Auto https not redirecting to 443?

1. Caddy version (caddy version):

docker.io/caddy/caddy:2.2.1-alpine

2. How I run Caddy:

TLS termination

a. System environment:

AWS ECS/fargate

b. Command:

caddy run --config /config/caddy/autosave.json

c. Service/unit/compose file:

{
    "name": "caddy-prd",
    "image": "${caddyImage}",
    "essential": true,
    "portMappings": [{
        "protocol": "tcp",
        "containerPort": 80,
        "hostPort": 80
    }, {
        "protocol": "tcp",
        "containerPort": 443,
        "hostPort": 443
    }, {
        "protocol": "tcp",
        "containerPort": 8081,
        "hostPort": 8081
    },
    {
        "protocol": "tcp",
        "containerPort": 2020,
        "hostPort": 2020
    }
    ],
    "command": [
      "caddy",
      "run",
      "--config",
      "/config/caddy/autosave.json"
    ],

    "mountPoints": [
        {
            "sourceVolume": "caddy-storage",
            "containerPath": "/config"
        },
        {
            "sourceVolume": "caddy-storage",
            "containerPath": "/data"
        }
    ],

    "logConfiguration": {
        "logDriver": "awslogs",
        "options": {
            "awslogs-group": "/ecs/caddy",
            "awslogs-region": "${awsRegion}",
            "awslogs-stream-prefix": "ecs"
        }
    }
}

d. My complete Caddyfile or JSON config:

{
  "admin": {
    "config": {
      "persist": true
    },
    "listen": "0.0.0.0:2020",
    "origins": [
      "115.70.195.253",
      "52.64.48.128",
      "13.210.211.75"
    ]
  },
  "apps": {
    "http": {
      "https_port": 443,
      "servers": {
        "socket-stg": {
          "automatic_https": {
            "disable_redirects": true
          },
          "listen": [
            ":8081"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "ec2-54-79-52-98.ap-southeast-2.compute.amazonaws.com:8081"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "global.schoolbox.cloud"
                  ]
                }
              ],
              "terminal": true
            }
          ]
        },
        "web-stg": {
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "headers": {
                            "request": {
                              "set": {
                                "Host": [
                                  "{http.request.host}"
                                ],
                                "X-Forwarded-For": [
                                  "{http.request.remote}"
                                ],
                                "X-Forwarded-Host": [
                                  "{http.request.host}"
                                ],
                                "X-Forwarded-Port": [
                                  "{server_port}"
                                ],
                                "X-Forwarded-Proto": [
                                  "{http.request.scheme}"
                                ],
                                "X-Forwarded-Ssl": [
                                  "on"
                                ],
                                "X-Real-Ip": [
                                  "{http.request.remote}"
                                ],
                                "X-Url-Scheme": [
                                  "{http.request.scheme}"
                                ]
                              }
                            }
                          },
                          "upstreams": [
                            {
                              "dial": "ec2-54-79-52-98.ap-southeast-2.compute.amazonaws.com:80"
                            }
                          ]
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "global.schoolbox.cloud"
                  ]
                }
              ]
            }
          ]
        }
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "level": "DEBUG"
      }
    }
  }
}

3. The problem I’m having:

Whenever I browse to http / port 80 it redirects to 8081, which is not what I expected from auto HTTPS. It looks like it is getting the first match rather than the server listening on the 443 port, even with the https port explicitly set (it fails without it as well).

4. Error messages and/or full log output:

Browsing to http://global.schoolbox.cloud/ gets a “308 Permanent Redirect” from Caddy to https://global.schoolbox.cloud:8081/

5. What I already tried:

Added the “https_port”: 443
Added disabling HTTPS redirects to the socket server

Have replicated on 2 different Caddy servers (haven’t supplied config for the other as it’s quite verbose, with 400+ routes on it)

6. Links to relevant resources:

OK, got it working by disabling automatic HTTPS on the server listening on 8081 so it wouldn’t be part of the lucky dip. Guess I had just been lucky previously to have it going to web by default.
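A check for the situation resolved above, as an added example that is not part of the original posts and not Caddy's own code: it lists hosts matched by more than one automatic-HTTPS server on different ports, where the HTTP-to-HTTPS redirect target is ambiguous. The sample config is constructed (hypothetical host `app.example.test`, server names borrowed from the thread), and treating only `automatic_https.disable` as the opt-out is an assumption taken from the fix reported in this post.

```python
import copy

# Constructed sample: the thread's two-server layout reduced to the relevant keys.
ROUTES = [{"match": [{"host": ["app.example.test"]}], "handle": []}]
SAMPLE = {"apps": {"http": {"https_port": 443, "servers": {
    "socket-stg": {"automatic_https": {"disable_redirects": True},
                   "listen": [":8081"], "routes": ROUTES},
    "web-stg": {"listen": [":443"], "routes": ROUTES},
}}}}

def listen_ports(server):
    """Numeric ports from listener addresses such as ":8081" or "0.0.0.0:443"."""
    ports = set()
    for addr in server.get("listen", []):
        port = addr.rsplit(":", 1)[-1]
        if port.isdigit():  # skip port ranges and unix sockets
            ports.add(int(port))
    return ports

def route_hosts(routes):
    """Yield hostnames from host matchers, descending into subroute handlers."""
    for route in routes:
        for matcher in route.get("match", []):
            yield from matcher.get("host", [])
        for handler in route.get("handle", []):
            if handler.get("handler") == "subroute":
                yield from route_hosts(handler.get("routes", []))

def ambiguous_redirect_hosts(config):
    """Map host -> sorted ports when 2+ auto-HTTPS listeners on different ports match it."""
    http = config.get("apps", {}).get("http", {})
    http_port = http.get("http_port", 80)  # the plain-HTTP port is not a redirect target
    seen = {}
    for server in http.get("servers", {}).values():
        if server.get("automatic_https", {}).get("disable"):
            continue  # assumption: only a full opt-out removes the server from the pool
        ports = listen_ports(server) - {http_port}
        for host in set(route_hosts(server.get("routes", []))):
            seen.setdefault(host, set()).update(ports)
    return {host: sorted(ports) for host, ports in seen.items() if len(ports) > 1}

def with_auto_https_disabled(config, server_name):
    """Return a copy of config with automatic HTTPS fully disabled on one server."""
    fixed = copy.deepcopy(config)
    fixed["apps"]["http"]["servers"][server_name]["automatic_https"] = {"disable": True}
    return fixed

if __name__ == "__main__":
    print(ambiguous_redirect_hosts(SAMPLE))
    print(ambiguous_redirect_hosts(with_auto_https_disabled(SAMPLE, "socket-stg")))
```

Load the real file with `json.load` and pass the resulting dict to `ambiguous_redirect_hosts`; an empty result means no host has competing redirect targets.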

A 308 redirect gets cached by the browser, so you need to clear your browser cache for it to stop redirecting, if a previous configuration triggered the redirects.

Yep, thanks @francislavoie, got that too.

A couple other things:

  • Please use caddy:2.2.1-alpine rather than caddy/caddy:2.2.1-alpine, the first is the official docker image, the second is the “old” image (it still gets builds pushed to it because we use it for CI testing before images are pushed to the official repo).

  • I don’t think you actually need any of those upstream headers for your proxy. Caddy actually sets X-Forwarded-For and X-Forwarded-Proto on its own correctly, and your Host one does nothing at all (Caddy already passes through the request host), and {server_port} is not a valid placeholder ({port} is a Caddyfile shortcut, but shortcuts are Caddyfile only. You’d want {http.request.port} but you likely don’t even need it anyways). Only set these headers if you actually know you need them, otherwise you might get some unexpected behaviour.

Thanks for the tips! The devs seemed to want control over the options but I’ll suggest it to them and see what happens. We will certainly change the image address.

Relevant docs regarding the headers:
