Cannot change the admin endpoint

1. The problem I’m having:

I am currently setting up a caddy + prometheus + grafana monitoring,
caddy is installed natively on the server while prometheus and grafana are dockerized.

Once I run curl -s http://localhost:2019/metrics I get the metrics just fine.

I’m trying to change the admin endpoint to either 10.0.0.146 or 0.0.0.0, but it won’t let me and just gives a 403 host not allowed.

2. Error messages and/or full log output:

Error: sending configuration to instance: caddy responded with error: HTTP 403: {"error":"host not allowed: 10.0.0.146:2019"}

3. Caddy version:

v2.6.4 h1:2hwYqiRwk1tf3VruhMpLcYTg+11fCdr8S3jhNAdnPy8=

4. How I installed and ran Caddy:

Ran the lines from the Caddy documentation
with sudo apt install caddy
and caddy reload --config /etc/caddy/Caddyfile

d. My complete Caddy config:

{
        admin 10.0.0.146:2019
        servers {
                metrics
        }
}
https://www.nyuware.pw, https://nyuware.pw {
        tls nyuware@protonmail.com
        root * /var/www/nyuware
        file_server
        encode zstd gzip
        route {
                respond /.well-known/matrix/server `{"m.server": "matrix.nyuware.pw:443"}`
        }
        header / {
                -Server
                Strict-Transport-Security "max-age=31536000; includesubdomains; preload"
                X-Content-Type-Options nosniff
                X-Frame-Options deny
                X-XSS-Protection "1; mode=block"
                Referrer-Policy same-origin
                Content-Security-Policy "default-src 'none'; base-uri 'self'; style-src 'self' 'unsafe-inline';script-src 'self'; font-src 'self'; img-src 'self'; form-action 'self'; connect-src 'self'; frame-ancestors 'none';"
        }
        handle_errors {
                rewrite * /error.html
                templates
                file_server
        }
        log {
                output file /var/log/caddy/nyuware.pw-access.log {
                        roll_size 10mb
                        roll_keep 20
                        roll_keep_for 720h
                }
        }
}
132.145.254.107:80 {
        route {
                redir https://nyuware.pw
        }
}
132.145.254.107:443 {
        route {
                redir https://nyuware.pw
        }
}
mumble.nyuware.pw {
        reverse_proxy http://localhost:64738
}

matrix.nyuware.pw {
        reverse_proxy /_matrix/* http://localhost:8008
        reverse_proxy /_synapse/client/* http://localhost:8008
}

bitwarden.nyuware.pw {
        reverse_proxy /* http://localhost:8080
        log {
                output file /var/log/caddy/bitwarden/bitwarden.nyuware.pw-access.log {
                        roll_size 10mb
                        roll_keep 20
                        roll_keep_for 720h
                }
        }
}

wireguard.nyuware.pw {
        reverse_proxy /* http://localhost:51820
        log {
                output file /var/log/wireguard/wireguard.nyuware.pw-access.log {
                        roll_size 10mb
                        roll_keep 20
                        roll_keep_for 720h
                }
        }
}

element.nyuware.pw {
        root * /var/www/element
        file_server
}

grafana.nyuware.pw {
        reverse_proxy /* http://localhost:3000
}

5. Links to relevant resources:

I want to note that if I change the Caddyfile to another port like so:

{
        admin :2020
}

I now get another error, which is the following:

Error: sending configuration to instance: performing request: Post "http://:2020/load": dial tcp :2020: connect: connection refused

Thanks for the help :slight_smile:

Hmm. I think if you change the admin address away from port 2019, you’ll probably need to use the --address flag of the caddy reload command so that the command can correctly communicate to the current admin.

So if it’s currently listening on port 2019 and you want to change it to 2020, you need to use --address localhost:2019.

The reload command reads the current address from the config specified in --config, so if it’s different than the currently running server, it won’t work.

I think it’s the same problem when trying to change the address away from localhost to an IP address: the reload command will use the new address, but the old server is validating the origins, and since that IP address does not match localhost you’ll see host not allowed.

The other option is to just restart the Caddy process completely with sudo systemctl caddy restart, which won’t have any problems with mismatching the old vs new addresses, since it’s starting up fresh.


Yep, basically, Caddy follows these rules to get the admin address:

  • If --address is specified, use that
  • Use address as specified in the config being loaded (assumes it was the same as previous)
  • Use default admin address

If changing the admin port, the use of --address is basically required if it’s not currently listening on the default address because otherwise there’s no way for Caddy to know how to post the config.

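As an added example (not from the thread or from the Caddy project), the POSIX shell script below mirrors the three address rules above and builds the reload command the earlier reply describes: it reads the admin address from the Caddyfile being loaded and, when that differs from where the running instance listens, adds --address. The Caddyfile content and its admin address are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread: mimic how `caddy reload` picks the admin
# address it POSTs the config to, and build a reload command that reaches the
# instance that is actually running. Assumes the Caddyfile's global options
# block (with its `admin` line) comes before any site block.

DEFAULT_ADMIN="localhost:2019"

# Admin address declared in the Caddyfile's global options ("" if none).
caddyfile_admin_address() {
    awk '$1 == "admin" && !done { print $2; done = 1 }' "$1"
}

# Rule order used by the reload command:
#   1. explicit --address flag, 2. `admin` in the config being loaded, 3. default.
resolve_admin_address() {
    flag="$1"; cfg="$2"
    if [ -n "$flag" ]; then
        printf '%s\n' "$flag"
        return
    fi
    from_cfg="$(caddyfile_admin_address "$cfg")"
    printf '%s\n' "${from_cfg:-$DEFAULT_ADMIN}"
}

# When the config's admin address differs from where Caddy currently listens,
# `--address <current>` must be passed; otherwise the POST goes to the new,
# not-yet-listening address (connection refused, or "host not allowed" when
# the old server rejects the unexpected Host).
reload_command() {
    cfg="$1"; running="$2"
    target="$(resolve_admin_address "" "$cfg")"
    if [ "$target" = "$running" ]; then
        printf 'caddy reload --config %s\n' "$cfg"
    else
        printf 'caddy reload --config %s --address %s\n' "$cfg" "$running"
    fi
}

# Constructed sample config: moves the admin endpoint off localhost, as in the thread.
write_sample_caddyfile() {
    f="$(mktemp)"
    printf '{\n\tadmin 10.0.0.146:2019\n}\nexample.test {\n\trespond "ok"\n}\n' > "$f"
    printf '%s\n' "$f"
}

sample="$(write_sample_caddyfile)"
reload_command "$sample" "$DEFAULT_ADMIN"
rm -f "$sample"
```

The comparison is purely textual, so spellings that resolve to the same socket (for example ":2019" and "0.0.0.0:2019") are treated as different and will be given an explicit --address, which is harmless.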

That was the solution, thanks a lot :blush:
Right now --address is only mentioned on the caddy reload and caddy stop CLI commands; maybe it would be worth mentioning it on the global admin directive, in case other people want to modify their endpoint in the future and face the same issue as I did.


Makes sense. I’ll add it, thanks!
