. The behavior is the same. I am using Porkbun as my DNS provider, and I thought maybe it was because I had enabled DNSSEC, but even with turning it off the issue remains. Not sure how to fix this.

Any help would be appreciated!

2. Error messages and/or full log output:

{"level":"debug","ts":"2023/11/25 16:59:13","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"X.X.X.X","remote_port":"57594","subjects":["rs2.12egc.com"],"managed":true,"expiration":"2024/02/23 14:37:56","hash":"c0e0ed30fca585c0635ac258e5f61087efe88a8c383743d70bbfc46e5fed1a80"}
{"level":"debug","ts":"2023/11/25 16:59:44","logger":"http.stdlib","msg":"http: TLS handshake error from X.X.X.X:57594: EOF"}
{"level":"debug","ts":"2023/11/25 17:03:21","logger":"dynamic_dns","msg":"beginning IP address check"}
{"level":"debug","ts":"2023/11/25 17:03:31","logger":"dynamic_dns.ip_sources.simple_http","msg":"lookup failed","type":"IPv4","endpoint":"https://ipconfig.io/ip","error":"Get \"https://ipconfig.io/ip\": dial tcp4: lookup ipconfig.io: i/o timeout"}
{"level":"warn","ts":"2023/11/25 17:03:31","logger":"dynamic_dns.ip_sources.simple_http","msg":"no IP found; consider disabling this IP version","type":"IPv4"}
{"level":"error","ts":"2023/11/25 17:03:31","logger":"dynamic_dns","msg":"looking up IP address","ip_source":"simple_http","error":"no IP addresses returned"}
{"level":"debug","ts":"2023/11/25 17:03:36","logger":"dynamic_dns.ip_sources.simple_http","msg":"lookup","type":"IPv4","endpoint":"https://icanhazip.com","ip":"X.X.X.X"}
{"level":"debug","ts":"2023/11/25 17:03:36","logger":"dynamic_dns","msg":"no IP address change; no update needed"}
{"level":"debug","ts":"2023/11/25 17:03:58","logger":"http.stdlib","msg":"http: TLS handshake error from X.X.X.X:48300: EOF"}

particular line of interest I think

{"level":"debug","ts":"2023/11/25 17:03:58","logger":"http.stdlib","msg":"http: TLS handshake error from X.X.X.X:48300: EOF"}

3. Caddy version:

v2.7.5 h1:HoysvZkLcN2xJExEepaFHK92Qgs7xAiCFydN5x5Hs6Q=root@caddy1

4. How I installed and ran Caddy:

I built a version of caddy via xcaddy loaded with the following modules

https://github.com/caddy-dns/porkbun
https://github.com/mholt/caddy-dynamicdns

a. System environment:

Caddy is running behind my home router as an LXC container where the home router is set to port forward all 80 and 443 traffic to the caddy lxc container.

Caddy is running as an LXC inside of my Proxmox server

b. Command:

./caddy start

d. My complete Caddy config:

# Global
{
        email X@x.x
        log default {
                output file /var/log/caddy/access.log
                format json {
                        time_format wall
                        time_local
                }
                level DEBUG
        }

        acme_dns porkbun {
                api_key {env.PORKBUN_API_KEY}
                api_secret_key {env.PORKBUN_API_SECRET_KEY}
        }
        dynamic_dns {
                ip_source simple_http https://ipconfig.io/ip
                ip_source simple_http https://icanhazip.com
                ip_source interface eth0
                provider porkbun {
                        api_key {env.PORKBUN_API_KEY}
                        api_secret_key {env.PORKBUN_API_SECRET_KEY}
                }
                domains {
                        12egc.com @ www
                        12egc.com mb neth rs2 rdp
                }
                versions ipv4
                check_interval 5m
                ttl 1h
        }
}


rs2.12egc.com {
        #respond "<h1>Hello, World!</h1>"
        redir https://www.google.com
}

I commented out the respond, to test with redir. I’m simply trying to test this out, and ideally make caddy be a reverse proxy.

5. Links to relevant resources:

This was the closest relevant thread I found

but it dealt with wireguard which I’m not using here.

francislavoie · November 25, 2023, 11:07pm

Strange. What do you see when you make requests with curl -v?

Pixiestix · November 26, 2023, 3:15am

curl -v https://rs2.12egc.com/
*   Trying X.X.X.X:443...
* Connected to rs2.12egc.com (X.X.X.X) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout

is what I see when I run a curl -v cmd

When I am in the container and I run the command, I get a different outcome

* Connected to rs2.12egc.com (172.16.0.2) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=neth.idiaz.dev
*  start date: Nov 20 16:41:28 2023 GMT
*  expire date: Feb 18 16:41:27 2024 GMT
*  subjectAltName: host "rs2.12egc.com" matched cert's "rs2.12egc.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: rs2.12egc.com
> User-Agent: curl/7.81.0
> Accept: */*

* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 503 Service Unavailable
< Date: Sun, 26 Nov 2023 04:52:38 GMT
< Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
< Content-Length: 299
< Connection: close
< Content-Type: text/html; charset=iso-8859-1
< 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>503 Service Unavailable</title>
</head><body>
<h1>Service Unavailable</h1>
<p>The server is temporarily unable to service your
request due to maintenance downtime or capacity
problems. Please try again later.</p>
</body></html>
* Closing connection 0
* TLSv1.2 (IN), TLS header, Unknown (21):
* TLSv1.2 (IN), TLS alert, close notify (256):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.2 (OUT), TLS alert, close notify (256):

And then it ends

francislavoie · November 26, 2023, 11:01am

That tells me that there’s somekind of networking problem in front of Caddy preventing the connections from succeeding. Do you have a firewall or something enabled? It might be breaking the connection part-way through for some weird reason.

Pixiestix · November 26, 2023, 11:07pm

Thank you for that, it seems that helped make sense of the second response. I am trying to migrate to Caddy from an old gateway service I was using. It used to handle my certificates and my reverse proxy.

What I did was, I transferred the domains to another DNS provider and want to use caddy to manage the certificates and reverse proxy from them now.

The idea was my home router forwards all port 80 and 443 to Caddy lxc container, and than any non-80 or 443 would go through the old gateway instead. The reason is the old gateway has fail2ban and other stuff I had setup for protection, but it’s dynamic DNS system does not support my new DNS provider, but Caddy does.

I tried to hack my network around to follow this diagram more-or-less

So before it was Home router → Old gateway server

Now what I’m trying to do is Home router → Http(s) to Caddy else → to old gateway

I noticed that the 2nd response resulted from the caddy lxc pointing to the old gateway as it’s DNS. When I switched the DNS to my home router , it now has the same hanging issue as the first output.

Am I just placing caddy in the wrong part of my network? I figured i could it between my home router and my old gateway.

Hopefully this made sense.

francislavoie · November 26, 2023, 11:44pm

Are you making requests from within your network? Try from your cell phone (on cell networks) to see if it works.

Many home routers don’t support NAT hairpinning (i.e. when DNS is your WAN IP, your router doesn’t know to route packets back into your network so they get dropped). The solution for that is to run a DNS server in your LAN to override your domain to resolve to your server’s LAN IP.

Pixiestix · November 27, 2023, 1:55am

Thanks for the help so far. Originally I was doing both. So what I did was , I tested doing the curl commands in the lxc container and then again on a remote computer. The behavior was the same.

But, given your response, I changed the DNS to be towards my pihole (I realized I did this in my old gatewayserver, it was using the pihole as it’s DNS server). What this means is my home router is not the DNS. It’s just the WAN IP that port-forwards 80 and 443 to my Caddy now. When I did that, I did make some progress?

I was able to run it against sites such as SSL Shopper, and SSLlabs. The caddy file showed their outputs

{"level":"debug","ts":"2023/11/26 20:45:42","logger":"events","msg":"event","name":"tls_get_certificate","id":"a202e609-5e9a-4e7d-a02a-3d7fd458c335","origin":"tls","data":{"client_hello":{"CipherSuites":[136,150,156,157,158,159,255,49154,49155,49156,49157,49159,49160,49161,49162,49164,49165,49166,49167,49169,49170,49171,49172,49187,49188,49191,49195,49196,49199,49200,49201,49202],"ServerName":"rs2.12egc.com","SupportedCurves":[14,13,25,11,12,24,9,10,22,23,8,6,7,20,21,4,5,18,19,1,2,3,15,16,17,29],"SupportedPoints":"AA==","SignatureSchemes":[1537,1538,1539,1281,1282,1283,1025,1026,1027,769,770,771,513,514,515],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{}}}}
{"level":"debug","ts":"2023/11/26 20:45:42","logger":"tls.handshake","msg":"choosing certificate","identifier":"rs2.12egc.com","num_choices":1}
{"level":"debug","ts":"2023/11/26 20:45:42","logger":"tls.handshake","msg":"default certificate selection results","identifier":"rs2.12egc.com","subjects":["rs2.12egc.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"c0e0ed30fca585c0635ac258e5f61087efe88a8c383743d70bbfc46e5fed1a80"}
{"level":"debug","ts":"2023/11/26 20:45:42","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"64.41.200.106","remote_port":"39908","subjects":["rs2.12egc.com"],"managed":true,"expiration":"2024/02/23 14:37:56","hash":"c0e0ed30fca585c0635ac258e5f61087efe88a8c383743d70bbfc46e5fed1a80"}
{"level":"debug","ts":"2023/11/26 20:45:46","logger":"events","msg":"event","name":"tls_get_certificate","id":"5c0e2f90-6a40-4a4c-8c69-a3accfeef453","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47,255],"ServerName":"rs2.12egc.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"Conn":{}}}}
{"level":"debug","ts":"2023/11/26 20:45:46","logger":"tls.handshake","msg":"choosing certificate","identifier":"rs2.12egc.com","num_choices":1}
{"level":"debug","ts":"2023/11/26 20:45:46","logger":"tls.handshake","msg":"default certificate selection results","identifier":"rs2.12egc.com","subjects":["rs2.12egc.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"c0e0ed30fca585c0635ac258e5f61087efe88a8c383743d70bbfc46e5fed1a80"}
{"level":"debug","ts":"2023/11/26 20:45:46","logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"108.48.66.209","remote_port":"45158","subjects":["rs2.12egc.com"],"managed":true,"expiration":"2024/02/23 14:37:56","hash":"c0e0ed30fca585c0635ac258e5f61087efe88a8c383743d70bbfc46e5fed1a80"}
{"level":"debug","ts":"2023/11/26 20:45:50","logger":"http.stdlib","msg":"http: TLS handshake error from 64.41.200.106:39908: EOF"}
{"level":"debug","ts":"2023/11/26 20:45:50","logger":"http.stdlib","msg":"http: TLS handshake error from 64.41.200.106:36136: EOF"}

But the EOF is still there. That said when I re-ran the curl cmd from a remote computer I got this instead, it does seem to take a long time to get to this new failure

 curl -v https://rs2.12egc.com/
*   Trying 173.66.250.81:443...
* Connected to rs2.12egc.com (173.66.250.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=rs2.12egc.com
*  start date: Nov 25 19:37:56 2023 GMT
*  expire date: Feb 23 19:37:55 2024 GMT
*  subjectAltName: host "rs2.12egc.com" matched cert's "rs2.12egc.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multiplexing
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* Using Stream ID: 1 (easy handle 0x56337b273e90)
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/2
> Host: rs2.12egc.com
> user-agent: curl/7.81.0
> accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* OpenSSL SSL_read: Connection reset by peer, errno 104
* Failed receiving HTTP2 data
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* OpenSSL SSL_write: Broken pipe, errno 32
* Failed sending HTTP2 data
* Connection #0 to host rs2.12egc.com left intact
curl: (56) OpenSSL SSL_read: Connection reset by peer, errno 104

When I re-ran it inside my Caddy LXC container, I got a different response, though

curl -v https://rs2.12egc.com
*   Trying 173.66.250.81:443...
* Connected to rs2.12egc.com (173.66.250.81) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL connection timeout
* Closing connection 0
curl: (28) SSL connection timeout

EDIT: Perhaps another clue?

I really didn’t change much besides now my caddy has a respond <h1>Hello, World</h1> and now I see that but, inconsistently

curl -v --trace-time https://rs2.12egc.com
21:51:41.834375 *   Trying 173.66.250.81:443...
21:51:41.854598 * Connected to rs2.12egc.com (173.66.250.81) port 443 (#0)
21:51:41.855998 * ALPN, offering h2
21:51:41.856019 * ALPN, offering http/1.1
21:51:41.879614 *  CAfile: /etc/ssl/certs/ca-certificates.crt
21:51:41.879624 *  CApath: /etc/ssl/certs
21:51:41.879705 * TLSv1.0 (OUT), TLS header, Certificate Status (22):
21:51:41.879713 * TLSv1.3 (OUT), TLS handshake, Client hello (1):
21:51:41.894234 * TLSv1.2 (IN), TLS header, Certificate Status (22):
21:51:41.894259 * TLSv1.3 (IN), TLS handshake, Server hello (2):
21:51:41.894432 * TLSv1.2 (IN), TLS header, Finished (20):
21:51:41.894455 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.894473 * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
21:51:41.894491 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.894523 * TLSv1.3 (IN), TLS handshake, Certificate (11):
21:51:41.895292 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.895309 * TLSv1.3 (IN), TLS handshake, CERT verify (15):
21:51:41.895375 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.895389 * TLSv1.3 (IN), TLS handshake, Finished (20):
21:51:41.895409 * TLSv1.2 (OUT), TLS header, Finished (20):
21:51:41.895418 * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
21:51:41.895437 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.895449 * TLSv1.3 (OUT), TLS handshake, Finished (20):
21:51:41.895477 * SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
21:51:41.895487 * ALPN, server accepted to use h2
21:51:41.895505 * Server certificate:
21:51:41.895515 *  subject: CN=rs2.12egc.com
21:51:41.895525 *  start date: Nov 25 19:37:56 2023 GMT
21:51:41.895534 *  expire date: Feb 23 19:37:55 2024 GMT
21:51:41.895544 *  subjectAltName: host "rs2.12egc.com" matched cert's "rs2.12egc.com"
21:51:41.895553 *  issuer: C=US; O=Let's Encrypt; CN=R3
21:51:41.895561 *  SSL certificate verify ok.
21:51:41.895586 * Using HTTP2, server supports multiplexing
21:51:41.895595 * Connection state changed (HTTP/2 confirmed)
21:51:41.895611 * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
21:51:41.895624 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.895647 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.895664 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.895682 * Using Stream ID: 1 (easy handle 0x565474cd4e90)
21:51:41.895696 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.895709 > GET / HTTP/2
21:51:41.895709 > Host: rs2.12egc.com
21:51:41.895709 > user-agent: curl/7.81.0
21:51:41.895709 > accept: */*
21:51:41.895709 > 
21:51:41.895766 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.895792 * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
21:51:41.905540 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.905558 * Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
21:51:41.905567 * TLSv1.2 (OUT), TLS header, Supplemental data (23):
21:51:41.905584 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.905723 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.909848 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.909879 < HTTP/2 200 
21:51:41.909889 < alt-svc: h3=":443"; ma=2592000
21:51:41.909903 < content-type: text/plain; charset=utf-8
21:51:41.909912 < server: Caddy
21:51:41.909918 < content-length: 22
21:51:41.909931 < date: Mon, 27 Nov 2023 02:51:41 GMT
21:51:41.909943 < 
21:51:41.909955 * TLSv1.2 (IN), TLS header, Supplemental data (23):
21:51:41.909977 * Connection #0 to host rs2.12egc.com left intact
<h1>Hello, World!</h1>

I ran it twice in two different terminals on a remote computer. In One terminal hangs, while the other does it instantly. But when I re-ran it, it hangs. Thus, it is not a consistent result. The same for my Firefox browser

Screenshot from 2023-11-26 21-57-20

Edit #2: As of this edit, it’s working suddenly. I don’t know what fixed it. I figured maybe because I was running caddy and my old gateway, there was some fight in the network(?) since I have a reverse proxy rule to go to my old gateway if I use a special subdomain. I turned that off and tried again, but it did not work.

I figured I’d reboot Caddy lxc container, just gave it more cores (4 instead of 2), and noticed it was working suddenly. I turned back on my old gateway to see if that caused all the hanging, and nope, it still works even with that on. I’m not sure how this got resolved. I’ll update again if it breaks magically in the next 24hrs. If someone has an idea why it could be working or has a test I could do to figure out the truth, I’d love to help.

Edit #3 Not sure how to strike through above. It seems it’s an order of operations which was causing the issue. If my Old gateway was on before my caddy was on, TLS handshake gets dropped. If I turn off my old gateway and do not reboot my caddy lxc container, the entire 443 will time out, no TLS even happens. At that point, if I reboot my caddy LXC container while leaving the old gateway off, it works perfectly, no problems. This persists if I turn back on my old gateway. Thus it seems to be as follows, If the old gate way was up before caddy was up, TLS will not work, otherwise if Caddy was up before the old gateway was up, TLS works and the reverse proxy work. This is definitely on my side then!

Not sure if this is for a different thread, and it might be , but, my old gateway has certificates for another domain that I was going to migrate - in phases- to my new provider. Yet it seems it is responding for the TLS traffic or somehow its intercepting or having packets redirecting to it instead of going back to the client straight from Caddy. So, can Caddy be the handler of certificates and dynamic DNS, and be placed in-between a Home Router and a virtualized Gateway service that manages a LAN (I’m using Nethserver) ?

francislavoie · November 27, 2023, 7:16am

Glad you figured it out!

If it’s HTTP traffic, then yes. Just configure Caddy with the domains + reverse_proxy to your gateway.

I’m not sure what you mean by dynamic DNS though.

Pixiestix · November 27, 2023, 7:48am

Dynamic dns as in, there is a module for caddy listed a few posts above ( ), which i really enjoyed as I could list sub domains on the go, reload the caddy file and it would automatically add that to my list of subdomains and update the IP address in the record.

I looked forward to leveraging it but unfortunately my gateway seems to be receiving parts of the TLS handshake despite my home router forwarding all http/s to Caddy. But that’s a different problem, i think for all intents and purposes for the thread, and with your help, I’ve figured it out thanks!

system · December 27, 2023, 7:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.