Binding not working quite the way I expect - multiple sites causing failure

1. Caddy version (caddy version):

v2.1.1 h1:X9k1+ehZPYYrSqBvf/ocUgdLSRIuiNiMo7CvyGUQKeA=

2. How I run Caddy:

a. System environment:

Ubuntu Server 20.04.1

b. Command:

paste command here

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=systemd-networkd-wait-online.service
Wants=network-online.target systemd-networkd-wait-online.service


[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
Environment="GANDI_API_TOKEN=xxx"
[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

*.baxter.works {
        tls email.address@no.spam {
                dns gandi {env.GANDI_API_TOKEN}
        }
        bind 127.0.0.2 #prevent caddy from taking port 443 everywhere and then the next section fails
}

home.baxter.works {
        bind home.baxter.works

        reverse_proxy /* localhost:8123 {
        }
}

files.baxter.works {
        respond / "Hello!"
}


3. The problem I’m having:

I can get one site to bind to a specific address just fine, but if I have any other sites without binds then everything fails.

i.e. with home.baxter.works bound to its own IP, if I then try to add files.baxter.works without specifying another IP (and adding yet another v6 address to the server) then Caddy fails, instead of binding on other available addresses (and maybe warning me).

4. Error messages and/or full log output:

Nov 04 17:21:20 boxodisks caddy[92409]: caddy.HomeDir=/var/lib/caddy
Nov 04 17:21:20 boxodisks caddy[92409]: caddy.AppDataDir=/var/lib/caddy/.local/share/caddy
Nov 04 17:21:20 boxodisks caddy[92409]: caddy.AppConfigDir=/var/lib/caddy/.config/caddy
Nov 04 17:21:20 boxodisks caddy[92409]: caddy.ConfigAutosavePath=/var/lib/caddy/.config/caddy/autosave.json
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.GOOS=linux
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.GOARCH=amd64
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.Compiler=gc
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.NumCPU=8
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.GOMAXPROCS=8
Nov 04 17:21:20 boxodisks caddy[92409]: runtime.Version=go1.14
Nov 04 17:21:20 boxodisks caddy[92409]: os.Getwd=/
Nov 04 17:21:20 boxodisks caddy[92409]: LANG=en_AU.UTF-8
Nov 04 17:21:20 boxodisks caddy[92409]: PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
Nov 04 17:21:20 boxodisks caddy[92409]: HOME=/var/lib/caddy
Nov 04 17:21:20 boxodisks caddy[92409]: LOGNAME=caddy
Nov 04 17:21:20 boxodisks caddy[92409]: USER=caddy
Nov 04 17:21:20 boxodisks caddy[92409]: SHELL=/bin/sh
Nov 04 17:21:20 boxodisks caddy[92409]: INVOCATION_ID=97419f90b2644fff8cd1fc28886fffe0
Nov 04 17:21:20 boxodisks caddy[92409]: JOURNAL_STREAM=9:4781497
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4427464,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":""}
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4476025,"logger":"admin","msg":"admin endpoint started","address":"tcp/localhost:2019","enforce_origin":false,"origins":["localhost:2019","[::1]:2019","127.0.0.1:2019"]}
Nov 04 17:21:20 boxodisks caddy[92409]: 2020/11/04 17:21:20 [INFO][cache:0xc00013ae40] Started certificate maintenance routine
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4484506,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4485078,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.448563,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv1","https_port":443}
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4485908,"logger":"http","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv1"}
Nov 04 17:21:20 boxodisks caddy[92409]: {"level":"info","ts":1604470880.4506757,"logger":"tls","msg":"cleaned up storage units"}
Nov 04 17:21:21 boxodisks caddy[92409]: run: loading initial config: loading new config: http app module: start: tcp: listening on home.baxter.works:443: listen tcp [2403:5800:7300:a600::4663]:443: bind: address already in use
Nov 04 17:21:21 boxodisks systemd[1]: caddy.service: Main process exited, code=exited, status=1/FAILURE
Nov 04 17:21:21 boxodisks systemd[1]: caddy.service: Failed with result 'exit-code'.

5. What I already tried:

  • When moving to a wildcard cert I needed to put that localhost bind in there or even my single site would fail with that ‘address already in use’ message.

  • I can use multiple IPs but I’d rather split out Home Assistant on to its own IP, then be able to have Caddy listening on one other IP for all the rest of the sites.

I’m not sure why you’re using bind here :thinking:

What exactly are you trying to do? It’s not clear to me.

One tip, use the caddy adapt --config /etc/caddy/Caddyfile --pretty command to get the underlying JSON representation of your config, it might help you understand what’s actually happening under the hood with bind. That Caddyfile directive maps to the listen part of servers in the JSON.

Oh, maybe I’ve misinterpreted bind. I wanted that particular server only listening to one IP, and bind let me use a hostname in case I needed to change the address.

home.baxter.works listening on only one IP
anything else I add to the config listening on others.

Hmm.

Well, first of all I think bind home.baxter.works isn’t really going to do anything useful. home.baxter.works isn’t an IP address, so the network stack won’t know what to do with that.

Caddy uses SNI (Server Name Identification) after the connection is established, at the TLS layer. It also uses a request matcher to group handlers based on that host.

I think the problem is that if you have one server that binds to 127.0.0.2 and another that binds to 0.0.0.0 (i.e. everything, implicitly in your files.baxter.works) then that’s a conflict. I think you’re not allowed to have any overlap.

To be clear the error you’re seeing, bind: address already in use, isn’t actually from Caddy though, it’s from the linux network stack.
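As an added illustration of the overlap described above (not code from this thread or from the Caddy project): a small Python check that reads the JSON emitted by `caddy adapt --config /etc/caddy/Caddyfile --pretty` and reports servers whose listeners share a port while one of them listens on every address, plus any hostname used where `bind` expects an IP. The two embedded configs are constructed to resemble the adapted form of the Caddyfiles in this thread, not real adapter output.

```python
import ipaddress
import json

# Constructed sample, shaped like the `caddy adapt` output for the thread's
# original Caddyfile: one server bound to 127.0.0.2, one bound by hostname,
# one with no bind (which Caddy turns into ":443", i.e. all addresses).
ORIGINAL_CONFIG = json.dumps({"apps": {"http": {"servers": {
    "srv0": {"listen": ["127.0.0.2:443"]},
    "srv1": {"listen": ["home.baxter.works:443"]},
    "srv2": {"listen": [":443"]},
}}}})
# Constructed sample for the corrected Caddyfile: everything on one listener.
FIXED_CONFIG = json.dumps({"apps": {"http": {"servers": {
    "srv0": {"listen": [":443"]},
}}}})

WILDCARDS = {"", "0.0.0.0", "::"}   # listen on every address for that port

def split_listen(addr):
    """Split ':443', '127.0.0.2:443' or '[::1]:443' into (host, port)."""
    if addr.startswith("["):                       # bracketed IPv6 literal
        host, _, port = addr[1:].rpartition("]:")
    else:
        host, _, port = addr.rpartition(":")
    return host, port

def classify(host):
    """'wildcard', 'ip' (literal address) or 'hostname' (resolved at start)."""
    if host in WILDCARDS:
        return "wildcard"
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "hostname"

def find_listen_conflicts(adapted_json):
    """Return (conflicts, warnings): pairs of servers whose listeners overlap
    on the same port, plus a warning for every hostname used as a bind."""
    servers = json.loads(adapted_json)["apps"]["http"]["servers"]
    seen = [(name, *split_listen(a)) for name, s in servers.items()
            for a in s.get("listen", [])]
    conflicts, warnings = [], []
    for i, (n1, h1, p1) in enumerate(seen):
        if classify(h1) == "hostname":
            warnings.append(f"{n1}: bind '{h1}' is a hostname, not an IP")
        for n2, h2, p2 in seen[i + 1:]:
            overlap = "wildcard" in (classify(h1), classify(h2)) or h1 == h2
            if p1 == p2 and overlap:
                conflicts.append((n1, n2, p1))
    return conflicts, warnings
```

Running it on the original config flags both the 127.0.0.2 server and the hostname-bound server as overlapping with the all-addresses server on port 443, which is what the kernel reports as `address already in use`; the corrected config yields no conflicts.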

You’re right, changing it to the following worked:

*.baxter.works {
        tls email.address@no.spam {
                dns gandi {env.GANDI_API_TOKEN}
        }
}

home.baxter.works {
        reverse_proxy /* localhost:8123 {
        }
}

files.baxter.works {
        respond / "Hello!"
}

Frustratingly, it requested a certificate for files.baxter.works despite having the wildcard available

If you want to share the wildcard cert, you should write your config like this instead:

*.baxter.works {
	tls email.address@no.spam {
		dns gandi {env.GANDI_API_TOKEN}
	}

	@home host home.baxter.works
	handle @home {
		reverse_proxy localhost:8123
	}

	@files host files.baxter.works
	handle @files {
		respond "Hello!"
	}
}

Btw the email is optional, if you’re just sending it to a black hole email. You could just omit that field.


Thank you!
I’ll delete my other thread.

I’ve redacted the email in the config but I am sending it to a real address.
