Caddy Web Server not Working
Added by Abhi Chaturvedi 15 days ago
Does anybody have a standard script for the Caddy server to act as a web server? There is one available for Apache but not for Caddy.
Is anybody using Caddy as a web server for OpenProject?
Issue Summary:
1. CSRF Token Error (Error 422) on Second Login Attempt
• Users can log in once successfully, but logging in a second time fails with a CSRF verification error.
• The error message states that the Cross-Site Request Forgery (CSRF) token is missing or invalid.
• Caddy is not correctly handling or forwarding cookies, leading to missing authentication/session tokens.
2. Session Cookies Not Persisting Properly
• On login, _open_project_session and other authentication-related cookies are set.
• However, on subsequent login attempts, the expected session cookie is either missing or being regenerated incorrectly.
• Apache does not exhibit this issue, meaning there is a difference in how Caddy and Apache handle sessions/cookies.
3. Current Caddy Configuration
• Reverse proxy is set up to forward requests to OpenProject (running on port 3000).
• Caddy is configured with header_up directives to preserve X-Forwarded-Proto, X-Real-IP, and other key headers.
• Cookies and CSRF headers may not be correctly forwarded or preserved, breaking authentication on subsequent login attempts.
4. Key Differences Between Apache and Caddy
• Apache handles session cookies correctly, while Caddy does not.
• Apache uses ProxyPass and ProxyPassReverse, which may have implicit session handling differences.
• Caddy might be missing certain headers or cookie directives that Apache manages automatically.
This is the present setup for Caddy:

    # ✅ OpenProject Reverse Proxy
    reverse_proxy http://127.0.0.1:3000 {
        transport http {
            versions h1
        }
        header_up X-Forwarded-Proto "https"
        header_up X-Forwarded-Ssl "on"
        header_up X-Real-IP {remote}
        header_down Location http://127.0.0.1:3000/login https://scalenowai.com.au/login
        header_down Location http://127.0.0.1:3000 https://scalenowai.com.au
    }

"By default OpenProject starts with the HTTPS option enabled, but it does not handle SSL termination itself. This is usually done separately via a reverse proxy setup. Without this you will run into an ERR_SSL_PROTOCOL_ERROR when accessing OpenProject.
See below how to disable HTTPS.
Be aware that if you want to use the integrated Caddy proxy as a proxy with outbound connections, you need to rewrite the Caddyfile. In the default state, it is configured to forward the X-Forwarded-* headers from the reverse proxy in front of it and not setting them itself. This is considered a security flaw and should instead be solved by configuring trusted_proxies inside the Caddyfile. For more information read the Caddy documentation."
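
The trusted_proxies arrangement that the quoted documentation refers to, as an added example that is not part of the original post or of OpenProject's shipped Caddyfile. The site name openproject.example.com and the front-proxy address 192.0.2.10 are placeholders, and the global servers option shown assumes Caddy v2.6.3 or later.

```caddyfile
{
	servers {
		# Only requests arriving from these addresses may supply
		# X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host.
		# Values sent by any other client are discarded, so a browser
		# cannot spoof its scheme or source address to the backend.
		# 192.0.2.10/32 is a placeholder for the proxy or load balancer
		# that sits in front of Caddy; remove this block entirely if
		# Caddy is the first hop that clients connect to.
		trusted_proxies static 192.0.2.10/32
	}
}

# Placeholder site name; Caddy terminates TLS for it.
openproject.example.com {
	# reverse_proxy passes the incoming Host header through unchanged
	# and sets X-Forwarded-For, X-Forwarded-Proto and X-Forwarded-Host
	# itself, based on the connection it actually received (or on the
	# trusted proxy's values when the request came from one).
	# Hard-coding header_up X-Forwarded-Proto "https" instead would
	# assert HTTPS to the backend regardless of how the request arrived.
	reverse_proxy 127.0.0.1:3000
}
```

Running `caddy validate --config /path/to/Caddyfile` (path is a placeholder) checks the file before a reload.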