Why is caddy looking for a certificate when proxifying https to https?

I have a site I access via https://172.21.0.33:8443 (this is a docker network). In order to simplify the URLs, I wanted to proxify a FQDN to that site:

https://unifi.example.info {
  proxy / https://172.21.0.33:8443 {
    insecure_skip_verify
    transparent
  }
}

My intent was to have Caddy forward the traffic to 172.21.0.33:8443 without terminating the TLS connection itself (the TLS connection is handled by 172.21.0.33). When requesting https://unifi.example.info the call fails with an error (error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error) and I see in Caddy's logs:

2019/07/31 17:57:26 http: TLS handshake error from 192.168.10.251:9191: no certificate available for 'unifi.example.info'

Why is Caddy looking for a cert while it should simply forward the call?

I think I understood. It looks like the proxy is terminating the TLS call (and thus requiring certs), and then recreating it.

Is there a way to bypass this terminate-recreate part and directly direct the call to the target server?

Sure, use Caddy’s TCP proxy: https://caddyserver.com/docs/net

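Both ways out of the handshake error, as an added example that is not part of the original thread. Option A keeps the HTTP reverse proxy from the question but gives Caddy a certificate for the name it terminates (the certificate and key paths are placeholders); option B is the TCP passthrough from the answer, written for Caddy's net server type in the syntax its documentation describes (the listen address :443 is an assumption; the two options are separate Caddyfiles, since the net type is started with `caddy -type=net`).

```caddyfile
# ---- Option A: Caddyfile for the default HTTP server type ----
# Caddy still terminates TLS here, so it must own a certificate for
# unifi.example.info. The paths below are placeholders.
https://unifi.example.info {
  tls /path/to/unifi.example.info.crt /path/to/unifi.example.info.key
  proxy / https://172.21.0.33:8443 {
    # backend presents its own (here untrusted) certificate; Caddy skips
    # verifying it, as in the original config
    insecure_skip_verify
    transparent
  }
}

# ---- Option B: Caddyfile for the net server type (caddy -type=net) ----
# Bytes are copied through at the TCP layer: Caddy never reads the
# ClientHello, never looks up a certificate, and never decrypts the traffic.
# The client therefore sees 172.21.0.33's own certificate, which must be
# valid for unifi.example.info or the browser will warn.
proxy :443 172.21.0.33:8443
```

Option B cannot share port 443 on the same address with an HTTP-type Caddy instance, and since nothing is decrypted, Caddy can no longer add or inspect HTTP headers (the `transparent` preset has no equivalent there); any access control or logging has to happen on 172.21.0.33 itself.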