[Caddy] Remote access not working from some networks

matto · January 14, 2019, 2:22pm

Hi all!

I’ve done my best to search the forum before asking this, but I could not find anything.
I recently implemented Caddy to be able to remotely access some services in my network by using subdomains and close a lot of open ports in my router. I have the DuckDNS addon and I disabled LetsEncrypt there and enabled it in Caddy.

Everything works great as expected (with local and remote access), but I have one strange problem: I can’t access my home’s Hassio from work. It only happens from this network. If I connect from my phone using 4G, it works flawlessly. But then if I connect my phone to my company’s WiFi, I get a timeout.
The strange part of the story is that I can access all of my subdomains with no problems at all, but only my main URL is not working.

This is my Caddyfile:

example.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
    }

    proxy / localhost:8123 {
        websocket
        transparent
    }
}

config.example.duckdns.org {
    proxy / localhost:3218 {
        websocket
        transparent
    }
}

logs.example.duckdns.org {
    proxy / localhost:4277 {
        websocket
        transparent
    }
}

tasmoadmin.example.duckdns.org {
    proxy / localhost:9541 {
        websocket
        transparent
    }
}

octoprint.example.duckdns.org {
    proxy / 192.168.1.111:80 {
        websocket
        transparent
    }
}

Here’s what’s working and what is not:

I was able to access with no problems from my work’s network before implementing Caddy.
Any ideas?

Thanks!

Florian · January 14, 2019, 4:17pm

Can you explain what you mean with “Timeout”?

Do you get a page containing the following message?

Unable to connect to Home Assistant.

And did you click “Retry” if you are talking about this message?

matto · January 14, 2019, 5:09pm

Not exactly!

The page stays loading for a very long time (a couple of minutes) and ends up showing the Chrome timeout page with the message “This webpage is not available - ERR_CONNECTION_TIMED_OUT”

I’ve tried reloading, erasing the cache and even with another browser, but no luck.
It also happens with my Android clients (both HA Client and Ariela). They give a connection time out only when I’m connecting from my workplace’s network. They run perfectly from everywhere else.

Florian · January 14, 2019, 6:33pm

I’ve noticed you’re using the header just for the subdomain, not the sub-subdomains. You could try to use the header also for one of the sub-subdomains (e.g. logs.exam...) and try if this has any effect. If this sub-subdomain also stops working you have the “culprit”.

If the sub-subdomain still works with the header try it by adding the following between header and proxy of the subdomain:

tls {
  alpn http/1.1
}

Don’t forget to restart Caddy after changing the configuration

matto · January 14, 2019, 7:56pm

Okay!

I actually did something like that this morning, but the other way around: given that the sub-subdomains work without the header, I just removed the header from the subdomain and restarted Caddy, but no luck.

I’m home now, but I’ll try your suggestions tomorrow first time in the morning and let you know.
Thanks for your help!

matto · January 15, 2019, 11:31am

Ok, an update and some good news:

I tested your suggestions separately, and no luck. But then I thought that it could be some problem with the router. Since we have the router in the office, I have access to it’s configuration (we’re a small company).
What I did is to change the DNS to 1.1.1.1 instead of leaving it in “automatic”, and then it happened.
It works now!

I’m a little confused anyway, because if it really was a DNS problem, the sub-subdomains should not have worked either, right?

In any case, it works now.
Thanks a lot for your help!

Florian · January 15, 2019, 4:26pm

Could be that you’ve tested with your subdomain first, the IP behind it changed and while the old one was still cached in your company’s router while the sub-subdomains’ IPs were fetched later and pointed to the up-to-date IP…

Anyway, I’m glad that it is working now