Disable IPv6 entirely?

1. The problem I’m having:

I’m sorry for what seems to me like an extremely basic question, but I just noticed that Caddy is listening on IPv6, and I don’t want that. So I went to the docs and looked for something to say “don’t do that”, but haven’t found anything yet. I’ve looked at the Caddyfile docs, the command line docs, and the startup script that came with the standard FreeBSD port, and I have searched the web, the GitHub repo, these forums, and the wiki thereof.

Closest I’ve found is the “versions” thing for the dynamic DNS module, wherein you can specify the IP type. That’s obviously not what I want, but of an abundance of hope and a lack of knowledge, I tried putting its versions ipv4 into the global section of my Caddyfile, which only caused Caddy to be unable to start.

Is there a way (preferably but not necessarily via the Caddyfile) to tell Caddy to listen only on IPv4, not IPv6?

Many of the required sections below do not seem relevant. I’ve had Caddy working just fine for a long time. I just want to know how to tell it to only listen on IPv4.

2. Error messages and/or full log output:

# sockstat -6 | rg caddy
www      caddy      33970 5   tcp46  *:443                 *:*
www      caddy      33970 6   udp46  *:443                 *:*
www      caddy      33970 7   tcp46  *:80                  *:*

3. Caddy version:

v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=

4. How I installed and ran Caddy:

Standard FreeBSD port.

a. System environment:

14.3-RELEASE-p3 FreeBSD 14.3-RELEASE-p3 GENERIC amd64

b. Command:

service caddy start

c. Service/unit/compose file:

d. My complete Caddy config:

# caddy fmt usr/local/etc/caddy/config/Caddyfile
{
        import SENSITIVE/acme.SENSITIVE
        order cgi before respond
}

(denyExternal) {
        @denyExternalClient not client_ip private_ranges
        @denyExternalRemote not remote_ip private_ranges
        abort @denyExternalClient
        abort @denyExternalRemote
}

http:// {
        import denyExternal
}

https:// {
        import denyExternal
}

import imports/*
Error: usr/local/etc/caddy/config/Caddyfile:2: Caddyfile input is not formatted; Tip: use '--overwrite' to update your Caddyfile in-place instead of previewing it. Consult '--help' for more options

The imports in imports/* are just individual small things for each individual application.

5. Links to relevant resources:

I guess you can achieve this using default_bind with 0.0.0.0. See Global options (Caddyfile) — Caddy Documentation

I would be curious why you want to do this though.

Thank you! I tried it out, and it didn’t seem to help, but then I tried it with my explicit IPv4 address, and that seems to have done the trick.

As to why: Surfeit of paranoia, I suppose. I’m not super-concerned about it, but just generally speaking if I have no intention of using something, I’d rather just not have it enabled in the first place.

Typing this out 20 hours in advance and keeping the browser tab open because these forums apparently don’t let new users post things more often than that, not even to say “thank you” in a comment in a thread that they themselves started :frowning:

It’s quite normal for programs to be listening on dual-stack sockets even if you don’t actually have any IPv6 addresses on any interface.
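
A way to confirm the outcome discussed in this thread, added here as an example that is not from any of the posters or from the Caddy project: an sh check that reads FreeBSD sockstat output and reports whether a command still holds IPv6 or dual-stack (tcp46/udp46) sockets. The first sample is the sockstat output from the original post; the second sample, including the address 192.0.2.10 and the sshd line, is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a service has no sockets
# reachable over IPv6, using FreeBSD sockstat output supplied on stdin.
# Columns: USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
# Live use on the host would be:  sockstat -l | v4_only caddy

# Print PROTO and LOCAL-ADDRESS for each socket of command $1 that is
# IPv6-only (tcp6/udp6) or dual-stack (tcp46/udp46).
v6_sockets() {
    awk -v cmd="$1" '$2 == cmd && $5 ~ /^(tcp|udp)4?6$/ { print $5, $6 }'
}

# Return 0 only if command $1 has at least one socket and none of them is
# IPv6 or dual-stack. An empty listing fails, so a stopped service does not
# pass the check by accident.
v4_only() {
    input=$(cat)
    printf '%s\n' "$input" | awk -v cmd="$1" '$2 == cmd { n++ } END { exit !n }' || return 1
    [ -z "$(printf '%s\n' "$input" | v6_sockets "$1")" ]
}

# Sample 1: the sockstat lines from the original post (wildcard dual-stack).
BEFORE='www      caddy      33970 5   tcp46  *:443                 *:*
www      caddy      33970 6   udp46  *:443                 *:*
www      caddy      33970 7   tcp46  *:80                  *:*'

# Sample 2: constructed. Caddy bound to one explicit IPv4 address, plus an
# unrelated sshd socket on IPv6 that the command filter must ignore.
AFTER='www      caddy      40112 5   tcp4   192.0.2.10:443        *:*
www      caddy      40112 6   udp4   192.0.2.10:443        *:*
www      caddy      40112 7   tcp4   192.0.2.10:80         *:*
root     sshd       1021  3   tcp6   *:22                  *:*'

# Report on one named sample.
report() {
    if printf '%s\n' "$2" | v4_only caddy; then
        echo "$1: caddy is IPv4 only"
    else
        echo "$1: caddy still has IPv6-reachable sockets:"
        printf '%s\n' "$2" | v6_sockets caddy
    fi
}

report before "$BEFORE"
report after "$AFTER"
```
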
