Server does not advertise supported HTTP/3 or QUIC version on the same port.
The HTTPS Connection is established to Port 443, the firewall forwards to 8443 and the HTTP Response Header from Caddy contains that H3 support is available port 8443.
I want that Caddy returns Port 443 in the alt-svc response header.
4. Error messages and/or full log output:
5. What I already tried:
I have removed the https_port and http_port global options, but then caddy wants to bind to port 80 which is not possible.
2022/01/16 11:51:02.721 ERROR admin.api request error {"error": "loading config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied", "status_code": 400}
reload: sending configuration to instance: caddy responded with error: HTTP 400: {"error":"loading config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied"}
@stbu , you need to allow the service to binding to privileged ports. Here is an example of the end-to-end reconfiguration. The important command is setcap.
Thanks for your input @greenpau
If setcap cap_net_bind_service=+ep isnāt allowed because of restrictive environments, shouldnāt there be any other possibility to enable h3 support?
Anything else from certificate handling to http->https redirects is working perfectly fine when Iām running caddy on 8080 and 8443 behind the firwall-port forwarding of these two ports. The only thing bothering me is that h3 is advertised on 8443.
Iām coming from the Java Servlet World and even when a Servlet Container is listening on Port 8443, the getServerPort() would still return 443 when the Request was sent on the default https port 443 and forwarded by letās say firewall-cmd --zone=public --permanent --add-forward-port=port=443:proto=tcp:toport=8443 to the Servlet Container.
And thatās what I would expect from Caddy as well in the Alt-Svc header for h3.
Yeah, something like that maybe. Really whatās most important to think about is where it goes in the JSON config first, then how itās configured in the Caddyfile comes second.
Take a look at the JSON config for the HTTP app, youāll see that experimental_http3 is just a boolean flag for now:
I donāt think we really want to break this option for everyone by turning the boolean into an object, like "experimental_http3": {"enabled": true, "advertised_port": 443}, but we could do that since itās still marked experimental. The Caddyfile adapter could still generate the right thing in a backwards compatible way.
We could also add a new http3_port option alongside http_port and https_port on the HTTP app which would do this. Downside is itās further away from the option where http3 is enabled, but I think itās probably a better place to put the option, since itās related with the fact that https_port is configured to some non-default. Weād have to mark that option as experimental in the docs as well until HTTP3 is made stable.
That makes sense too, re: bool types and backwards compatibility.
My golang proficiency is quite basic (coming from a python background) - but i can read the docs and see how far i get. (I may be more suited to testing!)
If iām not too far off though, i think itās having to set the port prior to calling the setQuickHeaders method (line 147)
Like maybe(?): s.h3server.Port = <some caddy config global option. eg. "http3_port">
Which may then set the value here:
Again, not sure how it all getās wired up/passed through. (More reading for me required! )