Provide metrics on a different port

1. The problem I’m having:

I have a reverse_proxy serving on port :443 and the domain is pointing A record to the server, which is working fine as

In order to measure the metrics, I want to access the metrics on a different port like


Please note, that I do not want to use the domain name here and use directly the IP address of the instance.

2. Error messages and/or full log output:

Error: automation policy from site block is also default/catch-all policy because of key without hostname, and the two are in conflict: []certmagic.Issuer(nil) != []certmagic.Issuer{(*caddytls.ACMEIssuer)(0x40002aee00), (*caddytls.ZeroSSLIssuer)(0x400047fa40)}

3. Caddy version:

v2.7.4 h1:J8nisjdOxnYHXlorUKXY75Gr6iBfudfoGhrJ8t7/flI=

4. How I installed and ran Caddy:

a. System environment: Ubuntu 22.04 (Linux)

b. Command:

caddy adapt 
caddy reload

c. Service/unit/compose file:

Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:


        on_demand_tls {

        servers {

:2020 {
        handle {

:443 {

        reverse_proxy {

        tls {

        header {
                # Response Headers
                set X-Content-Type-Options nosniff
                set X-Frame-Options DENY
                set X-XSS-Protection "1; mode=block"
                set Referrer-Policy no-referrer-when-downgrade

5. Links to relevant resources:

Strange. I’d expect that config to work as-is :frowning:

You can fix it by changing it to http://:2020 and it won’t attempt to set up an automation policy.

set is not a thing. Please review the docs. This will be using the header value replacement syntax, trying to change a header called Set, which is not your intent.

1 Like

It’s so hard… willing to revisit this but that code is super duper complicated.

Found an alternative fix; remove the email from the tls directive in your :443 block, because it’s redundant since you already defined the email global option. Or use a different email address.

The reason why it actually fixes the error is really in-depth and tricky and probably not something we care to solve, frankly, because it’s very much an edge-case.

@matt if you’re feeling adventurous… the gist is that the :2020 block sets catchAllAP = ap because if len(sblockHosts) == 0 && catchAllAP == nil passes since it’s first… I think we should avoid that line if the port is not the https_port and there are no hosts.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.