Caddy won't route external requests - get Default deny / state violation

Started by OPNSense_toq, April 11, 2024, 07:15:38 PM

OPNSense 24.1.5_2-amd64
Caddy os-caddy (installed)   1.5.3

I have installed caddy and gotten internal requests to https://server1.mydomain.tld to route properly. Works great. However, if I try to hit the same site from external I get Default deny / state violation error in the logs. So I know the request is actually making it to my OPNsense but for some reason they aren't making it to Caddy.

I do have Firewall rules on both the LAN and WAN interfaces that point 80 and 443 to 'This Firewall' as specified in the documentation. But it doesn't look like the external requests are actually making it that far.

I tried troubleshooting this with the folks at Caddy but they sent me over here. Here is the support thread.
https://caddy.community/t/caddy-opnsense-internal-working-external-not/23426/9

Appreciate any help or ideas of what to look at. Thanks.

Did you move your UI to a different port than 443 and disable the HTTP --> HTTPS redirection?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


Then please show the firewall rule on WAN.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)


And that's on the WAN interface? Could you try:

- remove UDP - it's not used
- change "This Firewall" for "WAN address"

?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Actually UDP is used because Caddy supports HTTP/1, 2 and 3. That's why I put that in the doc as a suggested rule.
Hardware:
DEC740

Quote from: Monviech on April 11, 2024, 08:09:26 PM
Actually UDP is used because Caddy supports HTTP/1, 2 and 3. That's why I put that in the doc as a suggested rule.

TIL :)
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I have already tried most troubleshooting steps I could think of in the Caddy forum. What's left would be a complete print of all NAT and firewall rules from FIREWALL: DIAGNOSTICS: STATISTICS: rules.

Hardware:
DEC740

Wow, there is a lot in FIREWALL: DIAGNOSTICS: STATISTICS: rules.

Is there an easy way to output that? From the command line maybe?

Can you just create a rule in

Firewall: Rules: Floating

That allows anything?

Just press +, then save, then apply.

Look if it solves the issue. If it does, you know it's really the firewall and we can look at the rules afterwards.

Just delete this rule after your tests finish.
Hardware:
DEC740

An any/any floating rule does appear to allow Caddy to forward requests, but they go to the wrong port. Does that offer any insight? I can look into it more later.

Please disable the Floating rule again (don't forget it).

These redirects are weird. Maybe your application forces redirects or something else weird is happening. I really don't understand this.

I guess it doesn't work from externally because Caddy receives the request, but then there are redirects going on, forced by the application behind it. Then the traffic tries to get redirected to port 5000, but there is no rule allowing that. And it really shouldn't happen.

These kinds of redirects have to be troubleshot with a recursive curl command that shows what's going on.

EDIT:


root@opn02:~ # curl -L jelly.castlewolf.net
<!DOCTYPE html>
<html>
    <body>
        <input type="hidden" id="http" name="http" value="5000">
        <input type="hidden" id="https" name="https" value="5001">
        <input type="hidden" id="prefer_https" name="prefer_https" value="false">
    </body>
    <script type="text/javascript">
        var protocol=location.protocol;
        var port=location.protocol === "https:" ? 5001 : 5000;
        var URL=protocol+"//"+location.hostname+":"+port+location.pathname+location.search;
        location.replace(URL);
    </script>
</html>


There is JavaScript on your Synology NAS that forces a client-side redirect to port 5000 for http and 5001 for https.

That's why it doesn't work: a reverse proxy can't fix client-side redirects happening.

Edit2:

Now we have proven it's not an OPNsense problem, and not a Caddy problem; it's an application-side problem. The Synology NAS forces a client-side redirect with JavaScript.
Hardware:
DEC740
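The diagnosis above (a JavaScript redirect that the reverse proxy cannot rewrite, because it runs in the browser after the response has already passed through Caddy) is something you can check offline once you have the response body from `curl -L`. The following Python is an added example, not code from the thread, from OPNsense, Caddy or Synology: `SAMPLE_BODY` is a copy of the HTML pasted above, the function names `client_side_redirect` and `proxy_breaks` are mine, and it assumes the hidden `http`/`https` inputs carry the same ports the script hardcodes (which holds for the pasted page). It works out where the browser would actually land and whether that port is one the proxy publishes.

```python
"""Detect a client-side (JavaScript) redirect in a proxied page and report
where it sends the browser.  Added example; assumptions noted inline."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: a copy of the body the thread obtained with `curl -L`.
SAMPLE_BODY = """<!DOCTYPE html>
<html>
    <body>
        <input type="hidden" id="http" name="http" value="5000">
        <input type="hidden" id="https" name="https" value="5001">
        <input type="hidden" id="prefer_https" name="prefer_https" value="false">
    </body>
    <script type="text/javascript">
        var protocol=location.protocol;
        var port=location.protocol === "https:" ? 5001 : 5000;
        var URL=protocol+"//"+location.hostname+":"+port+location.pathname+location.search;
        location.replace(URL);
    </script>
</html>
"""

# A server-side redirect would be an HTTP 3xx that curl -L follows; this
# pattern spots the browser-side equivalent that a proxy never sees.
JS_REDIRECT = re.compile(r"location\.(replace|assign|href)\s*[\(=]")


class _HiddenInputs(HTMLParser):
    """Collect name -> value of every <input type="hidden">."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type") == "hidden" and a.get("name"):
            self.values[a["name"]] = a.get("value", "")


def client_side_redirect(requested_url, body):
    """Return the URL the page's script would redirect the browser to, or
    None when the body carries no JavaScript redirect.

    Assumption (matches the pasted page): the target port is the hidden
    input named after the request scheme ("http" or "https"); the script
    keeps scheme, host, path and query and only swaps in that port."""
    if not JS_REDIRECT.search(body):
        return None
    parser = _HiddenInputs()
    parser.feed(body)
    parts = urlsplit(requested_url)
    if not parts.hostname:
        raise ValueError("requested_url must be absolute, e.g. https://host/")
    port = parser.values.get("https" if parts.scheme == "https" else "http")
    if not port or not port.isdigit():
        return None
    netloc = f"{parts.hostname}:{port}"
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


def proxy_breaks(requested_url, body, published_ports=(80, 443)):
    """(True, target) when the redirect lands on a port the reverse proxy does
    not publish, i.e. external clients will be sent somewhere unreachable."""
    target = client_side_redirect(requested_url, body)
    if target is None:
        return False, None
    return urlsplit(target).port not in published_ports, target


if __name__ == "__main__":
    for url in ("http://jelly.castlewolf.net/", "https://jelly.castlewolf.net/"):
        broken, target = proxy_breaks(url, SAMPLE_BODY)
        print(f"{url} -> {target} (breaks behind proxy: {broken})")
```

In practice you would save the output of `curl -L -s https://your.host/` to a file and pass its contents as `body`; a `True` from `proxy_breaks` means the fix belongs on the application (or in a different published path), not in the firewall or Caddy rules.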


I knew it was something stupid simple that I was missing. Thank you for your comment. I had port forwards in place for 80 and 443 (Firewall -> NAT -> Port Forward). I had completely forgotten about them. Removed those, everything works as expected.

Thank you everyone for your help.

Hi,

I am trying to set up Caddy on OPNsense for a Synology NAS and have similar issues.

Would you mind sharing the solution to resolve this issue?

I too have the redirect issue. BTW, I have created the A record on Cloudflare for the Synology (nas.mydomain.com).

Thanks in advance for the help.