Use Port 80 only for ACME, not for serving a website?

1. The problem I’m having:

I have a working Caddy reverse proxy with auto TLS, as is recommended. But I want it to use port 80 only when doing ACME, otherwise not.
While not doing ACME, it should just not listen at all.

3. Caddy version:

2.6.2

4. How I installed and ran Caddy:

Install the caddy package, write a simple " hostname { reverse_proxy 127.0.0.1:1234 }" config, and run it using the included systemd unit.
Have the firewall only allow incoming port 80 from outside, not 443.
I want Caddy to handle ACME http-01 but not the site reachable to the outside.

Use DNS challenge!
I can’t, I don’t have DNS access for crazy reasons.

a. System environment:

Debian package on stable. X86_64

How would that even work? The HTTP-01 challenge requires access to:

http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>

That means port 80 has to be open and listening.

By default, Caddy uses port 80 only for the HTTP-01 challenge and to redirect to HTTPS. If you don’t want port 80 to be in use at all, you can disable it entirely and Caddy will then switch to using TLS-ALPN-01 instead. That challenge only uses port 443 and doesn’t depend on port 80 at all.

I somehow missed this:

hostname {
   @acme path /.well-known/acme-challenge/*
   handle @acme {
       reverse_proxy 127.0.0.1:1234
   }
   abort
}

This should only forward the ACME path to your backend and drop everything else.

Not quite the thing I think yet.

I do not want to forward the ACME challenge.

What I want:

  • Caddy handles the ACME challenge
    • via HTTP-01
    • on Port 80
  • Caddy forwards incoming TLS traffic
    • on Port 443
    • to the backend
  • Caddy discards any requests
    • On Port 80
      • That aren’t the requests from the ACME Provider

OT: The rate limiting here is really extreme. Waiting half an hour between replies is daunting.

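A Caddyfile that implements the wish list above, added here as an example rather than anything posted in the thread; it assumes the hostname is example.com and keeps the backend 127.0.0.1:1234 from the first post. Caddy serves active HTTP-01 challenge responses itself before any site's routes run, so the abort on port 80 does not interfere with issuance.

```caddyfile
{
	# Keep port 80 for HTTP-01 only: no automatic HTTP->HTTPS redirects.
	auto_https disable_redirects
}

# Explicit plain-HTTP site on port 80. The ACME HTTP-01 handler answers
# /.well-known/acme-challenge/<TOKEN> before this block is reached, so
# everything that gets here is non-challenge traffic and is dropped
# (abort closes the connection without writing a response).
http://example.com {
	abort
}

# HTTPS site on port 443: certificate management stays automatic, but
# TLS-ALPN-01 is disabled because port 443 is not reachable from outside,
# leaving HTTP-01 as the only challenge Caddy will attempt.
example.com {
	tls {
		issuer acme {
			disable_tlsalpn_challenge
		}
	}
	reverse_proxy 127.0.0.1:1234
}
```

To check it, run `curl -v http://example.com/` from an external host: the connection should close with no HTTP response, while Caddy's log shows the certificate being obtained through the HTTP-01 challenge.
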
Sorry, but it’s necessary since we’ve been attacked by spam bots several times in the past where the volume was overwhelming – hundreds of spam replies and topics within an hour or two. So we limit new accounts until they grow in trust levels.
