Suggestions for deployment on non-standard ports

1. The problem I’m having:

I’m trying to get a Docker container of Caddy to listen on 8080 and 8443 (or anything other than 80/443) and reverse-proxy to other containers on the same host. But I think I’ve hit the limit of my understanding/competence.

2. Error messages and/or full log output:

The first question is more of a Docker one. I’ve been playing around with doing some Docker-based self-hosting of various apps, but keep hitting walls. No problem, I’m learning lots along the way. So I have two questions that I hope someone can help me with to progress my journey.

Nowhere in any guide or documentation can I find a description of what the “ports” section in a Docker Compose file does. For example:

    ports:
      - "80:80"
      - "443:443"

Does that mean it’ll listen on 80 and 443 and forward on the same ones to the app in the container? So if I change it to

    ports:
      - "8080:80"
      - "8443:443"

it’ll be listening on 8080 and 8443 and forward to 80 and 443 in the container?

Which leads me to my second question, which is to ask for ideas on how to provision an environment for Docker containers to be reverse-proxied behind Caddy and externally available, preferably with Let’s Encrypt (their staging issuer first so I don’t hit rate limits), ZeroSSL or another ACME issuer’s certs (because who doesn’t like messing around with certs). I’m not averse to piping everything through Cloudflare. But, and this seems to be a biggie, everything needs to be externally available on ports other than 80 and 443. That’s a fixed requirement for six months before I can switch to those ports. I understand that may cause some issues with cert issuance, so self-signed may also be OK.
I have a static public IPv4 and my host is in my DMZ, so I can do whatever port forwarding etc. might be needed.
I’ve learned a lot about Docker and Caddy and am happy messing with configs, but I can’t seem to work out a fully working setup. And thank heavens for snapshots lol.

So I think my stack should look like the below. Is that a good approach? Are there any good guides I can step through to achieve my oddly-ported deployment? I won’t be needing it to be load-balancing ready - it’s going to be just me accessing stuff like Etherpad and DrawIO.

	Internet
		My router
				Proxmox
					Ubuntu 22
						Docker (separate network for proxied apps? or kiss?)
							Caddy listening on 8080 and 8443
								Containered apps served over SSL

3. Caddy version:

Happy to run any version that will meet my need

4. How I installed and ran Caddy:

Any official method that people recommend.

a. System environment:

Docker latest on Ubuntu 22 on Proxmox latest

b. Command:

c. Service/unit/compose file:

d. My complete Caddy config:

5. Links to relevant resources:

Using ports other than 80 and 443 means you have to use Let’s Encrypt with their DNS challenge to obtain certificates. This means Caddy needs access to your DNS provider.

You want to set http_port and https_port in the global options.

If you use that, it’s totally fine. Just make sure your router is also forwarding ports 8080 and 8443.

If that’s the case, you’ll want to update your Caddyfile like this:

    {
        ## Disable automatic HTTP-to-HTTPS redirects
        auto_https disable_redirects
    }

    ## Your own HTTP-to-HTTPS redirects; {uri} keeps the requested path and query
    http://* {
        redir https://{host}:8443{uri} 308
    }

By default, Caddy redirects to port 443 when doing automatic HTTPS redirects. Since you’re mapping to port 8443 instead, you’ll need to handle the redirect manually to ensure it points to the right port.

However, if your router is forwarding port 80 to Docker port 8080 (which maps to Caddy’s port 80), and port 443 to Docker port 8443 (which maps to Caddy’s port 443), then you don’t need to do any of this. Caddy’s automatic redirects will handle everything correctly in that case.
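Putting the thread together in one file, as an added example that is not from the original poster or from the Caddy project: the docker-compose.yml below maps host ports 8080/8443 to Caddy’s default 80/443 inside the container (the “8080:80” mapping asked about above), keeps the app containers off the host’s ports entirely so they are reachable only through Caddy, and carries the Caddyfile with the manual redirect from the previous reply. The hostname etherpad.example.com, the service names and the use of Compose’s inline configs content (which needs Docker Compose v2.23.1 or newer) are assumptions; certificates come from Caddy’s internal CA, because with 80 and 443 blocked at the router the HTTP-01 and TLS-ALPN-01 challenges cannot complete and the DNS challenge needs a Caddy build that includes a DNS provider module.

```yaml
# docker-compose.yml (added example; not from the original thread).
# Only 8080 and 8443 are published on the host. Caddy still listens on 80/443
# inside its container, so the "8080:80" / "8443:443" mapping is the only
# place the non-standard ports appear on the Docker side.
services:
  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "8080:80"    # host 8080 -> container 80  (Caddy's default HTTP port)
      - "8443:443"   # host 8443 -> container 443 (Caddy's default HTTPS port)
    networks:
      - proxy
    volumes:
      - caddy_data:/data       # issued certificates and ACME account keys
      - caddy_config:/config
    configs:
      - source: caddyfile
        target: /etc/caddy/Caddyfile

  etherpad:
    image: etherpad/etherpad
    restart: unless-stopped
    networks:
      - proxy
    # No "ports:" here on purpose: the app is reachable only from Caddy over
    # the internal network, never directly from the host or the internet.

networks:
  proxy: {}

volumes:
  caddy_data: {}
  caddy_config: {}

configs:
  caddyfile:
    # Inline file content is an assumption about the Compose version in use
    # (Docker Compose v2.23.1 or newer). On older versions, save the text
    # below as ./Caddyfile and bind-mount it to /etc/caddy/Caddyfile instead.
    content: |
      {
        # Caddy would otherwise redirect http:// to https://host:443, which is
        # not reachable from outside; the redirect below names 8443 explicitly.
        auto_https disable_redirects
      }

      http://* {
        redir https://{host}:8443{uri} 308
      }

      # etherpad.example.com is a placeholder hostname.
      etherpad.example.com {
        # Neither HTTP-01 nor TLS-ALPN-01 can succeed while 80/443 are blocked
        # at the router, so use Caddy's internal CA (self-signed, as the post
        # allows); clients must trust Caddy's root from /data/caddy/pki.
        # The ACME DNS challenge is the other option, but it needs a Caddy
        # build that includes your DNS provider module.
        tls internal
        reverse_proxy etherpad:9001
      }
```

Bring it up with docker compose up -d, forward 8080 and 8443 on the router to the Docker host, and check the redirect with curl -sI http://etherpad.example.com:8080/p/test: the Location header should read https://etherpad.example.com:8443/p/test, i.e. the port is preserved and so is the path.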