Websockets fail - Venus OS - Cerbo GX Victron

Hi!

1. The problem I’m having:

OPNSense with Adguard/Unbound-Plugin and Caddy-Plugin.
Caddy is used to serve home network domains (e.g. nc.example.de points to 192.168.1.60, but only in my home network). Everything is working fine.

Everything? No - one service I can’t get to run.

It’s the dashboard of Venus OS (Cerbo GX device from Victron, a solar power/battery management system). Via IP (192.168.1.50) everything works fine:

With venus.example.de, there is a connection error

I think it is a websocket problem. I thought Caddy handles websockets automatically. I can’t find a websocket option in Caddy.

2. Error messages and/or full log output:

Chrome F12:

Caddy Debug log:

	"debug","ts":"2024-09-20T04:26:31Z","logger":"http.handlers.reverse_proxy","msg":"streaming error","upstream":"192.168.1.50:80","duration":0.008340873,"request":{"remote_ip":"192.168.1.159","remote_port":"55788","client_ip":"192.168.1.159","proto":"HTTP/1.1","method":"GET","host":"venus.xxx.de","uri":"/websockify","headers":{"Connection":["Upgrade"],"Sec-Websocket-Protocol":["binary, base64"],"Cache-Control":["no-cache"],"X-Forwarded-Host":["venus.xxx.de"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"Sec-Websocket-Key":["dMDCSw/tM1pmoQbwxAb0mg=="],"Origin":["https://venus.xxx.de"],"Sec-Websocket-Version":["13"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"Pragma":["no-cache"],"Upgrade":["websocket"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Forwarded-For":["192.168.1.159"],"X-Forwarded-Proto":["https"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"venus.xxx.de"}}}

3. Caddy version:

OPNSense: 24.7.4_1
Caddy Plugin: 1.7.0_1

4. How I installed and ran Caddy:

OPNSense Plugin

a. System environment:

OPNSense bare metal

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:


[details="Summary"]

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
        log {
                output net unixgram//var/run/caddy/log.sock {
        }
        format json {
            time_format rfc3339
        }
                    level DEBUG
            }

            
        
                
            
                                            
    
                
        servers {
                    trusted_proxies static 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
                                    listener_wrappers {
                                


layer4 {
    import /usr/local/etc/caddy/caddy.d/*.layer4
                                        route
}
tls
            }
            }
    
                                                            
            
                    
                    
                    
                    
                    
                    
            
        
        
                    email xx
                    grace_period 10s
    import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


    # Layer4 default HTTP port
            :80 {
        }
        # Layer4 default HTTPS port
            :443 {
        }
    

                            








            # Reverse Proxy Domain: "38ba0804-7c0a-4dc8-9b95-2c4aca9f85fc"
        immich.xxx.de {
                                                log {
                        output file /var/log/caddy/access/38ba0804-7c0a-4dc8-9b95-2c4aca9f85fc.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.39:2283         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "89891edb-f5a3-4f6a-8668-44671e065f19"
        whoogle.xxx.de {
                                                log {
                        output file /var/log/caddy/access/89891edb-f5a3-4f6a-8668-44671e065f19.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.57:5000         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "0daafce0-e7da-4061-b839-99069d689781"
        omv.xxx.de {
                                                log {
                        output file /var/log/caddy/access/0daafce0-e7da-4061-b839-99069d689781.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.58         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "b89a7d6b-45c8-4ee2-9298-e12dcdbdca22"
        dess.xxx.de {
                                                log {
                        output file /var/log/caddy/access/b89a7d6b-45c8-4ee2-9298-e12dcdbdca22.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.50:1881         {
                
                                                                    transport http {
                                                                                                    tls
                                                                tls_insecure_skip_verify
                                                                            }
                    }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "7d967257-1b59-44c1-a5dd-481e4482f223"
        vaultwarden.xxx.de {
                                                log {
                        output file /var/log/caddy/access/7d967257-1b59-44c1-a5dd-481e4482f223.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.59:8000         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "1d55b940-5ee4-4e48-9527-c48986c5fc36"
        gitea.xxx.de {
                                                log {
                        output file /var/log/caddy/access/1d55b940-5ee4-4e48-9527-c48986c5fc36.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.34         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
                # Reverse Proxy Domain: "114a69a8-670a-4f56-af4a-fb5d9bbb959c"
        venus.xxx.de {
                                                log {
                        output file /var/log/caddy/access/114a69a8-670a-4f56-af4a-fb5d9bbb959c.log {
                            roll_keep_for 10d
                        }
                    }
                                                                    

            
                                                                        @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
             client_ip 192.168.1.0/24 10.10.0.0/24 10.7.0.0/24 10.9.0.0/24 192.168.200.0/24 192.168.90.0/24
        }
        handle @9acb4085-666d-4a2c-b32b-b6047fa3f127 {
                                    
                                            handle  {
                        reverse_proxy                                     192.168.1.50         {
                
                                            }
    }

            
            
        }
    

                                                abort
            
        }
    
import /usr/local/etc/caddy/caddy.d/*.conf

[/details]

5. Links to relevant resources:

Thank you!
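A triage sketch for debug entries like the one in the post above, added here as an example and not part of the original thread: it picks the `reverse_proxy` "streaming error" records out of Caddy's JSON log, checks whether the logged request was a complete RFC 6455 upgrade, and computes the `Sec-WebSocket-Accept` value a compliant upstream would have to return. The sample log lines, host name and upstream address are constructed; the function names are hypothetical.

```python
import base64
import binascii
import hashlib
import json

# Fixed GUID from RFC 6455, section 1.3.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant upstream must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def _header(headers: dict, name: str) -> list:
    """Case-insensitive lookup; Caddy logs each header's values as a list."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return []


def _tokens(values: list) -> set:
    """Split comma-separated header values into lowercase tokens."""
    return {t.strip().lower() for v in values for t in v.split(",") if t.strip()}


def handshake_problems(headers: dict) -> list:
    """Return the reasons the request is not a valid WebSocket upgrade."""
    problems = []
    if "websocket" not in _tokens(_header(headers, "Upgrade")):
        problems.append("Upgrade header lacks 'websocket'")
    if "upgrade" not in _tokens(_header(headers, "Connection")):
        problems.append("Connection header lacks 'Upgrade'")
    if _header(headers, "Sec-WebSocket-Version") != ["13"]:
        problems.append("Sec-WebSocket-Version is not 13")
    keys = _header(headers, "Sec-WebSocket-Key")
    try:
        ok = len(keys) == 1 and len(base64.b64decode(keys[0], validate=True)) == 16
    except (binascii.Error, ValueError):
        ok = False
    if not ok:
        problems.append("Sec-WebSocket-Key is not one 16-byte base64 nonce")
    return problems


def triage(log_lines):
    """Summarise every reverse_proxy 'streaming error' entry in the log."""
    results = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a JSON log record
        if not isinstance(entry, dict):
            continue
        if entry.get("logger") != "http.handlers.reverse_proxy":
            continue
        if entry.get("msg") != "streaming error":
            continue
        req = entry.get("request", {})
        headers = req.get("headers", {})
        problems = handshake_problems(headers)
        keys = _header(headers, "Sec-WebSocket-Key")
        results.append({
            "host": req.get("host"),
            "uri": req.get("uri"),
            "upstream": entry.get("upstream"),
            "valid_handshake": not problems,
            "problems": problems,
            "expected_accept": expected_accept(keys[0]) if not problems else None,
        })
    return results


def _record(connection):
    """Build one constructed debug record (not taken from the thread)."""
    return json.dumps({
        "level": "debug", "logger": "http.handlers.reverse_proxy",
        "msg": "streaming error", "upstream": "192.0.2.10:80",
        "request": {"host": "ws.example.test", "uri": "/websockify", "headers": {
            "Connection": [connection], "Upgrade": ["websocket"],
            "Sec-Websocket-Version": ["13"],
            # Sample nonce from RFC 6455, section 1.3.
            "Sec-Websocket-Key": ["dGhlIHNhbXBsZSBub25jZQ=="]}},
    })


# Constructed sample: a complete upgrade, one whose Connection header lost
# the Upgrade token, and an unrelated access-log record.
SAMPLE_LOG = [
    _record("Upgrade"),
    _record("keep-alive"),
    json.dumps({"level": "info", "logger": "http.log.access.log6",
                "msg": "handled request"}),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A record with `valid_handshake` set to true means the upgrade request reached Caddy intact, so the next place to look is the upstream's reply and the connection between Caddy and the upstream.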

FYI @Monviech

Your config’s formatting is pretty unreadable :frowning: Please fix that.

1 Like

@francislavoie This only happens when caddy is not enabled. If the service is enabled it will use caddy fmt automatically.

1 Like

Oh, how do I make the config readable? Caddy is activated, it’s the output from Caddy Plugin/Diagnostic/config

Let me verify later on a fresh installation if this still triggers or not. If not I’m going to fix it. If I can’t reproduce it then I don’t know what’s wrong.

It depends on this checkbox:

Which triggers the service and the setup script:

If it doesn’t happen it means the setup script is not executed.

You can either manually use the setup script from the shell, or go to cd /usr/local/etc/caddy/ and use caddy fmt --overwrite

EDIT:

Or just press “Apply” in the GUI once.

1 Like

Maybe I’m too stupid for this.

“Press Apply in the gui” - where?

Via putty:
sudo /usr/local/opnsense/scripts/OPNsense/Caddy/./setup.sh

no error - but no easy log…

Go to “Services - Caddy Web Server - Reverse Proxy”, which is /ui/caddy/reverse_proxy in the address bar. Press the Apply button.

Alternatively go to “Services - Caddy Web Server - Diagnostics”, and press Validate Caddyfile button. Afterwards refresh that page.

1 Like

Ah ok. This was too easy. I did not think that you guys meant this.
Of course Caddy is activated. Otherwise other domains wouldn’t work.
Again: Caddy works as expected. Only this one site does not work.

I already rebooted and reactivated Caddy.
But - the websocket site doesn’t work and - that’s what I don’t know - the config script doesn’t work…?!

Did your Caddyfile get properly formatted now? Please edit your initial post and add it there.

1 Like

No change. It’s the same output.
I can run the script via ssh without an error. But the output is the same…

I’ve reinstalled the Caddy plugin, but it’s the same output.

I will try to recreate this issue and solve it when possible. An improperly formatted Caddyfile shouldn’t be responsible for the wss:// not working.

In addition, post your JSON configuration, that one should be properly formatted.

I’ll lurk for now, please ping me if I have to patch anything.

2 Likes

The problem is with how you copied it probably, not with the content in the source.

2 Likes

Here is my json config from the diagnostic tab:

Summary
{
  "apps": {
    "http": {
      "grace_period": 10000000000,
      "servers": {
        "srv0": {
          "listen": [
            ":443"
          ],
          "logs": {
            "logger_names": {
              "dess.example.de": [
                "log3"
              ],
              "gitea.example.de": [
                "log5"
              ],
              "immich.example.de": [
                "log0"
              ],
              "omv.example.de": [
                "log2"
              ],
              "vaultwarden.example.de": [
                "log4"
              ],
              "venus.example.de": [
                "log6"
              ],
              "whoogle.example.de": [
                "log1"
              ]
            }
          },
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.59:8000"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "vaultwarden.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.57:5000"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "whoogle.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.39:2283"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "immich.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.34:80"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "gitea.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.50:80"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "venus.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "transport": {
                                            "protocol": "http",
                                            "tls": {
                                              "insecure_skip_verify": true
                                            }
                                          },
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.50:1881"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "dess.example.de"
                  ]
                }
              ],
              "terminal": true
            },
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "subroute",
                          "routes": [
                            {
                              "handle": [
                                {
                                  "handler": "subroute",
                                  "routes": [
                                    {
                                      "handle": [
                                        {
                                          "handler": "reverse_proxy",
                                          "upstreams": [
                                            {
                                              "dial": "192.168.1.58:80"
                                            }
                                          ]
                                        }
                                      ]
                                    }
                                  ]
                                }
                              ]
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "client_ip": {
                            "ranges": [
                              "192.168.1.0/24",
                              "10.10.0.0/24",
                              "10.7.0.0/24",
                              "10.9.0.0/24",
                              "192.168.200.0/24",
                              "192.168.90.0/24"
                            ]
                          }
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "abort": true,
                          "handler": "static_response"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "omv.example.de"
                  ]
                }
              ],
              "terminal": true
            }
          ],
          "trusted_proxies": {
            "ranges": [
              "192.168.1.0/24",
              "10.10.0.0/24",
              "10.7.0.0/24",
              "10.9.0.0/24",
              "192.168.200.0/24",
              "192.168.90.0/24"
            ],
            "source": "static"
          }
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "issuers": [
              {
                "email": "hp@example.de",
                "module": "acme"
              },
              {
                "ca": "https://acme.zerossl.com/v2/DV90",
                "email": "hp@example.de",
                "module": "acme"
              }
            ],
            "subjects": [
              "vaultwarden.example.de",
              "whoogle.example.de",
              "immich.example.de",
              "gitea.example.de",
              "venus.example.de",
              "dess.example.de",
              "omv.example.de"
            ]
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "encoder": {
          "format": "json",
          "time_format": "rfc3339"
        },
        "exclude": [
          "http.log.access.log0",
          "http.log.access.log1",
          "http.log.access.log2",
          "http.log.access.log3",
          "http.log.access.log4",
          "http.log.access.log5",
          "http.log.access.log6"
        ],
        "level": "DEBUG",
        "writer": {
          "address": "unixgram//var/run/caddy/log.sock",
          "output": "net"
        }
      },
      "log0": {
        "include": [
          "http.log.access.log0"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/38ba0804-7c0a-4dc8-9b95-2c4aca9f85fc.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log1": {
        "include": [
          "http.log.access.log1"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/89891edb-f5a3-4f6a-8668-44671e065f19.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log2": {
        "include": [
          "http.log.access.log2"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/0daafce0-e7da-4061-b839-99069d689781.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log3": {
        "include": [
          "http.log.access.log3"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/b89a7d6b-45c8-4ee2-9298-e12dcdbdca22.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log4": {
        "include": [
          "http.log.access.log4"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/7d967257-1b59-44c1-a5dd-481e4482f223.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log5": {
        "include": [
          "http.log.access.log5"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/1d55b940-5ee4-4e48-9527-c48986c5fc36.log",
          "output": "file",
          "roll_keep_days": 10
        }
      },
      "log6": {
        "include": [
          "http.log.access.log6"
        ],
        "writer": {
          "filename": "/var/log/caddy/access/114a69a8-670a-4f56-af4a-fb5d9bbb959c.log",
          "output": "file",
          "roll_keep_days": 10
        }
      }
    }
  }
}

@francislavoie
I’m using putty and type:
sudo /usr/local/etc/caddy/caddy fmt --overwrite

Something is wrong, I don’t know what.
I wouldn’t like to set up the whole router again now, everything is running, even caddy, except websockets and the config script.

You’re using the wrong path for Caddy. From above, the caddy executable is at /usr/local/bin/caddy. You were only supposed to cd into /usr/local/etc/caddy then just run caddy fmt --overwrite, not /usr/local/etc/caddy/caddy fmt.

2 Likes

So I just did a quick test of whether websockets work or not.

  1. I used a debian and installed websocketd

  2. I created a simple script that increments a counter:

#!/bin/sh
counter=0
while true; do
  echo $counter
  counter=$((counter + 1))
  sleep 1
done

  3. I called that script with websocketd

websocketd --port=8080 ./counter.sh

  4. Opened Chrome and used the dev console to call the ws socket directly:

var ws = new WebSocket('ws://172.16.1.113:8080/');
ws.onmessage = function(event) {
    console.log('Message from server:', event.data);
};

Got responses:

Message from server: 0
Message from server: 1
Message from server: 2
...

Logged access in websocketd:

Mon, 23 Sep 2024 21:42:53 +0200 | ACCESS | session    | url:'http://172.16.1.113:8080/' id:'1727120573048247102' remote:'172.16.1.105' command:'./counter.sh' origin:'file:' | CONNECT

  5. Now I put Caddy on the OPNsense between it with this Caddyfile:

# Reverse Proxy Domain: "170f91bb-d125-44ba-b391-612046f47ec6"
applepie.pischem.com {
	handle {
		reverse_proxy 172.16.1.113:8080 {
		}
	}
}

  6. I called the websocket again, this time with wss:// since Caddy is used as TLS Termination reverse proxy, and forwards the connection as ws:// internally.

var ws = new WebSocket('wss://applepie.pischem.com/');
ws.onmessage = function(event) {
    console.log('Message from server:', event.data);
};

Got the same responses, logged it in websocketd and in Caddy debug log:

Mon, 23 Sep 2024 21:48:30 +0200 | ACCESS | session    | url:'http://applepie.pischem.com/' id:'1727120910272607555' remote:'172.16.1.1' command:'./counter.sh' origin:'file:' | CONNECT

Caddy Log:

|2024-09-23T21:48:38|Debug|caddy|"debug","ts":"2024-09-23T19:48:38Z","logger":"http.handlers.reverse_proxy","msg":"upgrading connection","upstream":"172.16.1.113:8080","duration":0.001227763,"request":{"remote_ip":"172.16.1.105","remote_port":"65237","client_ip":"172.16.1.105","proto":"HTTP/1.1","method":"GET","host":"applepie.pischem.com","uri":"/","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"X-Forwarded-Proto":["https"],"Connection":["Upgrade"],"Origin":["null"],"X-Forwarded-For":["172.16.1.105"],"X-Forwarded-Host":["applepie.pischem.com"],"Cache-Control":["no-cache"],"Sec-Websocket-Version":["13"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"Sec-Websocket-Key":["2WbY5kKzeSTaOwz+Iv8vlQ=="],"Pragma":["no-cache"],"Upgrade":["websocket"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"applepie.pischem.com"}}}||
|2024-09-23T21:48:38|Debug|caddy|"debug","ts":"2024-09-23T19:48:38Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"172.16.1.113:8080","duration":0.001227763,"request":{"remote_ip":"172.16.1.105","remote_port":"65237","client_ip":"172.16.1.105","proto":"HTTP/1.1","method":"GET","host":"applepie.pischem.com","uri":"/","headers":{"Accept-Encoding":["gzip, deflate, br, zstd"],"Accept-Language":["de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7"],"X-Forwarded-Proto":["https"],"Connection":["Upgrade"],"Origin":["null"],"X-Forwarded-For":["172.16.1.105"],"X-Forwarded-Host":["applepie.pischem.com"],"Cache-Control":["no-cache"],"Sec-Websocket-Version":["13"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"],"Sec-Websocket-Key":["2WbY5kKzeSTaOwz+Iv8vlQ=="],"Pragma":["no-cache"],"Upgrade":["websocket"],"Sec-Websocket-Extensions":["permessage-deflate; client_max_window_bits"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"applepie.pischem.com"}},"headers":{"Upgrade":["websocket"],"Connection":["Upgrade"],"Sec-Websocket-Accept":["T1k8Rn9Vnfy3h9Q6uELa6/u4iR8="]},"status":101}|

So I guess in conclusion this means that websockets work with Caddy on OPNsense without any additional configuration needed if I tested this correctly.

2 Likes
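The 101 response in the log above carries a Sec-Websocket-Accept header that a server derives from the request's Sec-Websocket-Key. As an added example (not part of the original posts), this Python script checks that for Caddy reverse_proxy debug entries; it assumes complete JSON log lines, and the sample entries are constructed.

```python
import base64
import hashlib
import json

# GUID fixed by RFC 6455 for deriving Sec-WebSocket-Accept from Sec-WebSocket-Key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key):
    """Sec-WebSocket-Accept value a conforming server returns for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def first(headers, name):
    """First value of a header, case-insensitive, in Caddy's {name: [values]} shape."""
    for k, values in headers.items():
        if k.lower() == name.lower() and values:
            return values[0]
    return ""

def check_roundtrip(line):
    """Classify one debug entry: upgraded, bad-accept, not-upgraded or skip."""
    entry = json.loads(line)
    req = entry.get("request", {}).get("headers", {})
    if entry.get("msg") != "upstream roundtrip" or first(req, "Upgrade").lower() != "websocket":
        return "skip"  # not the response to a WebSocket upgrade request
    if entry.get("status") != 101:
        return "not-upgraded"  # upstream answered with plain HTTP
    accept = first(entry.get("headers", {}), "Sec-WebSocket-Accept")
    return "upgraded" if accept == expected_accept(first(req, "Sec-WebSocket-Key")) else "bad-accept"

def _sample(status, resp_headers):
    """Build a constructed log entry; the key is the RFC 6455 example nonce."""
    req = {"Upgrade": ["websocket"], "Connection": ["Upgrade"],
           "Sec-Websocket-Key": ["dGhlIHNhbXBsZSBub25jZQ=="]}
    return json.dumps({"level": "debug", "logger": "http.handlers.reverse_proxy",
                       "msg": "upstream roundtrip", "status": status,
                       "request": {"uri": "/", "headers": req}, "headers": resp_headers})

# Constructed entries, not taken from the thread.
SAMPLES = [
    _sample(101, {"Upgrade": ["websocket"], "Sec-Websocket-Accept": ["s3pPLMBiTxaQ9kYGzzhZRbK+xOo="]}),
    _sample(200, {"Content-Type": ["text/html"]}),
    _sample(101, {"Upgrade": ["websocket"], "Sec-Websocket-Accept": ["AAAAAAAAAAAAAAAAAAAAAAAAAAA="]}),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(check_roundtrip(s))
```

A "not-upgraded" result means the upstream answered the upgrade request with ordinary HTTP, so the problem lies with the upstream or the forwarded request rather than with the proxy's WebSocket handling.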

Thank you, @Monviech

I don’t know why it doesn’t work with caddy.

I have now tried it with the nginx-container. It works here. There you can activate or deactivate the websocket support. If I activate the websocket support, it works with my venus.example.de site.

I’m already on the verge of completely reinstalling opnsense to rule out the possibility that something has gotten tangled up internally in the long history of my APU.1D4 box.

This is not something OPNsense related. You are probably just doing something wrong in the handler.

In my above example, I only used HTTP internally without tls insecure skip verify.

Try to connect to your websocket server internally only via http on its http port in the Upstream.

1 Like

I’ve tried several options, but no luck.



I really don’t know. Might be something specific of the web application then.

For me the Websocket test worked with the Domain with https and 443.

And the reverse proxy just had http and the IP address + port.

There will be a bigger GUI update this week on the plugin that will make some of these things clearer, maybe that will help to clear your issues.

2 Likes

I am also having trouble using caddy to reverse proxy to a cerbo gx 🙂

It was working fine with nginx-proxy-manager, but I want to switch to caddy.
The websockets are working fine with other things I am proxying, just not to the cerbo gx…

Still investigating…