I’m on an ews instance that doesn’t have any external IPv6 address.
Things are working as they used to (in the nginx era).
But I observe that Caddy seems to be listening only on the IPv6 443 port (see my Caddyfile at the bottom):
```
~# netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      647/systemd-resolve
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1034/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1034/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      11097/caddy
udp        0      0 127.0.0.53:53           0.0.0.0:*                           647/systemd-resolve
udp        0      0 172.26.5.250:68         0.0.0.0:*                           626/systemd-network
udp6       0      0 :::443                  :::*                                11097/caddy
```
Now, these are the actual connections:
```
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:117.246.90.203]:23110
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:103.211.55.137]:36866
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:106.203.67.117]:11468
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:106.67.5.195]:14949
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:223.182.81.121]:5542
ESTAB 0 3478 [::ffff:172.26.5.250]:https [::ffff:43.243.175.190]:52120
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:182.69.171.248]:54289
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:223.176.38.30]:45754
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:103.85.127.89]:34561
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:45.64.236.248]:41798
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:45.125.69.62]:56922
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:103.92.113.98]:60008
ESTAB 0 0    [::ffff:172.26.5.250]:https [::ffff:42.106.29.133]:1765
```
As you can see, the server seems to be converting the local IPv4 address to IPv6. It’s also converting the external IPv4 into IPv6 to serve it to caddy.
Is this the expected behavior? Nginx used to listen on 172.26.5.250:443 rather than [::ffff:172.26.5.250]:443 like caddy does. And of course it used to show connections directly to the IPv4 address of the client.
What exactly is happening here?
My Caddyfile:

```
example.com:443 {
    tls /etc/ssl/caddy/fullchain.pem /etc/ssl/caddy/privkey.pem
    root /var/www/wordpress
    gzip
    bind 0.0.0.0
    # rewrite {
    #     if {path} ends_with /
    #     r ^/(.*)/$
    #     to /{1}
    # }
    #header (.png|.jpg|.css|.js)$ {
    #    Cache-Control "public, max-age=11116000"
    #}
    rewrite {
        if {path} not_match ^\/wp-admin
        to {path} {path}/ /wp-content/cache/supercache/{host}{uri}/index-https.html /index.php?_url={uri}
    }
    fastcgi / 106.3.61.104:9000 php
}
```
Can someone also look at the commented out header block? Does path take wildcards like that?
PS: Is there any way to find out how much of the traffic is going out as UDP and how much is going out as TCP from the Linux server? (I just wanted to know if anyone’s getting QUIC traffic at all.)
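
The `::ffff:a.b.c.d` entries in the connection list above are IPv4-mapped IPv6 addresses, which is how an IPv4 peer appears on a dual-stack IPv6 socket. As an added example (not part of the original post; the function names are hypothetical), this parses lines in that format and recovers the plain IPv4 peer, so log analysis and IP allowlists compare the same address form:

```python
import ipaddress
import re
from collections import Counter

# Two lines copied from the post, plus one constructed native-IPv6 line
# (2001:db8::/32 is the documentation prefix).
SAMPLE = """\
ESTAB 0 0 [::ffff:172.26.5.250]:https [::ffff:117.246.90.203]:23110
ESTAB 0 3478 [::ffff:172.26.5.250]:https [::ffff:43.243.175.190]:52120
ESTAB 0 0 [2001:db8::10]:https [2001:db8::beef]:40000
"""

# Fields: state, recv-q, send-q, [local]:port, [peer]:port
LINE_RE = re.compile(
    r"^(?P<state>\S+)\s+\d+\s+\d+\s+"
    r"\[(?P<local>[^\]]+)\]:(?P<lport>\S+)\s+"
    r"\[(?P<peer>[^\]]+)\]:(?P<pport>\d+)\s*$"
)

def unmap(addr):
    """Return an IPv4Address for ::ffff:a.b.c.d, otherwise the parsed address."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def parse_peers(text):
    """Extract (peer_address, peer_port) from each well-formed line."""
    peers = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            peers.append((unmap(m["peer"]), int(m["pport"])))
    return peers

def family_counts(text):
    """Count peers by real address family after unmapping."""
    return Counter(f"IPv{ip.version}" for ip, _ in parse_peers(text))

def is_allowed(addr, allowlist):
    """Check an address (mapped or not) against CIDR allowlist entries."""
    ip = unmap(addr)
    nets = (ipaddress.ip_network(n) for n in allowlist)
    return any(ip.version == net.version and ip in net for net in nets)

if __name__ == "__main__":
    for ip, port in parse_peers(SAMPLE):
        print(ip, port)
    print(dict(family_counts(SAMPLE)))
```

Without the unmapping step, a rule written for `172.26.0.0/16` would never match the string `::ffff:172.26.5.250`, even though both name the same host.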