Caddy fallback to 80

hendry · October 9, 2016, 6:17am

Hi guys,

I have a configuration which currently assumes 443 myresponder/Caddyfile at master · kaihendry/myresponder · GitHub

But sometimes it’s deployed behind a proxy (i.e. another Caddy instance), e.g.:

duroa.dabase.com, d.duroa.dabase.com, m.duroa.dabase.com, h.duroa.dabase.com, g.duroa.dabase.com {
 tls hendry@my.email
 proxy / myresponder:80 {
      transparent
}
}

So in the case it’s deployed behind a proxy, I need it to fallback to 80 without exiting like it does here:

docker run --rm --name myresponder --env-file envfile -p 80:80 -v /home/hendry/myresponder/data:/srv/data -v /home/hendry/.caddy:/root/.caddy hendry/myresponder
Activating privacy features...^E^E^E^E^E^Y^Y^Y^Y^Y^Y^Y^Y^Y^Y^Y2016/10/09 06:10:59 [browserinabox.com] failed to get certificate: acme: Error 400 - urn:acme:error:connection - Failed to connect to 128.199.115.232:443 for TLS-SNI-01 challenge
Error Detail:
        Validation for browserinabox.com:443
        Resolved to:
                128.199.115.232
        Used: 128.199.115.232

Or am I missing a trick?

matt · October 9, 2016, 2:18pm

If you don’t want Caddy to use port 443 (which is the default for production sites), you need to specify http:// or :80 in the address in the Caddyfile or use tls off in your site description.

hendry · October 10, 2016, 8:24am

Hi Matt,

I don’t want to change the configuration is what I am asking for here.

Port 443 not exposed or not working? Use Port 80.

80+443 exposed & working, use 443.

Does that make sense?

matt · October 10, 2016, 8:32am

I guess you could fork Caddy and change the auto https feature, but that’s not something I’m going to do for mainline Caddy.

hendry · October 10, 2016, 8:45am

So you prefer Caddy to be a bit draconian with error handling?

If a configuration fails on nginx/apache it still “carries on” IIRC

thechriswalker · October 14, 2016, 9:02am

Neither apache nor nginx automatically use ACME to obtain a certificate and if you configure them to serve HTTPS without a certificate (the equivalent of what you are doing here), they will hard fail.

I am definitely with matt here, if I configure my webserver just so and it cannot do what I have asked it to, I would prefer it to fail than silently decide to do something else. Draconian is exactly what I want.

But, as a possible solution to your woes, you could maybe use an environment variable so your config is static but the tls option is configured externally.

hendry · October 15, 2016, 3:20am

Fail silently? I.e. use port 80 if there is some failure with SSL? I think this is common sense. Oh well.

The fail hard software approach has known the be a failzone too. Checkout XHTML.

Could you please give me an example of that?

Thank you,

thechriswalker · October 17, 2016, 8:10am

You can use environment variables in your Caddyfile so if you write

tls {$TLS_CONFIG}

Then you can start the process with

TLS_CONFIG=off caddy ...

and it will start without trying to serve TLS.