
No 443 port listener #29

Closed
pwFoo opened this issue Apr 30, 2018 · 11 comments

Comments

pwFoo commented Apr 30, 2018

Tried a new test deploy with tls, but caddy has no 443 listener?

docker exec -ti proxy_webproxy.1.xdspyx2d6lduvfyle7tkymx57 netstat -punta |grep LISTEN
tcp        0      0 127.0.0.11:45748        0.0.0.0:*               LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      1/caddy

But should have tls vhosts?

2018/04/30 15:38:27 [INFO] New CaddyFile:
example.com www.example.com {
  errors stdout
  log stdout
  proxy / 10.0.2.104:2015
}
sub3.example.com {
  basicauth / <USER> <PW>
  proxy / 10.0.2.98:8080
}
2018/04/30 15:38:27 [INFO] SIGUSR1: Reloading
2018/04/30 15:38:27 [INFO] Reloading
2018/04/30 15:38:27 [INFO] Reloading complete
2018/04/30 15:38:27 http: Server closed

http works fine, but without the 443 port listener all the redirected http to https traffic will fail...
Tested with 0.1.0-alpine and 0.1.2-alpine.

Works fine with manual deployment (docker run...), but first docker stack deploy failed today.

pwFoo (Author) commented Apr 30, 2018

ports exposed from host with

    ports:
    - 80:80
    - 443:443

DNAT looks ok...

iptables -t nat -vnL | grep 443
    2   104 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 to:172.19.0.3:443

pwFoo (Author) commented Apr 30, 2018

Maybe related to #26

pwFoo (Author) commented May 3, 2018

It looks like a bug in caddy, but I don't know...

Started caddy with -port 80 to move the default port from 2015 to http/80. That is important to serve sites without tls on the default port 80. But sometimes -port 80 removes the https/443 listener.

So the site gets an LE cert, the user is redirected to 443, but caddy doesn't have a 443 listener...?!

The problem isn't persistent over all installations. Started with docker run ... it works fine for some days, but loses the http/80 listener after some days.
Started caddy with -port 80 as a docker stack: no chance to get it to listen on 443, but it gets certificates and clients are redirected to 443 with an error message.

Removed -port 80 and 443 is working again. But if I deploy a website without tls now, :80 is needed for http/80 because of the default port 2015.

OmgImAlexis commented May 3, 2018

You shouldn't need to use -port unless you're using self_signed certs.

Make sure, if you want a site without tls, to use something like this.

http://domain.tld:80 {
    tls off
}

This seems more like an issue with how you're using caddy than this plugin.

pwFoo (Author) commented May 3, 2018

At the moment I use it without -port and just with <domain>:80 if needed to disable tls.

OmgImAlexis commented May 3, 2018

That's what's causing the issue though, have a look at the caddy docs on what that's meant to be used for.

The -port should be used for the TLS/SSL port, so it shouldn't be set to 80. If anything it should be set to 443, and only if you're using self_signed certs; if you're just using http then you don't need to do anything apart from disabling tls using tls off or using http://domain.tld:80.

Ref: caddyserver/caddy#1673 (comment)

pwFoo (Author) commented May 3, 2018

Shouldn't tls off and domain.com serve the website on the default port? Default port is 2015. I tried to change the default port 2015 with -port 80.

-port
The default port to listen on. This is usually used with -host to quickly get simple sites up and running without a Caddyfile.

Is it really only https port related? I know the additional options -http-port and -https-port, but -port should change the default listen port, I think...

OmgImAlexis commented May 3, 2018

Why do you want to change the default port though? HTTP is served on 80 and HTTPS is served on 2015 or the -port number if you're using self_signed certs.

I think this and the port 80 issue can be closed.

pwFoo (Author) commented May 4, 2018

I tried to change the port because http for example.com is served on port 2015 instead of 80. And after some days caddy-docker-proxy changed the listen ports during reload from 80+443 to 2015+443. And without a tcp port listener on port 80, http won't work...

We can close the issue because it works with example.com:80 as workaround.

lucaslorentz (Owner) commented May 4, 2018

Thanks @pwFoo

For the record. That's caddy behavior, this plugin doesn't change it.

So, the solution is to change site address to force it to use the desired port.
Following Caddy docs: https://caddyserver.com/docs/http-caddyfile

pwFoo (Author) commented May 4, 2018

So any domain without tls (tls off) uses port 2015

localhost # Host: localhost; Port: 2015

So yes, it's caddy behavior... Workaround add port to domain.
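The port rules the thread settles on (explicit port in the site address wins, then the scheme, then automatic HTTPS on 443 with an 80 redirect for real hostnames, otherwise the default port 2015 or whatever -port sets; tls off drops a site back to the default port) can be checked before a deploy. The following is an added example, not code from caddy-docker-proxy or Caddy: it parses the flat Caddyfile shape that Caddy logged in this issue, derives the listeners each site should produce under Caddy 0.x rules as described in the comments, and compares them with `netstat -punta | grep LISTEN` output so a missing 443 (or 80) listener shows up as a check result instead of a browser error. The Caddyfile and netstat text are constructed samples based on the issue; the parser, the qualification rule for automatic HTTPS and the function names are assumptions of this example.

```python
import ipaddress

# Caddy 0.x default listen port; the -port flag discussed in the thread overrides it.
DEFAULT_PORT = 2015

# Constructed sample: the Caddyfile Caddy logged in this issue (credentials replaced).
SAMPLE_CADDYFILE = """
example.com www.example.com {
  errors stdout
  log stdout
  proxy / 10.0.2.104:2015
}
sub3.example.com {
  basicauth / user pw
  proxy / 10.0.2.98:8080
}
"""

# Constructed sample: the listener table from the first comment (only :::80 bound).
SAMPLE_NETSTAT = """\
tcp        0      0 127.0.0.11:45748        0.0.0.0:*               LISTEN      -
tcp        0      0 :::80                   :::*                    LISTEN      1/caddy
"""


def parse_caddyfile(text):
    """Split a Caddyfile into (addresses, directives) pairs.
    Only the flat 'addr ... { directives }' shape used in the thread is handled."""
    sites, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if current is None:
            if not line.endswith("{"):
                raise ValueError(f"expected a site block header, got: {line}")
            current = (line[:-1].split(), [])
        elif line == "}":
            sites.append(current)
            current = None
        else:
            current[1].append(line.split())
    if current is not None:
        raise ValueError("unterminated site block")
    return sites


def split_address(addr):
    """Return (scheme, host, port) for addresses like 'http://domain.tld:80',
    'example.com:80' or 'localhost' (IPv6 literals are not handled here)."""
    scheme, rest = (addr.split("://", 1) if "://" in addr else (None, addr))
    host, sep, tail = rest.rpartition(":")
    if sep and tail.isdigit():
        return scheme, host, int(tail)
    return scheme, rest, None


def qualifies_for_auto_https(host):
    # Assumed Caddy 0.x rule: only real hostnames get automatic HTTPS, so
    # empty hosts, localhost, wildcards and IP addresses do not.
    if not host or host == "localhost" or "*" in host:
        return False
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        return True


def listen_ports(addresses, directives, default_port=DEFAULT_PORT):
    """Ports one site block binds: automatic HTTPS gives 443 plus the 80 redirect;
    otherwise an explicit port, then the scheme, then the default port."""
    tls_off = any(d[:2] == ["tls", "off"] for d in directives)
    ports = set()
    for addr in addresses:
        scheme, host, port = split_address(addr)
        auto_https = (not tls_off and qualifies_for_auto_https(host)
                      and scheme in (None, "https") and port in (None, 443))
        if auto_https:
            ports.update({80, 443})
        elif port is not None:
            ports.add(port)
        elif scheme == "http":
            ports.add(80)
        elif scheme == "https":
            ports.add(443)
        else:
            ports.add(default_port)  # e.g. 'tls off' or 'localhost': 2015 unless -port
    return ports


def expected_listeners(text, default_port=DEFAULT_PORT):
    """Union of the ports every site in the Caddyfile should be listening on."""
    ports = set()
    for addresses, directives in parse_caddyfile(text):
        ports |= listen_ports(addresses, directives, default_port)
    return ports


def missing_listeners(expected, netstat_output):
    """Ports that should be bound but do not appear as LISTEN in netstat output."""
    bound = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[5] == "LISTEN":
            bound.add(int(fields[3].rsplit(":", 1)[1]))
    return sorted(expected - bound)


if __name__ == "__main__":
    expected = expected_listeners(SAMPLE_CADDYFILE)
    print("expected listeners:", sorted(expected))
    print("missing listeners:", missing_listeners(expected, SAMPLE_NETSTAT))
```

Run against the issue's own data it reports 443 as missing, which is the symptom pwFoo saw. Passing `default_port=80` reproduces the `-port 80` experiment for a `tls off` site, and an address such as `example.com:80` or `http://domain.tld:80` pins the site to 80 regardless of the default, which is the workaround the thread ends on.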
