Caddy stops listening to port 80 if there is explicit bind in another section

1. The problem I’m having:

Initially I only had a config without an explicit bind directive. Something just like the following one:

bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}

With this config, Caddy listened on both ports 80 and 443.

Then I wanted to launch another site only for my internal network. So I just added a section:

http://cockpit.bagspace.vpn { 
        bind 192.168.51.1
        reverse_proxy 127.0.0.1:9090
}

After doing that, Caddy stopped listening on port 80 on an external interface. As a result, the redirect from port 80 to port 443 for the site my.external.site stopped working.

2. Error messages and/or full log output:

Before adding the internal site, I could see that Caddy listens on all interfaces:

LISTEN 0      4096               *:80               *:*    users:(("caddy",pid=1311048,fd=9))
LISTEN 0      4096               *:443              *:*    users:(("caddy",pid=1311048,fd=7))

After the modification, Caddy only listens on port 80 on the internal interface:

LISTEN 0      4096               *:443              *:*    users:(("caddy",pid=1312400,fd=8))
LISTEN 0      4096    192.168.51.1:80         0.0.0.0:*    users:(("caddy",pid=1312400,fd=7))

3. Caddy version:

I use caddy-docker-proxy version 2.8.8 running in Podman, but I also tried the original Caddy 2.7.4 running as a systemd service.

4. How I installed and ran Caddy:

a. System environment:

NixOS 23.05, amd64

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

Initial config:

bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}

The broken one:

bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}
http://cockpit.bagspace.vpn { 
        bind 192.168.51.1
        reverse_proxy 127.0.0.1:9090
}

And the fixed one:

http://bagspace.castle.mk {
       redir https://bagspace.castle.mk
}
https://bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}
http://cockpit.bagspace.vpn { 
        bind 192.168.51.1
        reverse_proxy 127.0.0.1:9090
}

5. Links to relevant resources:

So the question is: is this expected behavior or a bug?

Hmm, that is tricky. Not an edge case we expected. Might be hard to solve properly.

I think you can make it work by adding a dummy site block like this just so that there’s a site binding to all interfaces:

http:// {
}

Hopefully that workaround works for now. I’m on mobile right now so I didn’t double-check.

Got an error after adding the proposed block:

Error: adapting config using caddyfile: /etc/caddy/Caddyfile:2: unrecognized directive: py.bagspace.ua
Did you mean to define a second site? If so, you must use curly braces around each site to separate their configurations.

Looks like it fails when parsing the next block.

I mean like this:

http:// {
}

bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}

http://cockpit.bagspace.vpn { 
        bind 192.168.51.1
        reverse_proxy 127.0.0.1:9090
}

Please always post your current config along with the error message. It’s impossible to know what caused it without seeing your config. But it seems like you have a syntax error somewhere.

Yeah, it works.

The first time, I just tried adding that http:// block to my config with the explicit redirects.


Interesting case. It looks like it works with Caddy but does not work with caddy-docker-proxy.
When run with caddy-docker-proxy, it does not like the next block (the exact error I sent in one of my previous messages). Also, I can only see one line in the Caddyfile.autosave:

http://

You can put in any garbage handler to make CDP accept it. E.g. you can put in vars dummy 1 or something inside the handler just so it’s not empty.

I don’t know why, but it does not work with CDP. No redirects, just an empty 200 page.

What did you try exactly? What docker labels are you using, etc? What’s in the generated Caddyfile output?

Caddyfile.autosave:

{
        debug
}
http:// {
        vars dummy 1
}
py.bagspace.ua {
        log {
                output stdout
        }
        reverse_proxy http://127.0.0.1:5000 {
                header_up X-Real-IP {remote_host}
        }
}
http://cockpit.bagspace.vpn {
        bind 192.168.51.1
        log {
                output stdout
        }
        reverse_proxy 127.0.0.1:9090
}
api.bagspace.ua {
        @notPhpFiles not path *.php
        handle @notPhpFiles {
                file_server
                root * /var/www/bagspace.ua
                try_files current/{path} shared/public/{path} =404
        }
        log {
                output stdout
        }
        php_fastcgi 10.89.1.98:9000
        root * /var/www/bagspace.ua/current
}
bagspace.castle.mk {
        reverse_proxy 10.89.1.102:8000
}
http://kibana.bagspace.vpn {
        bind 192.168.51.1
        log {
                output stdout
        }
        reverse_proxy 10.89.1.41:5601
}
http://phpmyadmin.bagspace.vpn {
        bind 192.168.51.1
        file_server
        log {
                output stdout
        }
        php_fastcgi 10.89.1.95:9000 {
                env DOCUMENT_ROOT /var/www/html
                env SCRIPT_FILENAME /var/www/html{path}
        }
        root * /var/www/phpmyadmin/html
}
stat.bagspace.ua {
        log {
                output stdout
        }
        reverse_proxy 10.89.1.103:3000 {
                header_up X-Real-IP {remote_host}
        }
}

An example of labels:

"Labels": {
    "caddy": "stat.bagspace.ua",
    "caddy.log.output": "stdout",
    "caddy.reverse_proxy": "{{ upstreams 3000 }}",
    "caddy.reverse_proxy.header_up": "X-Real-IP {remote_host}",
    "maintainer": "Grafana Labs <hello@grafana.com>"
}

Can you show an example request with curl -v that shows the problem? That config looks okay to me.

$ curl -v http://bagspace.castle.mk                                                                                                                                                                                                                                                                                        
*   Trying 167.235.7.183:80...                                                                                                                                                                                                                                                                                              
* Connected to bagspace.castle.mk (167.235.7.183) port 80 (#0)                                                                                                
> GET / HTTP/1.1                                                                                                                                                                                                                                                                                                            
> Host: bagspace.castle.mk                                                     
> User-Agent: curl/7.81.0                                                      
> Accept: */*                                                                                                                                                 
>                                                                              
* Mark bundle as not supporting multiuse                                       
< HTTP/1.1 200 OK                                                              
< Server: Caddy                                                                
< Date: Tue, 10 Oct 2023 21:14:08 GMT                                          
< Content-Length: 0                                                            
<                                                                              
* Connection #0 to host bagspace.castle.mk left intact

Ah, dangit. I think the HTTP redirect routes are getting added to your 192.168.51.1:80 server instead of the :80 one.

This is kinda a bug, but I’m not sure there’s really any good fix possible. It’s kinda ambiguous what the user intends to have, whether they need the redirect on both ports, or only on the one.

Anyway, you can work around it by setting up the redirects yourself like this:

http:// {
	redir https://{host}{uri} 308
}

It works! Thank you for the help!

You mean it can be a bug in CDP?

No, this is a Caddyfile adapter bug, not a problem with CDP itself.

The only quirk was that an empty site block (with braces) is difficult to generate with CDP labels. But you don’t have that problem if you use a directive like redir.
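Added example (not part of any post in this thread, and not Caddy's own code): a small Caddyfile lint that flags the layouts discussed above, where a `bind` on an HTTP-only site leaves the auto-HTTPS sites without a port 80 listener on all interfaces, or with a listener that has no explicit `redir`. The function names and status strings are this example's own, and the parser assumes the plain brace layout used in the thread's configs.

```python
import re

# Constructed sample: the "broken" config quoted in the thread.
BROKEN = """bagspace.castle.mk {
        reverse_proxy 10.89.1.35:8000
}
http://cockpit.bagspace.vpn {
        bind 192.168.51.1
        reverse_proxy 127.0.0.1:9090
}
"""
WORKAROUND = "http:// {\n\tredir https://{host}{uri} 308\n}\n" + BROKEN

def site_blocks(caddyfile):
    """Yield (addresses, top-level directive names) per site block."""
    depth, addrs, names = 0, [], set()
    for line in map(str.strip, caddyfile.splitlines()):
        if not line or line.startswith("#"):
            continue
        opens = re.search(r"(^|\s)\{$", line) is not None
        if depth == 0 and opens:
            # An empty address list marks the global options block.
            addrs, names = line[:-1].replace(",", " ").split(), set()
        elif depth == 1 and line != "}":
            names.add(line.split()[0])
        if opens:
            depth += 1
        elif line == "}":
            depth -= 1
            if depth == 0 and addrs:
                yield addrs, names

def http_only(addr):
    return addr.startswith("http://") or addr.endswith(":80")

def check_port80_redirects(caddyfile):
    """Classify a Caddyfile against the listener layouts seen in this thread."""
    blocks = [(n, any(map(http_only, a)), a) for a, n in site_blocks(caddyfile)]
    bound = [n for n, http, _ in blocks if http and "bind" in n]
    unbound = [n for n, http, _ in blocks if http and "bind" not in n]
    auto_https = [a for n, http, a in blocks if not http and "bind" not in n]
    if not (bound and auto_https):
        return "ok"  # nothing bound on HTTP, or no site relying on the redirect
    if not unbound:
        return "no-wildcard-http"  # port 80 is opened only on the bound address
    if not any("redir" in n for n in unbound):
        return "wildcard-http-no-redir"  # listener exists; confirm with curl -v
    return "ok"
```

A result other than "ok" is a prompt to check the listening sockets and run `curl -v` against the public hostname over plain HTTP, as was done in the thread.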
