
Issue when handling both SSL passthrough and termination #294

Open
cohesive-flight opened this issue Jan 30, 2025 · 10 comments

Comments

@cohesive-flight

cohesive-flight commented Jan 30, 2025

Problem
When using Caddy to handle both SSL passthrough and termination, I encounter a "404 Not Found" error when using services configured for passthrough.

Caddyfile (updated)
{
	debug
	auto_https disable_certs
	layer4 {
		:443 {
			@match1 tls sni service1.example.com
			route @match1 {
				proxy 192.168.0.15:443
			}

			@match2 tls sni service2.example.com service3.example.com
			route @match2 {
				proxy 192.168.0.16:443
			}

			@match3 tls sni service4.example.com
			route @match3 {
				proxy 192.168.0.17:443
			}

			@excluded not {
				tls {
					sni service1.example.com service2.example.com service3.example.com service4.example.com
				}
			}

			route @excluded {
				proxy 127.0.0.1:1443
			}
		}
	}
}

:1443 {
	tls /etc/fullchain.pem /etc/privkey.pem

	@match4 host service5.example.com
	handle @match4 {
		reverse_proxy http://192.168.0.18:5000
	}

	@match5 host service6.example.com
	handle @match5 {
		reverse_proxy http://192.168.0.18:6000
	}

	@match6 host service7.example.com
	handle @match6 {
		reverse_proxy http://192.168.0.19:2000
	}

	handle {
		respond "404 Not Found" 404
	}
}

Logs
{"level":"info","ts":1738430590.6814106,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1738430590.6828122,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1738430590.683959,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//[::1]:2019","//127.0.0.1:2019","//localhost:2019"]}
{"level":"debug","ts":1738430590.6843662,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"5812dx12-85hd-193j-n45d-4dj2198gvnh5","origin":"tls","data":{"sans":["example.com","*.example.com"]}}
{"level":"debug","ts":1738430590.6843808,"logger":"tls.cache","msg":"added certificate to cache","subjects":["example.com","*.example.com"],"expiration":1934284859,"managed":false,"issuer_key":"","hash":"18972894791798fdgbbkbjk35t2000744814712586897df6897sd7f9asd7f873","cache_size":1,"cache_capacity":10000}
{"level":"warn","ts":1738430590.6843984,"logger":"http.auto_https","msg":"skipping automated certificate management for server because it is disabled","server_name":"srv0"}
{"level":"info","ts":1738430590.6844018,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1738430590.6844223,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":1443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.18:5000"}]}]}]}],"match":[{"host":["service5.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.18:6000"}]}]}]}],"match":[{"host":["service6.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.19:2000"}]}]}]}],"match":[{"host":["service7.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"body":"404 Not Found","handler":"static_response","status_code":404}]}]}]}]}],"terminal":true}],"tls_connection_policies":[{"certificate_selection":{"any_tag":["cert0"]}}],"automatic_https":{"disable_certificates":true}}}}}
{"level":"info","ts":1738430590.6845593,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0001ab380"}
{"level":"debug","ts":1738430590.6852462,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"warn","ts":1738430590.6852653,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1738430590.6852682,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1738430590.6852708,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1738430590.6852984,"logger":"http","msg":"starting server loop","address":"[::]:1443","tls":true,"http3":false}
{"level":"info","ts":1738430590.6853034,"logger":"http","msg":"enabling HTTP/3 listener","addr":":1443"}
{"level":"info","ts":1738430590.6853535,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1738430590.6854646,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1738430590.6855013,"logger":"layer4","msg":"listening","address":"tcp/[::]:443"}
{"level":"info","ts":1738430590.685739,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1738430590.6857479,"msg":"serving initial configuration"}
{"level":"info","ts":1738430590.686241,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"12407890-dg72-d81y-9889-dd2489nvs154","try_again":1721359808.2357298,"try_again_in":81246.999999154}
{"level":"info","ts":1738430590.6862965,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1738430594.737028,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430594.738577,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50788","bytes":1448}
{"level":"debug","ts":1738430594.738592,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430594.7385976,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430594.7386005,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430594.7386036,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430594.738607,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","error":"consumed all prefetched bytes","matcher":"layer4.matchers.not","matched":false}
{"level":"debug","ts":1738430594.7386165,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50788","bytes":2223}
{"level":"debug","ts":1738430594.7386336,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:50788","server_name":"service1.example.com"}
{"level":"debug","ts":1738430594.7386365,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50788","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738430594.7388783,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:50788","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738430594.8004546,"logger":"layer4","msg":"connection stats","remote":"192.168.0.143:50788","read":3218,"written":3820,"duration":0.063435465}
{"level":"debug","ts":1738430595.0872593,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430595.087649,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50796","bytes":2048}
{"level":"debug","ts":1738430595.0876718,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430595.0876787,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430595.087683,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430595.08771,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430595.0877345,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","error":"consumed all prefetched bytes","matcher":"layer4.matchers.not","matched":false}
{"level":"debug","ts":1738430595.0877635,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50796","bytes":2223}
{"level":"debug","ts":1738430595.087779,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:50796","server_name":"service1.example.com"}
{"level":"debug","ts":1738430595.087782,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50796","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738430595.0879512,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:50796","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738430600.1557646,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.1563914,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50808","bytes":2048}
{"level":"debug","ts":1738430600.1564023,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.1564152,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.1564214,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.1564314,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.1564355,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","error":"consumed all prefetched bytes","matcher":"layer4.matchers.not","matched":false}
{"level":"debug","ts":1738430600.156444,"logger":"layer4","msg":"prefetched","remote":"192.168.0.143:50808","bytes":2207}
{"level":"debug","ts":1738430600.1564646,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738430600.156477,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:50808","server_name":"service3.example.com"}
{"level":"debug","ts":1738430600.1564796,"logger":"layer4","msg":"matching","remote":"192.168.0.143:50808","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738430600.1566212,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:50808","upstream":"192.168.0.16:443"}

Steps to Reproduce:

  1. Start Caddy with a Caddyfile structured like mine
  2. Access a service configured for SSL passthrough and verify it's working after refreshing its page.
  3. Access another service also configured for SSL passthrough, and verify it's working after refreshing its page.
  4. Return to the initial service you accessed in step 2, refresh its page, and verify you're presented with a "404 Not Found" error.
  5. Check the remaining service configured for SSL passthrough and verify you're also presented with a "404 Not Found" error.

The service used in step 3 could be replaced with one configured for termination. It seems any service configured for SSL termination will always work, but services configured for SSL passthrough will encounter this error when using any other service while it's still active. It requires a hard reload (CTRL + SHIFT + R) for it to start working again, but it'll cause other services configured for passthrough to encounter the same error.

Environment

OS: Debian 12
Version: 2.9.1

Dockerfile (built 12 days ago, so one commit behind the caddy-l4 repo)
FROM caddy:2.9.1-builder-alpine@sha256:c82c536196354acff870ce9f99795ed7bff7d1ed85c52c8d3f10a1688a947de3 AS builder

RUN xcaddy build \
    --with github.com/mholt/caddy-l4 \
    --with github.com/caddyserver/transform-encoder

FROM caddy:2.9.1-alpine@sha256:b60636634fd2aebaf9460cf60997ad83aad6b139318d5713e2b78a60f52b139c

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Compose
services:
  caddy:
    image: caddy:2.9.1-layer4
    container_name: caddy
    user: 1000:1000
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
    security_opt:
      - no-new-privileges
    volumes:
      - ./caddyfile.d:/etc/caddy
      - ./fullchain.pem:/etc/fullchain.pem
      - ./privkey.pem:/etc/privkey.pem
      - ./sites:/srv
      - ./config:/config
      - ./data:/data

Observations

The error indicates services configured for passthrough are being proxied to the layer 7 portion of Caddy running at port 1443, but why is that the case? Am I not using the not matcher correctly?

I initially didn't have any sort of exclusion, but I ran into this same issue and attempted to explicitly deny server names of services configured for passthrough.
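The SNI matching that the layer4 routes above depend on is a decision made from the first bytes of each TCP connection, before any TLS handshake is performed by Caddy itself. As an added illustration (not code from this issue or from caddy-l4), the following Python program parses the server_name out of a TLS ClientHello and applies the same match-or-exclude table as the Caddyfile: listed SNIs are passed through, and anything else goes to 127.0.0.1:1443. The upstream addresses are taken from the Caddyfile above; the ClientHello bytes are constructed inside the program rather than captured. The truncated-buffer case shows what the debug lines reporting `consumed all prefetched bytes` with `matched: false` correspond to: until the whole record has been buffered there is no SNI to compare, so a matcher can only report "not matched yet" and retry after the next prefetch.

```python
"""Added example: the routing decision a layer-4 SNI matcher makes (not caddy-l4 code)."""
import struct
from typing import Optional

# Assumed from the Caddyfile in the issue: an exact SNI match is passed through
# untouched; every other SNI (the "not" route) goes to the local terminating server.
ROUTE_TABLE = {
    "service1.example.com": "192.168.0.15:443",
    "service2.example.com": "192.168.0.16:443",
    "service3.example.com": "192.168.0.16:443",
    "service4.example.com": "192.168.0.17:443",
}
TERMINATION_UPSTREAM = "127.0.0.1:1443"


class NeedMore(Exception):
    """The buffer does not yet hold a complete ClientHello; a matcher reports
    matched=false ("consumed all prefetched bytes"), prefetches more and retries."""


class Malformed(ValueError):
    """The bytes are not a TLS ClientHello (or are corrupt)."""


def _vec(buf: bytes, pos: int, width: int):
    """Read a vector whose big-endian length field is `width` bytes wide."""
    if len(buf) < pos + width:
        raise Malformed("short length field")
    n = int.from_bytes(buf[pos:pos + width], "big")
    pos += width
    if len(buf) < pos + n:
        raise Malformed("short vector")
    return buf[pos:pos + n], pos + n


def extract_sni(buf: bytes) -> Optional[str]:
    """Return the server_name from one TLS record holding a ClientHello, or None
    if the client sent no SNI. A truncated buffer (or a hello split across
    records, which this parser does not reassemble) raises NeedMore."""
    if len(buf) < 5:
        raise NeedMore
    if buf[0] != 0x16:  # content type 22 = handshake
        raise Malformed("not a TLS handshake record")
    rec_len = struct.unpack(">H", buf[3:5])[0]
    if len(buf) < 5 + rec_len:
        raise NeedMore
    rec = buf[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:  # handshake type 1 = ClientHello
        raise Malformed("not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    if len(rec) < 4 + hs_len:
        raise NeedMore
    hello = rec[4:4 + hs_len]
    pos = 34  # client_version(2) + random(32)
    if len(hello) < pos:
        raise Malformed("short ClientHello")
    for width in (1, 2, 1):  # session_id, cipher_suites, compression_methods
        _, pos = _vec(hello, pos, width)
    if pos == len(hello):  # no extensions block at all
        return None
    exts, _ = _vec(hello, pos, 2)
    pos = 0
    while pos < len(exts):
        if len(exts) < pos + 2:
            raise Malformed("short extension header")
        ext_type = struct.unpack(">H", exts[pos:pos + 2])[0]
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == 0:  # extension type 0 = server_name
            names, _ = _vec(data, 0, 2)
            npos = 0
            while npos < len(names):
                name_type = names[npos]
                name, npos = _vec(names, npos + 1, 2)
                if name_type == 0:  # name_type 0 = host_name
                    return name.decode("ascii")
    return None


def decide(buf: bytes) -> str:
    """Match-or-exclude routing for a buffered client prefix: the upstream to
    dial, or "need more" / "malformed" when no decision is possible yet."""
    try:
        return ROUTE_TABLE.get(extract_sni(buf), TERMINATION_UPSTREAM)
    except NeedMore:
        return "need more"
    except Malformed:
        return "malformed"


def build_client_hello(sni: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record carrying `sni`."""
    name = sni.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name  # one host_name entry
    sni_ext = struct.pack(">HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + bytes(32)                        # version + zero random
            + b"\x00"                                      # empty session_id
            + b"\x00\x02\x13\x01"                          # one cipher suite
            + b"\x01\x00"                                  # null compression
            + struct.pack(">H", len(sni_ext)) + sni_ext)   # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs
```

Feeding `decide()` the first half of a constructed hello returns "need more"; the same bytes in full return 192.168.0.15:443 for service1.example.com, and a hello for a name outside the table (service5.example.com, say) lands on 127.0.0.1:1443, which is the behaviour the `not` route in the Caddyfile is meant to produce.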

@vnxme
Collaborator

vnxme commented Jan 30, 2025

@cohesive-flight Your issue lacks some relevant details, so it's unclear how to reproduce it. It may be useful if you add debug to the global config section and post your log here indicating the moment when you get 404.

I have another idea though. What if you rewrite your config to use the listener wrapper mode? See an example here.

@cohesive-flight
Author

Your issue lacks some relevant details, so it's unclear how to reproduce it. It may be useful if you add debug to the global config section and post your log here indicating the moment when you get 404.

I've added steps for reproducing the issue along with debug logs that will appear when following the steps.

I have another idea though. What if you rewrite your config to use the listener wrapper mode? See an example here.

I wasn't aware of this. I'll give it a try and provide an update.

@cohesive-flight cohesive-flight changed the title Handling Both SSL Passthrough and Termination Issue when handling both SSL passthrough and termination Feb 1, 2025
@cohesive-flight
Author

cohesive-flight commented Feb 2, 2025

I'm still encountering this error when using a listener wrapper.

Caddyfile:
{
	debug
	auto_https disable_certs
	servers {
		listener_wrappers {
			layer4 {
				@host1 tls sni service1.example.com
				route @host1 {
					proxy 192.168.0.15:443
				}

				@host2 tls sni service2.example.com service3.example.com
				route @host2 {
					proxy 192.168.0.16:443
				}

				@host3 tls sni service4.example.com
				route @host3 {
					proxy 192.168.0.17:443
				}
			}
			tls
		}
	}
}

*.example.com {
	tls /etc/fullchain.pem /etc/privkey.pem

	@host4 host service5.example.com
	handle @host4 {
		reverse_proxy http://192.168.0.17:5000
	}

	@host4 host service6.example.com
	handle @host4 {
		reverse_proxy http://192.168.0.17:6000
	}

	@host5 host service7.example.com
	handle @host5 {
		reverse_proxy http://192.168.0.18:2000
	}

	handle {
		respond "404 Not Found" 404
	}
}

Logs (following the same steps in the initial post):
{"level":"info","ts":1738480492.1226125,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1738480492.1240613,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1738480492.1250522,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1738480492.12525,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000582e00"}
{"level":"debug","ts":1738480492.1254027,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"5812dx12-85hd-193j-n45d-4dj2198gvnh5","origin":"tls","data":{"sans":["example.com","*.example.com"]}}
{"level":"debug","ts":1738480492.1254182,"logger":"tls.cache","msg":"added certificate to cache","subjects":["example.com","*.example.com"],"expiration":1934284859,"managed":false,"issuer_key":"","hash":"18972894791798fdgbbkbjk35t2000744814712586897df6897sd7f9asd7f873","cache_size":1,"cache_capacity":10000}
{"level":"warn","ts":1738480492.125438,"logger":"http.auto_https","msg":"skipping automated certificate management for server because it is disabled","server_name":"srv0"}
{"level":"info","ts":1738480492.1254416,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1738480492.1254559,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"listener_wrappers":[{"routes":[{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.15:443"]}]}],"match":[{"tls":{"sni":["service1.example.com"]}}]},{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.16:443"]}]}],"match":[{"tls":{"sni":["service2.example.com","service3.example.com"]}}]},{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.17:443"]}]}],"match":[{"tls":{"sni":["service4.example.com"]}}]}],"wrapper":"layer4"},{"wrapper":"tls"}],"routes":[{"handle":[{"handler":"subroute","routes":[{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.17:5000"}]}]}]}],"match":[{"host":["service5.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.17:6000"}]}]}]}],"match":[{"host":["service6.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.18:2000"}]}]}]}],"match":[{"host":["service7.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"body":"404 Not Found","handler":"static_response","status_code":404}]}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["*.example.com"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{"disable_certificates":true}}}}}
{"level":"debug","ts":1738480492.1266565,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
{"level":"info","ts":1738480492.1266737,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1738480492.1267366,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"info","ts":1738480492.1268883,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1738480492.126925,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"warn","ts":1738480492.12693,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1738480492.126932,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1738480492.126934,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1738480492.127129,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1738480492.1271353,"msg":"serving initial configuration"}
{"level":"info","ts":1738480492.1275907,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"38756aaa-750b-4dab-9a53-577551a25d9d","try_again":1738566892.1275897,"try_again_in":86399.999999705}
{"level":"info","ts":1738480492.1276464,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1738480492.9703732,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41930","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9703948,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41946","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9708781,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41930","bytes":2048}
{"level":"debug","ts":1738480492.9708953,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41930","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9708998,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41930","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9709027,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41930","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9709127,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41930","bytes":2223}
{"level":"debug","ts":1738480492.9709263,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:41930","server_name":"service1.example.com"}
{"level":"debug","ts":1738480492.9709294,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41930","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480492.9711401,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:41930","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738480492.971285,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41946","bytes":2048}
{"level":"debug","ts":1738480492.971302,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41946","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9713097,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41946","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9713135,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41946","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.971326,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41946","bytes":2223}
{"level":"debug","ts":1738480492.9713414,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:41946","server_name":"service1.example.com"}
{"level":"debug","ts":1738480492.9713514,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41946","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480492.9714906,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:41946","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738480492.973453,"logger":"caddy.listeners.layer4","msg":"connection stats","remote":"192.168.0.143:41946","read":2311,"written":1012,"duration":0.003059554}
{"level":"debug","ts":1738480492.98732,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41952","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9877481,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41952","bytes":2048}
{"level":"debug","ts":1738480492.9877582,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41952","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.987763,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41952","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9877694,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41952","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480492.9877765,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41952","bytes":2223}
{"level":"debug","ts":1738480492.9877892,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:41952","server_name":"service1.example.com"}
{"level":"debug","ts":1738480492.9877915,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41952","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480492.9879467,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:41952","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738480496.8555431,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41960","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480496.8559704,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41960","bytes":2048}
{"level":"debug","ts":1738480496.855988,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41960","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480496.8559945,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41960","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480496.855998,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41960","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480496.8560083,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:41960","bytes":2223}
{"level":"debug","ts":1738480496.856024,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:41960","server_name":"service1.example.com"}
{"level":"debug","ts":1738480496.8560274,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:41960","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480496.8562403,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:41960","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738480502.0748587,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480502.075447,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:56222","bytes":1448}
{"level":"debug","ts":1738480502.075493,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480502.0754976,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480502.0755007,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480502.0755093,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:56222","bytes":2207}
{"level":"debug","ts":1738480502.075532,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480502.075542,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:56222","server_name":"service3.example.com"}
{"level":"debug","ts":1738480502.0755455,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:56222","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480502.075713,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:56222","upstream":"192.168.0.16:443"}
{"level":"debug","ts":1738480510.4558806,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.4565017,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:52212","bytes":1448}
{"level":"debug","ts":1738480510.4565113,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.4565363,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.4565423,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.45658,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:52212","bytes":2207}
{"level":"debug","ts":1738480510.4566,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.4566076,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738480510.4566152,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:52212","server_name":"service4.example.com"}
{"level":"debug","ts":1738480510.456618,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:52212","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738480510.4569652,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:52212","upstream":"192.168.0.17:443"}
{"level":"debug","ts":1738480510.4616117,"logger":"caddy.listeners.layer4","msg":"connection stats","remote":"192.168.0.143:52212","read":2404,"written":3082,"duration":0.005759508}

@vnxme
Collaborator

vnxme commented Feb 4, 2025

I'm still encountering this error when using a listener wrapper.

What if you put protocols h1 h2 inside the global servers section of your config? I guess you might be facing 404 because of h3 enabled with no UDP wrapper (it doesn't exist yet).

@cohesive-flight
Author

cohesive-flight commented Feb 4, 2025

What if you put protocols h1 h2 inside the global servers section of your config?

Same issue occurs.

Caddyfile:
{
	debug
	auto_https disable_certs
	servers {
		protocols h1 h2
		listener_wrappers {
			layer4 {
				@host1 tls sni service1.example.com
				route @host1 {
					proxy 192.168.0.15:443
				}

				@host2 tls sni service2.example.com service3.example.com
				route @host2 {
					proxy 192.168.0.16:443
				}

				@host3 tls sni service4.example.com
				route @host3 {
					proxy 192.168.0.17:443
				}
			}
			tls
		}
	}
}

*.example.com {
	tls /etc/fullchain.pem /etc/privkey.pem

	@host4 host service5.example.com
	handle @host4 {
		reverse_proxy http://192.168.0.18:5000
	}

	@host4 host service6.example.com
	handle @host4 {
		reverse_proxy http://192.168.0.18:6000
	}

	@host5 host service7.example.com
	handle @host5 {
		reverse_proxy http://192.168.0.19:2000
	}

	handle {
		respond "404 Not Found" 404
	}
}

Logs (same steps):
{"level":"info","ts":1738659089.5350306,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1738659089.5364337,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"info","ts":1738659089.5373113,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1738659089.537483,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00039f980"}
{"level":"debug","ts":1738659089.5376658,"logger":"events","msg":"event","name":"cached_unmanaged_cert","id":"5812dx12-85hd-193j-n45d-4dj2198gvnh","origin":"tls","data":{"sans":["example.com","*.example.com"]}}
{"level":"debug","ts":1738659089.537678,"logger":"tls.cache","msg":"added certificate to cache","subjects":["example.com","*.example.com"],"expiration":1934284859,"managed":false,"issuer_key":"","hash":"18972894791798fdgbbkbjk35t2000744814712586897df6897sd7f9asd7f873","cache_size":1,"cache_capacity":10000}
{"level":"warn","ts":1738659089.5377045,"logger":"http.auto_https","msg":"skipping automated certificate management for server because it is disabled","server_name":"srv0"}
{"level":"info","ts":1738659089.5377083,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1738659089.537723,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"listener_wrappers":[{"routes":[{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.15:443"]}]}],"match":[{"tls":{"sni":["service1.example.com"]}}]},{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.16:443"]}]}],"match":[{"tls":{"sni":["service2.example.com","service3.example.com"]}}]},{"handle":[{"handler":"proxy","upstreams":[{"dial":["192.168.0.17:443"]}]}],"match":[{"tls":{"sni":["service4.example.com"]}}]}],"wrapper":"layer4"},{"wrapper":"tls"}],"routes":[{"handle":[{"handler":"subroute","routes":[{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.18:5000"}]}]}]}],"match":[{"host":["service5.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.18:6000"}]}]}]}],"match":[{"host":["service6.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"192.168.0.19:2000"}]}]}]}],"match":[{"host":["service7.example.com"]}]},{"group":"group4","handle":[{"handler":"subroute","routes":[{"handle":[{"body":"404 Not Found","handler":"static_response","status_code":404}]}]}]}]}],"terminal":true}],"tls_connection_policies":[{"match":{"sni":["*.example.com"]},"certificate_selection":{"any_tag":["cert0"]}},{}],"automatic_https":{"disable_certificates":true},"protocols":["h1","h2"]}}}}
{"level":"debug","ts":1738659089.5389125,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":false}
{"level":"info","ts":1738659089.53893,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2"]}
{"level":"debug","ts":1738659089.5389624,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"warn","ts":1738659089.5391145,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"warn","ts":1738659089.539119,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
{"level":"info","ts":1738659089.5391216,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1738659089.5392542,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1738659089.5392604,"msg":"serving initial configuration"}
{"level":"info","ts":1738659089.5400937,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"38756aaa-750b-4dab-9a53-577551a25d9d","try_again":1738745489.5400927,"try_again_in":86399.999999654}
{"level":"info","ts":1738659089.5401492,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1738659101.8326683,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:39996","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659101.8335164,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:39996","bytes":1448}
{"level":"debug","ts":1738659101.8335316,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:39996","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659101.833537,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:39996","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659101.8335397,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:39996","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659101.8336148,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:39996","bytes":2223}
{"level":"debug","ts":1738659101.8336315,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:39996","server_name":"service1.example.com"}
{"level":"debug","ts":1738659101.8336349,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:39996","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738659101.8338115,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:39996","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738659101.9737546,"logger":"caddy.listeners.layer4","msg":"connection stats","remote":"192.168.0.143:39996","read":3323,"written":3820,"duration":0.141081961}
{"level":"debug","ts":1738659102.2627604,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:40000","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659102.2633567,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:40000","bytes":2048}
{"level":"debug","ts":1738659102.2633755,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:40000","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659102.2633824,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:40000","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659102.2634015,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:40000","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659102.263424,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:40000","bytes":2223}
{"level":"debug","ts":1738659102.2634425,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:40000","server_name":"service1.example.com"}
{"level":"debug","ts":1738659102.2634463,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:40000","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738659102.2636864,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:40000","upstream":"192.168.0.15:443"}
{"level":"debug","ts":1738659107.7189596,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659107.719306,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:34950","bytes":2048}
{"level":"debug","ts":1738659107.7193458,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659107.7193532,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659107.719356,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","error":"consumed all prefetched bytes","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659107.71937,"logger":"caddy.listeners.layer4","msg":"prefetched","remote":"192.168.0.143:34950","bytes":2207}
{"level":"debug","ts":1738659107.7193863,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","matcher":"layer4.matchers.tls","matched":false}
{"level":"debug","ts":1738659107.7193937,"logger":"layer4.matchers.tls","msg":"matched","remote":"192.168.0.143:34950","server_name":"service3.example.com"}
{"level":"debug","ts":1738659107.719396,"logger":"caddy.listeners.layer4","msg":"matching","remote":"192.168.0.143:34950","matcher":"layer4.matchers.tls","matched":true}
{"level":"debug","ts":1738659107.7198606,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"192.168.0.143:34950","upstream":"192.168.0.16:443"}

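The matching that the debug logs above record, as an added example that is not part of the caddy-l4 project or of any config posted in this thread: a Go peek at the prefetched bytes of a connection that pulls the server_name out of the ClientHello, which is what a `tls sni` matcher keys on. While the record is still incomplete it reports a need-more-bytes condition, the situation the logs print as "consumed all prefetched bytes" before the next, larger prefetch; once the record is whole it returns the name. `ErrNeedMoreBytes`, `cursor`, `ExtractSNI` and `BuildClientHello` are names chosen here, not caddy-l4 APIs, and the ClientHello it parses is constructed in the code, not captured from a browser.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNeedMoreBytes mirrors the "consumed all prefetched bytes" lines in the debug
// logs above: a valid but incomplete ClientHello, so matching waits for more data.
var ErrNeedMoreBytes = errors.New("consumed all prefetched bytes")

// cursor is a bounds-checked reader; a short read latches err and later reads yield nil/0.
type cursor struct {
	b   []byte
	err error
}

func (c *cursor) take(n int) []byte {
	if c.err != nil || len(c.b) < n {
		c.err = errors.New("truncated")
		return nil
	}
	v := c.b[:n]
	c.b = c.b[n:]
	return v
}

func (c *cursor) num(n int) int { // n-byte big-endian type or length field
	v := 0
	for _, x := range c.take(n) {
		v = v<<8 | int(x)
	}
	return v
}

// ExtractSNI peeks at prefetched bytes and returns the ClientHello server_name without
// consuming them, so the same bytes can still be replayed to whichever upstream wins.
// That decision is made once, on the first bytes of a TCP connection.
func ExtractSNI(buf []byte) (string, error) {
	r := &cursor{b: buf}
	if t := r.num(1); r.err == nil && t != 0x16 { // record type: handshake
		return "", errors.New("not a TLS handshake record")
	}
	r.take(2) // legacy record version
	rec := &cursor{b: r.take(r.num(2))}
	if r.err != nil { // record header or body not fully prefetched yet
		return "", ErrNeedMoreBytes
	}
	if rec.num(1) != 0x01 { // handshake type: ClientHello
		return "", errors.New("not a ClientHello")
	}
	c := &cursor{b: rec.take(rec.num(3))}
	if rec.err != nil { // hello fragmented across records
		return "", ErrNeedMoreBytes
	}
	c.take(34)       // client_version + random
	c.take(c.num(1)) // session_id
	c.take(c.num(2)) // cipher_suites
	c.take(c.num(1)) // compression_methods
	if c.err == nil && len(c.b) == 0 { // no extensions block at all
		return "", nil
	}
	ext := &cursor{b: c.take(c.num(2))}
	for c.err == nil && ext.err == nil && len(ext.b) >= 4 {
		typ := ext.num(2)
		data := ext.take(ext.num(2))
		// server_name (type 0): list length(2), name_type(1)=host_name, length(2), name.
		// RFC 6066 permits a single host_name entry, so the first one is the answer.
		if typ == 0 && len(data) >= 5 && data[2] == 0 {
			if n := int(data[3])<<8 | int(data[4]); len(data) >= 5+n {
				return string(data[5 : 5+n]), nil
			}
		}
	}
	if c.err != nil || ext.err != nil {
		return "", errors.New("malformed ClientHello")
	}
	return "", nil // TLS, but no SNI: nothing for a tls sni matcher to match
}

func be16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// BuildClientHello constructs a minimal ClientHello carrying the given SNI
// (a constructed sample, not a browser capture; an empty name omits the extension).
func BuildClientHello(serverName string) []byte {
	body := append([]byte{0x03, 0x03}, make([]byte, 32)...) // version + zero random
	body = append(body, 0x00)                               // empty session_id
	body = append(body, 0x00, 0x02, 0x13, 0x01)             // one cipher suite
	body = append(body, 0x01, 0x00)                         // null compression
	var ext []byte
	if serverName != "" {
		entry := append(append([]byte{0x00}, be16(len(serverName))...), serverName...)
		list := append(be16(len(entry)), entry...)
		ext = append(append([]byte{0x00, 0x00}, be16(len(list))...), list...)
	}
	body = append(append(body, be16(len(ext))...), ext...)
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	return append(append([]byte{0x16, 0x03, 0x01}, be16(len(hs))...), hs...)
}

func main() {
	hello := BuildClientHello("service4.example.com")
	for _, n := range []int{3, 40, len(hello)} { // simulate successive prefetches
		sni, err := ExtractSNI(hello[:n])
		fmt.Printf("prefetched=%d sni=%q err=%v\n", n, sni, err)
	}
}
```

The returned name is what gets looked up against the `tls sni` routes; no match, or a hello without SNI, means the connection goes on to the wrapped tls listener for termination. Because the lookup happens on the first bytes of a TCP connection and is never revisited, any request a client later sends over a connection it already holds open is served by whatever that connection was routed to, whatever hostname the request names.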
@vnxme
Collaborator

vnxme commented Feb 5, 2025

I've tested the following config and it works flawlessly. I haven't received any 404 errors while requesting abc.caddy, def.caddy or xyz.caddy in various combinations.

{
	debug
	servers {
		protocols h1 h2
		listener_wrappers {
			layer4 {
				@host1 tls sni abc.caddy
				route @host1 {
					proxy machine1:443
				}
				@host2 tls sni def.caddy
				route @host2 {
					proxy machine2:443
				}
			}
			tls
		}
	}
}

*.caddy {
	@host3 host xyz.caddy
	handle @host3 {
		reverse_proxy http://machine3:80
	}

	handle {
		respond "404 Not Found" 404
	}
}

My hosts file contains the following lines:

127.0.0.1	abc.caddy
127.0.0.1	def.caddy
127.0.0.1	xyz.caddy

::1		abc.caddy
::1		def.caddy
::1		xyz.caddy

Unless you provide any further details, I have no idea how to reproduce the issue. By the way, you have multiple mistakes here:

	@host4 host service5.example.com <-- should be @host5
	handle @host3 { <-- should be @host5
		reverse_proxy http://192.168.0.17:5000
	}
	
	@host4 host service6.example.com <-- should be @host6
	handle @host3 { <-- should be @host6
		reverse_proxy http://192.168.0.17:6000
	}
	
	@host5 host service7.example.com <-- should be @host7
	handle @host4 { <-- should be @host7
		reverse_proxy http://192.168.0.18:2000
	}
	
	handle {
		respond "404 Not Found" 404
	}

@cohesive-flight
Author

cohesive-flight commented Feb 6, 2025

Are you using the Dockerfile and compose file I added in the initial post? I've been testing this with Firefox, and the same issue also occurs with a Chromium browser, but hard reloading behaves differently in Chromium, so the steps I provided won't apply.

And those aren't mistakes. The service's number isn't meant to correlate with the host's number. It's intended to demonstrate that I'm proxying to multiple different services running on the same host. But I did forget to increment the IP starting from host4, so I'll fix that now.

Correction: Partially mistakes. I was referring to the wrong host in the examples I provided, but my actual Caddyfile doesn't.

@vnxme
Collaborator

vnxme commented Feb 6, 2025

Are you using the Dockerfile and compose file I added in the initial post? I've been testing this with Firefox, and the same issue also occurs with a Chromium browser, but hard reloading behaves differently in Chromium, so the steps I provided won't apply.

No, I've tested it inside my IDE (GoLand) with the simplified config I posted above. I don't have Firefox, used Chrome instead.

And those aren't mistakes.

You may call it anything you like, but your config has two equally-named matchers (@host4), which is wrong, and two handlers trying to match a non-existing matcher (@host3), which is also wrong.

@cohesive-flight
Author

Ah, sorry. I misunderstood what you were correcting. I was associating the host's number with the host running the service, so when I saw you matching it with the service's number, I thought you misunderstood. But no, I confused how the matchers work (probably because of the name choice I made, so I think I'll use @serviceX instead of @hostX to make it clearer). I did catch the latter mistake though and corrected it with edits before you commented.

Anyway, neither of these mistakes are present in my actual Caddyfile, so this is still potentially a bug. I just did a poor job in "translating" it to a practical example. I'm going to try to use a more native installation to see if this is only Docker-specific.

@cohesive-flight
Author

cohesive-flight commented Feb 8, 2025

I've tested the Caddyfile with a Debian package of Caddy (used the xcaddy package from the Cloudsmith repo to build it with l4) instead of a Docker image, and the same issue still occurs when using either Firefox or Brave. But it led me to discover that this seems to be a cookie issue rather than a Caddyfile one, as while I was testing, I decided to try accessing service1 (configured for SSL passthrough) in private browsing mode while accessing service5 (configured for SSL termination) normally. Surprisingly, I was able to reload and use service1 without issue even after accessing, reloading, and using service5. I also tested this with the Multi-Account Containers extension, which isolates cookies to its own container, and it works perfectly.

I'm not sure why cookies are causing this issue, but I'm going to continue using the Multi-Account Containers extension to work around it for now.

Also, here's the fixed Caddyfile that matches the structure of my current one:

Caddyfile
{
	debug
	auto_https disable_certs
	servers {
		protocols h1 h2
		listener_wrappers {
			layer4 {
				@match1 tls sni service1.example.com
				route @match1 {
					proxy 192.168.0.15:443
				}

				@match2 tls sni service2.example.com service3.example.com
				route @match2 {
					proxy 192.168.0.16:443
				}

				@match3 tls sni service4.example.com
				route @match3 {
					proxy 192.168.0.17:443
				}
			}
			tls
		}
	}
}

*.example.com {
	tls /etc/fullchain.pem /etc/privkey.pem

	@match4 host service5.example.com
	handle @match4 {
		reverse_proxy http://192.168.0.18:5000
	}

	@match5 host service6.example.com
	handle @match5 {
		reverse_proxy http://192.168.0.18:6000
	}

	@match6 host service7.example.com
	handle @match6 {
		reverse_proxy http://192.168.0.19:2000
	}

	handle {
		respond "404 Not Found" 404
	}
}
