Upgraded v1 to v2, but Cloudflare DNS and Let's Encrypt ACME didn't work: "TLS handshake error from X.X.X.X:XXXX: no certificate available for xxx.com"

1. Caddy version (caddy version):

v2.1.1

2. How I run Caddy:

caddy.service
systemctl start caddy.service

a. System environment:

debian 8 x86_x64
kernel 5.5.8-050508-generic
systemd 215

b. Command:

systemctl start caddy.service

c. Service/unit/compose file:

/etc/systemd/system/caddy.service

#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
After=network.target

[Service]
User=www-data
Group=www-data
Environment=CADDYPATH=/etc/caddy/ssl
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target    

d. My complete Caddyfile or JSON config:

/etc/caddy/Caddyfile

{
  debug
  http_port   80
  https_port  443
  admin   off
  key_type p384
}

domain1
{
header {
  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  X-XSS-Protection "1; mode=block;"
  X-Content-Type-Options nosniff
  X-Frame-Options DENY
}

  {
  @http {
    protocol http
    }
  redir @https : / / domain1
  }

  encode gzip
  root * /var/lib/caddy/domain1
  tls {
  dns cloudflare <cloudflare_dns_api_key>
  protocols tls1.2 tls1.3
  }

  log {
    output file /var/log/access.log 
    format single_field common_log
  }

  reverse_proxy https : / / reverse.domain:443

  @v2rayport {
  header Connection *Upgrade*
  header Upgrade    websocket
  }
  reverse_proxy @v2rayport 127.0.0.1:5120
}

domain2
{
header {
  Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
  X-XSS-Protection "1; mode=block;"
  X-Content-Type-Options nosniff
  X-Frame-Options DENY
}

 {
  @http {
    protocol http
  }
  redir @https : / / domain2
  }

  encode gzip
  root * /var/lib/caddy/domain2
  tls email@example.com {
  protocols tls1.2 tls1.3
  }

  log {
    output file /var/log/access.log
    format single_field common_log
  }

  reverse_proxy https : / / reverse.domain2:443

  @v2rayport {
  header Connection *Upgrade*
  header Upgrade    websocket
  }
  reverse_proxy @v2rayport 127.0.0.1:5120
}

3. The problem I’m having:

Caddy responded with the "TLS handshake error from X.X.X.X:XXXX: no certificate available for xxx.com" error, and both reverse-proxied websites yelled an HTTP 525 error code.

4. Error messages and/or full log output:

root@debian:~# systemctl status caddy -l
● caddy.service - Caddy
Loaded: loaded (/etc/systemd/system/caddy.service; enabled)
Active: inactive (dead) since Wed 2020-08-12 17:15:05 HKT; 10s ago
Docs: https://caddyserver.com/docs/
Process: 31756 ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile (code=exited, status=0/SUCCESS)
Main PID: 31756 (code=exited, status=0/SUCCESS)
Aug 12 17:15:33 debian caddy[30943]: 2020/08/12 17:15:33 http: TLS handshake error from X.X.X.X:42468: no certificate available for 'domain1.com'
Aug 12 17:15:34 debian caddy[30944]: 2020/08/12 17:15:33 http: TLS handshake error from X.X.X.X:42468: no certificate available for 'domain2.com'

5. What I already tried:

  1. Reset the Cloudflare DNS API token and made sure the token has the proper permissions;
  2. Proofread the Caddyfile against the v2 format.

Please use code formatting for your configs by using ``` on the lines before and after each block. It’s very hard to read your post otherwise.

Sorry for the inconvenience, I wasn't familiar with the code formatting. I'm just a Linux beginner, and I taught myself HTML out of interest and for passing by the firewall. Anyway, thanks for your reply.


Your Caddyfile syntax is a bit messy. Could you run it through caddy fmt? It’s a built-in command that cleans up the formatting of your Caddyfile.

You seem to have spaces in your proxy upstream addresses where they don’t belong, { braces in strange places, etc.

Could you post your full logs? It’s unclear what’s going on without more detailed logs. You can use journalctl --no-pager -u caddy | less to see them.

Roger that~
root@debian:~# caddy fmt /etc/caddy/Caddyfile

{
	debug
	http_port 80
	https_port 443
	admin off
	key_type p384
}

domain1.com {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block;"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}	{
		@http {
			protocol http
		}
		redir @http https://domain1.com
	}

	encode gzip
	root * /var/lib/caddy/domain1.com
	tls {
		dns cloudflare <cloudflare_dns_api_token>
		protocols tls1.2 tls1.3
	}

	log {
		output file /var/log/access.log
		format single_field common_log
	}

	reverse_proxy https://reverse.domain1.com:443

	@v2rayport {
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @v2rayport 127.0.0.1:5120
}

domain2.com {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block;"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}	{
		@http {
			protocol http
		}
		redir @http https://domain2.com
	}

	encode gzip
	root * /var/lib/caddy/domain2.com
	tls email@example.com {
		protocols tls1.2 tls1.3
	}

	log {
		output file /var/log/access.log
		format single_field common_log
	}

	reverse_proxy https://reverse.domain2.com:443

	@v2rayport {
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @v2rayport 127.0.0.1:5120
}

root@debian:~# journalctl --no-pager -u caddy | less

Aug 13 01:04:50 debian systemd[1]: Starting Caddy...
Aug 13 01:04:50 debian systemd[1]: Started Caddy.
Aug 13 01:04:50 debian caddy[10387]: caddy.HomeDir=/var/www
Aug 13 01:04:50 debian caddy[10387]: caddy.AppDataDir=/var/www/.local/share/caddy
Aug 13 01:04:50 debian caddy[10387]: caddy.AppConfigDir=/var/www/.config/caddy
Aug 13 01:04:50 debian caddy[10387]: caddy.ConfigAutosavePath=/var/www/.config/caddy/autosave.json
Aug 13 01:04:50 debian caddy[10387]: runtime.GOOS=linux
Aug 13 01:04:50 debian caddy[10387]: runtime.GOARCH=amd64
Aug 13 01:04:50 debian caddy[10387]: runtime.Compiler=gc
Aug 13 01:04:50 debian caddy[10387]: runtime.NumCPU=1
Aug 13 01:04:50 debian caddy[10387]: runtime.GOMAXPROCS=1
Aug 13 01:04:50 debian caddy[10387]: runtime.Version=go1.14.6
Aug 13 01:04:50 debian caddy[10387]: os.Getwd=/
Aug 13 01:04:50 debian caddy[10387]: LANG=en_US.UTF-8
Aug 13 01:04:50 debian caddy[10387]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Aug 13 01:04:50 debian caddy[10387]: HOME=/var/www
Aug 13 01:04:51 debian caddy[10387]: LOGNAME=www-data
Aug 13 01:04:51 debian caddy[10387]: USER=www-data
Aug 13 01:04:51 debian caddy[10387]: SHELL=/usr/sbin/nologin
Aug 13 01:04:51 debian caddy[10387]: CADDYPATH=/etc/caddy/ssl
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251890.9949615,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Aug 13 01:04:51 debian caddy[10387]: {"level":"warn","ts":1597251891.0123775,"logger":"admin","msg":"admin endpoint disabled"}
Aug 13 01:04:51 debian caddy[10387]: {"level":"error","ts":1597251891.013798,"logger":"tls","msg":"migrating certificates","error":"listing used ACME CAs: open /var/www/.local/share/caddy/acme: permission denied"}
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251891.01451,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251891.0163143,"logger":"tls","msg":"cleaned up storage units"}
Aug 13 01:04:51 debian caddy[10387]: {"level":"debug","ts":1597251891.0172524,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":true}
Aug 13 01:04:51 debian caddy[10387]: {"level":"debug","ts":1597251891.017858,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":false}
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251891.0185423,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["reverse.domain1.com","reverse.domain2.com"]}
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251891.0196984,"msg":"autosaved config","file":"/var/www/.config/caddy/autosave.json"}
Aug 13 01:04:51 debian caddy[10387]: {"level":"info","ts":1597251891.0201511,"msg":"serving initial configuration"}
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 [ERROR] domain1.com: caching certificate after obtaining it: decoding certificate metadata: unexpected end of JSON input
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 [ERROR] domain2.com: caching certificate after obtaining it: decoding certificate metadata: unexpected end of JSON input
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 [INFO][cache:0xc0001cb0e0] Started certificate maintenance routine
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16580: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16572: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16578: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16576: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16612: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16606: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16622: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16626: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16634: no certificate available for 'reverse.domain1.com'
Aug 13 01:04:51 debian caddy[10387]: 2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16636: no certificate available for 'reverse.domain1.com'

And this error goes on and on.
Sincere appreciation.

This bit here has invalid syntax. You have an extra pair of { } (just above the @http and below the redir). Same with your second domain. It should look like this:

	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block;"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}

	@http {
		protocol http
	}
	redir @http https://domain1.com

That redirect block isn’t necessary though, Caddy sets up automatic HTTP->HTTPS redirects when a site has Automatic HTTPS activated. You can see that in the logs here (Caddy v1 did this as well, FYI):

Ultimately your actual problem is here though:

Caddy doesn't seem to have permissions to write to its storage directory, which it says is at /var/www/.local/share/caddy/acme. This is because you set the user and group to www-data, which has its $HOME set to /var/www. Generally we recommend running with a caddy user instead, which is added to the www-data group. You can see our install instructions below, or you can use the Debian repo we provide (2nd link), which sets this up for you.

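As an added check (example code, not from the Caddy project or from anyone in this thread), the script below turns the diagnosis in the reply above into something repeatable: it reads User= from a unit file, derives the XDG data directory the way the --environ output earlier in the thread shows it (caddy.AppDataDir under $HOME/.local/share/caddy), tests whether that directory is writable, and counts the three error signatures seen in the journal. The unit file, the /home/<user> home directory and the log lines inside demo() are constructed; on a real host you would read the home directory from getent passwd and pipe in journalctl --no-pager -u caddy.

```shell
#!/usr/bin/env bash
# Added example; not code from the Caddy project or from anyone in this thread.
# Checks the two things the reply above points at: whether the service user's
# Caddy data directory is writable, and which known error signatures appear in
# the journal output. The $HOME/.local/share/caddy layout matches the
# caddy.AppDataDir value printed by --environ earlier in the thread; the sample
# unit file, home directory and log lines in demo() are constructed.

set -u

# Print the User= value from a systemd unit file (empty if it is not set).
unit_user() {
    sed -n 's/^User=//p' "$1" | head -n 1
}

# Caddy's default data directory for a given home directory (XDG layout).
caddy_data_dir_for_home() {
    printf '%s/.local/share/caddy\n' "$1"
}

# 0 = directory exists and is writable by the calling user,
# 1 = directory is missing, 2 = present but not writable.
check_storage_dir() {
    [ -d "$1" ] || return 1
    [ -w "$1" ] || return 2
    return 0
}

# Map one journal line to a short diagnosis; return 1 for lines we don't recognise.
classify_line() {
    case "$1" in
        *"permission denied"*)            echo "storage-permission" ;;
        *"no certificate available for"*) echo "no-cert" ;;
        *"unexpected end of JSON input"*) echo "cert-metadata" ;;
        *)                                return 1 ;;
    esac
}

# Read journal lines on stdin and print "diagnosis count" pairs, one per line.
triage_log() {
    local line diag
    while IFS= read -r line; do
        diag=$(classify_line "$line") && echo "$diag"
    done | sort | uniq -c | awk '{ print $2, $1 }'
}

# Demo on constructed input modelled on the thread's unit file and journal output.
# On a real host, pass /etc/systemd/system/caddy.service and take the user's home
# from getent passwd instead of the constructed /home/<user>.
demo() {
    local unit user dir rc
    unit=$(mktemp)
    printf '[Service]\nUser=www-data\nGroup=www-data\n' > "$unit"
    user=$(unit_user "$unit")
    rm -f "$unit"
    dir=$(caddy_data_dir_for_home "/home/$user")   # constructed home directory
    echo "service user: $user, expected data dir: $dir"
    check_storage_dir "$dir" && rc=0 || rc=$?
    echo "storage check status: $rc (0 ok, 1 missing, 2 not writable)"
    triage_log <<'EOF'
{"level":"error","logger":"tls","msg":"migrating certificates","error":"listing used ACME CAs: open /var/www/.local/share/caddy/acme: permission denied"}
2020/08/13 01:04:51 [ERROR] domain1.com: caching certificate after obtaining it: decoding certificate metadata: unexpected end of JSON input
2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16580: no certificate available for 'reverse.domain1.com'
2020/08/13 01:04:51 http: TLS handshake error from X.X.X.X:16572: no certificate available for 'reverse.domain1.com'
{"level":"info","msg":"serving initial configuration"}
EOF
}

demo
```

A storage check status of 1 or 2 for the user named in the unit is the condition the reply describes: ACME account data and certificates cannot be written, so every handshake for those names fails with no certificate available. Run the check as the service user (for example with runuser -u www-data), since a directory root can write to is not evidence that www-data can.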

Thank you very much! The cert error is solved! Let's Encrypt and Cloudflare finally signed the certs successfully. I didn't realise that Caddy v2 had already switched to the XDG specification from the beginning.
But there are 2 issues remaining. First, domain1.com showed a 403 error rather than reverse.domain1.com, while domain2.com showed the "Plesk" default page rather than reverse.domain2.com. As a simple whole-site proxy, is there any command that needs to be added to the header or other blocks compared to v1? Second, the reverse proxy of the websocket path "v2rayport" didn't seem to work; the remote websocket client reported a "403 Forbidden > websocket: bad handshake" error.
Sorry to bother you with my low-end question.

root@debian:~# systemctl status caddy -l
● caddy.service - Caddy
   Loaded: loaded (/etc/systemd/system/caddy.service; enabled)
   Active: active (running) since Fri 2020-08-14 00:05:03 HKT; 7min ago
     Docs: https://caddyserver.com/docs/
 Main PID: 9520 (caddy)
   CGroup: /system.slice/caddy.service
           └─9520 /usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile

Aug 14 00:12:08 debian caddy[9520]: {"level":"debug","ts":1597335128.148482,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain2.com:80","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"X.X.X.X:56816","host":"domain2.com","headers":{"Upgrade-Insecure-Requests":["1"],"If-None-Match":["\"0c066ec7ef0d51:0\""],"If-Modified-Since":["Mon, 02 Mar 2020 10:40:00 GMT"],"Cache-Control":["max-age=0"],"Dnt":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"X-Forwarded-For":["X.X.X.X"],"X-Forwarded-Proto":["https"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"domain2.com"}},"duration":0.06493765,"headers":{"Accept-Ranges":["bytes"],"Etag":["\"0c066ec7ef0d51:0\""],"Server":["Microsoft-IIS/10.0"],"X-Powered-By":["ASP.NET"],"Date":["Thu, 13 Aug 2020 16:12:07 GMT"]},"status":304}
Aug 14 00:12:08 debian caddy[9520]: {"level":"info","ts":1597335128.148598,"logger":"http.log.access.log1","msg":"handled request","request":{"method":"GET","uri":"/","proto":"HTTP/2.0","remote_addr":"X.X.X.X:56816","host":"domain2.com","headers":{"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"If-None-Match":["\"0c066ec7ef0d51:0\""],"Upgrade-Insecure-Requests":["1"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Sec-Fetch-Site":["none"],"Sec-Fetch-User":["?1"],"If-Modified-Since":["Mon, 02 Mar 2020 10:40:00 GMT"],"Cache-Control":["max-age=0"],"Dnt":["1"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Sec-Fetch-Mode":["navigate"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"h2","proto_mutual":true,"server_name":"domain2.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:12:08 +0800] \"GET / HTTP/2.0\" 304 0","duration":0.065358539,"size":0,"status":304,"resp_headers":{"Server":["Caddy","Microsoft-IIS/10.0"],"X-Content-Type-Options":["nosniff"],"Accept-Ranges":["bytes"],"X-Powered-By":["ASP.NET"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Frame-Options":["DENY"],"X-Xss-Protection":["1; mode=block;"],"Etag":["\"0c066ec7ef0d51:0\""],"Date":["Thu, 13 Aug 2020 16:12:07 GMT"]}}
Aug 14 00:12:12 debian caddy[9520]: {"level":"debug","ts":1597335132.6411717,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain1.com:443","request":{"method":"GET","uri":"/","proto":"HTTP/1.1","remote_addr":"X.X.X.X:10882","host":"domain1.com","headers":{"Sec-Fetch-Dest":["document"],"Cf-Ray":["5c23b7623c67dbc8-SEA"],"Cache-Control":["max-age=0"],"Dnt":["1"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Cf-Request-Id":["048a30f1640000dbc848abb200000001"],"Cookie":["__cfduid=dba693d4c185d12c556d870cc68b7333f1597329587"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["US"],"X-Forwarded-For":["X.X.X.X, X.X.X.X"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"Cdn-Loop":["cloudflare"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Sec-Fetch-User":["?1"],"Cf-Connecting-Ip":["X.X.X.X"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"duration":0.013703962,"headers":{"Server":["cloudflare"],"Date":["Thu, 13 Aug 2020 16:12:12 GMT"],"Content-Type":["text/html"],"Content-Length":["553"],"Cf-Ray":["5c23b76309675f79-LAS"],"Cf-Request-Id":["048a30f1e000005f79df110200000001"]},"status":403}
Aug 14 00:12:12 debian caddy[9520]: {"level":"error","ts":1597335132.6428497,"logger":"http.log.access.log0","msg":"handled request","request":{"method":"GET","uri":"/","proto":"HTTP/1.1","remote_addr":"X.X.X.X:10882","host":"domain1.com","headers":{"Connection":["Keep-Alive"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Sec-Fetch-User":["?1"],"Cf-Connecting-Ip":["X.X.X.X"],"Dnt":["1"],"Upgrade-Insecure-Requests":["1"],"Sec-Fetch-Site":["none"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Cf-Ray":["5c23b7623c67dbc8-SEA"],"Cache-Control":["max-age=0"],"Cf-Request-Id":["048a30f1640000dbc848abb200000001"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"Cookie":["__cfduid=dba693d4c185d12c556d870cc68b7333f1597329587"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["US"],"X-Forwarded-For":["X.X.X.X"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:12:12 +0800] \"GET / HTTP/1.1\" 403 172","duration":0.015706746,"size":172,"status":403,"resp_headers":{"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Frame-Options":["DENY"],"Content-Type":["text/html"],"Content-Encoding":["gzip"],"Cf-Ray":["5c23b76309675f79-LAS"],"Vary":["Accept-Encoding"],"Server":["Caddy","cloudflare"],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block;"],"Cf-Request-Id":["048a30f1e000005f79df110200000001"],"Date":["Thu, 13 Aug 2020 16:12:12 GMT"]}}
Aug 14 00:12:12 debian caddy[9520]: {"level":"debug","ts":1597335132.9367406,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain1.com:443","request":{"method":"GET","uri":"/favicon.ico","proto":"HTTP/1.1","remote_addr":"X.X.X.X:22212","host":"domain1.com","headers":{"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Dnt":["1"],"Referer":["https://domain1.com/"],"Cookie":["__cfduid=dba693d4c185d12c556d870cc68b7333f1597329587"],"Cf-Request-Id":["048a30f2ef0000dbc848ad6200000001"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Sec-Fetch-Mode":["no-cors"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"Cf-Connecting-Ip":["X.X.X.X"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["US"],"X-Forwarded-For":["X.X.X.X, X.X.X.X"],"Cf-Ray":["5c23b764b8dddbc8-SEA"],"Sec-Fetch-Site":["same-origin"],"X-Forwarded-Proto":["https"],"Accept":["image/webp,image/apng,image/*,*/*;q=0.8"],"Sec-Fetch-Dest":["image"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"duration":0.012431505,"headers":{"Content-Type":["text/html"],"Content-Length":["553"],"Cf-Ray":["5c23b764dac15f79-LAS"],"Cf-Request-Id":["048a30f30800005f79df117200000001"],"Server":["cloudflare"],"Date":["Thu, 13 Aug 2020 16:12:12 GMT"]},"status":403}
Aug 14 00:12:12 debian caddy[9520]: {"level":"error","ts":1597335132.93891,"logger":"http.log.access.log0","msg":"handled request","request":{"method":"GET","uri":"/favicon.ico","proto":"HTTP/1.1","remote_addr":"X.X.X.X:22212","host":"domain1.com","headers":{"Referer":["https://domain1.com/"],"Cookie":["__cfduid=dba693d4c185d12c556d870cc68b7333f1597329587"],"Cf-Request-Id":["048a30f2ef0000dbc848ad6200000001"],"Connection":["Keep-Alive"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"],"Dnt":["1"],"Accept-Language":["zh-CN,zh;q=0.9,ja;q=0.8,zh-TW;q=0.7,en-US;q=0.6,en;q=0.5,zh-HK;q=0.4"],"Cf-Connecting-Ip":["X.X.X.X"],"Cdn-Loop":["cloudflare"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Sec-Fetch-Mode":["no-cors"],"Cf-Ray":["5c23b764b8dddbc8-SEA"],"Sec-Fetch-Site":["same-origin"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["US"],"X-Forwarded-For":["X.X.X.X"],"X-Forwarded-Proto":["https"],"Accept":["image/webp,image/apng,image/*,*/*;q=0.8"],"Sec-Fetch-Dest":["image"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:12:12 +0800] \"GET /favicon.ico HTTP/1.1\" 403 172","duration":0.014732135,"size":172,"status":403,"resp_headers":{"Server":["Caddy","cloudflare"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Frame-Options":["DENY"],"X-Xss-Protection":["1; mode=block;"],"Cf-Ray":["5c23b764dac15f79-LAS"],"X-Content-Type-Options":["nosniff"],"Date":["Thu, 13 Aug 2020 16:12:12 GMT"],"Content-Type":["text/html"],"Cf-Request-Id":["048a30f30800005f79df117200000001"],"Content-Encoding":["gzip"],"Vary":["Accept-Encoding"]}}
Aug 14 00:12:14 debian caddy[9520]: {"level":"debug","ts":1597335134.8723383,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain1.com:443","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:54768","host":"domain1.com","headers":{"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Connecting-Ip":["X.X.X.X"],"Cf-Ray":["5c23b770cd8c0530-LAX"],"User-Agent":["Go-http-client/1.1"],"Connection":["Upgrade"],"Cf-Ipcountry":["CN"],"Sec-Websocket-Key":["dKs2sl84TPGCvEYidIHMNg=="],"Cf-Request-Id":["048a30fa78000005305f8de200000001"],"X-Forwarded-For":["X.X.X.X, X.X.X.X"],"X-Forwarded-Proto":["https"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"duration":0.00856557,"headers":{"Server":["cloudflare"],"Date":["Thu, 13 Aug 2020 16:12:14 GMT"],"Content-Type":["text/html"],"Content-Length":["151"],"Connection":["keep-alive"],"Cf-Ray":["5c23b770fede5f3d-LAS"],"Cf-Request-Id":["048a30fa9b00005f3dee1d0200000001"]},"status":403}
Aug 14 00:12:14 debian caddy[9520]: {"level":"error","ts":1597335134.8739572,"logger":"http.log.access.log0","msg":"handled request","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:54768","host":"domain1.com","headers":{"Upgrade":["websocket"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Sec-Websocket-Version":["13"],"Accept-Encoding":["gzip"],"Cf-Connecting-Ip":["X.X.X.X"],"Cdn-Loop":["cloudflare"],"Connection":["Upgrade"],"Cf-Ipcountry":["CN"],"Cf-Ray":["5c23b770cd8c0530-LAX"],"User-Agent":["Go-http-client/1.1"],"X-Forwarded-For":["X.X.X.X"],"X-Forwarded-Proto":["https"],"Sec-Websocket-Key":["dKs2sl84TPGCvEYidIHMNg=="],"Cf-Request-Id":["048a30fa78000005305f8de200000001"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:12:14 +0800] \"GET /v2rayport HTTP/1.1\" 403 151","duration":0.010359965,"size":151,"status":403,"resp_headers":{"Cf-Request-Id":["048a30fa9b00005f3dee1d0200000001"],"X-Frame-Options":["DENY"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Content-Type-Options":["nosniff"],"X-Xss-Protection":["1; mode=block;"],"Date":["Thu, 13 Aug 2020 16:12:14 GMT"],"Content-Type":["text/html"],"Content-Length":["151"],"Cf-Ray":["5c23b770fede5f3d-LAS"],"Server":["Caddy","cloudflare"]}}
Aug 14 00:12:15 debian caddy[9520]: {"level":"debug","ts":1597335135.0959215,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain1.com:443","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:40966","host":"domain1.com","headers":{"Cf-Ray":["5c23b7723801eae3-LAX"],"X-Forwarded-Proto":["https"],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"Cf-Request-Id":["048a30fb600000eae333868200000001"],"Cf-Connecting-Ip":["X.X.X.X"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["CN"],"X-Forwarded-For":["X.X.X.X, X.X.X.X"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Go-http-client/1.1"],"Cdn-Loop":["cloudflare"],"Connection":["Upgrade"],"Sec-Websocket-Key":["h5axOnGVwNWnFUnlvqlKUA=="]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"duration":0.008802242,"headers":{"Date":["Thu, 13 Aug 2020 16:12:15 GMT"],"Content-Type":["text/html"],"Content-Length":["151"],"Connection":["keep-alive"],"Cf-Ray":["5c23b77258425f3d-LAS"],"Cf-Request-Id":["048a30fb7b00005f3dee1df200000001"],"Server":["cloudflare"]},"status":403}
Aug 14 00:12:15 debian caddy[9520]: {"level":"error","ts":1597335135.0975766,"logger":"http.log.access.log0","msg":"handled request","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:40966","host":"domain1.com","headers":{"Connection":["Upgrade"],"Sec-Websocket-Key":["h5axOnGVwNWnFUnlvqlKUA=="],"Cf-Ray":["5c23b7723801eae3-LAX"],"X-Forwarded-Proto":["https"],"Sec-Websocket-Version":["13"],"Upgrade":["websocket"],"Cf-Request-Id":["048a30fb600000eae333868200000001"],"Cf-Connecting-Ip":["X.X.X.X"],"X-Forwarded-For":["X.X.X.X"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"User-Agent":["Go-http-client/1.1"],"Cdn-Loop":["cloudflare"],"Accept-Encoding":["gzip"],"Cf-Ipcountry":["CN"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:12:15 +0800] \"GET /v2rayport HTTP/1.1\" 403 151","duration":0.010564202,"size":151,"status":403,"resp_headers":{"Server":["Caddy","cloudflare"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Xss-Protection":["1; mode=block;"],"Content-Type":["text/html"],"Cf-Ray":["5c23b77258425f3d-LAS"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Date":["Thu, 13 Aug 2020 16:12:15 GMT"],"Content-Length":["151"],"Cf-Request-Id":["048a30fb7b00005f3dee1df200000001"]}}
Aug 14 00:23:23 debian caddy[9520]: {"level":"debug","ts":1597335803.4184012,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"reverse.domain1.com:443","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:21904","host":"domain1.com","headers":{"Cf-Ipcountry":["CN"],"Cf-Ray":["5c23c7c2fca0eb19-LAX"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Request-Id":["048a3b2dda0000eb1901bbf200000001"],"Connection":["Upgrade"],"X-Forwarded-Proto":["https"],"User-Agent":["Go-http-client/1.1"],"Cf-Connecting-Ip":["X.X.X.X"],"Upgrade":["websocket"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["X.X.X.X, X.X.X.X"],"Sec-Websocket-Key":["ia2dqzsVnvyeAH3l6l1XWw=="],"Sec-Websocket-Version":["13"],"Cdn-Loop":["cloudflare"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"duration":0.037001858,"headers":{"Cf-Request-Id":["048a3b2e0b0000c7d9cf2e2200000001"],"Server":["cloudflare"],"Date":["Thu, 13 Aug 2020 16:23:23 GMT"],"Content-Type":["text/html"],"Content-Length":["151"],"Connection":["keep-alive"],"Cf-Ray":["5c23c7c34f85c7d9-DEN"]},"status":403}
Aug 14 00:23:23 debian caddy[9520]: {"level":"error","ts":1597335803.4200683,"logger":"http.log.access.log0","msg":"handled request","request":{"method":"GET","uri":"/v2rayport","proto":"HTTP/1.1","remote_addr":"X.X.X.X:21904","host":"domain1.com","headers":{"Connection":["Upgrade"],"X-Forwarded-Proto":["https"],"Cf-Connecting-Ip":["X.X.X.X"],"User-Agent":["Go-http-client/1.1"],"Accept-Encoding":["gzip"],"X-Forwarded-For":["X.X.X.X"],"Sec-Websocket-Key":["ia2dqzsVnvyeAH3l6l1XWw=="],"Sec-Websocket-Version":["13"],"Cdn-Loop":["cloudflare"],"Upgrade":["websocket"],"Cf-Ray":["5c23c7c2fca0eb19-LAX"],"Cf-Visitor":["{\"scheme\":\"https\"}"],"Cf-Request-Id":["048a3b2dda0000eb1901bbf200000001"],"Cf-Ipcountry":["CN"]},"tls":{"resumed":false,"version":772,"ciphersuite":4865,"proto":"","proto_mutual":true,"server_name":"domain1.com"}},"common_log":"X.X.X.X - - [14/Aug/2020:00:23:23 +0800] \"GET /v2rayport HTTP/1.1\" 403 151","duration":0.03913786,"size":151,"status":403,"resp_headers":{"X-Xss-Protection":["1; mode=block;"],"Content-Length":["151"],"Cf-Ray":["5c23c7c34f85c7d9-DEN"],"Cf-Request-Id":["048a3b2e0b0000c7d9cf2e2200000001"],"Date":["Thu, 13 Aug 2020 16:23:23 GMT"],"Strict-Transport-Security":["max-age=31536000; includeSubDomains; preload"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Server":["Caddy","cloudflare"],"Content-Type":["text/html"]}}

I don't know much about v2ray, but my understanding is that you might need to enable h2c support for it to work correctly?

https://github.com/caddyserver/caddy/issues/3556#issuecomment-666018116


Thank you so much! The websocket reverse proxy error was solved just by adding "path /v2rayport", but lots of related topics had neglected that. So far the certs error and the websocket reverse proxy error have been solved, and just the reverse proxy web page error remains now (Cloudflare returns 403 and domain2 returns 502). Honestly I didn't expect that the Caddy v2 config would be this complicated :joy:, I hadn't realised that I had to configure extra lines to handle h2/h2c upstreams, while v1 would handle it automatically. From my point of view it has been transformed into a new Nginx rather than "Caddy" itself. And BTW the lack of v2 examples and cases does cause some trouble. Anyway, thanks for your consistent help.
Current Caddyfile content:

root@debian:~# caddy fmt /etc/caddy/Caddyfile
{
	debug
	http_port 80
	https_port 443
	admin off
	key_type p384
}

domain1.com {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block;"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}

	encode gzip
	root * /var/lib/caddy/domain1.com
	file_server
	tls {
		dns cloudflare <cloudflare_dns_api_token>
		protocols tls1.2 tls1.3
	}

	log {
		output file /var/log/access.log
		format single_field common_log
	}

	reverse_proxy https://reverse.domain1.com {
		transport http {
			tls
			tls_insecure_skip_verify
			versions h2c 2
		}
	}

	@v2ray_websocket {
		path /v2rayport
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @v2ray_websocket 127.0.0.1:5120
}

domain2.com {
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-XSS-Protection "1; mode=block;"
		X-Content-Type-Options nosniff
		X-Frame-Options DENY
	}

	encode gzip
	root * /var/lib/caddy/domain2.com
	file_server
	tls email@example.com {
		protocols tls1.2 tls1.3
	}

	log {
		output file /var/log/access.log
		format single_field common_log
	}

	reverse_proxy http://reverse.domain2.com {
		transport http {
			versions h2c 2
		}
	}

	@v2ray_websocket {
		path /v2rayport
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @v2ray_websocket 127.0.0.1:5120
}
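An added lint (example code, not from the Caddy project or from the poster) for two things in the Caddyfile above: a named matcher that matches websocket upgrades but has no path line, which is exactly what the path /v2rayport fix addressed, and tls_insecure_skip_verify, which makes Caddy accept any certificate from the HTTPS upstream, so a spoofed or intercepted reverse.domain1.com would go unnoticed. The Caddyfile written by demo() is a constructed fragment, and the lint assumes matcher blocks without nested braces, as in this thread.

```shell
#!/usr/bin/env bash
# Added example; not code from the Caddy project or from anyone in this thread.
# A small lint for the two points the final Caddyfile raises: a websocket
# matcher that carries no path constraint (the fix that resolved the
# "bad handshake" above), and tls_insecure_skip_verify, which turns off
# certificate verification of the HTTPS upstream. The Caddyfile in demo() is
# constructed from fragments of the thread's config; it is not the poster's file.

set -u

# Print one finding per line as "file:line: message". Named matcher blocks are
# tracked between "@name {" and the closing "}" (the thread's matchers have no
# nested blocks, and this lint assumes none).
lint_caddyfile() {
    awk '
        /^[[:space:]]*@[A-Za-z0-9_]+[[:space:]]*\{/ {
            name = $1; inblock = 1; haspath = 0; hasws = 0; start = NR; next
        }
        inblock && /^[[:space:]]*path[[:space:]]/            { haspath = 1 }
        inblock && /^[[:space:]]*header[[:space:]]+Upgrade/  { hasws = 1 }
        inblock && /^[[:space:]]*\}/ {
            if (hasws && !haspath)
                printf "%s:%d: websocket matcher %s has no path constraint\n", FILENAME, start, name
            inblock = 0
        }
        /^[[:space:]]*tls_insecure_skip_verify/ {
            printf "%s:%d: upstream certificate verification disabled\n", FILENAME, NR
        }
    ' "$1"
}

# Count findings so a deploy step can refuse a config when the number is not zero.
lint_count() {
    lint_caddyfile "$1" | grep -c .
}

# Demo on a constructed Caddyfile: one matcher as in the thread's earlier config
# (no path), one as in the fixed config (with path), and the insecure transport.
demo() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
domain1.com {
	reverse_proxy https://reverse.domain1.com {
		transport http {
			tls
			tls_insecure_skip_verify
		}
	}
	@ws_nopath {
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @ws_nopath 127.0.0.1:5120
	@ws_path {
		path /v2rayport
		header Connection *Upgrade*
		header Upgrade websocket
	}
	reverse_proxy @ws_path 127.0.0.1:5120
}
EOF
    lint_caddyfile "$f"
    echo "findings: $(lint_count "$f")"
    rm -f "$f"
}

demo
```

The demo reports two findings: the transport that skips verification and the @ws_nopath matcher. The @ws_path matcher passes because it carries the path line, which is the shape of the matcher in the config above. If the upstream's certificate cannot be validated with the system roots, pinning it with trusted_ca_cert or trusted_ca_cert_file in the transport block keeps verification on instead of disabling it.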
