1. The problem I’m having:
I recently converted my caddy container to a socket-activated service (rootless podman). It all works fine, but I’m seeing a warning that I didn’t see before and I’m wondering if there is a way to get rid of it. caddy complains it would be “listening only on the HTTP port” (see 2). I’m assuming that’s because I’m now using sockets and caddy doesn’t actually know that the socket is bound to port 443. But even if I add the global option auto_https disable_redirects to my Caddyfile, the warning doesn’t go away.
Please note: My setup is HTTPS-only. Even before I converted to socket-activation, I did not publish the container port 80 and it works fine for me.
2. Error messages and/or full log output:
The warning in question is this:
{"level":"warn","ts":1766460731.6730514,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Here’s the full log of a caddy start:
{"level":"info","ts":1766460731.6658342,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
{"level":"info","ts":1766460731.6664908,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":7312700620,"previous":9223372036854775807}
{"level":"info","ts":1766460731.6666188,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1766460731.6695788,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1766460731.6720648,"logger":"admin","msg":"admin endpoint disabled"}
{"level":"info","ts":1766460731.6728003,"logger":"http.auto_https","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
{"level":"warn","ts":1766460731.6730514,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1766460731.672807,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00069c080"}
{"level":"info","ts":1766460731.6744874,"logger":"http","msg":"enabling HTTP/3 listener","addr":"4"}
{"level":"info","ts":1766460731.6754286,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1766460731.6759398,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"info","ts":1766460731.6762023,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["cloud.xusig.net","vault.xusig.net","feeds.xusig.net"]}
{"level":"warn","ts":1766460731.6770608,"logger":"tls","msg":"stapling OCSP","identifiers":["cloud.xusig.net"]}
{"level":"warn","ts":1766460731.6782777,"logger":"tls","msg":"stapling OCSP","identifiers":["vault.xusig.net"]}
{"level":"warn","ts":1766460731.6791735,"logger":"tls","msg":"stapling OCSP","identifiers":["feeds.xusig.net"]}
{"level":"info","ts":1766460731.6796975,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1766460731.6805043,"msg":"serving initial configuration"}
3. Caddy version:
v2.10.2 h1:g/gTYjGMD0dec+UgMw8SnfmJ3I9+M2TdvoRL/Ovu6U8=
4. How I installed and ran Caddy:
a. System environment:
Debian 13.2
systemd 257.9-1~deb13u1
podman 5.4.2+ds1-2+b1
caddy:latest from docker.io
b. Command:
I use a systemd/podman quadlet and a systemd socket to start caddy (see below). The container runs as a user unit (rootless).
c. Service/unit/compose file:
My caddy.container quadlet:
[Unit]
Description=Caddy container
BindsTo=caddy.socket
Wants=podman-user-wait-network-online.service
After=caddy.socket podman-user-wait-network-online.service
[Container]
ContainerName=caddy
Image=docker.io/library/caddy:latest
Environment="https_proxy=http://proxy.lan.xusig.net:8080/"
UserNS=auto
AutoUpdate=registry
Volume=%h/podman/caddy/Caddyfile:/etc/caddy/Caddyfile:ro
Volume=caddy-data:/data:U
Notify=true
[Service]
Restart=on-failure
TimeoutStopSec=70
And here’s my caddy.socket file:
[Unit]
Description=HTTPS socket for Caddy
[Socket]
BindIPv6Only=both
ListenStream=[::]:443
ListenDatagram=[::]:443
[Install]
WantedBy=sockets.target
d. My complete Caddy config:
Caddyfile:
{
    admin off
    # 1st socket in the file caddy.socket
    default_bind fd/3 {
        protocols h1 h2
    }
    # 2nd socket in the file caddy.socket
    default_bind fdgram/4 {
        protocols h3
    }
    auto_https disable_redirects
    cert_issuer acme {
        disable_http_challenge
    }
    ocsp_stapling off
    email <REDACTED>
}
cloud.xusig.net {
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    header Strict-Transport-Security max-age=15552000;
    reverse_proxy host.containers.internal:9080 {
        header_up X-Real-IP {remote_host}
    }
}
vault.xusig.net {
    # Restrict access to local networks
    @denied not remote_ip 192.168.0.0/24
    abort @denied
    reverse_proxy host.containers.internal:9081 {
        header_up X-Real-IP {remote_host}
    }
}
feeds.xusig.net {
    reverse_proxy host.containers.internal:9082 {
        header_up X-Real-IP {remote_host}
    }
}
Compared to my old setup without socket activation, the only new options in the Caddyfile are the two default_bind statements and the auto_https disable_redirects option which I added hoping that that would silence the warning.
5. Links to relevant resources:
My socket activation setup is based on this example, with the intentional difference that I don’t use a socket for port 80:
What surprises me as well is that the documentation on the default_bind option says that the HTTP server does not inherit these binds:
So, why would it then complain that it’s listening on HTTP only?
And one last note: As I said, everything works fine. The traffic is encrypted as I verified in my browser. And if I send an HTTP request to port 443, caddy replies with
“Client sent an HTTP request to an HTTPS server.”
So, everything looks good except the warning when starting caddy.
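As an added illustration (not part of the post above, and not Caddy's or systemd's own code), the following Python script shows where the numbers in `default_bind fd/3` and `default_bind fdgram/4` come from: systemd passes activated sockets to the service as file descriptors 3, 4, ... in the order of the `Listen*` lines in the `.socket` unit, and announces them through `LISTEN_PID` and `LISTEN_FDS`. The script validates those variables the way `sd_listen_fds()` does, classifies each inherited descriptor by asking the kernel for its socket type, and maps it to the address form Caddy expects (`fd/N` for a `ListenStream=` socket, `fdgram/N` for a `ListenDatagram=` one). The demo sockets it creates locally are constructed for the example; the function names are this example's own.

```python
import os
import socket

# systemd's socket-activation convention (sd_listen_fds): inherited sockets
# occupy fds 3, 4, ... in the order the Listen* lines appear in the .socket
# unit. For caddy.socket above that is ListenStream -> fd 3, ListenDatagram -> fd 4.
SD_LISTEN_FDS_START = 3


def inherited_fds(environ):
    """Return the fds systemd handed to this process, or [] when the
    LISTEN_PID/LISTEN_FDS variables are absent or addressed to another process."""
    pid = environ.get("LISTEN_PID")
    count = environ.get("LISTEN_FDS")
    if not pid or not count:
        return []
    # The variables are inherited by every child; honour them only if they
    # name this exact process, as sd_listen_fds() does.
    if int(pid) != os.getpid():
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + int(count)))


def socket_kind(fd):
    """Classify an fd as 'stream' (TCP) or 'dgram' (UDP) via SO_TYPE.

    Raises OSError if the fd is not a socket at all."""
    sock = socket.socket(fileno=fd)  # wraps the existing fd, no new socket
    try:
        so_type = sock.getsockopt(socket.SOL_SOCKET, socket.SO_TYPE)
    finally:
        sock.detach()  # release the wrapper without closing the inherited fd
    if so_type == socket.SOCK_STREAM:
        return "stream"
    if so_type == socket.SOCK_DGRAM:
        return "dgram"
    return "other"


def caddy_bind_address(fd):
    """Map an inherited fd to the address Caddy uses in bind/default_bind:
    fd/N for a stream socket (h1/h2), fdgram/N for a datagram socket (h3)."""
    try:
        kind = socket_kind(fd)
    except OSError as exc:
        raise ValueError(f"fd {fd} is not a socket") from exc
    if kind == "stream":
        return f"fd/{fd}"
    if kind == "dgram":
        return f"fdgram/{fd}"
    raise ValueError(f"fd {fd} is neither a TCP nor a UDP socket")


def demo_inherited_fds():
    """Constructed environment mimicking what systemd sets for two Listen* lines."""
    env = {"LISTEN_PID": str(os.getpid()), "LISTEN_FDS": "2"}
    return inherited_fds(env)


def demo_bind_addresses():
    """Create a TCP listener and a UDP socket locally (constructed stand-ins for
    the two sockets in caddy.socket) and return their Caddy bind addresses."""
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        tcp.bind(("127.0.0.1", 0))  # port 0: any free port, no privileges needed
        tcp.listen()
        udp.bind(("127.0.0.1", 0))
        return [caddy_bind_address(tcp.fileno()), caddy_bind_address(udp.fileno())]
    finally:
        tcp.close()
        udp.close()


if __name__ == "__main__":
    print("fds systemd would announce for two Listen* lines:", demo_inherited_fds())
    print("Caddy bind addresses for a TCP then a UDP socket:", demo_bind_addresses())
```

Under a real socket-activated start the fd numbers are fixed by unit order, which is why the Caddyfile can hard-code `fd/3` and `fdgram/4`; if a third `Listen*` line were ever inserted between the two, the numbering in the Caddyfile would have to follow.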