How can be complete disable tls

s4l1h · November 1, 2016, 7:12pm

Hi everyone,

I am doing migrate nginx to caddy.
I have only 1 ip adress.

My Caddyfile

https://www.site1.com {
    root /home

}
https://site1.com, http://www.site1.com, http://site1.com {
  redir https://www.site1.com
}


www.site2.com:80 {
	tls off
       root /home
}

everythink is working fine but…

if i am visit https://www.site2.com browser says:

"your connection is not private "
Proceed to site1.com (unsafe)
No such site at :443

Log

[INFO] www.site2.com - No such site at :443 (Remote: 212.xx.xx.xx, Referer:

Why i want complete disable this because google bot force https and index unused pages etc…

site2.com under nginx.

➜ ~ curl https://www.site2.com
curl: (7) Failed to connect to www.site2.com port 443: Connection refused

site2.com under caddy.

➜ ~ curl https://www.site2.com
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a “bundle”
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

Ty for help.

matt · November 1, 2016, 9:20pm

You don’t have a site defined for www.site2.com so Caddy doesn’t know how to serve it.

You could also simplify your Caddyfile, assuming you want redirects to be done properly:

www.site1.com {
    root /home
}

site1.com {
    redir https://www.site1.com{uri}
}

site2.com:80 {
    root /home
}

s4l1h · November 1, 2016, 9:49pm

I have in my config file.
site1 and site2 sample domain name.

http://site2.com/ and http://www.site2.com/ working but
I want complete disable https on site2.com

Ty for reply.

matt · November 2, 2016, 4:01am

It is disabled for that site. What do you mean? (Are you referring to the “No such site” message?)

s4l1h · November 2, 2016, 8:06am

I want reject connection https://www.site2.com

Ty for help.

s4l1h · November 2, 2016, 8:13am

This production config.

root@server:/etc/caddy# cat vhosts/*
*.akmyazilim.com.tr:80, akmyazilim.com.tr:80 {
    root /home
    browse
}
https://www.ignorex.com {
    root /home
    browse
}
https://ignorex.com, http://www.ignorex.com, http://ignorex.com {
  redir https://www.ignorex.com
}

I want reject connection on this https://www.akmyazilim.com.tr

Whitestrake · November 2, 2016, 8:45am

Did some quick testing on 0.9.3.

In a Caddyfile with only one virtual host, either prepending http:// or appending :80 to the virtual host stops Caddy from serving any content over HTTPS (Chrome gives ERR_CONNECTION_REFUSED, curl returns curl: (7) Couldn't connect to server) - I suspect it simply stops listening on port 443.

With a Caddyfile specifying multiple virtual hosts it will allow the connection and respond with No such site at :443. It looks like Caddy serves the certificate of the first site in the Caddyfile that has TLS enabled, which will very likely not match the site you don’t want to serve HTTPS content on (resulting in the curl 60 error). I am not sure if this is intended behaviour.

Just spitballing, a possible workaround might be to enable TLS and redirect to http:// with a 302, like so:

*.akmyazilim.com.tr:80, akmyazilim.com.tr:80 {
    root /home
    browse
}
*.akmyazilim.com.tr:443, akmyazilim.com.tr:443 {
    redir / http://{hostonly}{uri} 302
}

That’s assuming the {hostonly} placeholder is correct in context (I didn’t test this!). If it’s not, and it isn’t easy to get the host sans scheme/port, you might be unable to redir the wildcard; you’d only be able to rely on

*.akmyazilim.com.tr:80, akmyazilim.com.tr:80 {
    root /home
    browse
}
akmyazilim.com.tr:443 {
    redir / http://akmyazilim.com.tr{uri} 302
}

Search engines respect 302s, so that should avoid having https pages indexed. Search engines really like to see https, though. You could also consider using a robots.txt file.

s4l1h · November 2, 2016, 9:03am

Ty for help.

This fix possible with non-wilcard domain https to redict http .
But with wilcard domain not working , because letsencrypt not supported wilcard ssl.

https://akmyazilim.com.tr redict to http://akmyazilim.com.tr
https://somesub.akmyazilim.com.tr some problem…

Whitestrake · November 2, 2016, 9:12am

Caddy does support wildcard virtual hosts with HTTPS, it refers to it as On-Demand TLS (scroll down).

You will need to set a TLS directive and specify the maximum number of certs. Caddy will then provision a new certificate for each request. It’s not true wildcard SSL, but it will work unless you have a larger number of subdomains than the LetsEncrypt rate limits.

Assuming again that the {hostonly} placeholder is correct:

*.akmyazilim.com.tr:80, akmyazilim.com.tr:80 {
    root /home
    browse
}
*.akmyazilim.com.tr:443, akmyazilim.com.tr:443 {
    tls {
        max_certs 10
    }
    redir / http://{hostonly}{uri} 302
}

Naturally once you hit 10 subdomains with certs, it won’t requisition any more. Obviously this is not an ideal workaround, unfortunately.

s4l1h · November 2, 2016, 12:22pm

I think problem this line:

https://github.com/mholt/caddy/blob/master/caddyhttp/httpserver/server.go#L246

Maybe need close client connection?

matt · November 2, 2016, 2:06pm

Okay, so if you have a site listening on port 443, then browsers can connect to that port for any site because the listener is open. But the way your Caddyfile is set up, Caddy still won’t serve site2 on port 443 because it is not defined for that port, so you get the error, “No such site.” This is by design.

If you want to limit only site1 to being available on port 443 you can use the bind directive.

site1.com {
    bind site1.com
}

s4l1h · November 2, 2016, 10:13pm

Ty for effort but not working Matt ,

How can be access client connection. *net.Conn

maybe fix this problem: s.client.Close()

https://github.com/mholt/caddy/blob/master/caddyhttp/httpserver/server.go#L246

Whitestrake · November 3, 2016, 1:23am

Hey @matt, just thought I’d ask if you had any thoughts on this part:

I’m not 100% sure this is exactly the case as I’ve only actually looked at one result so far… And as I understand it, you can’t serve HTTPS without at least a self-signed cert. But in my one test case it was using a cert from an unrelated site, which I’d think would be possibly undesirable behaviour.

matt · November 3, 2016, 4:50am

You can serve a TLS listener without any certs, but no clients will be able to connect successfully.

Like nginx, Caddy will use the “default” cert to serve TLS for hostnames in the handshake it does not recognize.

Whitestrake · November 3, 2016, 5:15am

I believe nginx has an option here, return 444, which logs the error internally and aborts the connection before negotiating with the client. Is Caddy capable of something similar?

system · February 1, 2017, 5:15am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.