Description
I'm trying to bind Caddy only to the loopback interface. But it always opens *:8080 or *:8443 randomly.
I think it's the ALPN or HTTP-01 policies that do not adhere to this default bind.
The adapted JSON config has this:
{"challenges":{"http":{"alternate_port":8080},"tls-alpn":{"alternate_port":8443}}}
Tested in Caddy v2.10.0 and Caddy v2.10.2 on a clean FreeBSD 14.2-RELEASE VM.
I followed this example: https://caddyserver.com/docs/caddyfile/options#default-bind
Caddyfile for reproduction:
{
	http_port 8080
	https_port 8443
	default_bind ::1 127.0.0.1
	servers {
		protocols h1 h2
	}
	email [email protected]
	grace_period 10s
}
http:// {
}
example.com {
	reverse_proxy 172.16.1.113:8000
}
Results:
- Tested with different users just to be sure
(www user)
# sockstat -l | grep -i caddy
www caddy 68865 4 stream /var/run/caddy/caddy.sock
www caddy 68865 5 tcp4 127.0.0.1:8443
www caddy 68865 6 tcp6 ::1:8443
www caddy 68865 7 tcp4 127.0.0.1:8080
www caddy 68865 8 tcp6 ::1:8080
www caddy 68865 12 tcp46 *:8080
(root user)
root@bsd01:~ # service caddy onestart
Starting caddy... done
Log: /var/log/caddy/caddy.log
root@bsd01:~ # sockstat -l | grep -i caddy
root caddy 30602 4 stream /var/run/caddy/caddy.sock
root caddy 30602 5 tcp4 127.0.0.1:8080 *:*
root caddy 30602 6 tcp6 ::1:8080 *:*
root caddy 30602 7 tcp4 127.0.0.1:8443 *:*
root caddy 30602 8 tcp6 ::1:8443 *:*
root caddy 30602 11 tcp46 *:8443 *:*
root@bsd01:~ # caddy -v
v2.10.2
It is entirely random whether 8443 or 8080 binds to the any (*) interface.
My expectation with the above configuration would be that every socket stays localhost only.
Use case:
The packet filter kernel module (pf) handles NATing and redirecting packets to the localhost socket(s). Caddy does not need to listen on any real interfaces.
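A small check for the situation this issue describes, added here as an illustration and not part of the issue or of Caddy itself: it parses the output of FreeBSD's `sockstat -l` (column layout as shown above: USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS) and reports any TCP/UDP listener of the given command that is not bound to a loopback address. The sample input is constructed from the root-user output in the report; the function names are my own.

```python
"""Flag listeners of a process that are not bound to loopback, from `sockstat -l` output (FreeBSD)."""

LOOPBACK_V4_PREFIX = "127."   # whole 127.0.0.0/8 block is loopback
LOOPBACK_V6 = "::1"


def split_local_address(local):
    """Split a sockstat LOCAL ADDRESS column ('127.0.0.1:8443', '::1:8080', '*:8080') into (host, port).

    rpartition on the last ':' keeps IPv6 hosts such as '::1' intact.
    """
    host, _, port = local.rpartition(":")
    return host, port


def is_loopback(host):
    """'*' (any interface) and real interface addresses are not loopback."""
    return host == LOOPBACK_V6 or host.startswith(LOOPBACK_V4_PREFIX)


def non_loopback_listeners(sockstat_output, command="caddy"):
    """Return one dict per TCP/UDP socket of `command` whose local address is not loopback."""
    findings = []
    for line in sockstat_output.splitlines():
        fields = line.split()
        # Header line and unrelated processes have a different COMMAND column
        if len(fields) < 6 or fields[1] != command:
            continue
        _user, _cmd, pid, _fd, proto, local = fields[:6]
        # unix-domain sockets (stream/dgram) carry a path, not host:port
        if not proto.startswith(("tcp", "udp")):
            continue
        host, port = split_local_address(local)
        if not is_loopback(host):
            findings.append({"pid": int(pid), "proto": proto, "host": host, "port": int(port)})
    return findings


# Constructed sample, copied from the root-user sockstat output in the issue report
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     caddy      30602 4  stream /var/run/caddy/caddy.sock
root     caddy      30602 5  tcp4   127.0.0.1:8080        *:*
root     caddy      30602 6  tcp6   ::1:8080              *:*
root     caddy      30602 7  tcp4   127.0.0.1:8443        *:*
root     caddy      30602 8  tcp6   ::1:8443              *:*
root     caddy      30602 11 tcp46  *:8443                *:*
"""

if __name__ == "__main__":
    for f in non_loopback_listeners(SAMPLE_SOCKSTAT):
        print(f"pid {f['pid']} {f['proto']} listening on {f['host']}:{f['port']} (not loopback)")
```

Run it against live output with `sockstat -l | python3 check.py` after replacing `SAMPLE_SOCKSTAT` with `sys.stdin.read()`; a non-empty result means the `default_bind` expectation in this report is not being met, which is worth checking after each Caddy restart since the report says which port escapes varies between runs.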