Caddy stopping listening to port 80 randomly

neonota · April 2, 2023, 4:02pm

1. The problem I’m having:

I have migrated from nginx to Caddy due to the simpler HTTPS configuration. It worked very well out of the box however, there are times where Caddy suddenly stop listening to port 80 and all the websites being served by caddy is inaccessible from the external network(tested from the port open tool). The weird thing is that caddy serves port 80 normally in the internal network, where the most of the DNS are pointed to the Caddy web server, port 80 seems to be open.

I tried restarting the Caddy service but to no avail. A simple restart of the linux server where Caddy is solves the problem. Does anyone knows what happened and why this issue will occur?

2. Error messages and/or full log output:

aborting with incomplete response","error":"write tcp 172.31.46.175:443->172.107.226.134:45398: write: broken pipe"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Caddy is running as a systemd service. I followed the official documentation for installing Caddy.

Website which is being served by caddy : nixorigin.one

a. System environment:

AWS EC2 Instance
OS : Ubuntu 22.04
Using : Systemd

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

nixorigin.one {
        # Set this path to your site's directory.
        root * /var/www/html/public

        header {
                X-Frame-Options "SAMEORIGIN"
                X-XSS-Protection "1; mode=block"
                X-Content-Type-Options "nosniff"
        }

        php_fastcgi unix//run/php/php8.1-fpm.sock
        # Enable the static file server.
        file_server

        # Another common task is to set up a reverse proxy:
        # reverse_proxy localhost:8080

        # Or serve a PHP site through php-fpm:
        # php_fastcgi localhost:9000
}

5. Some screenshots:

neonota · April 2, 2023, 4:04pm

I’m pretty bad at explaining things. Kindly take a look at this :

github.com/caddyserver/caddy

Frequent hangs when using http/2 push

opened 10:57AM - 02 Dec 20 UTC

closed 09:02PM - 04 Oct 22 UTC

aDorofeev

bug

help wanted

deferred

upstream

My team and I use Caddy as a reverse proxy, and we rely on HTTP/2 Push a lot. We…'ve started with v2.2.1, on certain configurations we experienced random hangs. We thought that the problem was fixed with this merge request: https://github.com/caddyserver/caddy/pull/3875 (more details can be found in the net/http issue: https://github.com/golang/go/issues/42534) Because it didn't occur for past couple weeks, since it was merged. But today we've found another configuration that makes it very easy to reproduce the problem again, on any of the recent Caddy versions. ### Caddy behavior when hangs happen - Web browser hangs infinitely on some resources during webpage assets download: ![image](https://user-images.githubusercontent.com/1867204/100858277-72c23100-3496-11eb-9c20-c221b2ac73d3.png) - When it happens, Caddy doesn't output any error messages - During that hang, if I try to download those "pending" assets with a different browser or console `curl` - it might work for some assets (usually, smaller ones), but for many assets, it hangs infinitely, i.e. when the problem happens for one user - i basically makes the whole website inaccessible for other users too, till that one user hits "stop" button - When I hit the "stop" button in a browser tab with hanging downloads, Caddy outputs lots of errors to console: ```ERROR http.handlers.reverse_proxy aborting with incomplete response {"error": "http2: stream closed"}``` ### How to reproduce It depends on the proxied website and caddy config, and some random factors, thus it occurs with different frequency on different hardware. The steps are: 1. Start caddy with the configuration provided below 2. Open developer tools network tab, to visually see the hangs; checking the "disable cache" toggle will help reproduce the problem faster, but is not necessary 3. Navigate to `/` page in a browser (i.e., https://terem-pro.localhost) 4. Wait till it fully loads 5. If it didn't hang on step 4 - hit f5, and again, wait till it fully loads; repeat several times if needed On our test server, it usually hangs after 2-3 reloads. On some devices, it might require 10-15 attempts but still hangs at some point. ### Caddy version Reproduces on: - v2.2.1 - v2.3.0-beta.1 - current head of master (4cff36d731390915649261f0e9c088be0eeafcf1), "caddyauth: Use buffered channel passed to signal.Notify" Built with: `CADDY_RACE_DETECTOR=1 xcaddy build <revision>` ### Caddy configuration ``` https://terem-pro.localhost { handle { reverse_proxy https://www.terem-pro.ru { header_up host {http.reverse_proxy.upstream.host} } push / { /local/components/terem/catalog.list/templates/index.best.seller/style.css /local/components/terem/new_services.content/templates/home.banner.lots/style.css /local/components/terem/slider.blocks/templates/slider.useful/style.css /local/components/terem/standard.blocks/templates/call.action.white/style.css /local/components/terem/review.list/templates/carousel.home/style.css /local/components/terem/standard.blocks/templates/promo.red.home/style.css /local/components/terem/promotion.list/templates/home.slider/style.css /local/components/terem/form.form/templates/template.pdf/style.css /local/templates/terem/components/bitrix/menu/template.header.menu.top/desktop-menu.css /local/components/terem/form.form/templates/template.taxi/style.css /assets/resources/css/home.css /local/templates/terem/components/bitrix/menu/template.header.menu-mobile/style_menu.css /local/components/terem/catalog.type.list/templates/.default/style.css /assets/resources/css/styles.css /bitrix/cache/css/s1/terem/template_ad73b02503569e1113abf0b013fdbb28/template_ad73b02503569e1113abf0b013fdbb28_v1.css?16067202133580 /bitrix/cache/css/s1/terem/page_074396ca6d41424fe878cb365c109aa1/page_074396ca6d41424fe878cb365c109aa1_v1.css?160672023225970 } } } ``` #### System environment: Both test server and my PC run on Ubuntu 20.04.1 LTS, x86_64, No-docker Caddy installation ### Highlights - it allows an easy Denial of Service attack: a single client makes the whole server non-functional - there seems to be no timeout, so it might keep the server locked for a while - there's no log message when it hangs (only a message when user hits stop, but it's not very useful, because the same message appears when user just hits stop in the middle of a normal transfer); thus, this one or other similar situations might be happening on production servers right now, and if it happens with a low enough frequency - it might be tough to catch the problem or distinguish it from just a random network glitch

(I dont use HTTP Push, but the issue is kinda similar)

francislavoie · April 3, 2023, 2:21pm

I don’t understand why you’re saying the problem is with port 80. That’s the HTTP port, whereas port 443 is the HTTPS port. What’s your evidence that the problem is specifically with that port?

This log message is also saying Caddy wasn’t able to write back to the client who connected on port 443. “Broken pipe” typically implies that the connecting client closed or broke off the connection, meaning the server isn’t able to write back to it. That might be “fine”.

Your config is setting up Caddy to listen on port 443 for HTTPS connections, and Automatic HTTPS implicitly enables a listener on port 80 for HTTP->HTTPS redirects and for solving the ACME HTTP challenge. No other regular traffic will happen on that port, since your users should all be redirected to use port 443 for HTTPS anyway.

What do you see when you make a request with curl -v? What else is in your logs? Please show some more evidence.

ashton · April 4, 2023, 11:27am

Basically, you already have a service running on port 80, so Caddy cannot start. You must figure out what is this service and stop it. In most cases, it’s either Apache or Nginx: sudo netstat -nlptu | grep 80 sudo systemctl stop nginx sudo systemctl stop apache.

francislavoie · April 5, 2023, 2:32am

@ashton I don’t think that’s their issue, because they showed a log message from Caddy that could only be written after Caddy successfully started.

neonota · April 5, 2023, 6:11am

Thanks for you explanatio.
Here’s what I got after running curl -v nixorigin.one :

*   Trying 2a05:d016:dba:a600:2ecd:d656:86a0:e70f:80...
* Connected to nixorigin.one (2a05:d016:dba:a600:2ecd:d656:86a0:e70f) port 80 (#0)
> GET / HTTP/1.1
> Host: nixorigin.one
> User-Agent: curl/7.81.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://nixorigin.one/
< Server: Caddy
< Date: Wed, 05 Apr 2023 06:09:57 GMT
< Content-Length: 0
<
* Closing connection 0

francislavoie · April 5, 2023, 7:06am

That tells me port 80 is working just fine. That’s Caddy serving an HTTP->HTTPS redirect, see the Location header.

neonota · April 5, 2023, 10:11am

Yeah. Its working fine now. But I don’t understand why caddy sometimes stops serving requests. I see only “broken pipe” error when this happens. Most of the times it automatically starts to work again after 1-5 minutes of downtime.

francislavoie · April 5, 2023, 10:26am

Well,

Without more evidence, there’s not much I can suggest. I doubt it’s a problem with Caddy, it probably has to do with other parts of your network in front of Caddy.

neonota · April 12, 2023, 11:35am

You might want to take look at this ; Frequent hangs when using http/2 push · Issue #3896 · caddyserver/caddy · GitHub

Why I think this could be the issue ?

Maybe Its not related to HTTP2/Push explicitly. The actual issue is similar. Caddy hangs …

More info about api/v1/push : push API methods - Mastodon documentation

francislavoie · April 12, 2023, 11:38am

That issue is a problem in Go itself. See https://github.com/golang/go/issues/42534, which is linked from that issue.

It may or may not be the cause, but there’s nothing we can do about it right now.

system · May 12, 2023, 11:39am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.