Messages - awshirley

#1
I'm getting an error in the Caddy log when trying to use the reverse proxy on a Plex instance.  The log shows:

"error","ts":"2025-03-19T23:36:47Z","logger":"http.log.error","msg":"EOF","request":{"remote_ip":"192.168.x.xxx","remote_port":"50589","client_ip":"192.168.x.xxx","proto":"HTTP/2.0","method":"GET","host":"plexsub.mydomain.com","uri":"/media/providers?X-Plex-Product=Plex%20Web&X-Plex-Version=4.145.1&X-Plex-Client-Identifier=y1574g5pgysu0b7435g9qsqd&X-Plex-Platform=Firefox&X-Plex-Platform-Version=136.0&X-Plex-Features=external-media%2Cindirect-media%2Chub-style-list&X-Plex-Model=bundled&X-Plex-Device=Windows&X-Plex-Device-Name=Firefox&X-Plex-Device-Screen-Resolution=1536x731%2C1536x864&X-Plex-Token=TWeNgtGispep-E4RBR1m&X-Plex-Language=en&X-Plex-Session-Id=72ff17fc-21db-4b3b-8437-9194ca66bd7d","headers":{"Referer":["http://192.168.x.xxx:32400/"],"Accept-Encoding":["gzip, deflate, br, zstd"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:136.0) Gecko/20100101 Firefox/136.0"],"Accept-Language":["en"],"Dnt":["1"],"Sec-Fetch-Site":["cross-site"],"Accept":["application/json"],"Sec-Fetch-Dest":["empty"],"Sec-Fetch-Mode":["cors"],"Sec-Gpc":["1"],"Te":["trailers"],"Origin":["http://192.168.x.xxx:32400"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"plexsub.mydomain.com"}},"duration":0.000950754,"status":502,"err_id":"kr1iycyqd","err_trace":"reverseproxy.statusError (reverseproxy.go:1373)"}

Plex is stating that remote access through the reverse proxy doesn't work.  Is this something easily fixed?
#2
Thank you for the info on the UDP bug.  I don't recall seeing an option to turn UDP off for Layer 4 to work properly.
#3
I need assistance with two Caddy issues

1.  I started using Caddy for a reverse proxy last week.  Once I got it working, I started having issues when it had been running for 6 - 12 hours.  The reverse proxy was working and then it would stop.  I didn't see anything in the logs that indicated what the problem is.  I'm not using a dyndns service.

2.  I followed the instructions to use Caddy as a Layer 4/7 proxy for SSH.  When trying to SSH in, all I got was a message stating the connection had been reset.  I couldn't log into SSH.  I didn't see anything unusual in the logs.

I can post any config or logs that are needed.

Thanks!
#4
Thank you for reviewing my caddy file.  You pointed me in the right direction, an infrastructure issue.  I had port forwarding turned on for 40 and 443 to point to NPM.  I turned it off and Caddy now has the ports.

Thanks again!
#5
Here's my caddy file.  I've removed the personal info.  I hope this helps.

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
   log {
      output net unixgram//var/run/caddy/log.sock {
      }
      format json {
         time_format rfc3339
      }
   }

   servers {
      protocols h1 h2 h3
      log_credentials
   }

   dynamic_dns {
      provider duckdns xxx-xxxxx-xxxx
      domains {
         mysite.duckdns.org *
         mysite.duckdns.org ab
      }
      versions ipv4
      update_only
   }

   email myemail@domain.com
   grace_period 10s
   import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "xxx-xxx-xxxxx"
*.mysite.duckdns.org {
   tls {
      issuer acme {
         dns duckdns {
            api_token xxx-xxx-xxxxx
         }
      }
   }

   @xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx {
      host ab.mysite.duckdns.org
   }
   handle @xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx {
      handle {
         reverse_proxy 192.168.x.xxx {
         }
      }
   }
}

import /usr/local/etc/caddy/caddy.d/*.conf
#6
Hi,

I'm currently using the Nginx Proxy Manager and I'm trying to switch to the Caddy plug-in.

Originally I was getting errors with Let's Encrypt and fixed that issue but I'm still unable to access anything behind the reverse proxy.  All I'm seeing in the logs is this:

"info","ts":"2025-01-12T06:13:00Z","logger":"http.log.access","msg":"handled request","request":{"remote_ip":"127.0.0.1","remote_port":"12807","client_ip":"127.0.0.1","proto":"HTTP/1.1","method":"GET","host":"localhost","uri":"/scrape.php?v=6&url=https://www.spamhaus.org/drop/asndrop.json","headers":{"User-Agent":["python-requests/2.32.3"],"Accept-Encoding":["gzip, deflate"],"Accept":["*/*"],"Connection":["keep-alive"]}},"bytes_read":0,"user_id":"","duration":0.000013514,"size":0,"status":308,"resp_headers":{"Server":["Caddy"],"Connection":["close"],"Location":["https://localhost/scrape.php?v=6&url=https://www.spamhaus.org/drop/asndrop.json"],"Content-Type":[]}}

I'm not exactly sure what the problem is.  All suggestions are welcome.

Thank you!
#7
I upgraded firewall from 24.7 to 24.10 and I've noticed resource usage has increased by a factor of 2 times.

The CPU load average was previously below 1 and now it bounces between 3 and 30.  I've disabled as many services as I can to debug this and I'm not having any success.  The GUI slows down to the point it's almost nonresponsive.  Services are Unbound, Kea DHCP, CrowdSec and ADGuardHome.

I'm not sure where to go next to solve this issue.  All suggestions are appreciated.

Thanks!
#8
I'm currently running AdGuard on OPNsense along with intrusion detection, CrowdSec and some firewall rules to keep the nasties out.  I tried messing with Zenarmor but then OPNsense kept telling me there were updates to apply, when there were none, and Zenarmor felt like overkill.  I had used the blocklists in Unbound, but it was duplicating what AdGuard does.

Is there something out there that would pull all these separate things into one, cohesive dashboard or something in Docker?  I'm getting tired of having to check four different places when something my wife needs is getting blocked.

Thanks!
#9
24.7, 24.10 Series / Pending Upgrades
September 26, 2024, 09:13:34 PM
I'm running 24.7.5 and it's always showing I have pending updates when I log in to OPNsense.  If I remove Zenarmor, I don't have any pending updates.

Anyone know why Zenarmor would cause this?

Thanks!
#10
I initially upgraded to 24.7 with Zenarmor installed.  I'm at the current release of 24.7.4_1.  I keep having issues with pending updates, primarily for Zenarmor.

I keep seeing this update list:
New packages to be INSTALLED:
   alsa-lib: 1.2.11 [mimugmail]
   fontconfig: 2.15.0_2,1 [SunnyValley]
   freetype2: 2.13.2 [SunnyValley]
   giflib: 5.2.2 [SunnyValley]
   graphite2: 1.3.14 [mimugmail]
   jbigkit: 2.1_2 [SunnyValley]
   jpeg-turbo: 3.0.3 [SunnyValley]
   lcms2: 2.16_2 [mimugmail]
   lerc: 4.0.0 [OPNsense]
   libXext: 1.3.6,1 [mimugmail]
   libXfixes: 6.0.0_1 [mimugmail]
   libXi: 1.8_1,1 [mimugmail]
   libXrender: 0.9.10_2 [mimugmail]
   libdeflate: 1.20 [SunnyValley]
   libfontenc: 1.1.8 [SunnyValley]
   png: 1.6.43 [SunnyValley]
   tiff: 4.6.0 [OPNsense]
The update performs the download, install and deletes the old packages.

If I check updates again, the same list appears.  It doesn't matter if I reboot OPNsense or not.  Anyone know how to fix this?
#11
Zenarmor (Sensei) / Problem with Zenarmor crashing
November 03, 2021, 01:30:12 AM
Zenarmor keeps crashing on me.  I have the latest version of OPNsense and Zenarmor.  The error message is:

      zenarmor has detected a problem during operation and has shut down zenarmor services in order to prevent a network outage.

      It is because we detected high SWAP usage 82 % ( 6.62GB / 8GB )

      If you think this is something we should have a look, just click here to let us know about the details and we will investigate this further.

      You can re-enable the services from Status page.

I'm not sure how to fix this.
#12
General Discussion / Questions about web proxy
April 02, 2021, 03:23:24 AM
New user here.  I was using an old Cisco ASA 5505 at home.  Can't really do too much with it.  Cisco dropped support for it, and adding new features required another payment to Cisco.  So I switched to OPNsense and not looking back.

I've been interested in using the transparent proxy with web & AV filtering.  Just using HTTP is worthless now that almost everything is using HTTPS.  From what I've read, I need to create a certificate for HTTPS.  After that I can add the web and AV filtering for all inbound/outbound requests.

I'm not interested in browsing the HTTPS traffic, just want to filter web traffic and use the AV scanner for additional protection at home.  Is there some way I can do this without needing a certificate?  I also do not want to add the CA to each computer/phone in the house.  I'm not even sure how this would affect Roku and Amazon devices.

Any suggestions are greatly appreciated.

Thanks!