Can't get Caddy to serve http and https for different sites

1. Caddy version (caddy version): 2.2.0

2. How I run Caddy: service file called by systemctl start

a. System environment: vps on ubuntu 18.04.5 with xcaddy compiled caddy version

b. Command:

sudo systemctl start caddy

c. Service/unit/compose file:

taken directly from https://github.com/caddyserver/dist/blob/master/init/caddy.service

d. My complete Caddyfile or JSON config:

there are a lot of other sites in here which are working, but it says not to redact anything.

{
    auto_https disable_redirects
}

https://eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://facts.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/facts
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://soultrader.net.au {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/st
    try_files {path} {path}.html
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://blog.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/blog
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
    try_files {path} {path}/ /index.php?{query}&p={path}
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
}

https://album.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/lychee/public
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
    try_files {path} {path}/ /index.php?{query}&p={path}
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
}

https://bin.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipbin
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
    try_files {path} {path}/ /index.php?{query}&p={path}
    php_fastcgi unix//var/run/php/php7.4-fpm.sock
}

https://3ds.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/3ds
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://tinydb.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/tinydb
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

http://wiiu.eiphax.tech:80 {
    root * /var/www/eipdox/wiiu
    file_server
    encode gzip
    log {
        output file /var/log/access.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
    }
}

https://nx.eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/nx
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://nintendohomebrew.com {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/nh
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://bhax.nintendohomebrew.com {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/bhax/web/nbhax
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
    protocols tls1.2 tls1.2
	dns digitalocean token redacted
    }
}

https://bfm.nintendohomebrew.com {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/eipdox/nh/seed
    reverse_proxy localhost:8082
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

http://part1dumper.nintendohomebrew.com {
    reverse_proxy localhost:8081
}

https://shitpost.lol {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/sp
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://hacc.me https://please.hacc.me {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/hacc
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://friigaemsworld.com {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/frigam
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://uwu.tax {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/uwu
    try_files {path} {path}.html
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

https://conversation.id {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    X-XSS-Protection "1; mode=block"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    }
    root * /var/www/conv
    file_server
    encode gzip
    tls {
	dns digitalocean token redacted
    }
}

3. The problem I’m having:

Trying to serve wiiu.eiphax.tech on http, and everything else on https.
wiiu.eiphax.tech still seems to be redirecting to https even though (1) http is explicitly specified and (2) http auto redirect is turned off.

4. Error messages and/or full log output:

Although logging is enabled, it doesn’t seem to output to an actual log file.
I did manage to get this from sudo systemctl status caddy:

Sep 27 02:26:56 eiphax.tech caddy[18946]: {"level":"info","ts":1601173616.9546394,"logger":"http.log.access","msg":"handled request","request":{"remote_addr":"74.125.212.46:51454","proto":"HTTP/1.1","method":"GET","host":"3ds.eiphax.tech","uri":"/favicon.ico","headers":{"Connection":["keep-alive"],"Accept":["image/*"],"User-Agent":["Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.75 Safari/537.36 Google Favicon"],"Accept-Encoding":["gzip,deflate,br"],"X-Forwarded-For":["98.174.197.88"]}},"common_log":"74.125.212.46 - - [27/Sep/2020:02:26:56 +0000] \"GET /favicon.ico HTTP/1.1\" 0 0","duration":0.000008092,"size":0,"status":0,"resp_headers":{"Server":["Caddy"]}}

5. What I already tried:

Unfortunately my knowledge in this field is somewhat limited, as I don’t usually need to disable https.

6. Links to relevant resources:

That’s probably because at some point, you sent a Strict-Transport-Security header to your browser telling it to remember for 31536000 seconds (1 year) that it should always redirect HTTP to HTTPS.

You should only ever enable Strict-Transport-Security if you’re 100% sure you’ll only ever want to serve a site over HTTPS, basically forever. IMO it’s pointless to use because Caddy can do the redirects itself, and only creates a possible point of failure.

FYI, header / means "only send these headers on requests to /". Where did you copy this from? That’s incorrect, you probably want to send those headers on every request, so remove the /.

Hi, thanks for your response.

The wiiu domain never had https enabled or had any header directives associated with it, unless it’s reading the hsts portion from the base domain?

I probably misunderstood the slash portion, I’ll remove that, thank you.

Yeah, that’s the problem. The includeSubdomains part of the HSTS header tells the browser to also apply it to any subdomains.
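The browser-side rule described in the two replies above (an HSTS policy with includeSubDomains on eiphax.tech being applied to wiiu.eiphax.tech) can be checked against the Caddyfile itself rather than discovered one domain at a time. The script below is an added example written for this thread; it is not code from Caddy or from anyone posting here. It parses the top-level site blocks, collects the Strict-Transport-Security policies the https:// sites send, and reports every http:// site that a browser which has already cached a parent policy would refuse to load over plain HTTP. The sample input is a constructed, trimmed copy of the posted config; by the same rule it also flags http://part1dumper.nintendohomebrew.com, since nintendohomebrew.com in the posted config sends the same header.

```python
"""Added example for this thread, not Caddy's own code: scan a Caddyfile for
http:// sites a browser would still force to HTTPS because a parent domain
sends an HSTS policy with includeSubDomains (RFC 6797 semantics)."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample: a trimmed copy of the Caddyfile posted above.
SAMPLE_CADDYFILE = """
https://eiphax.tech {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    }
    try_files {path} {path}.html
    file_server
}
http://wiiu.eiphax.tech:80 {
    file_server
}
https://nintendohomebrew.com {
    header / {
    Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
    }
    file_server
}
http://part1dumper.nintendohomebrew.com {
    reverse_proxy localhost:8081
}
"""
HSTS_RE = re.compile(r'strict-transport-security\s+"([^"]*)"', re.IGNORECASE)

class HstsPolicy(NamedTuple):
    max_age: int
    include_subdomains: bool

def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Directive names are case-insensitive; no max-age or max-age=0 means no policy."""
    max_age, include_subdomains = 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_subdomains = True
    return HstsPolicy(max_age, include_subdomains) if max_age > 0 else None

def split_site_blocks(text: str) -> List[Tuple[List[str], List[str]]]:
    """Top-level (addresses, body) pairs; braces are counted per line so {path}
    placeholders balance, and an address-less global options block is dropped."""
    blocks, depth, addresses, body = [], 0, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if depth == 0:
            if line.endswith("{"):
                addresses, body, depth = line[:-1].split(), [], 1
            continue
        depth += line.count("{") - line.count("}")
        if depth == 0 and addresses:
            blocks.append((addresses, body))
        elif depth > 0:
            body.append(line)
    return blocks

def host_and_scheme(address: str) -> Tuple[str, str]:
    """Caddy 2 serves a bare domain over HTTPS; http:// or :80 means HTTP."""
    scheme = "http" if address.startswith("http://") else "https"
    host, _, port = re.sub(r"^https?://", "", address).partition(":")
    return host.lower(), ("http" if port == "80" else scheme)

def collect_policies(blocks) -> Dict[str, HstsPolicy]:
    """Policies a browser would cache; STS over plain HTTP is ignored, so only https:// sites count."""
    policies = {}
    for addresses, body in blocks:
        match = HSTS_RE.search("\n".join(body))
        policy = parse_hsts(match.group(1)) if match else None
        for host, scheme in map(host_and_scheme, addresses):
            if policy and scheme == "https":
                policies[host] = policy
    return policies

def hsts_forces_https(host: str, policies: Dict[str, HstsPolicy]) -> Optional[str]:
    """Cached entry that upgrades `host`: itself, or an ancestor with includeSubDomains."""
    if host in policies:
        return host
    labels = host.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if ancestor in policies and policies[ancestor].include_subdomains:
            return ancestor
    return None

def find_conflicts(text: str) -> List[Tuple[str, str]]:
    """(http_host, policy_host) for each http:// site a browser with a cached policy would upgrade."""
    blocks = split_site_blocks(text)
    policies = collect_policies(blocks)
    hosts = [hs for addresses, _ in blocks for hs in map(host_and_scheme, addresses)]
    hits = [(h, hsts_forces_https(h, policies)) for h, s in hosts if s == "http"]
    return [(h, src) for h, src in hits if src]

if __name__ == "__main__":
    for http_host, policy_host in find_conflicts(SAMPLE_CADDYFILE):
        print(f"{http_host}: forced to HTTPS by the HSTS policy of {policy_host}")
```

Two points the script encodes that matter when reading the output: the header / matcher does not limit the damage, because the policy is cached as soon as the browser has loaded the site's root once and is keyed on the host, not the path; and policies are only taken from https:// sites because RFC 6797 tells user agents to ignore an STS header received over plain HTTP. A max-age=0 header is treated as clearing the entry, which is how a site withdraws HSTS for clients that revisit it; clients that never come back keep the old entry until it expires, and a domain that was actually submitted to browser preload lists has to be removed from those separately.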

Yeah, more fool me for treating server config like Lego I can just put together and take apart at will…

What would you suggest the implementation would be to serve wiiu as non-https?

Well, you’re kinda screwed for any clients that you don’t control, but you can clear the flag on your browser – a quick google should tell you how.

Using http:// on the site address is enough in Caddy to make sure it’s served over HTTP. You don’t need to use auto_https disable_redirects for this.

Okay, so I can continue serving all other sites as example.com without explicit https, but I can serve http://wiiu.eiphax.tech to explicitly use http?

Would I need to remove the includeSubdomains header from eiphax.tech?

Yep. That’s correct.
