Caddy2 not running on Linux with non-privileged user

1. My Caddy version (caddy version):

v2.0.0-beta12 h1:LZnXOGDr1SbeJNyln8Xc/hXjWCa/a9qFpCbWt2iwJPw=

2. How I run Caddy:

Using CLI as below:
./caddy2 run --resume --config caddy.json

a. System environment:

Linux version 2.6.32-954.3.5.lve1.4.76.el6.x86_64 (mockbuild@buildfarm02.cloudlinux.com) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC) ) #1 SMP Mon Dec 23 07:33:14 EST 2019

b. Command:

paste command here

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

{
  "admin": {
    "listen": ":2019"
  },
  "apps": {
    "http": {
      "servers": {
        "reverse_proxy_master": {
          "listen": [
            "0.0.0.0:443"
          ],
          "@id": "reverse_proxy_master",
          "routes": [],
          "experimental_http3": false
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "hosts": [],
            "management": {
              "ca": "https://acme-staging-v02.api.letsencrypt.org/directory",
              "module": "acme"
            }
          }
        ]
      }
    }
  }
}

3. The problem I’m having:

Running with a non-privileged user as it's a shared host running a WordPress site:
Caddy fails to start with a bind permission error.

4. Error messages and/or full log output:

2020/04/06 08:10:58.192 INFO no autosave file exists {"autosave_file": "/home/eeei3y3f7ygf/.config/caddy/autosave.json"}
2020/04/06 08:10:58.193 INFO using provided configuration {"config_file": "caddy.json", "config_adapter": ""}
2020/04/06 08:10:58.196 INFO admin admin endpoint started {"address": ":2019", "enforce_origin": false, "origins": [":2019"]}
2020/04/06 08:10:58.197 INFO http server is only listening on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "reverse_proxy_master", "https_port": 443}
run: loading initial config: loading new config: http app module: start: tcp: listening on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied

5. What I already tried:

6. Links to relevant resources:

Changing the reverse proxy bind port to 8443, it works fine now. However, just a question: do I need to change anything in WordPress? I want to get both reverse proxy and automatic HTTPS for the WordPress site.

The problem which you're facing is the fact that non-root users, or users which are not in a special group, can not listen on ports lower than 1024. Either you can live with 8443 (which I doubt, since clients from the internet would expect the :80 or :443 ports to be open) or you can manage to escalate the caddy user to a level where it can listen on ports lower than 1024.
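As an added example (not part of this thread and not Caddy's own tooling), the POSIX shell functions below turn the "bind: permission denied" lines from the log above into a diagnosis: they extract the refused port and compare it against the host's privileged-port threshold. The sysctl path `/proc/sys/net/ipv4/ip_unprivileged_port_start` is real but only exists on Linux 4.11 and later; on the 2.6.32 kernel in this thread it is absent, so the classic 1024 threshold is used as the fallback. The log lines fed to the demo are copied from this thread; the threshold argument passed to the demo is a constructed value so the output is the same on any host.

```shell
#!/bin/sh
# Added example (not from this thread or the Caddy project): classify a
# Caddy "bind: permission denied" log line and say why the port was refused.
# Assumptions: the log format is the one shown in the thread; the kernel sysctl
# net.ipv4.ip_unprivileged_port_start exists on Linux 4.11+ (it does not on the
# 2.6.32 kernel above, so the classic 1024 threshold is the fallback).

# Lowest port an unprivileged process may bind on this host.
unprivileged_port_start() {
  f=/proc/sys/net/ipv4/ip_unprivileged_port_start
  if [ -r "$f" ]; then cat "$f"; else echo 1024; fi
}

# port_is_privileged PORT [THRESHOLD] -> "yes" if binding needs root or the
# CAP_NET_BIND_SERVICE capability, "no" otherwise.
port_is_privileged() {
  p=$1
  t=${2:-$(unprivileged_port_start)}
  if [ "$p" -lt "$t" ]; then echo yes; else echo no; fi
}

# bind_denied_port LOGLINE -> the port number in a
# "listen tcp HOST:PORT: bind: permission denied" message, or nothing.
bind_denied_port() {
  printf '%s\n' "$1" |
    sed -n 's/.*listen tcp .*:\([0-9][0-9]*\): bind: permission denied.*/\1/p'
}

# explain_bind_error LOGLINE [THRESHOLD] -> one-line diagnosis for the operator.
explain_bind_error() {
  port=$(bind_denied_port "$1")
  t=${2:-$(unprivileged_port_start)}
  if [ -z "$port" ]; then
    echo "not a bind permission error"
    return 0
  fi
  if [ "$(port_is_privileged "$port" "$t")" = yes ]; then
    echo "port $port is privileged: run Caddy as root, grant the binary cap_net_bind_service, or listen on a port >= $t (e.g. 8443)"
  else
    echo "port $port is not privileged: the denial has another cause (e.g. a sandbox or MAC policy)"
  fi
}

# Demo on the two lines Caddy printed in this thread (threshold fixed at 1024
# so the result does not depend on the host running the script).
if [ "${1:-}" = "demo" ]; then
  explain_bind_error 'run: loading initial config: loading new config: http app module: start: tcp: listening on 0.0.0.0:443: listen tcp 0.0.0.0:443: bind: permission denied' 1024
  explain_bind_error '2020/04/06 10:30:36.102 ERROR admin.api request error {"error": "loading new config: http app module: start: tcp: listening on 0.0.0.0:80: listen tcp 0.0.0.0:80: bind: permission denied", "status_code": 500}' 1024
fi
```

Run it as `sh check_bind.sh demo` to see the two diagnoses, or source it and pipe a live Caddy log through `bind_denied_port` line by line. The threshold lookup is what makes the check honest: on a host where an administrator has lowered `ip_unprivileged_port_start`, port 443 is no longer privileged and a denial there points at something other than the user's uid.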

Caddy comes up, but when I try to create a reverse proxy mapping:

{
  "@id": "sslzen.info",
  "match": [
    {
      "host": [
        "sslzen.info"
      ]
    }
  ],
  "handle": [
    {
      "handler": "subroute",
      "routes": [
        {
          "handle": [
            {
              "handler": "reverse_proxy",
              "transport": {
                "protocol": "http"
              },
              "headers": {
                "request": {
                  "set": {
                    "Host": [
                      "{http.request.host}"
                    ],
                    "X-Forwarded-For": [
                      "{http.request.remote}"
                    ],
                    "X-Forwarded-Port": [
                      "{http.request.port}"
                    ],
                    "X-Forwarded-Proto": [
                      "{http.request.scheme}"
                    ],
                    "X-Real-Ip": [
                      "{http.request.remote}"
                    ]
                  }
                }
              },
              "upstreams": [
                {
                  "dial": "166.62.28.143"
                }
              ]
            }
          ],
          "match": [
            {
              "path": [
                "/"
              ]
            }
          ]
        }
      ]
    }
  ],
  "terminal": false
}

I get the error below:

2020/04/06 10:30:36.102 ERROR admin.api request error {"error": "loading new config: http app module: start: tcp: listening on 0.0.0.0:80: listen tcp 0.0.0.0:80: bind: permission denied", "status_code": 500}
{"error":"loading new config: http app module: start: tcp: listening on 0.0.0.0:80: listen tcp 0.0.0.0:80: bind: permission denied"}

Just to clarify the requirement: my WordPress (using Apache) and the Caddy server are running on the same server. I want requests for the domain, as resolved by DNS, to reach the Caddy server, which handles automatic HTTPS and then reverse proxies back to WordPress.

Can you sudo? Otherwise it won't be able to bind the port! You got a permission denied.
Does netstat -napt | grep 80 show something?

No superuser access. Just a question: if I have Tomcat-hosted WordPress running on the same machine as Caddy, will it still be possible to bind, given WordPress also listens on ports 80 and 443 for HTTP and HTTPS?

Nope, only one process can listen on a given port, therefore everyone uses reverse proxies :) You could set WordPress to listen on an alternative port and let Caddy do the rest for the outside traffic; that's how it's supposed to work.
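As an added example (not from this thread or the Caddy project), the shell functions below show how to find out which process already holds the ports Caddy wants. They parse `ss -ltnp` output field by field rather than grepping for "80", which also matches 8080, 1800, PIDs and file descriptors in the same listing. The `ss` listing embedded in the block is constructed for the demo (Apache on 80 and 443, the Caddy admin API on 2019, nothing on 8443); the process names, PIDs and addresses in it are made up.

```shell
#!/bin/sh
# Added example (not from this thread or the Caddy project): report which
# process holds each listening port of interest, using `ss -ltnp` output.
# The sample listing below is constructed; on a real host pipe `ss -ltnp` in.

# sample_ss_output -> constructed `ss -ltnp` listing: Apache on 80/443, Caddy's
# admin API on 2019, nothing on 8443.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*         users:(("httpd",pid=1234,fd=4))
LISTEN 0      128    [::]:443          [::]:*            users:(("httpd",pid=1234,fd=6))
LISTEN 0      128    127.0.0.1:2019    0.0.0.0:*         users:(("caddy",pid=5678,fd=3))
EOF
}

# listener_owner PORT (reads ss output on stdin) -> name of the process bound
# to that listening port, or nothing if the port is free.
listener_owner() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")   # local port follows the last colon: [::]:443, 0.0.0.0:80, *:80
      if (a[n] == port && match($0, /"[^"]*"/))
        print substr($0, RSTART + 1, RLENGTH - 2)
    }'
}

# port_report PORT... (reads ss output on stdin) -> one line per port:
# "PORT free" or "PORT held by NAME".
port_report() {
  input=$(cat)
  for p in "$@"; do
    owner=$(printf '%s\n' "$input" | listener_owner "$p")
    if [ -n "$owner" ]; then echo "$p held by $owner"; else echo "$p free"; fi
  done
}

# Live use on the host would be:  ss -ltnp | port_report 80 443 8443
# Demo on the constructed sample:
if [ "${1:-}" = "demo" ]; then
  sample_ss_output | port_report 80 443 8443
fi
```

On the sample the report is `80 held by httpd`, `443 held by httpd`, `8443 free`, which is exactly the situation described in this thread: the web server already owns the public ports, so Caddy can only take them once Apache (or WordPress's container) moves to an alternative port that Caddy then proxies to. Note that `ss -p` only shows process names for sockets the current user can inspect; as the non-privileged user in this thread, other users' listeners may appear without a `users:` column, so an empty owner does not always mean the port is free.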

So ideally Caddy should run on 443, as the DNS mapping just maps the IP and binds to 443. And WordPress can run on another port and we use the reverse proxy to dial back to the origin port.

Yes, Caddy is your only entry/exit point for http/https/wss.

e.g. Gitlab:

git.example.com {
    reverse_proxy * {
        to 172.16.0.3:9080
        transport http {
            read_buffer 8192
        }
    }
}

Or if you have https only backend with self-signed cert:

unms.example.com {
    reverse_proxy * {
        to 172.16.0.3:18443
        transport http {
            tls
            tls_insecure_skip_verify
            read_buffer 8192
        }
    }
}

Thank you, so without a reverse proxy there are no solutions. With the 443 and 80 ports not accessible, the best bet would be to host Caddy on a new server and make it bind to 443.

For Caddy to be able to issue TLS certificates from Let’s Encrypt, it needs access to ports 80 and 443. Some more info here on how the challenges work: Challenge Types - Let's Encrypt

I recommend you edit your apache configuration to listen on a different port, like 8080 or something like that, so that Caddy can proxy to it.

Also, Caddy has a php_fastcgi directive that you can use to run WordPress, so you probably don't even need Apache at all!

Btw, you’re using a pretty old version of Caddy, the latest is v2.0.0-rc1
