
Caddy with SSL does not work for dynamic loading screen #293

Open
valankar opened this issue Apr 27, 2024 · 7 comments
Labels
bug Something isn't working

Comments

@valankar
Contributor

Describe the bug
When using the HTTPS endpoint, it seems the dynamic loading screen does not work. Here is the curl output:

valankar@debian ~/caddy> curl -v https://valankar.ftp.sh/accounts_plotly/
*   Trying [2a01:4f9:c011:8a49::1]:443...
* Connected to valankar.ftp.sh (2a01:4f9:c011:8a49::1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=valankar.ftp.sh
*  start date: Apr 20 10:31:25 2024 GMT
*  expire date: Jul 19 10:31:24 2024 GMT
*  subjectAltName: host "valankar.ftp.sh" matched cert's "valankar.ftp.sh"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /accounts_plotly/]
* h2h3 [:scheme: https]
* h2h3 [:authority: valankar.ftp.sh]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55b2107d0400)
> GET /accounts_plotly/ HTTP/2
> Host: valankar.ftp.sh
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
* Connection #0 to host valankar.ftp.sh left intact
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)

And when I use the HTTP endpoint, it works:

valankar@debian ~/caddy> curl -v http://valankar.ftp.sh/accounts_plotly/
...
<div class="terminal">
    <h1><span>Starting </span> <span class="error_code">Accounts</span>...</h1>
    <p class="output"><span>Your instance(s) will stop after 1 minutes of inactivity</span>.</p>

    <div class="details">
        <p class="output small command"><span>sablier status <span class="error_code">accounts</span></span></code></p>
        <p class="output small success"><span>accounts</span> is not-ready <code>(0/1)</code></p>
    </div>

</div>
</body>

Context

  • Sablier version: 1.6.1
  • Provider: docker 26.1.0
  • Reverse proxy: caddy 2.7.6
  • Sablier running inside a container? yes

Expected behavior
Working via HTTPS.

@valankar valankar added the bug Something isn't working label Apr 27, 2024
@valankar
Contributor Author

Here is the relevant Caddyfile config:

valankar.ftp.sh, valankar.ftp.sh:80 {
        log
        route {
                sablier http://localhost:10000 {
                        names accounts
                        session_duration 1m
                        dynamic {
                                display_name Accounts
                        }
                }
                reverse_proxy localhost:8050
        }
}

@acouvreur
Member

Maybe HTTP2 is the issue, can you try without HTTP2?

@valankar
Contributor Author

valankar commented May 3, 2024

I switched to using Cloudflare tunnels and don't need SSL in Caddy anymore. It works great in that case.

Feel free to close. But might want to verify whether it works via SSL in your end-to-end test.

@cheats-py

I'm having loads of trouble getting sablier to work with TLS. I've tried with traefik and caddy, as soon as I add TLS to the route it stops working. It would be nice to see some examples in the documentation on how to use TLS both with caddy and traefik reverse proxies.

@acouvreur
Member

> I'm having loads of trouble getting sablier to work with TLS. I've tried with traefik and caddy, as soon as I add TLS to the route it stops working. It would be nice to see some examples in the documentation on how to use TLS both with caddy and traefik reverse proxies.

Hello, can you please share your setup?

I have no issue with Traefik and TLS.

@cheats-py

I just revisited this and now it's working LOL, sorry. The only thing I changed in my compose is the traefik version and sablier version. I originally had traefik:v2.10 and acouvreur/sablier:1.6.0. I changed both to latest and now it's working. I spent hours trying to get this to work about a month ago.

@freezurbern

Caddy with SSL does not work for me with this Caddyfile:

*.example.com {
	tls {
		dns cloudflare KEY
		resolvers 1.1.1.1
	}

	@foo host foo.example.com
	handle @foo {
		respond "Foo!"
	}

	@host_int_whoami host whoami.example.com
	handle @host_int_whoami {
		sablier {
			group whoami
			blocking {
				timeout 1m
			}
			session_duration 30s
		}
		reverse_proxy whoami:80
	}
	# Fallback for unhandled subdomains
	handle {
		abort
	}
}

I noticed the request goes directly to the container before starting it. Therefore it is refused, and a blank page is shown.


4 participants