On my NixOS server I have Caddy as the main incoming gateway for HTTPS requests, proxying them via HTTP to my application in a Podman container. It does not work. Moreover, if I ssh into the server shell, I can't send requests even with curl. But the app itself works, as we can see if we use the internal container address in the request.
[laniakea@reposado:~]$ sudo podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
8f95390bd1f5 docker.io/redpandadata/redpanda:v24.1.2 redpanda start --... 18 hours ago Up 18 hours 127.0.0.1:9092->9092/tcp, 127.0.0.1:33145->33145/tcp, 8081-8082/tcp, 9644/tcp kafka
28266655b8a7 gcr.io/cadvisor/cadvisor:latest 3 hours ago Up 3 hours (reset) 127.0.0.1:8088->8080/tcp cadvisor
881f68011531 localhost/michelada/webhook-server:latest /nix/store/38i2fz... 49 minutes ago Up 49 minutes 127.0.0.1:8080->8080/tcp, 127.0.0.1:9900->9900/tcp webhook-server
...
[laniakea@reposado:~]$ curl 127.0.0.1:8080/ping
curl: (7) Failed to connect to 127.0.0.1 port 8080 after 0 ms: Could not connect to server
[laniakea@reposado:~]$ SERVER_IP=$(sudo podman inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' webhook-server); curl -v "http://$SERVER_IP:8080/ping"
* Trying 10.89.0.35:8080...
* Established connection to 10.89.0.35 (10.89.0.35 port 8080) from 10.89.0.1 port 44682
* using HTTP/1.x
> GET /ping HTTP/1.1
> Host: 10.89.0.35:8080
> User-Agent: curl/8.18.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Server: Jetty(12.1.0)
< Date: Tue, 17 Feb 2026 14:44:11 GMT
< Content-Length: 4
<
* Connection #0 to host 10.89.0.35:8080 left intact
pong
Related parts of my config:
{
  ...
}:
let
  ...
in
{
  ...
  users.users.laniakea = {
    isNormalUser = true;
    description = "Laniakea User";
    extraGroups = [
      "wheel" # Enable 'sudo' privileges
      "podman" # Allow interaction with Podman containers
      "systemd-journal" # Allow reading logs without sudo
    ];
    ...
    shell = pkgs.bash;
  };
  ...
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv4.conf.all.forwarding" = 1;
  };
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    defaultNetwork.settings.dns_enabled = true;
    autoPrune = {
      enable = true;
      dates = "daily";
      flags = [ "--all" ];
    };
  };
  virtualisation.oci-containers.backend = "podman";
  systemd.services.init-michelada-podman-network = {
    description = "Create Michelada Podman network ${michelada-network-name}";
    after = [ "podman.service" ];
    requires = [ "podman.service" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      # Check if network exists, if not create it with DNS enabled
      ${pkgs.podman}/bin/podman network exists ${michelada-network-name} || \
        ${pkgs.podman}/bin/podman network create ${michelada-network-name}
    '';
    wantedBy = [ "multi-user.target" ];
  };
  ...
  virtualisation.oci-containers.containers = {
    ...
    # --- Webhook Server ---
    webhook-server = {
      image = "webhook-server:latest";
      imageFile = michelada-apps.webhook-server-image;
      extraOptions = [ "--network=${michelada-network-name}" ];
      ports = [
        "127.0.0.1:8080:8080"
        "127.0.0.1:9900:9900"
      ];
      dependsOn = [ "kafka" ];
      environment = {
        MICHELADA_PROFILE = "prod";
      };
      volumes = [
        "/var/lib/michelada/logs:/logs"
      ];
    };
    ...
  };
  # Firewall Rules
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [
      22 # SSH
      80 # HTTP
      443 # HTTPS
      8443 # Telegram Webhook
      3000 # Grafana
    ];
    # Trust the podman bridge interface
    trustedInterfaces = [ "podman1" ];
    extraCommands = ''
      # Allow all traffic on loopback
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT
      # Allow established connections
      iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    '';
  };
  services.caddy = {
    enable = true;
    virtualHosts."<my-host>:8443".extraConfig = ''
      reverse_proxy 127.0.0.1:8080
    '';
  };
}
I can't believe that there is no elegant way to solve such a common task.
The nixpkgs version is 25.11, if that's important.
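An added diagnostic helper for the situation in the post (my code, not the poster's or Podman's): it checks the two host-side pieces that a `127.0.0.1:PORT` publish depends on, the DNAT rule for the port pointing at the container's current address, and `route_localnet=1` on the bridge. The `NAT_RULES` and `SYSCTL` samples are constructed and simplified; on the server they come from `sudo iptables -t nat -S` and `sysctl -a`, the container address from the `podman inspect` command already in the post, and the bridge name is assumed to be what `podman network inspect` reports for the custom network.

```bash
#!/usr/bin/env bash
# Added diagnostic helper (not from the original post). netavark enables
# route_localnet on the bridge when it publishes a port on loopback; with it at 0
# the kernel treats 127.0.0.1-sourced packets on the bridge as martians and drops them.
# On the server: NAT_RULES=$(sudo iptables -t nat -S); SYSCTL=$(sysctl -a 2>/dev/null)

# Constructed sample, simplified to the fields that matter. The 8080 rule still
# points at 10.89.0.20 while `podman inspect` (as in the post) reports 10.89.0.35.
NAT_RULES='-A PREROUTING -m addrtype --dst-type LOCAL -j NETAVARK-HOSTPORT-DNAT
-A OUTPUT -m addrtype --dst-type LOCAL -j NETAVARK-HOSTPORT-DNAT
-A NETAVARK-HOSTPORT-DNAT -d 127.0.0.1/32 -p tcp -m tcp --dport 9092 -j DNAT --to-destination 10.89.0.12:9092
-A NETAVARK-HOSTPORT-DNAT -d 127.0.0.1/32 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.89.0.20:8080'
SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.podman1.route_localnet = 1
net.ipv4.conf.podman2.route_localnet = 0'

# dnat_target PORT RULES -> prints the --to-destination of the DNAT rule for PORT, or nothing
dnat_target() {
  printf '%s\n' "$2" | awk -v p="$1" '
    /-j DNAT/ && $0 ~ ("--dport " p " ") {
      for (i = 1; i <= NF; i++) if ($i == "--to-destination") print $(i + 1); exit }'
}

# route_localnet IFACE SYSCTL -> value of net.ipv4.conf.IFACE.route_localnet, or "missing"
route_localnet() {
  printf '%s\n' "$2" | awk -v k="net.ipv4.conf.$1.route_localnet" \
    '$1 == k { print $3; found = 1 } END { if (!found) print "missing" }'
}

# check_publish PORT CONTAINER_IP BRIDGE RULES SYSCTL -> 0 when the loopback path is
# complete, 1 (with one line per finding) otherwise. BRIDGE is the interface of the
# container's network (assumed to be what `podman network inspect` shows).
check_publish() {
  local port="$1" ip="$2" br="$3" target rl ok=0
  target=$(dnat_target "$port" "$4")
  if [ -z "$target" ]; then
    echo "port $port: no DNAT rule on the host (publish rules missing or flushed)"; ok=1
  elif [ "$target" != "$ip:$port" ]; then
    echo "port $port: DNAT points at $target, container is at $ip (stale mapping)"; ok=1
  fi
  rl=$(route_localnet "$br" "$5")
  if [ "$rl" != "1" ]; then
    echo "port $port: net.ipv4.conf.$br.route_localnet=$rl, loopback traffic cannot reach $br"; ok=1
  fi
  return "$ok"
}

# Demo on the constructed samples: 9092 passes, 8080 is reported as stale.
check_publish 9092 10.89.0.12 podman1 "$NAT_RULES" "$SYSCTL" && echo "port 9092: ok"
check_publish 8080 10.89.0.35 podman1 "$NAT_RULES" "$SYSCTL" || true
```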