TLS proxy or relay in Caddy

1. Output of caddy version:

v2.6.2

2. How I run Caddy:

Docker Compose

a. System environment:

Ubuntu 22.04

3. The problem I’m having:

I want to implement a TLS proxy / relay similar to this GitHub repo, which is based on the NGINX ssl_preread_module. Is this possible in Caddy?

I saw this topic from 2020, and now that we have v2 I'm curious whether the status has changed.

6. Links to relevant resources:

NGINX conf files I’d like to convert to Caddyfile:

  1. https://github.com/signalapp/Signal-TLS-Proxy/blob/main/data/nginx-terminate/nginx.conf
  2. https://github.com/signalapp/Signal-TLS-Proxy/blob/main/data/nginx-relay/nginx.conf

Thank you!


The user https://twitter.com/RanSignal on Twitter is running a Signal proxy with Caddy. I don’t have the details of the config on hand, but it’s definitely possible. I’ll reach out to them to see if they can help you.


Dear @0xLem0nade,

It is certainly possible to implement a Signal proxy in Caddy v2. You will need to use the caddy-l4 module, which is not built in by default.

See the caddy-l4 repository (GitHub - mholt/caddy-l4: Layer 4 (TCP/UDP) app for Caddy) for instructions, or you can download a binary from the Caddy homepage with the module added as an extra feature.

Here is the config:

{
  "apps": {
    "tls": {
      "certificates": {
        "automate": [
          "example.com"
        ]
      }
    },
    "layer4": {
      "servers": {
        "signal_proxy": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "tls"
                }
              ]
            },
            {
              "match": [
                {
                  "tls": {
                    "sni": [
                      "chat.signal.org",
                      "ud-chat.signal.org",
                      "textsecure-service.whispersystems.org",
                      "storage.signal.org",
                      "cdn.signal.org",
                      "cdn2.signal.org",
                      "api.directory.signal.org",
                      "cdsi.signal.org",
                      "contentproxy.signal.org",
                      "uptime.signal.org",
                      "api.backup.signal.org",
                      "sfu.voip.signal.org",
                      "updates.signal.org",
                      "updates2.signal.org"
                    ]
                  }
                }
              ],
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    {
                      "dial": [
                        "{l4.tls.server_name}:443"
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}
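The routing decision that the tls matcher and proxy handler in the config above make, as an added Python example that is not part of this thread or of caddy-l4: once the outer TLS session (sub1.example.com, the proxy's own certificate) has been terminated, the first bytes on the connection are the client's inner TLS ClientHello for a Signal host. The code parses that ClientHello for its SNI and returns an upstream only when the name is on the allowlist copied from the config. No ClientHello, an unknown SNI, or plain HTTP bytes all yield no route, which is what keeps the listener from being an open TCP relay (the same role ssl_preread plays in the NGINX version). build_client_hello is a test fixture constructed here, not real Signal client traffic; it emits a single-record TLS 1.2 ClientHello, and parse_sni only handles a ClientHello that fits in one record.

```python
import struct

# Inner SNI allowlist, copied from the layer4 "tls" matcher in the config above.
SIGNAL_SNI_ALLOWLIST = frozenset([
    "chat.signal.org", "ud-chat.signal.org",
    "textsecure-service.whispersystems.org", "storage.signal.org",
    "cdn.signal.org", "cdn2.signal.org", "api.directory.signal.org",
    "cdsi.signal.org", "contentproxy.signal.org", "uptime.signal.org",
    "api.backup.signal.org", "sfu.voip.signal.org",
    "updates.signal.org", "updates2.signal.org",
])


def build_client_hello(server_name: str) -> bytes:
    """Constructed test fixture: a minimal TLS 1.2 ClientHello record that
    carries exactly one extension, server_name (type 0x0000)."""
    name = server_name.encode("ascii")
    host_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_list = struct.pack("!H", len(host_entry)) + host_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + b"\x11" * 32                         # random (fixed bytes, fixture only)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # msg_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16


def parse_sni(data: bytes):
    """Return the host_name from the SNI extension of a TLS ClientHello record,
    or None if the bytes are not a ClientHello or carry no SNI."""
    if len(data) < 5 or data[0] != 0x16:                 # not a TLS handshake record
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(rec[1:4], "big")
    hello = rec[4:4 + hs_len]
    if len(hello) < hs_len:                              # truncated / multi-record
        return None
    pos = 2 + 32                                         # skip client_version + random
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                                # session_id
    if len(hello) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    if len(hello) < pos + 1:
        return None
    pos += 1 + hello[pos]                                # compression_methods
    if len(hello) < pos + 2:                             # no extensions block
        return None
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if end > len(hello):
        return None
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        ext = hello[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        if len(ext) < 2:
            return None
        lst = ext[2:2 + struct.unpack("!H", ext[:2])[0]]   # ServerNameList
        i = 0
        while i + 3 <= len(lst):
            name_type = lst[i]
            n_len = struct.unpack("!H", lst[i + 1:i + 3])[0]
            i += 3
            name = lst[i:i + n_len]
            i += n_len
            if name_type == 0 and len(name) == n_len:
                try:
                    return name.decode("ascii")
                except UnicodeDecodeError:
                    return None
        return None
    return None


def select_upstream(first_bytes: bytes, allowlist=SIGNAL_SNI_ALLOWLIST):
    """Mirror of the route above: dial "{sni}:443" only for an allowlisted SNI."""
    sni = parse_sni(first_bytes)
    if sni is None or sni.lower() not in allowlist:
        return None                                      # no route: connection is dropped
    return f"{sni.lower()}:443"


if __name__ == "__main__":
    print(select_upstream(build_client_hello("chat.signal.org")))
    print(select_upstream(build_client_hello("evil.example")))
    print(select_upstream(b"GET / HTTP/1.1\r\nHost: sub1.example.com\r\n\r\n"))
```

The third call in the usage block is the case a config with an http matcher in front of the tls matcher would be looking for: the inner bytes are a TLS ClientHello, not an HTTP request, so nothing that inspects them as HTTP can match.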

Thank you guys for the replies!
Dear @francislavoie I’ll reach out to him if I can’t make it work, thanks!

Dear @elcore, thanks for the JSON example. One thing I forgot to mention is that I'd like to set up this relay only on one of my subdomains and not the main domain. I added a host matcher so that only the traffic to this subdomain is relayed to the Signal servers, but I get the errors I pasted below.

config.json:

{
    "apps": {
        "tls": {
            "certificates": {
                "automate": [
                    "sub1.example.com"
                ]
            }
        },
        "layer4": {
            "servers": {
                "signal_proxy": {
                    "listen": [
                        ":443"
                    ],
                    "routes": [
                        {
                            "handle": [
                                {
                                    "handler": "tls"
                                }
                            ]
                        },
                        {
                            "match": [
                                {
                                    "http": [
                                        {
                                            "host": [
                                                "sub1.example.com"
                                            ]
                                        }
                                    ]
                                },
                                {
                                    "tls": {
                                        "sni": [
                                            "chat.signal.org",
                                            "ud-chat.signal.org",
                                            "textsecure-service.whispersystems.org",
                                            "storage.signal.org",
                                            "cdn.signal.org",
                                            "cdn2.signal.org",
                                            "api.directory.signal.org",
                                            "cdsi.signal.org",
                                            "contentproxy.signal.org",
                                            "uptime.signal.org",
                                            "api.backup.signal.org",
                                            "sfu.voip.signal.org",
                                            "updates.signal.org",
                                            "updates2.signal.org"
                                        ]
                                    }
                                }
                            ],
                            "handle": [
                                {
                                    "handler": "proxy",
                                    "upstreams": [
                                        {
                                            "dial": [
                                                "{l4.tls.server_name}:443"
                                            ]
                                        }
                                    ]
                                }
                            ]
                        }
                    ]
                }
            }
        }
    }
}

Caddy logs:

{"level":"debug","ts":1667264718.7731676,"logger":"events","msg":"event","name":"tls_get_certificate","id":"de86568c-f8c0-45f4-9a4c-aba04b5d212d","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49196,52393,49199,49200,52392,49161,49162,49171,49172,156,157,47,53],"ServerName":"sub1.example.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
{"level":"debug","ts":1667264718.7771604,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
{"level":"debug","ts":1667264718.7772427,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"ecf57e5fdc1314d4a92abfdd5c08dcfd5c3cd796119bb3d24d95a3eb194d8696"}
{"level":"debug","ts":1667264718.7772737,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"x.x.x.x","remote_port":"40082","subjects":["sub1.example.com"],"managed":true,"expiration":1675034024,"hash":"ecf57e5fdc1314d4a92abfdd5c08dcfd5c3cd796119bb3d24d95a3eb194d8696"}
{"level":"debug","ts":1667264718.7782218,"logger":"events","msg":"event","name":"tls_get_certificate","id":"0cdc179c-3369-4650-9e57-22d76d6c8a42","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49196,52393,49199,49200,52392,49161,49162,49171,49172,156,157,47,53],"ServerName":"sub1.example.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
{"level":"debug","ts":1667264718.7783346,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
{"level":"debug","ts":1667264718.7783608,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"ecf57e5fdc1314d4a92abfdd5c08dcfd5c3cd796119bb3d24d95a3eb194d8696"}
{"level":"debug","ts":1667264718.7783759,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"x.x.x.x","remote_port":"40080","subjects":["sub1.example.com"],"managed":true,"expiration":1675034024,"hash":"ecf57e5fdc1314d4a92abfdd5c08dcfd5c3cd796119bb3d24d95a3eb194d8696"}
{"level":"debug","ts":1667264718.9360063,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:40080","server_name":"sub1.example.com"}
{"level":"debug","ts":1667264718.939369,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:40082","server_name":"sub1.example.com"}
{"level":"error","ts":1667264719.0470386,"logger":"layer4","msg":"matching connection","error":"EOF"}
{"level":"debug","ts":1667264719.0472076,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:40080","read":279,"written":4592,"duration":0.328903294}
{"level":"error","ts":1667264719.0529346,"logger":"layer4","msg":"matching connection","error":"EOF"}
{"level":"debug","ts":1667264719.0530303,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:40082","read":279,"written":4592,"duration":0.282025297}

The JSON config I’ve provided works with subdomains. You just need to replace example.com with sub1.example.com - That’s how I do it

I’ve tested your configuration and it does seem to work as well. You just have debug logs enabled.

Your error seems to occur because Caddy, with your config, is trying to match an HTTP connection on a client's TLS connection. That will not work.

I'd simply recommend using the config I provided.


@elcore Okay, I used your config, only inserted my sub1 domain, and enabled debug logs to better troubleshoot this, but the Signal app is still complaining and I see these TLS termination logs on my server.

Here’s my complete Caddy log:

{"level":"info","ts":1667305511.6063976,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1667305511.6663375,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000ee3f0"}
{"level":"debug","ts":1667305511.6664147,"logger":"layer4","msg":"listening","address":"tcp/[::]:443"}
{"level":"debug","ts":1667305511.723783,"logger":"tls","msg":"loading managed certificate","domain":"sub1.example.com","expiration":1675077557,"issuer_key":"acme-v02.api.letsencrypt.org-directory","storage":"FileStorage:/data/caddy"}
{"level":"debug","ts":1667305511.731342,"logger":"tls.cache","msg":"added certificate to cache","subjects":["sub1.example.com"],"expiration":1675077557,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"235427c9356ef81acf2622398a5d243c31fec91347cc7a7b00997e39f79f24c9","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1667305511.7314622,"logger":"events","msg":"event","name":"cached_managed_cert","id":"70a48ba2-e2dd-4068-98ae-4280a1a29e94","origin":"tls","data":{"sans":["sub1.example.com"]}}
{"level":"info","ts":1667305511.732832,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1667305511.7440143,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1667305511.7440805,"msg":"serving initial configuration"}
{"level":"info","ts":1667305511.7494097,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1667305539.0062802,"logger":"events","msg":"event","name":"tls_get_certificate","id":"45add127-ca39-4a8b-9a10-ede03ba9b6f6","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49196,52393,49199,49200,52392,49161,49162,49171,49172,156,157,47,53],"ServerName":"sub1.example.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
{"level":"debug","ts":1667305539.0082834,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
{"level":"debug","ts":1667305539.0084622,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"235427c9356ef81acf2622398a5d243c31fec91347cc7a7b00997e39f79f24c9"}
{"level":"debug","ts":1667305539.008578,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"x.x.x.x","remote_port":"49756","subjects":["sub1.example.com"],"managed":true,"expiration":1675077557,"hash":"235427c9356ef81acf2622398a5d243c31fec91347cc7a7b00997e39f79f24c9"}
{"level":"debug","ts":1667305539.0793154,"logger":"events","msg":"event","name":"tls_get_certificate","id":"c9939b24-65f6-4c3e-9646-e33c9c838108","origin":"tls","data":{"client_hello":{"CipherSuites":[49195,49196,52393,49199,49200,52392,49161,49162,49171,49172,156,157,47,53],"ServerName":"sub1.example.com","SupportedCurves":[29,23,24],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
{"level":"debug","ts":1667305539.0795312,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
{"level":"debug","ts":1667305539.079616,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"235427c9356ef81acf2622398a5d243c31fec91347cc7a7b00997e39f79f24c9"}
{"level":"debug","ts":1667305539.0796866,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"x.x.x.x","remote_port":"49754","subjects":["sub1.example.com"],"managed":true,"expiration":1675077557,"hash":"235427c9356ef81acf2622398a5d243c31fec91347cc7a7b00997e39f79f24c9"}
{"level":"debug","ts":1667305539.1536903,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:49756","server_name":"sub1.example.com"}
{"level":"debug","ts":1667305539.2310133,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:49754","server_name":"sub1.example.com"}
{"level":"error","ts":1667305539.2583182,"logger":"layer4","msg":"matching connection","error":"EOF"}
{"level":"debug","ts":1667305539.2584815,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:49756","read":279,"written":4594,"duration":0.257897101}
{"level":"error","ts":1667305539.3458204,"logger":"layer4","msg":"matching connection","error":"EOF"}
{"level":"debug","ts":1667305539.3459413,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:49754","read":279,"written":4595,"duration":0.267138146}

This makes me wonder: Shouldn’t this be a non-terminating relay?

Things I have tried:

I even cleared the ACME certs dir to force-renew the certificates. My domain is managed in Cloudflare; I have added a CNAME record for the subdomain, the Cloudflare CDN proxy is off, and the SSL setting in Cloudflare is set to 'Flexible'.

Dear @0xLem0nade,

Are you sure you are using the configuration I provided? I just tested it on a new server. It works without any issues. Unfortunately, I can't help with the Cloudflare configuration.

Caddy terminates the outer TLS connection, not the inner connection. That is what NGINX does as well, and it is necessary.

Configuration:

root@ubuntu-2gb-nbg1-3:/etc/caddy# cat caddy.json | jq
{
  "logging": {
    "logs": {
      "debug": {
        "level": "debug"
      }
    }
  },
  "apps": {
    "tls": {
      "certificates": {
        "automate": [
          "sub1.example.com"
        ]
      }
    },
    "layer4": {
      "servers": {
        "signal_proxy": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "tls"
                }
              ]
            },
            {
              "match": [
                {
                  "tls": {
                    "sni": [
                      "chat.signal.org",
                      "ud-chat.signal.org",
                      "textsecure-service.whispersystems.org",
                      "storage.signal.org",
                      "cdn.signal.org",
                      "cdn2.signal.org",
                      "api.directory.signal.org",
                      "cdsi.signal.org",
                      "contentproxy.signal.org",
                      "uptime.signal.org",
                      "api.backup.signal.org",
                      "sfu.voip.signal.org",
                      "updates.signal.org",
                      "updates2.signal.org"
                    ]
                  }
                }
              ],
              "handle": [
                {
                  "handler": "proxy",
                  "upstreams": [
                    {
                      "dial": [
                        "{l4.tls.server_name}:443"
                      ]
                    }
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  }
}

Debug Logs:

Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310303.697431,"logger":"events","msg":"event","name":"cached_managed_cert","id":"2bd1478b-5318-4d81-aadd-e94e22c31615","origin":"tls","data":{"sans":["sub1.example.com"]}}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.6978655,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 systemd[1]: Started Caddy.
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.702464,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.702464,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/var/lib/caddy/.local/share/caddy"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7038715,"logger":"tls","msg":"finished cleaning storage units"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7038715,"logger":"tls","msg":"finished cleaning storage units"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7029095,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e9c00"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7029095,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e9c00"}
Nov 01 13:45:03 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"info","ts":1667310303.7046757,"msg":"serving initial configuration"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4750504,"logger":"events","msg":"event","name":"tls_get_certificate","id":"ecc6382b-db29-43a2-9776-9dcff198ae1a","origin":"tls","data":{"client_hello":{"CipherSuites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"sub1.example.com","SupportedCurves":[23130,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[51914,772,771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4783845,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4801009,"logger":"events","msg":"event","name":"tls_get_certificate","id":"919893a7-c076-4938-8165-5f5002afb55c","origin":"tls","data":{"client_hello":{"CipherSuites":[6682,4865,4866,4867,49196,49195,52393,49200,49199,52392,49162,49161,49172,49171,157,156,53,47,49160,49170,10],"ServerName":"sub1.example.com","SupportedCurves":[31354,29,23,24,25],"SupportedPoints":"AA==","SignatureSchemes":[1027,2052,1025,1283,515,2053,2053,1281,2054,1537,513],"SupportedProtos":null,"SupportedVersions":[43690,772,771,770,769],"Conn":{"Conn":{},"Context":{"Context":{"Context":0}}}}}}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4806702,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub1.example.com","num_choices":1}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.48112,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4815319,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"X.X.X.X","remote_port":"61787","subjects":["sub1.example.com"],"managed":true,"expiration":1675082463,"hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.483951,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub1.example.com","subjects":["sub1.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.4844446,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"X.X.X.X","remote_port":"61788","subjects":["sub1.example.com"],"managed":true,"expiration":1675082463,"hash":"63e308396b113b854ebfb4284c0a1b790fb391056b3400ffea70c6a36b1a4aea"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5508668,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"X.X.X.X:61787","server_name":"sub1.example.com"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5544806,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"X.X.X.X:61788","server_name":"sub1.example.com"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5741038,"logger":"layer4.matchers.tls","msg":"matched","remote":"X.X.X.X:61787","server_name":"chat.signal.org"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5778959,"logger":"layer4.matchers.tls","msg":"matched","remote":"X.X.X.X:61788","server_name":"ud-chat.signal.org"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5821037,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"X.X.X.X:61787","upstream":"chat.signal.org:443"}
Nov 01 13:45:36 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310336.5910122,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"X.X.X.X:61788","upstream":"ud-chat.signal.org:443"}
Nov 01 13:45:50 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310350.7157974,"logger":"layer4","msg":"connection stats","remote":"X.X.X.X:61787","read":1965,"written":9042,"duration":14.236649642}
Nov 01 13:45:50 ubuntu-2gb-nbg1-3 caddy[5812]: {"level":"debug","ts":1667310350.7180548,"logger":"layer4","msg":"connection stats","remote":"X.X.X.X:61788","read":1805,"written":8917,"duration":14.246852}
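A triage script for the layer4 debug logs quoted in this thread, as an added Python example that is not from the thread or from Caddy: it groups the log lines by remote address and reports, per outer connection, whether it was relayed (a "matched" line from layer4.matchers.tls with the inner server_name followed by "dial upstream") or only terminated, together with the byte counts from "connection stats". The "matching connection" errors carry no remote field, so they cannot be tied to a specific connection and are only counted. Lines with a journald prefix (as in the systemd output above) are handled by cutting at the first brace. The sample log is constructed here, modelled on the lines posted above with shortened timestamps; it is not a verbatim copy of any one post.

```python
import json
from collections import defaultdict

# Constructed sample, modelled on the debug lines quoted in this thread.
SAMPLE_LOG = """\
{"level":"debug","ts":1.0,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:40080","server_name":"sub1.example.com"}
{"level":"error","ts":1.1,"logger":"layer4","msg":"matching connection","error":"EOF"}
{"level":"debug","ts":1.2,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:40080","read":279,"written":4592,"duration":0.33}
Nov 01 13:45:36 host caddy[5812]: {"level":"debug","ts":2.0,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"X.X.X.X:61787","server_name":"sub1.example.com"}
Nov 01 13:45:36 host caddy[5812]: {"level":"debug","ts":2.1,"logger":"layer4.matchers.tls","msg":"matched","remote":"X.X.X.X:61787","server_name":"chat.signal.org"}
Nov 01 13:45:36 host caddy[5812]: {"level":"debug","ts":2.2,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"X.X.X.X:61787","upstream":"chat.signal.org:443"}
Nov 01 13:45:36 host systemd[1]: Started Caddy.
Nov 01 13:45:50 host caddy[5812]: {"level":"debug","ts":2.3,"logger":"layer4","msg":"connection stats","remote":"X.X.X.X:61787","read":1965,"written":9042,"duration":14.2}
"""


def triage(log_text: str) -> dict:
    """Group Caddy layer4 log lines by remote and classify each connection.

    Returns {"connections": {remote: {...}}, "matcher_errors": int}. A
    connection is RELAYED if a "dial upstream" line was seen for it,
    otherwise NOT_RELAYED (terminated, but never handed to the proxy handler).
    """
    conns = defaultdict(dict)
    matcher_errors = 0
    for raw in log_text.splitlines():
        start = raw.find("{")
        if start < 0:
            continue                       # journald noise such as "Started Caddy."
        try:
            entry = json.loads(raw[start:])
        except json.JSONDecodeError:
            continue
        logger, msg = entry.get("logger", ""), entry.get("msg", "")
        if logger == "layer4" and msg == "matching connection":
            matcher_errors += 1            # no "remote" field: cannot attribute
            continue
        remote = entry.get("remote")
        if not remote:
            continue
        conn = conns[remote]
        if logger == "layer4.handlers.tls" and msg == "terminated TLS":
            conn["outer_sni"] = entry.get("server_name")
        elif logger == "layer4.matchers.tls" and msg == "matched":
            conn["inner_sni"] = entry.get("server_name")
        elif logger == "layer4.handlers.proxy" and msg == "dial upstream":
            conn["upstream"] = entry.get("upstream")
        elif logger == "layer4" and msg == "connection stats":
            conn["read"] = entry.get("read")
            conn["written"] = entry.get("written")
    for conn in conns.values():
        conn["verdict"] = "RELAYED" if "upstream" in conn else "NOT_RELAYED"
    return {"connections": dict(conns), "matcher_errors": matcher_errors}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for remote, conn in result["connections"].items():
        print(remote, conn["verdict"], conn.get("inner_sni"), conn.get("read"))
    print("matcher errors:", result["matcher_errors"])
```

Run it against the full debug output of a server under test: a healthy relay shows every Signal connection as RELAYED with an inner_sni from the allowlist, while connections that stop at "terminated TLS" with a few hundred bytes read never reached the proxy handler.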

Dear @elcore ,

I have tried everything I could possibly think of, and I agree your config is correct in theory; the user @RanSignal on Twitter also shared their config, and it is exactly like yours. This makes me believe something else is wrong, but I'm not sure on whose end. Whatever it is, it's a mystery for now. I have spent days troubleshooting it and can't afford more time; maybe I'll try again in the future, but I'll mark your config as the solution and close this topic.

Thank you for your time and help!

Dear @0xLem0nade,

I am very sorry that it did not work out for you. I am not an expert in Docker; however, I have created a Compose version which you can try out (elcore/caddy-signal-proxy: Signal Proxy using Caddy (Debug POC), on github.com).

I kindly ask you to keep in mind that this is a debug version! If you want to run it in the background, you will need to use the command docker-compose up -d instead of docker-compose up.


Dear @elcore ,

I tried your git repo and the same errors popped up:

caddy  | {"level":"debug","ts":1667743668.295348,"logger":"tls.handshake","msg":"choosing certificate","identifier":"sub.example.com","num_choices":1}
caddy  | {"level":"debug","ts":1667743668.2955751,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"sub.example.com","subjects":["sub.example.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"5d0445ce5a236466bf9ceb193015aeb88bf85f4618760db491f80f5fd470c6b3"}
caddy  | {"level":"debug","ts":1667743668.2957497,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"x.x.x.x","remote_port":"38270","subjects":["sub.example.com"],"managed":true,"expiration":1675516047,"hash":"5d0445ce5a236466bf9ceb193015aeb88bf85f4618760db491f80f5fd470c6b3"}
caddy  | {"level":"debug","ts":1667743668.4312167,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:38270","server_name":"sub.example.com"}
caddy  | {"level":"debug","ts":1667743668.4317315,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"x.x.x.x:38268","server_name":"sub.example.com"}
caddy  | {"level":"error","ts":1667743668.541543,"logger":"layer4","msg":"matching connection","error":"EOF"}
caddy  | {"level":"error","ts":1667743668.541543,"logger":"layer4","msg":"matching connection","error":"EOF"}
caddy  | {"level":"debug","ts":1667743668.5421162,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:38268","read":278,"written":4593,"duration":0.269241996}
caddy  | {"level":"error","ts":1667743668.5440037,"logger":"layer4","msg":"matching connection","error":"EOF"}
caddy  | {"level":"error","ts":1667743668.5440037,"logger":"layer4","msg":"matching connection","error":"EOF"}
caddy  | {"level":"debug","ts":1667743668.544383,"logger":"layer4","msg":"connection stats","remote":"x.x.x.x:38270","read":278,"written":4593,"duration":0.249924043}

I even tried a completely different domain added to my server, but it didn't work. Maybe I'll get a new server soon and try again before making any changes to the server.
Thank you!

In that case it's definitely an issue on your side. Caddy definitely works.

