Change Port for port forwarding for reverse proxy?

1. The problem I’m having:

I’m running Caddy on a LXC on local IP: 192.168.1.21 .
Currently I have ports 80 and 443 forwarded on the router, on which Caddy works perfectly fine. But I have a different use for those ports and cannot use them for Caddy.

So I was trying to set up Caddy to listen on ports 8080 and 8443 for HTTP and HTTPS respectively. But by doing so, the reverse proxy doesn’t work properly, and the site doesn’t work.
I’ve forwarded the ports correctly, but something might be wrong in the Caddy config on how to set up other ports.

2. Error messages and/or full log output:

N/A

3. Caddy version:

v2.7.5

4. How I installed and ran Caddy:

a. System environment:

Ubuntu LXC on Proxmox PVE 8.0.3
Ubuntu 22.04.3 LTS

b. Command:

caddy run 

or

caddy start

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

#trying to set the global port
{
        http_port 8080
        https_port 8443
}

vw.hakunamatataa.com: {
        tls {EMAIL}
        reverse_proxy 192.168.1.14:80
}

5. Links to relevant resources:

[screenshot attached]

You have a weird colon : here. That looks invalid.

Where are your logs? It’s important.

You must have public access on ports 80 and 443 reaching Caddy so that it can solve ACME challenges. It’s a requirement of the ACME HTTP and TLS-ALPN challenges. It won’t work if you use different ports.

I suggest you move your other service off those ports, then use Caddy to proxy to that service by hostname.

> You have a weird colon : here. That looks invalid.

I was trying with :443 and without any port. Fixed.

Logs:

root@caddy:/etc/caddy# caddy run
2023/10/16 23:41:12.971 INFO    using adjacent Caddyfile
2023/10/16 23:41:12.973 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies       {"adapter": "caddyfile", "file": "Caddyfile", "line": 10}
2023/10/16 23:41:12.975 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
2023/10/16 23:41:12.975 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS    {"server_name": "srv0", "https_port": 8443}
2023/10/16 23:41:12.975 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/10/16 23:41:12.976 INFO    http    enabling HTTP/3 listener        {"addr": ":8443"}
2023/10/16 23:41:12.976 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details.
2023/10/16 23:41:12.976 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/10/16 23:41:12.976 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/10/16 23:41:12.976 INFO    http    enabling automatic TLS certificate management   {"domains": ["vw.hakunamatataa.com"]}
2023/10/16 23:41:12.981 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/10/16 23:41:12.981 INFO    serving initial configuration
2023/10/16 23:41:12.982 INFO    tls.cache.maintenance   started background certificate maintenance{"cache": "0xc0004e6800"}
2023/10/16 23:41:12.982 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/10/16 23:41:12.982 INFO    tls     finished cleaning storage units

> You must have public access on port 80 and 443 reach Caddy so that it can solve ACME challenges. It’s a requirement of the ACME HTTP and TLS-ALPN challenges. It won’t work if you use different ports.
>
> I suggest you move your other service off those ports, then use Caddy to proxy to that service by hostname.

So I cannot have it run on another port for reverse_proxy?

What do you mean by this exactly? Section 2 was left blank. (And the logs you posted later don’t show any indication of a problem, or an error message.)

Are you sure? I’m not really sure what to make of the screenshot:

It’s not clear what the columns are. There’s only one port column. Is it source or destination? And where is the other one?

> What do you mean by this exactly? Section 2 was left blank. (And the logs you posted later don’t show any indication of a problem, or an error message.)

The reverse proxy works when the machine running Caddy (192.168.1.21) has access to ports 80/443.
But when I delete those ports and switch to 8080/8443, the reverse_proxy doesn’t work.
I cannot access the site.

Didn’t post logs, because they didn’t have any useful info.

The screenshot shows the open port and the device that is using the open port.

Your other option is to use the ACME DNS challenge which has no particular port requirement (because the challenge is solved via writing a DNS TXT record). This is more complicated to set up though, because you need to get a custom build of Caddy with the plugin for your DNS provider, and set up the plugin to authenticate with your DNS provider.

Show an example request with curl -v. In what way does it “not work”?

It is useful, it showed that you already have a certificate issued (which is good). But know that if you change ports, when time comes for a renewal, Caddy won’t have a way to actually renew the certificate, so it will expire and become invalid. Unless you switch to the DNS challenge, or keep using ports 80/443.

curl -v :

* Connected to vw.hakunamatataa.com (104.21.50.16) port 80 (#0)
> GET / HTTP/1.1
> Host: vw.hakunamatataa.com
> User-Agent: curl/7.81.0
> Accept: */*
> 

* Mark bundle as not supporting multiuse
< HTTP/1.1 522 
< Date: Tue, 17 Oct 2023 00:22:03 GMT
< Content-Length: 0
< Connection: keep-alive
< Cache-Control: no-store, no-cache
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=uh9GxCvCDmQVdYsop9P3xJ2WabipjIrNamHH62yd1LwryL45xorxWFlQoV2O03Ul9DFY2aKh%2BeXPmDdnFcNvBdQIJGp6y5lLMDL%2BTX9zM8rTVT066Ly3fHKFJfryu7cC18Y%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 817461ca9f20679a-SJC
< alt-svc: h3=":443"; ma=86400
< 
* Connection #0 to host vw.hakunamatataa.com left intact

On the web it’s giving error code 522 (host error).
Changing the open port back to 80/443 works, but I do not want that.

> This is more complicated to set up though, because you need to get a custom build of Caddy with the plugin for your DNS provider, and set up the plugin to authenticate with your DNS provider.

I’m using CF, so with a CF API key with caddy trust?

That looks like you made a request to port 80. Cloudflare is probably proxying to your server also on port 80, but Caddy is not there to listen, so the connection fails.

You can’t just change the port on your router without also changing Cloudflare (and changing how you make the request).

No, caddy trust is to set up trust for Caddy’s internal CA, it has nothing to do with Cloudflare.

See this article:

But again, I strongly recommend having Caddy use ports 80 and 443, moving away whatever other app you have using those ports, and then having Caddy proxy to that app instead. That way, Caddy can manage HTTPS for everything you want to serve, and it can continue to renew your certs.

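The DNS-challenge route mentioned in the replies above, written out as an added example (not the linked article's or the thread's own config). It assumes the caddy-dns/cloudflare module is compiled in with xcaddy and that a Cloudflare API token with Zone:DNS:Edit permission is exported as CF_API_TOKEN; the hostnames and addresses are the ones from the thread.

```caddyfile
# Build Caddy with the Cloudflare DNS provider (run once on the Caddy host):
#   xcaddy build --with github.com/caddy-dns/cloudflare
# Export the token before starting Caddy (assumed variable name):
#   export CF_API_TOKEN=...   # Cloudflare token scoped to Zone:DNS:Edit

{
	# Local listeners. With DNS-01 no inbound 80/443 is needed for issuance
	# or renewal, because the challenge is answered with a DNS TXT record.
	http_port 8080
	https_port 8443
}

vw.hakunamatataa.com {
	tls {
		# DNS-01: Caddy writes the _acme-challenge TXT record via the Cloudflare API.
		dns cloudflare {env.CF_API_TOKEN}
	}
	reverse_proxy 192.168.1.14:80
}
```

Clients must still reach Caddy on the exposed port (for example https://vw.hakunamatataa.com:8443), and if the name is proxied through Cloudflare the edge has to be pointed at that port as well.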

I’m running nginx on a different VM which is using the forwarded 80 and 443 ports for reverse proxying, and which has multiple different apps.

I do not want to disrupt that. I want the Caddy reverse proxy to run services like Vaultwarden for higher availability; that’s why I’m using a different machine to run Caddy and reverse proxy it. The machine running Caddy will have low to no downtime, so it will be available most of the time.

So, if I were to use Caddy for 80/443 and have it reverse proxy the nginx reverse proxy, is that possible?
Or can I do vice versa? Listen on 80 on nginx and reverse_proxy it to Caddy to handle what I’m trying to achieve?

Or what would the approach be?

So you’ve opened the port, but you’re still forwarding 8080 outside → 8080 inside? And 8443 outside → 8443 inside? (and so on)

If so, then the http_port and https_port directives aren’t really the right tool for the job. Those options are for when you’ve forwarded those ports to alternate ports that aren’t 80 and 443. I guess right now you’re just routing external ports to the same port number on your machine.

In order for the ACME challenges to succeed, they HAVE to happen on ports 80 and 443 (unless you set up the DNS challenge), which you can forward to Caddy on different ports, but the external ports have to be 80 and 443.
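The arrangement this reply describes, as an added example rather than the thread's own config: the router keeps the public ports at 80 and 443 but translates them to 8080 and 8443 on the Caddy host, and http_port/https_port tell Caddy about that translation. The NAT rule notation is illustrative; the addresses are the ones from the thread.

```caddyfile
# Router NAT rules (notation is illustrative; set them in the router's UI):
#   WAN tcp/80  -> 192.168.1.21:8080
#   WAN tcp/443 -> 192.168.1.21:8443
#   WAN udp/443 -> 192.168.1.21:8443   # only needed for HTTP/3
#
# Global options: the ports Caddy binds locally. The public side is still
# 80/443, so the ACME HTTP-01 and TLS-ALPN-01 challenges keep working and
# certificate renewal is unaffected.
{
	http_port 8080
	https_port 8443
}

# Site address without a trailing colon. Caddy serves it on https_port and
# redirects plain HTTP arriving on http_port to HTTPS.
vw.hakunamatataa.com {
	reverse_proxy 192.168.1.14:80
}
```

If the name is proxied through Cloudflare, its edge still connects to your public IP on 443, which the NAT rule now delivers to Caddy on 8443; verify from outside the LAN with curl -v https://vw.hakunamatataa.com.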
