1. Caddy version (caddy version):
2.3.0
2. How I run Caddy:
a. System environment:
Docker-based, base OS is Debian.
c. Service/unit/compose file:
services:
  caddy:
    build: .
    container_name: caddy
    networks:
      - web_proxy
    ports:
      - 80:80
      - 443:443
    restart: always
    volumes:
      - /etc/docker_services/caddy/conf:/etc/caddy
      - /srv/caddy:/data
      - /srv/web:/srv
      - /etc/letsencrypt:/certs
networks:
  web_proxy:
    external: true
d. My complete Caddyfile or JSON config:
example.com {
	file_server
	root * /srv/example.com
}
example.org {
	file_server
	root * /srv/example.org
	tls /certs/live/example.org/fullchain.pem /certs/live/example.org/privkey.pem
}
:443 {
	redir https://example.org/owa
	tls internal {
		on_demand
	}
}
3. The problem I’m having:
My Caddy instance serves multiple domains, some with externally provided TLS certs and mounted into the container, others relying on ACME via Caddy. In case someone connects directly to the public IP address, I would like for Caddy to serve a default redirection to one of the other domains. However, with the configuration above the matcher :443 seems to overwrite the TLS config for example.com, but not the one for example.org. More specifically, with the config above (and real domain names),
- example.org serves the correct site and uses the external TLS certificate
- example.com also serves the correct site, but doesn’t rely on ACME anymore and suddenly also uses a certificate generated from tls internal
- https://<IP> redirects as expected and uses an internal cert, as intended.
5. What I already tried:
As an alternative, I tried to specify just the external IP of the host:
1.2.3.4 {
	redir https://example.org/owa
	tls internal
}
However, Caddy doesn’t like that:
{"level":"debug","ts":1616175933.7395344,"logger":"http.stdlib","msg":"http: TLS handshake error from 1.2.3.4:55544: no certificate available for '172.18.0.3'"}
172.18.0.3 being the internal docker IP and subject to change. It does work when adding that one as a second IP, though:
1.2.3.4, 172.18.0.3 {
	redir https://example.org/owa
	tls internal
}
But since that internal IP is unpredictable, I don’t like to fix that in my config. Is there some sort of generic IP catch-all matcher?
Just for the sake of completion: Just using the internal IP as a matcher returns an HTTP 200 without any content when accessing the site via IP directly. The debug log is empty in that case. Why is that?
172.18.0.3 {
	redir https://example.org/owa
	tls internal
}
$ curl -vk https://1.2.3.4
...
< HTTP/2 200
< server: Caddy
< content-length: 0
...
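A diagnostic added here (not from the original post and not part of Caddy): it performs one TLS handshake per server name plus one with no SNI, the way a client opening https://<IP> does, and reports which names no longer present a publicly trusted certificate, which makes the "example.com suddenly uses an internal cert" symptom above measurable from the outside. The host and domain names in it are constructed placeholders.

```python
"""Constructed diagnostic (not from the original post): handshake with one
host once per server name, plus once with no SNI as a client opening
https://<IP> would, and record whether the default trust store accepts
the certificate returned.  Host and names below are placeholders."""
import socket
import ssl
import sys

def issuer_cn(cert):
    """Issuer commonName from a getpeercert()-style dict ('' if absent)."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""

def probe(host, server_name, port=443, timeout=5.0):
    """Handshake using server_name as SNI (None = no SNI, like a bare-IP client).
    Chain verification stays on, so 'trusted' means a normal client would accept
    the cert; hostname matching is skipped for no-SNI since there is no name."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return {"trusted": True, "issuer": issuer_cn(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # Self-signed or private-CA certs (e.g. from Caddy's `tls internal`) land here.
        return {"trusted": False, "issuer": None, "error": exc.verify_message}

def unexpected_untrusted(results, expect_public):
    """Names that should carry a publicly trusted certificate but did not."""
    return sorted(n for n in expect_public if not results[n]["trusted"])

def main(argv):
    host = argv[1] if len(argv) > 1 else "1.2.3.4"          # placeholder host
    names = argv[2:] or ["example.com", "example.org"]       # placeholder names
    results = {n: probe(host, n) for n in names}
    results[None] = probe(host, None)                        # bare-IP style client
    for name, r in results.items():
        print(f"{name or '<no SNI>'}: trusted={r['trusted']} issuer={r['issuer']}")
    bad = unexpected_untrusted(results, set(names))
    print("unexpected untrusted:", bad or "none")
    return 1 if bad else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 probe.py <host> example.com example.org`; the no-SNI line is expected to be untrusted when the catch-all uses tls internal, while any listed ACME domain showing up as untrusted is the misrouting to check for.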