Caddy Listening Port

Caddy was installed as follows:

curl -fsSL https://getcaddy.com
sudo chown root:root /usr/local/bin/caddy
sudo chmod 755 /usr/local/bin/caddy
sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

It results in listening to ports 80 (HTTP) and 443 (HTTPS).
How can I instruct or modify setcap to listen only to HTTPS?

I’m not sure what you’re saying; because setcap doesn’t open ports. It only sets file permissions. :thinking: There must be another command you’re running to use up those ports.

I’m looking for how to get caddy listening only to port 443.

After Caddy installation,

netstat -tlpn

shows that Caddy is capturing ports 80 and 443 at the same time.

Ah, so Caddy is listening on ports 80 and 443? In those commands you gave above, though, Caddy isn’t executed at all. That’s why I was confused.

You can change the HTTP port to something else by setting the -http-port CLI option, but beware this will break the HTTP ACME challenge (unless you know what you're doing, like forwarding the port). But currently with automatic HTTPS, there has to be a redirect from HTTP to HTTPS, because browsers still request HTTP by default when no scheme is present.

Can you please share a documentation link on the -http-port CLI option?
Is it used during installation, or within the upstart script?

What if that command,

sudo setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy

were completely ignored during installation? I haven't tried yet; please advise.

In other words, the question might be: what and where exactly are the instructions to Caddy to listen on specific ports?
I think it is only the Caddyfile. In my case all import node instructions are in the form https://sub.domain.com

On another note, I think there is no impact on ACME connections, as on my side port 80 is already blocked by the ISP and yet I'm using ACME certificates and renewing normally with no issue.

https://caddyserver.com/docs/cli#http-port

I don’t think this can be used to disable the HTTP port, only to change it to something else.

If you did not run this command, Caddy would be unable to bind to privileged ports (any port below 1024). setcap is not going to help you change which ports Caddy listens on.

If you’re serving sites without Automatic HTTPS, Caddy will only bind to the ports you’ve nominated in your Caddyfile, or the default (:2015), but Caddy won’t manage your certificates for you.

If you want Caddy to manage your certificates, you need to either:

  • Let Caddy bind to :80 and :443, or;
  • Use the DNS challenge

If you can’t use the DNS challenge, and you want Caddy not to bind :80, but you want to serve HTTPS on port :443, you will need to provide your own valid certificate:

example.com:443 {
	tls [cert] [key]
	...
}
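The two options from the answer above, written out as a complete Caddy v1 Caddyfile. This is an added example, not code from the thread or from the Caddy project; the hostnames, file paths, the Cloudflare DNS plugin and the environment variable names are assumptions for illustration.

```caddyfile
# Added example (not from the thread). Hostnames, paths and the DNS plugin
# are assumed for illustration.

# Site 1: HTTPS only on :443 with an operator-supplied certificate.
# Because the certificate is given manually, Caddy does not manage it, so
# no HTTP ACME challenge and no HTTP->HTTPS redirect listener are needed
# and Caddy does not bind :80 for this site. Renewal is the operator's job.
example.com:443 {
    root /var/www/example.com
    tls /etc/ssl/certs/example.com.crt /etc/ssl/private/example.com.key
    log /var/log/caddy/example.com.log
}

# Site 2: Caddy-managed certificate obtained via the DNS challenge.
# Assumes a Caddy build that includes the tls.dns.cloudflare plugin and the
# CLOUDFLARE_EMAIL / CLOUDFLARE_API_KEY environment variables set for the
# Caddy process. Issuance and renewal then need no inbound connection on
# port 80, which is the case the thread describes (port 80 blocked by the ISP).
secure.example.com {
    root /var/www/secure
    tls {
        dns cloudflare
    }
}
```

Start Caddy with `caddy -conf /etc/caddy/Caddyfile`; the `-http-port` flag linked above only moves the HTTP listener (for example `-http-port 8080`), it does not remove it, so for site 2 expect the automatic HTTPS redirect listener to remain. The `setcap` step from the original post is still required for the process to bind :443 as a non-root user; `getcap /usr/local/bin/caddy` should report `cap_net_bind_service+ep`, and `netstat -tlpn` (or `ss -tlpn`) after startup is the check that only the intended ports are bound.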