How to make auto-https redirect to my custom https_port?

1. Caddy version (caddy version):

Caddy2

2. How I run Caddy:

caddy run

a. System environment:

docker

b. Command:

I use docker

c. Service/unit/compose file:

    version: '3.1'
    services:
      caddy:
        container_name: caddy
        image: caddy
        volumes:
          - ./www/:/www/
          - ./data/:/data/
          - ./config/:/config/
          - ./certs/:/certs/
          - ./log:/log
          - ./Caddyfile:/etc/caddy/Caddyfile
        #command: caddy run --resume
        network_mode: host
        restart: always

d. My complete Caddyfile or JSON config:

    {
        debug
        experimental_http3
        http_port 10080
        https_port 10443
        email 32424324311@gamil.com
        admin 0.0.0.0:12019
    }

    ts.i.oonlyone.com {
        # tls /certs/i.oonlyone.com/fullchain.cer /certs/i.oonlyone.com/i.oonlyone.com.key
        encode gzip
        reverse_proxy http://192.168.123.101:9080 {
        }
    }

3. The problem I’m having:

1. I’ve set https_port to 10443 in the global options, but when I visit port 10080, my browser still auto-redirects to port 443. I expect it to auto-redirect to port 10443.
2. When Caddy auto-issues certificates from Let’s Encrypt, it fails because Caddy still uses port 80 to host the .well-known files instead of port 10080.

4. Error messages and/or full log output:

[  ts.i.oonlyone.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://ts.i.oonlyone.com/.well-known/acme-challenge/_uCEbQfaAxqrUfh3yNyOgybuQf9dhboazlOakCqbIBQ [45.15.131.89]: 404, url:
 (challenge=http-01 remaining=[])
2020/05/09 15:13:02 [ERROR] attempt 2: [ts.i.oonlyone.com] Obtain: [ts.i.oonlyone.com] error: one or more domains had a problem:
[  ts.i.oonlyone.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from http://ts.i.oonlyone.com/.well-known/acme-challenge/_uCEbQfaAxqrUfh3yNyOgybuQf9dhboazlOakCqbIBQ [45.15.131.89]: 404, url:
 - retrying in 2m0s (1m44.096652041s/720h0m0s elapsed)...

5. What I already tried:

6. Links to relevant resources:

Those port global options are only meant to change the ports from the perspective of your local machine. Externally, they still need to be mapped to 80 and 443. Let’s Encrypt will only try to connect on those ports, and the HTTP->HTTPS redirect will always assume your site is accessible on port 443 externally.


So is this feature supported in the current version with another workaround? Or will it be supported in the future?

It’s simply an impossibility. Let’s Encrypt will never make requests for the HTTP challenge on any port other than 80, and will never make requests for the ALPN challenge on any port other than 443.

If you must run it on different ports, then you should consider using the ACME DNS challenge instead, which doesn’t have any specific port requirements.

You can also implement the HTTP->HTTPS redirect yourself by adding a site block like this:

http://ts.i.oonlyone.com {
    redir https://{host}:10443{uri}
}

The http_port and https_port options change what Caddy assumes to be the default ports.

To clarify, it’s not issuing a redirect to 443. It’s issuing a redirect to https:// and your browser is assuming port 443.

To have Caddy issue redirects from/to non-standard ports, you’ll need to specify them in your Caddyfile, e.g.

http://example.com:10080 {
  redir https://example.com:10443{uri}
}

https://example.com:10443 {
  ...
}

The usage of http_port and https_port is effectively intended for scenarios where your public ports remain default but your internal ports are different, e.g. your router is port forwarding from port 80 externally to port 10080 on your server.

Wrong way around - with http_port, Caddy will be listening on port 10080 for the challenge, but as @francislavoie has shared, the ACME server actually needs it to be on port 80!

Technically, Caddy 2 does support ACME challenges on arbitrary ports, and you’ve got the right settings for them! Downside is, no trusted ACME provider I know of actually does issue challenges on non-standard ports!

If you somehow do find one, you can specify the acme_ca in your global options alongside http_port/https_port and you’ll be off to the races… Just make sure to specify your ports manually in your redirects and it’ll work.
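Putting the replies above together, here is a complete Caddyfile for the poster's setup. It is an added example, not a config from the thread or from the Caddy project: it uses the explicit redirect site block suggested in the replies, and, since Let's Encrypt only ever connects on ports 80 and 443, switches certificate issuance to the DNS challenge that was recommended for hosts with non-standard public ports. It assumes a Caddy build that includes the Cloudflare DNS module (github.com/caddy-dns/cloudflare) with an API token in the CF_API_TOKEN environment variable; the email address is a placeholder, and the admin endpoint is bound to loopback rather than 0.0.0.0 because the admin API is unauthenticated by default.

```caddyfile
# Added example for the thread above, not the poster's or the project's own config.
# Assumes a Caddy build with the Cloudflare DNS module and CF_API_TOKEN set.
{
    http_port  10080
    https_port 10443
    email admin@example.com      # placeholder: replace with a real address
    admin 127.0.0.1:2019         # the admin API has no auth; keep it off 0.0.0.0
}

# Explicit HTTP -> HTTPS redirect. Caddy's automatic redirect only emits
# https://{host} with no port, so the browser assumes 443; spelling out
# :10443 is what makes the redirect land on the custom HTTPS port.
http://ts.i.oonlyone.com:10080 {
    redir https://{host}:10443{uri} permanent
}

https://ts.i.oonlyone.com:10443 {
    encode gzip
    tls {
        # HTTP-01 and TLS-ALPN-01 are only ever attempted on 80/443, so with
        # non-standard public ports the DNS challenge is the one that works.
        # Directive provided by the caddy-dns/cloudflare plugin (assumption).
        dns cloudflare {env.CF_API_TOKEN}
    }
    reverse_proxy http://192.168.123.101:9080
}
```

After reloading, a request to `http://ts.i.oonlyone.com:10080/` should answer with a `Location: https://ts.i.oonlyone.com:10443/` header; if the port is missing from that header, the request was matched by Caddy's automatic redirect rather than the explicit site block. If your router forwards public 80/443 to 10080/10443 on the server instead, drop the `tls { dns ... }` block and the explicit redirect: that is the case the global http_port/https_port options are designed for.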

