Https on non-standard port, keeps wanting to bind on 80

I’m trying to get Caddy working on a different https port, but even though, based on my understanding of the documentation and the different answers I’ve found around the web, defining no http listener and a DNS plugin should make the auto-ssl part not bind to 80.

Yet with the following config caddy still tries to bind to 80:

https://*.domain.ro:60443, https://domain.ro:60443 {
  tls {
    dns route53
  }

  root /home/domain/www

  gzip

  header / {
    alt-svc "quic=\":443\"; ma=2592000; v=\"44,43,39\""
  }

  proxy / https://www.domain.ro {
    except /img /wp-includes/js /wp-content/themes/domain/js /wp-content/themes/domain/images /wp-content/themes/domain/font /wp-includes/fonts /wp-includes/css /wp-includes/images
    header_downstream server "nginx"
    header_downstream x-proxied "Caddy; QUIC"
    transparent
  }

  log / /var/log/caddy_access.log "{combined}" {
    rotate_size 1000
    rotate_age 90
    rotate_keep 20
    rotate_compress
  }
}

Getting me:

# caddy -conf=/etc/caddy/Caddyfile -quic
Activating privacy features... done.
2019/09/24 07:36:49 Listen: listen tcp :80: bind: address already in use

What am I doing wrong?

Hi @Znuff, welcome to the Caddy community!

Caddy will always try to bind a redirect listener on port 80 unless you disable Automatic HTTPS.

You could use -http-port to move the default port somewhere inconsequential and leave it firewalled.

https://caddyserver.com/docs/cli

Could you please clarify on the first part?

I’ve read that before, but there’s no actual example on how to do it (disable automatic https).

I would like to NOT use -http-port while still using the DNS plugin (route53) to get a valid wildcard certificate.

These are the criteria under which Automatic HTTPS is enabled:

  • The hostname:
    • is not empty
    • is not localhost
    • is not an IP address
    • has no more than 1 wildcard (*)
    • wildcard must be left-most label
  • The port is not explicitly 80
  • The scheme is not explicitly http
  • TLS is not turned off in site’s definition
  • Certificates and keys are not provided by you
  • Caddy is able to bind to ports 80 and 443 (unless you use the DNS challenge)

Automatic HTTPS — Caddy Documentation

Breaking any of these conditions will disable Automatic HTTPS (except the last one, that will just have Caddy exit out). Basically, good options are to provide your own keys (or use self-signed, although those self-signed certs are short-lived and not renewed, so this isn’t good long term) or turn TLS off.

-http-port will not break your DNS challenges. It just moves the redirect listener to a different port, essentially (as a side-effect of changing the default HTTP port for all sites).

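The criteria listed above, turned into a small checker so you can see why the poster's site address still qualifies for Automatic HTTPS (and therefore the port-80 redirect listener). This is an added example, not Caddy's own code; it assumes the site address forms from the Caddyfile in this thread, treats the "wildcard must be left-most label" rule as "the first label is exactly `*`", and does not model the last criterion (whether ports 80/443 can actually be bound), which is a runtime check.

```python
import ipaddress


def parse_site_address(addr):
    """Split a Caddy 1 site address such as 'https://*.domain.ro:60443'
    into (scheme, host, port); scheme and port are None when absent."""
    scheme, rest = None, addr.strip()
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme = scheme.lower()
    host, port = rest, None
    if rest.startswith("["):            # bracketed IPv6 literal, e.g. [::1]:2015
        end = rest.index("]")
        host = rest[1:end]
        if rest[end + 1:].startswith(":"):
            port = rest[end + 2:]
    elif ":" in rest:
        host, port = rest.rsplit(":", 1)
    return scheme, host, port


def _is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def automatic_https_enabled(addr, tls_off=False, own_certs=False):
    """Apply the Caddy 1 Automatic HTTPS criteria from the documentation list.
    tls_off / own_certs stand for 'tls off' and user-provided cert/key in the
    site block (constructed flags for this example). The port-binding criterion
    is not modelled here."""
    scheme, host, port = parse_site_address(addr)
    labels = host.split(".")
    if not host or host.lower() == "localhost" or _is_ip_address(host):
        return False
    if host.count("*") > 1:                       # at most one wildcard
        return False
    if "*" in host and labels[0] != "*":          # wildcard must be left-most label
        return False
    if port == "80" or scheme == "http":          # explicit plain-HTTP site
        return False
    if tls_off or own_certs:                      # TLS disabled or certs supplied by you
        return False
    return True
```

Run it against the thread's address and the outcome is True: a non-80 port with a DNS challenge satisfies every criterion, so Caddy 1 enables Automatic HTTPS and, with it, the HTTP->HTTPS redirect listener on the default HTTP port.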

This doesn’t seem exactly on-point. If Caddy can’t bind to 80 and/or 443, it just exits.

As much as I understand, my config should do exactly that.

Er, that is true I suppose, as not exiting is itself a prerequisite to enabling automatic HTTPS. I see what you mean about why this is confusing.

Caddy 1 also enables HTTP->HTTPS redirects, using the -http-port flag to know what the HTTP port is supposed to be. Because web browsers still default to HTTP, Caddy 1 doesn’t allow these automatic redirects to be disabled. (But Caddy 2 does, FWIW.)

