Command line through SSH on Raspberry Pi 4. I downloaded it from the tutorial page. There was something about fury.io. I am very new to all of this and still don’t know exactly what these things are.
a. System environment:
Raspberry Pi4
Raspbian Buster Lite
b. Command:
caddy start
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
localhost:2015
respond "Hey Ya'll"
or
localhost:2015
file-server browse
3. The problem I’m having:
I was following the beginners tutorial but just can’t seem to get things working. I built the Hello World file and here’s what I get (I used Hey Ya’ll instead)
I can’t seem to get anything to appear in a web browser like the file-server part of the tutorial. I am supposed to see something when I type localhost:2015 into the browser, correct?
I have also tried changing localhost in the caddyfile to my DNS but nothing is working. I don’t recall Caddy asking me anything about letsencrypt either when I ran it which makes me wonder if I have it installed or not. I thought it was automatic with Caddy. Like I said I’m very new to any of this.
When I type in $ caddy validate I get:
validate: decoding config: unexpected end of JSON input
I also want to keep my caddyfile on my external drive so I used the caddy adapt --config command. Does this keep it permanent? Will I have to run that every time I want it to look there for the file?
4. Error messages and/or full log output:
5. What I already tried:
I tried the stuff mentioned above. All I am looking to do is get my server secured. I have been going at this for a couple weeks now and finally gave up on using the Docker in OMV5 thinking I might be able to figure it out this way but no luck again.
Hold up. What step are you at? The Caddyfile you have above is good. Did you run caddy run in the same directory as that Caddyfile (or caddy run --config /path/to/Caddyfile instead)? Shouldn’t be any need to validate JSON at this step of the Getting Started doc.
Thanks for the assist and please bear with me as I don’t understand much about networking and Linux systems.
I have done many things since my post trying to get something to behave like I think it should. I am going to go back to the beginning here and as of right now my Caddyfile has the following in it:
localhost
respond "Hello World"
Here is the last command I ran after changing it back to hello world:
pi@raspberrypi:~ $ caddy run --config /srv/dev-disk-by-label-HomeDrive/"config files"/Caddyfile
2020/05/07 13:30:14.511 INFO using provided configuration {"config_file": "/srv/dev-disk-by-label-HomeDrive/config files/Caddyfile", "config_adapter": ""}
run: loading initial config: loading new config: starting caddy administration endpoint: listen tcp 127.0.0.1:2019: bind: address already in use
I was also getting a lot of port 80 errors and after some research I found out only one server can use a port at a time so I switched OpenMediaVault to port 81. Please let me know if that will cause any problems. It did clear up the port 80 errors that Caddy was giving me and OMV seems to be working fine still.
I still only get “Hmmm…Can’t reach this page” error when I type in 127.0.0.1:2015 or 80 or 2019. I also tried with typing localhost and the same ports.
Something else on the server is running and is already listening on port 2019.
Caddy wants this for its admin endpoint and won’t start up without it. So it stopped - no running Caddy, no website served.
You can netstat -tulpn | grep 2019 for the culprit.
If it’s something that you need / don’t want to disable / don’t or can’t change away from port 2019, you can tell Caddy to use a different port for its admin endpoint. You can do that with some Caddyfile config (the admin global option). But this is jumping a bit ahead of things - so if you get the chance to proceed normally (maybe by turning off whatever’s on port 2019 temporarily while you go through the tutorial), that might be best.
pi@raspberrypi:~ $ netstat -tulpn | grep 2019
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
pi@raspberrypi:~ $ sudo netstat -tulpn | grep 2019
pi@raspberrypi:~ $
It didn’t give me any information back after I ran as sudo
pi@raspberrypi:~ $ sudo netstat
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 localhost.localdom:2019 localhost.localdo:60820 TIME_WAIT
tcp 0 176 raspberrypi:ssh 192.168.1.18:53698 ESTABLISHED
tcp 0 0 raspberryp:microsoft-ds 192.168.1.18:54183 ESTABLISHED
tcp 0 0 raspberryp:microsoft-ds 192.168.1.26:54462 ESTABLISHED
Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags Type State I-Node Path
.………………………………….
Should I just uninstall Caddy and letsencrypt and any other related things and start over? I don’t know if it’ll make a difference or not. Not sure how to get rid of everything either.
I am also unsure about the port forwarding of 80 and 443 to point towards Caddy. I forwarded the port on my Orbi router to the Raspberry Pi’s IP address. I haven’t a clue if that is right or not.
Probably not. There’s some other stuff for us to try, first. Namely, netstat says there’s nothing on port 2019 right now. Give Caddy another shot (with that caddy run ... command from earlier) and see what it outputs this time.
pi@raspberrypi:~ $ caddy run --config /srv/dev-disk-by-label-HomeDrive/"config files"/Caddyfile
2020/05/07 14:37:27.741 INFO using provided configuration {"config_file": "/srv/dev-disk-by-label-HomeDrive/config files/Caddyfile", "config_adapter": ""}
2020/05/07 14:37:27.746 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/05/07 14:37:27.746 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/05/07 10:37:27 [INFO][cache:0x2c50180] Started certificate maintenance routine
2020/05/07 14:37:27.751 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/05/07 14:37:27.751 INFO tls cleaned up storage units
2020/05/07 14:37:27.883 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
run: loading initial config: loading new config: http app module: start: tcp: listening on :80: listen tcp :80: bind: permission denied
The last line is giving me permission denied error. Seems like that would be significant. Any ideas?
pi@raspberrypi:~ $ netstat -tulpn | grep 80
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 0.0.0.0:34803 0.0.0.0:* LISTEN -
tcp6 0 0 :::8096 :::* LISTEN -
tcp6 0 0 :::8000 :::* LISTEN -
udp 0 0 0.0.0.0:39680 0.0.0.0:* -
pi@raspberrypi:~ $
pi@raspberrypi:~ $ sudo caddy run --config /srv/dev-disk-by-label-HomeDrive/"config files"/Caddyfile
2020/05/07 14:41:44.486 INFO using provided configuration {"config_file": "/srv/dev-disk-by-label-HomeDrive/config files/Caddyfile", "config_adapter": ""}
2020/05/07 14:41:44.489 INFO admin admin endpoint started {"address": "tcp/localhost:2019", "enforce_origin": false, "origins": ["localhost:2019", "[::1]:2019", "127.0.0.1:2019"]}
2020/05/07 14:41:44.489 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
2020/05/07 10:41:44 [INFO][cache:0x40b7440] Started certificate maintenance routine
2020/05/07 14:41:44.493 INFO tls setting internal issuer for automation policy that has only internal subjects but no issuer configured {"subjects": ["localhost"]}
2020/05/07 14:41:44.495 INFO tls cleaned up storage units
2020/05/07 14:41:44.641 INFO pki.ca.local root certificate is already trusted by system {"path": "storage:pki/authorities/local/root.crt"}
2020/05/07 14:41:44.641 INFO http enabling automatic TLS certificate management {"domains": ["localhost"]}
2020/05/07 10:41:44 [WARNING] Stapling OCSP: no OCSP stapling for [localhost]: no OCSP server specified in certificate
2020/05/07 14:41:44.644 INFO autosaved config {"file": "/root/.config/caddy/autosave.json"}
2020/05/07 14:41:44.644 INFO serving initial configuration
Ok please stick with me as I keep poking at this. When I run sudo caddy reverse proxy with the --from and --to the last line I get says
reverse-proxy: loading new config: http app module: start: tcp: listening on :443: listen tcp :443: bind: address already in use
So I used the netstat grep command you showed me and 443 is used by tcp6. I then ran netstat by itself and tcp6 is my Pi’s IP address with port 81. Since I changed OMV5 to port 81 earlier does that mean OMV is listening to port 443 so Caddy can’t?
I figured since it says already in use that may be causing me issues.
I’m jumping in late and am a little lost, but the bottom line is, for any system or server (in general, there are some slight exceptions, but that’s not really relevant here):
Only one process can listen on a single port at a time
You need to have privileges to bind to low ports (< 1024) on Linux
Caddy uses ports 80 and 443 by default, so you need them to be available and you need privileges, either by running as root (not ideal, but not a big deal for local dev setups either) or with setcap; setcap cap_net_bind_service=+ep $(which caddy) will do the trick.
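An added example, not part of the thread or of Caddy: the two rules above turned into a check that matches a port exactly (the `grep 80` earlier also matched 34803, 8096 and 8000) and counts only LISTEN sockets, so a TIME_WAIT entry on 2019 is not reported as a conflict. The sample input, its program names and the function names `listeners_on_port` and `needs_privilege` are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-port listener lookup over netstat-style text.

# Constructed sample (program names and PIDs are made up for illustration).
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:34803 0.0.0.0:* LISTEN 512/example-rpc
tcp6 0 0 :::8096 :::* LISTEN 733/example-media
tcp6 0 0 :::443 :::* LISTEN 801/example-webui
tcp6 0 0 :::81 :::* LISTEN 801/example-webui
tcp 0 0 127.0.0.1:2019 127.0.0.1:60820 TIME_WAIT -'

# Print "proto local-address pid/program" for TCP sockets LISTENing on
# exactly port $1. Reads netstat-style lines on stdin.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, parts, ":")      # port is the last ":" field
            if (parts[n] == port) print $1, $4, $7
        }'
}

# Succeeds if binding port $1 needs root or cap_net_bind_service.
# $2 optionally overrides the threshold; otherwise read the kernel's
# setting, falling back to 1024.
needs_privilege() {
    start="${2:-}"
    f=/proc/sys/net/ipv4/ip_unprivileged_port_start
    if [ -z "$start" ] && [ -r "$f" ]; then start=$(cat "$f"); fi
    [ "$1" -lt "${start:-1024}" ]
}

# Report on the ports Caddy wants by default, using the sample above.
# On a real host, replace the printf with: sudo netstat -tlnp
for p in 80 443 2019; do
    owner=$(printf '%s\n' "$SAMPLE" | listeners_on_port "$p")
    if needs_privilege "$p"; then priv="privileged"; else priv="unprivileged"; fi
    echo "port $p ($priv): ${owner:-free}"
done
```

Running netstat with sudo matters here: without it the PID/Program column shows `-`, as in the output earlier in the thread.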
Thanks Matt. I’m not sure how familiar you are with Open Media Vault but since it’s listening to 443 will that cause any problems if I bind it to Caddy instead?