Caddy domain not accessible when using DDNS

1. The problem I’m having:

I want my Docker app (Emby) that’s exposed to the internet to be accessible with a portless Caddy domain, however I can’t get it working no matter what. Simply said, currently it’s accessible from:
http://app.example.domain:port
I want it to be accessible like this:
https://app.example.domain

Other info:
I use Cloudflare to set DNS records.

I use the dynamic_dns plugin in Caddy for my Emby domain.

All my containers are in caddy_network; Emby is pingable and accessible within the Caddy network.

I have opened port 8096.

I use Tailscale VPN for my other Docker apps, so why am I not using it on Emby? Because if I go somewhere else, to hotels or a friend’s house, I want to simply install Emby on the TV and connect to my domain; Tailscale is not available on TVs as far as I know.

2. Error messages and/or full log output:

No errors

3. Caddy version:

2.9.1

4. How I installed and ran Caddy:

I’ve built my own Dockerfile with the plugins I needed (dynamicdns, cloudflare, sablier), run with docker run:

ARG CADDY_VERSION=2.9.1

FROM caddy:${CADDY_VERSION}-builder AS builder

ADD https://github.com/sablierapp/sablier.git /sablier

RUN xcaddy build \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/sablierapp/sablier/plugins/caddy=/sablier/plugins/caddy \
    --with github.com/mholt/caddy-dynamicdns

FROM caddy:${CADDY_VERSION}

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

a. System environment:

Device: Raspberry Pi 5
OS: Raspberry OS 64-bit
Using docker

c. Service/unit/compose file:

services:
  caddy:
    image: caddy:cloudflare-sablier
    restart: unless-stopped
    networks:
      - caddy_network
    ports:
      - "8082:80"
      - "443:443"
      - "2019:2019"
    volumes:
      - /DATA/AppData/caddy:/data
      - /DATA/AppData/caddy/conf/Caddyfile:/etc/caddy/Caddyfile

d. My complete Caddy config:

{
	admin 0.0.0.0:2019 # Allow external API access
	acme_dns cloudflare {env.CLOUDFLARE_ZONE_TOKEN}
	order sablier before reverse_proxy
	email my@email.com

	dynamic_dns {
		provider cloudflare {env.CLOUDFLARE_ZONE_TOKEN}
		domains {
			example.domain emby
		}
		versions ipv4
		check_interval 1m
		ttl 5m
	}
}

emby.example.domain {
	reverse_proxy emby:8096

	handle_errors {
		respond "{err.status_code} {err.status_text}"
	}
}

These together are dangerous if your machine is exposed to the Internet, because it means anyone in the world can configure your Caddy instance.

Why 8082?

You need to allow ports 80 and 443.

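To make the replier's point about the admin endpoint concrete, here is an added example that is not from the thread: a small Python check that flags the combination of a Caddyfile `admin` option bound to a non-loopback address and a docker-compose file publishing that same port. The compose parsing is a deliberately simplified line match rather than a YAML parser (an assumption), and the sample configs are constructed from the files posted above.

```python
import re

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}

def admin_listen(caddyfile: str) -> str:
    """Return the `admin` global option; Caddy's default is localhost:2019."""
    for line in caddyfile.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"^admin\s+(\S+)", line)
        if m:
            return m.group(1)
    return "localhost:2019"

def split_listen(addr: str):
    """Split host:port; an empty host (':2019') means all interfaces."""
    host, sep, port = addr.rpartition(":")
    if not sep:  # bare port number, no host part
        host, port = "", addr
    return host, int(port or 2019)

def published_container_ports(compose: str) -> set:
    """Container-side ports from '- "HOST:CONTAINER"' entries (simplified line match)."""
    return {int(m.group(1)) for m in
            re.finditer(r'^\s*-\s*"?(?:[\d.:]+:)?(\d+)"?\s*$', compose, re.M)}

def admin_exposure(caddyfile: str, compose: str) -> dict:
    """Exposed = admin listens beyond loopback AND compose publishes that port."""
    listen = admin_listen(caddyfile)
    if listen == "off" or listen.startswith("unix/"):
        return {"listen": listen, "loopback_only": True, "published": False, "exposed": False}
    host, port = split_listen(listen)
    loopback = host in LOOPBACK_HOSTS
    published = port in published_container_ports(compose)
    return {"listen": listen, "loopback_only": loopback, "published": published,
            "exposed": not loopback and published}

# Constructed samples based on the thread's files: the weak pair binds the admin
# API to 0.0.0.0 and publishes 2019; the fixed pair keeps loopback and drops the port.
WEAK_CADDYFILE = "{\n\tadmin 0.0.0.0:2019 # Allow external API access\n\temail my@email.com\n}\n"
WEAK_COMPOSE = ('services:\n  caddy:\n    ports:\n      - "8082:80"\n      - "443:443"\n'
                '      - "2019:2019"\n    volumes:\n      - /DATA/AppData/caddy:/data\n')
SAFE_CADDYFILE = WEAK_CADDYFILE.replace("admin 0.0.0.0:2019", "admin localhost:2019")
SAFE_COMPOSE = WEAK_COMPOSE.replace('      - "2019:2019"\n', "")

if __name__ == "__main__":
    print("weak:", admin_exposure(WEAK_CADDYFILE, WEAK_COMPOSE))  # exposed: True
    print("safe:", admin_exposure(SAFE_CADDYFILE, SAFE_COMPOSE))  # exposed: False
```

Either change alone (loopback bind or not publishing 2019) is enough for the check to report `exposed: False`; binding to localhost inside the container also means the API is reachable only via `docker exec`.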
1. What do you mean anyone can configure my Caddy instance? The only port that is open to the internet is 8096, which is for Emby only; other than that they are safe in my Docker network.

2. Port 8082: I just came up with a random port because port 80 is already allocated by the Pi-hole container.

3. Allow ports 80 and 443 in terms of opening them in the router? Isn’t that unsafe?

You’re exposing it in the docker-compose config, so it’s available outside the container. If that’s still strictly within your LAN, then it’s fine (depending on your threat model, though not as risky).

Alright, as long as you’re forwarding port 80 on the router to this port.

Define unsafe. What are you considering as risk? There’s no connectivity from the outside without ports. What you call “portless” is not without a port; rather, there’s an implicit assumed port (80 for HTTP, and 443 for HTTPS). You don’t want to use a tunneling solution, so you’ll have to expose 80 and 443 to the outside.


So I exposed ports 8082 and 443, but now when accessing the URL I get a bad gateway error.

You must expose 80 as well, not 8082.

Same error with port 80 open, but 8082 is pointing to port 80 inside the Caddy container.

What’s your port forwarding rule? Port 80 on the router must forward to 8082.

Still bad gateway error.
Router:
https://imgur.com/a/kaICncI

Caddy:
https://imgur.com/aJIJb53

After restarting Emby it now works; however, I don’t understand why port 443 can’t be mapped to something different. I have port 80 mapped to 8082 and it works fine, but when I try to map port 443 to 8443, Emby is no longer accessible.

You should be able to. Ensure that the external Docker port matches the internal port stated in your router’s port forwarding config, but the router’s external port must be 443.