Why does this config work for reverse proxying to portainer?

1. The problem I’m having:

My question is more about why my current config works, as opposed to how to fix a current problem. I was trying to reverse proxy the url for my portainer dashboard so that I had a nice path I could use in combination with my tailnet name. I wanted something like:

tailnet.ts.net/portainer

I was hoping that Caddy would upgrade it to https, like it did for my adguard and netdata dashboards. However, when I added the portainer handle_path commands to my Caddyfile, it wouldn’t work. I kept getting an error to the effect of “http request being sent to an https server”

Originally, my Caddyfile had a url of localhost:9443 for the reverse_proxy command for portainer, and 9443 is the port that portainer uses for https. Eventually I solved this by shutting down my portainer container, restarting it with an open port for 9000 (which is portainer’s http port), and then editing my Caddyfile so that it reverse proxies using the 9000 port.

So now, my url “tailname.ts.net/portainer” gets automatically upgraded to https in my browser. The problem is I have no idea why this works. I don’t understand why the reverse_proxy didn’t work when I used the https port 9443. Can anyone help me understand?

Also open to any config improvements. I am only a couple weeks new to the homelab tinkering life. Thanks!

3. Caddy version:

v2.9.1

4. How I installed and ran Caddy:

I used the recommended package for Ubuntu.

a. System environment:

Ubuntu 24.04

Caddyfile:

tailname.ts.net  {
        # redirects root to homepage dashboard
        reverse_proxy localhost:3000

        # Enable the static file server.
        file_server

        # adguard reverse proxy settings
        @adguardNoSlash {
                path /adguard
        }
        redir @adguardNoSlash /adguard/ permanent

        handle_path /adguard/* {
                reverse_proxy localhost:8080
        }

        # netdata reverse proxy settings
        @netdataNoSlash {
                path /netdata
        }
        redir @netdataNoSlash /netdata/ permanent

        handle_path /netdata/* {
                reverse_proxy localhost:19999
        }

        # portainer reverse proxy settings
        @portainerNoSlash {
                path /portainer
        }
        redir @portainerNoSlash /portainer/ permanent

        handle_path /portainer/* {
                reverse_proxy localhost:9000
        }
}

The reason is this. When caddy proxies to an https backend that uses a self-signed certificate, it will not be able to verify the validity of said certificate.

To bypass this you can add the following block to your reverse proxy block.

        reverse_proxy localhost:9443 {
                transport http {
                        # accept the backend's self-signed certificate
                        tls_insecure_skip_verify
                }
        }

This will tell caddy to skip verification of the self-signed certificate.
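Added example (not from this thread or from the Caddy project): the same Portainer block, proxied to the HTTPS port 9443, but with Caddy verifying the backend certificate against a PEM file instead of skipping verification. Skipping verification means Caddy never authenticates the backend, so anything answering on that port is accepted; pinning the backend's own self-signed certificate (or the CA that issued it) keeps TLS to the backend while still checking who is on the other end. The `https://` scheme is what makes Caddy speak TLS to the backend; the PEM path and the `portainer.internal` server name are placeholders.

```caddyfile
# Added example: proxy Portainer over TLS and verify its certificate
# rather than disabling verification.
handle_path /portainer/* {
        # "https://" makes Caddy use TLS when talking to the backend on 9443.
        reverse_proxy https://localhost:9443 {
                transport http {
                        # Trust only the certificates in this PEM file (placeholder
                        # path): the backend's self-signed certificate, or the CA
                        # that issued it.
                        tls_trust_pool file {
                                pem_file /etc/caddy/portainer-ca.pem
                        }
                        # Only needed if the certificate was issued for a name other
                        # than "localhost" (assumed name shown here).
                        tls_server_name portainer.internal
                }
        }
}
```

If the certificate's subject alternative names already include `localhost`, the `tls_server_name` line can be dropped; if the PEM file does not contain the certificate Portainer actually presents, Caddy will refuse the backend connection, which is the intended failure mode.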

That’s great to know, and I appreciate the quick reply! In Adguard, I supplied a certificate I generated with the tailscale daemon. Based on what you said, could I do the same thing with my adguard block, and caddy would upgrade the connection to my dashboard without me needing to do anything else?

I believe so.
