Dear @0xLem0nade,
are you sure you are using the configuration I provided? I just tested it on a new server. It works without any issues. Unfortunately, I can’t help with the Cloudflare configuration.
Caddy terminates the outer TLS connection, not the inner one. That is what NGINX does as well, and it is necessary: the outer TLS layer has to be terminated so that the layer4 `tls` matcher can read the SNI of the inner ClientHello and the `proxy` handler can dial the matching upstream; the inner TLS connection itself is passed through to the upstream untouched.
Configuration:
root@ubuntu-2gb-nbg1-3:/etc/caddy# cat caddy.json | jq
{
"logging": {
"logs": {
"debug": {
"level": "debug"
}
}
},
"apps": {
"tls": {
"certificates": {
"automate": [
"sub1.example.com"
]
}
},
"layer4": {
"servers": {
"signal_proxy": {
"listen": [
":443"
],
"routes": [
{
"handle": [
{
"handler": "tls"
}
]
},
{
"match": [
{
"tls": {
"sni": [
"chat.signal.org",
"ud-chat.signal.org",
"textsecure-service.whispersystems.org",
"storage.signal.org",
"cdn.signal.org",
"cdn2.signal.org",
"api.directory.signal.org",
"cdsi.signal.org",
"contentproxy.signal.org",
"uptime.signal.org",
"api.backup.signal.org",
"sfu.voip.signal.org",
"updates.signal.org",
"updates2.signal.org"
]
}
}
],
"handle": [
{
"handler": "proxy",
"upstreams": [
{
"dial": [
"{l4.tls.server_name}:443"
]
}
]
}
]
}
]
}
}
}
}
}
Debug Logs:
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310303.697431,"logger":"events","msg":"event","name":"cached_managed_cert","id":"2bd1478b-5318-4d81-aadd-e94e22c31615","origin":"tls","data":{"sans":["sub1.example.com"]}}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.6978655,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 systemd[1]: Started Caddy.
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.702464,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.702464,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7038715,"logger":"tls","msg":"finished cleaning storage units"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7038715,"logger":"tls","msg":"finished cleaning storage units"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7029095,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e9c00"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7029095,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e9c00"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7046757,"msg":"serving initial configuration"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4750504,"logger":"events","msg":"event","name":"tls_get_certificate","id":"ecc6382b-db29-43a2-9776-9dcff198ae1a","origin":"tls","data":{"client_hello":{"CipherSuites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"sub1.example.com","SupportedCurves":[23130,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[51914,772,771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4783845,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4801009,"logger":"events","msg":"event","name":"tls_get_certificate","id":"919893a7-c076-4938-8165-5f5002afb55c","origin":"tls","data":{"client_hello":{"CipherSuites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"sub1.example.com","SupportedCurves":[31354,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[43690,772,771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4806702,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.48112,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4815319,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"X.X.X.X","remote_port":"61787","subjects":["sub1.example.com"],"managed":true,"expiration":1675082463,"hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.483951,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4844446,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"X.X.X.X","remote_port":"61788","subjects":["sub1.example.com"],"managed":true,"expiration":1675082463,"hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5508668,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"X.X.X.X:61787","server_name":"sub1.example.com"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5544806,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"X.X.X.X:61788","server_name":"sub1.example.com"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5741038,"logger":"layer4.matchers.tls","msg":"matched","remote":"X.X.X.X:61787","server_name":"chat.signal.org"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5778959,"logger":"layer4.matchers.tls","msg":"matched","remote":"X.X.X.X:61788","server_name":"ud-chat.signal.org"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5821037,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"X.X.X.X:61787","upstream":"chat.signal.org:443"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5910122,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"X.X.X.X:61788","upstream":"ud-chat.signal.org:443"}
Nov 01 13:45:50 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310350.7157974,"logger":"layer4","msg":"connection stats","remote":"X.X.X.X:61787","read":1965,"written":9042,"duration":14.236649642}
Nov 01 13:45:50 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310350.7180548,"logger":"layer4","msg":"connection stats","remote":"X.X.X.X:61788","read":1805,"written":8917,"duration":14.246852}