Provide metrics on a different port

1. The problem I’m having:

I have a reverse_proxy serving on port :443, and the domain's A record points to the server, which is working fine as https://caddy.example.com.

In order to measure the metrics, I want to access the metrics on a different port like

http://xx.xx.xx.xx:2020/metrics

Please note that I do not want to use the domain name here; I want to use the IP address of the instance directly.

2. Error messages and/or full log output:

```
Error: automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: []certmagic.Issuer(nil) != []certmagic.Issuer{(*caddytls.ACMEIssuer)(0x40002aee00), (*caddytls.ZeroSSLIssuer)(0x400047fa40)}
```

3. Caddy version:

v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

4. How I installed and ran Caddy:

a. System environment: Ubuntu 22.04 (Linux)

b. Command:

```
caddy adapt
caddy reload
```

c. Service/unit/compose file:


d. My complete Caddy config:

```
{
        email anuj.sharma@example.io

        on_demand_tls {
                ask https://webhook.site/69c70c2e-818d-4c9d-940e-43daaed3c0c9
        }

        servers {
                metrics
        }
}

:2020 {
        handle {
                metrics
        }
}

:443 {

        reverse_proxy {
                to my-app-load-balancer-207asdf23690.us-west-2.elb.amazonaws.com
        }

        tls anuj.sharma@example.io {
                on_demand
        }

        header {
                # Response Headers
                set X-Content-Type-Options nosniff
                set X-Frame-Options DENY
                set X-XSS-Protection "1; mode=block"
                set Referrer-Policy no-referrer-when-downgrade
        }
}
```

5. Links to relevant resources:

Strange. I’d expect that config to work as-is :frowning:

You can fix it by changing it to `http://:2020` and it won’t attempt to set up an automation policy.

`set` is not a thing. Please review the docs. This will be using the header value replacement syntax, trying to change a header called `Set`, which is not your intent.


It’s so hard… willing to revisit this but that code is super duper complicated.

Found an alternative fix; remove the email from the `tls` directive in your `:443` block, because it’s redundant since you already defined the `email` global option. Or use a different email address.

The reason why it actually fixes the error is really in-depth and tricky and probably not something we care to solve, frankly, because it’s very much an edge-case.

@matt if you’re feeling adventurous… the gist is that the `:2020` block sets `catchAllAP = ap` because `if len(sblockHosts) == 0 && catchAllAP == nil` passes since it’s first… I think we should avoid that line if the port is not the `https_port` and there are no hosts.

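The fixes suggested in the replies, applied together to the posted config. This is an added example, not part of any post in the thread; the email, `ask` URL and upstream are the values from the original post. Either the `http://` scheme or dropping the email from `tls` is reported to clear the error on its own, and both are shown here.

```caddyfile
{
        email anuj.sharma@example.io

        on_demand_tls {
                ask https://webhook.site/69c70c2e-818d-4c9d-940e-43daaed3c0c9
        }

        servers {
                metrics
        }
}

# Explicit http:// scheme: no automation policy is set up for this
# hostless listener, so it cannot conflict with the :443 policy.
http://:2020 {
        handle {
                metrics
        }
}

:443 {
        reverse_proxy {
                to my-app-load-balancer-207asdf23690.us-west-2.elb.amazonaws.com
        }

        # The email comes from the global option; repeating it here is redundant.
        tls {
                on_demand
        }

        header {
                # A bare field name sets the header; "set" is not a keyword.
                X-Content-Type-Options nosniff
                X-Frame-Options DENY
                X-XSS-Protection "1; mode=block"
                Referrer-Policy no-referrer-when-downgrade
        }
}
```

The `:2020` listener serves metrics over plain HTTP on every interface, so who can reach it is decided by the host firewall or security group rather than by Caddy.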
