Private instance that can redirect port?

1. The problem I’m having:

I’ve created a Vaultwarden instance that can be accessed only from my local network with HTTPS-enabled using Cloudflare DNS challenge. The A name on Cloudflare points to the internal IP address of my server.
It works perfectly. I am currently exposing the Caddy instance on port 8443. So my users have to type the URL vaultwarden.example.com:8443

Is there anything I can do so that my users can enter just the URL without the port? I’m already using 443 for another instance of Caddy that exposes services to the internet.

2. Error messages and/or full log output:

N/A

3. Caddy version:

v2.7.6

4. How I installed and ran Caddy:

Docker and Xcaddy

a. System environment:

Ubuntu 22.04 with Docker

c. Service/unit/compose file:

version: '3'

services:
  vaultwarden:
    image: vaultwarden/server:1.30.5
    container_name: vaultwarden_server
    restart: always
    env_file: .env
    volumes:
      - /myDrive/docker-volumes/vaultwarden/vw-data:/data
      - vw-logs:/var/log/vaultwarden

  caddy:
    image: caddy:2
    container_name: vaultwarden_caddy
    restart: always
    ports:
      - 8443:443
    env_file: caddy.env
    volumes:
      - ./caddy:/usr/bin/caddy  # Your custom build of Caddy.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-config:/config
      - caddy-data:/data
      - caddy-logs:/var/log/caddy

volumes:
  vw-logs:
  caddy-config:
  caddy-data:
  caddy-logs:

d. My complete Caddy config:

{$DOMAIN} {
  log {
    level DEBUG
    output file {$LOG_FILE} {
      roll_size 10MB
      roll_keep 10
    }
  }
  tls {
    dns cloudflare {$CLOUDFLARE_API_TOKEN}
  }
  encode gzip
  reverse_proxy /notifications/hub vaultwarden:3012
  reverse_proxy vaultwarden:8001

5. Links to relevant resources:

Used instructions below to set up private instance of Vaultwarden

You’d have to use one Caddy instance instead of two. You can’t have both listening on the same port if they’re on the same server (unless they had different IPs and could bind on 2 different interfaces).

Thank you! That makes sense!

Let me ask my question another way… So in the below setup assuming this is the only Caddy instance running, I have memos being served on two different sub-domains. Memos-int points to my internal server address, whereas the Memos-ext points to my external IP address. Port 443 is forwarded to port 60443 on my router. I can access the external site using https://memos-ext.example.com, but for the internal site I need to specify the port: https://memos-int.example.com:60443
Is there any way to avoid using the port in this scenario?

In addition to this, what the is best practice / recommended way of disabling access from external IPs? Would it be using the remote_ip matcher?
Thanks for all the input!!

Compose file

version: "3"
services:
  memos:
    image: neosmemo/memos:0.20
    container_name: memos
    volumes:
      - /myDrive/docker-volumes/memos/memos-db:/var/opt/memos
    ports:
      - 5230:5230
    environment:
      - TZ=America/Toronto
    restart: unless-stopped
  caddy:
    image: caddy:2
    container_name: memos_caddy
    restart: unless-stopped
    ports:
      - 60443:443
    volumes:
      - ./caddy:/usr/bin/caddy:ro
      - caddy-data:/data
      - caddy-config:/config
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-logs:/var/log/caddy
    env_file: .env
volumes:
  caddy-config:
  caddy-data:
  caddy-logs:

Caddyfile

{
        log {
                level DEBUG
                output file {$LOG_FILE} {
                        roll_size 50MB
                        roll_keep 50
                        roll_keep_for 365d
                }
        }
}
(cloudflare-tls) {
        tls {
                dns cloudflare {$CLOUDFLARE_API_TOKEN}
                propagation_delay 30s
                propagation_timeout -1
        }
}
memos-ext.{$DOMAIN} {
        import cloudflare-tls
        reverse_proxy memos:5230
}

memos-int.{$DOMAIN} {
        import cloudflare-tls
        reverse_proxy memos:5230
}

The problem is you’re publishing port 60443 to the host in your Docker Compose config:

You’d need to publish 443 with - 443:443 instead, which is the default HTTPS port.

Since your router’s port forwarding is not involved when the request is being made inside the LAN, you’d need something on your server in front of Docker doing the port forwarding or something… but why not just publish port 443 instead? Simplifies the setup significantly.

Yep. You can pair it with the abort directive to close connections as soon as possible.

Thank you!

Yes - you’re right. I should just do this and simplify everything.

Really appreciate your input!