caddy: Caddy ignores -https-port and breaks custom port mapping with recent change
1. What version of Caddy are you using (caddy -version)?
broken (latest master): 0b83014ff81b68b8fde21521662339396c277ab8
a working revision: 4f5df39bdd9ce05146da14bb60f5a17a163d5262
2. What are you trying to do?
Proper security by explicit port forwarding and explicitly limited capabilities.
3. What is your entire Caddyfile?
http://example.com:8080 {
    redir https://asdas.net{uri}
}
https://example.com:8443 {
    tls postmaster@example.com
    limits 1mb
    log stdout
    errors stdout
}
4. How did you run Caddy (give the full command and describe the execution environment)?
caddy -agree -http-port 8080 -https-port 8443 -conf /path/to/config/Caddyfile -log stdout
- external port mapping from external ports 80 and 443 to internal 8080 and 8443 by SDN.
6. What did you expect to see?
Older versions including the “working” revision respect the flags and are able to request and renew LE/ACME certificates fine with the config. At least the version defined as “broken” tries to bind to port 443, ignoring the given CLI flag.
About this issue
- State: closed
- Created 6 years ago
- Comments: 58 (18 by maintainers)
Commits related to this issue
- caddytls: Don't overwrite certmagic Manager (fixes #2407) Supersedes #2447 — committed to caddyserver/caddy by mholt 5 years ago
- caddytls: Fix handling of IP-only TLS configs and empty-SNI handshakes (#2452) * caddytls: Fix empty SNI handling (new -default-sni flag) vendor: update certmagic, needed to support this Hopefu... — committed to caddyserver/caddy by mholt 5 years ago
Works for me. Test case: https://github.com/rmoriz/caddy_example_issue_2407/tree/patch_2452
I actually have not seen it work with the HTTP port now that I think about it, because it has only been using the HTTPS challenge. Sorry, that was an incorrect assumption. Did my fix work for you @rmoriz?
Sorry, that was a bit unclear. Yes it does fix the issue. I will upload a binary later with my change and @whitestrake and @rmoriz can test it.
I got my demo working by adding the AltTLSALPNPort value to the certmagic.Config as shown here. This same value is set in Caddy, but somewhere in between it being set here and it being used by Certmagic here the value is changing. If I add the line c.TLS.Manager.AltTLSALPNPort = 8443 just before the ObtainCert is run, everything works as expected. I am struggling to work out what specifically is changing it, any ideas @mholt? I saw something like this line which would cause an issue like this, but that line isn’t being executed with my config.

I have started poking around in the code and found that the change made in d1171af should not be affecting the issue because the code in the if statement was never called. I believe this is an issue with certmagic because I can reproduce the issue with this small Go program that uses Certmagic. (It is possible I am completely wrong, so if someone else has time it would probably be good for them to have a look.)
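To make the mechanism behind AltTLSALPNPort concrete, here is an added example written for this page; it is not code from Caddy, from certmagic, or from anyone in this thread. It is a minimal TLS-ALPN-01 solver in Go using only the standard library. The CA's validator always dials public port 443, the SDN maps that to 8443 inside, so the solver has to bind 8443 and answer any handshake that negotiates acme-tls/1 for the pending identifier with a challenge certificate carrying the critical acmeIdentifier extension, while ordinary handshakes on the same port still get the site certificate. The hostname example.com, the port 8443, the key authorization string "token.thumbprint" and the self-signed site certificate are all constructed for the demo; a real solver takes the key authorization from the ACME order, and certmagic's own implementation differs in detail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// TLS-ALPN-01 (RFC 8737): the ALPN protocol ID and the acmeIdentifier extension OID.
const acmeTLSALPN = "acme-tls/1"
var oidACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31}

// selfSigned issues a throwaway ECDSA cert for name. A non-empty keyAuth adds the critical
// acmeIdentifier extension (DER OCTET STRING of SHA-256(keyAuth)) that makes it a challenge cert.
func selfSigned(name, keyAuth string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
	}
	if keyAuth != "" {
		sum := sha256.Sum256([]byte(keyAuth))
		val, _ := asn1.Marshal(sum[:])
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidACMEIdentifier, Critical: true, Value: val}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, err
}

// newSolver listens on addr. A handshake that negotiates acme-tls/1 for identifier is answered
// with chal; every other handshake gets site, so the solver shares the HTTPS port with normal
// traffic and never needs a port of its own (which is why it must bind the mapped port, not 443).
func newSolver(addr, identifier string, chal, site tls.Certificate) (net.Listener, error) {
	cfg := &tls.Config{
		NextProtos: []string{acmeTLSALPN, "http/1.1"},
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for _, p := range hello.SupportedProtos {
				if p == acmeTLSALPN {
					if hello.ServerName != identifier {
						return nil, fmt.Errorf("no pending challenge for %q", hello.ServerName)
					}
					return &chal, nil
				}
			}
			return &site, nil
		},
	}
	ln, err := tls.Listen("tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	go func() { // the handshake itself is the whole challenge; nothing is read or written
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// probe dials addr as the CA's validator (or a browser, depending on alpn) would and returns
// the negotiated protocol plus the leaf certificate it was shown.
func probe(addr, sni string, alpn []string) (string, *x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, NextProtos: alpn, InsecureSkipVerify: true})
	if err != nil {
		return "", nil, err
	}
	defer conn.Close()
	st := conn.ConnectionState()
	return st.NegotiatedProtocol, st.PeerCertificates[0], nil
}

func main() {
	// Constructed demo inputs: hostname, key authorization and a self-signed site cert.
	site, _ := selfSigned("example.com", "")
	chal, _ := selfSigned("example.com", "token.thumbprint")
	// -https-port 8443 behind a 443->8443 mapping: bind 8443 (certmagic's AltTLSALPNPort), not 443.
	ln, err := newSolver("127.0.0.1:8443", "example.com", chal, site)
	if err != nil {
		panic(err) // 8443 already in use here; a solver that insisted on 443 would die the same way
	}
	defer ln.Close()
	if proto, leaf, err := probe(ln.Addr().String(), "example.com", []string{acmeTLSALPN}); err == nil {
		fmt.Println(proto, leaf.DNSNames) // acme-tls/1 [example.com]
	}
}
```

With the program running, openssl s_client -alpn acme-tls/1 -servername example.com -connect 127.0.0.1:8443 is shown the challenge certificate, and the same command without -alpn is shown the site certificate. The same probe against a Caddy build during issuance is a quick way to tell which port the solver actually bound: if nothing on 8443 ever negotiates acme-tls/1 while the process complains about 443, the alternate port is being lost before certmagic sees it.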
Probably, but that’ll take more time I don’t have. I reallllly gotta get my thesis done by February.
Did some quick testing and replicated the issue quite easily with the provided repo rmoriz/caddy_example_issue_2407. It doesn’t seem related to the Docker environment itself, because I can pull the built binary out of the container and run it on the host with the same problem.
Next step to check is whether building it outside of the Docker environment using the same steps as the Dockerfile produces the same results. Since @mholt can build that revision without this issue appearing, we need to narrow down whether it’s an environment issue (i.e. Docker or Alpine 3.8 or Golang 1.11) or a problem with the steps used to build it.
I was just trying to reproduce the bug and I managed to make it work. It must be something about the way @rmoriz and I are building our Docker containers that is causing the issue. You can see how I set up the system here. Now I’m going to step through my Docker container and try and see what is causing the issue.