
Monviech

Fixes: #7210

This attempts to fix issues with default_bind not being used for the tls automation policies.

In my tests with a local caddy build, I do not see the behavior described in the issue anymore.

Caddyfile for testing:

{
        http_port 8080
        https_port 8443
        default_bind ::1 127.0.0.1
        email [email protected]
}

http:// {
}

example.com {
        reverse_proxy 172.16.1.113:8000 
}

The generated JSON, in which we can see that challenges is now populated with ::1 (the first address from default_bind):

{
	"apps": {
		"http": {
			"http_port": 8080,
			"https_port": 8443,
			"servers": {
				"srv0": {
					"listen": [
						"127.0.0.1:8080",
						"[::1]:8080"
					]
				},
				"srv1": {
					"listen": [
						"127.0.0.1:8443",
						"[::1]:8443"
					],
					"routes": [
						{
							"match": [
								{
									"host": [
										"example.com"
									]
								}
							],
							"handle": [
								{
									"handler": "subroute",
									"routes": [
										{
											"handle": [
												{
													"handler": "reverse_proxy",
													"upstreams": [
														{
															"dial": "172.16.1.113:8000"
														}
													]
												}
											]
										}
									]
								}
							],
							"terminal": true
						}
					]
				}
			}
		},
		"tls": {
			"automation": {
				"policies": [
					{
						"subjects": [
							"example.com"
						],
						"issuers": [
							{
								"challenges": {
									"bind_host": "::1",
									"http": {
										"alternate_port": 8080
									},
									"tls-alpn": {
										"alternate_port": 8443
									}
								},
								"email": "[email protected]",
								"module": "acme"
							},
							{
								"ca": "https://acme.zerossl.com/v2/DV90",
								"challenges": {
									"bind_host": "::1",
									"http": {
										"alternate_port": 8080
									},
									"tls-alpn": {
										"alternate_port": 8443
									}
								},
								"email": "[email protected]",
								"module": "acme"
							}
						]
					}
				]
			}
		}
	}
}

Assistance Disclosure

I have used ChatGPT5 Thinking to generate the code; I have authored and tested the result in a local caddy build.

I have written the code comment myself.
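As an added example (not part of this PR or of Caddy's own code), a check a practitioner can run over the adapted JSON to catch the behaviour from #7210: it flags ACME issuers whose challenge solver has no bind_host (which means a wildcard bind) or whose bind_host is not one of the server listen addresses. The embedded JSON is a constructed, abridged copy of the output above; the key paths are the ones visible there.

```python
import json

# Constructed input for this example: an abridged copy of the adapted JSON above
# (server listen addresses plus the tls automation policy; the reverse_proxy route is omitted).
ADAPTED = json.loads("""
{"apps": {
  "http": {"http_port": 8080, "https_port": 8443, "servers": {
    "srv0": {"listen": ["127.0.0.1:8080", "[::1]:8080"]},
    "srv1": {"listen": ["127.0.0.1:8443", "[::1]:8443"]}}},
  "tls": {"automation": {"policies": [{"subjects": ["example.com"], "issuers": [
    {"module": "acme", "challenges": {"bind_host": "::1",
      "http": {"alternate_port": 8080}, "tls-alpn": {"alternate_port": 8443}}},
    {"module": "acme", "ca": "https://acme.zerossl.com/v2/DV90", "challenges": {"bind_host": "::1",
      "http": {"alternate_port": 8080}, "tls-alpn": {"alternate_port": 8443}}}]}]}}}}
""")


def listen_hosts(cfg):
    """Hosts the HTTP servers bind to; '' means a wildcard listener."""
    hosts = set()
    for srv in cfg["apps"]["http"]["servers"].values():
        for addr in srv.get("listen", []):
            host = addr.rsplit(":", 1)[0] if ":" in addr else ""
            hosts.add(host.strip("[]"))  # "[::1]:8443" -> "::1"
    return hosts


def challenge_bind_findings(cfg):
    """One (policy_index, issuer_index, problem) per ACME issuer whose challenge
    solver is not confined to the server listen addresses."""
    hosts = listen_hosts(cfg)
    findings = []
    policies = cfg["apps"].get("tls", {}).get("automation", {}).get("policies", [])
    for p, policy in enumerate(policies):
        for i, issuer in enumerate(policy.get("issuers", [])):
            if issuer.get("module") != "acme":
                continue
            bind = issuer.get("challenges", {}).get("bind_host")
            if not bind:  # missing bind_host: the solver listens on all interfaces
                findings.append((p, i, "no bind_host: solver binds all interfaces"))
            elif "" not in hosts and bind not in hosts:
                findings.append((p, i, f"bind_host {bind} not a server listen address"))
    return findings


def without_bind_host(cfg):
    """Copy of cfg with bind_host removed: the shape the adapter produced before this fix."""
    cfg = json.loads(json.dumps(cfg))
    for policy in cfg["apps"]["tls"]["automation"]["policies"]:
        for issuer in policy["issuers"]:
            issuer.get("challenges", {}).pop("bind_host", None)
    return cfg
```

Running the check against the fixed output returns no findings; against the same JSON with bind_host stripped it reports both issuers, which is the wildcard bind the issue describes.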

@CLAassistant

CLAassistant commented Sep 27, 2025

CLA assistant check
All committers have signed the CLA.

@Monviech Monviech changed the title Implement BindHost fallback in ACME issuer for Caddyfile httpcaddyfile/tlsapp: Map default_bind to BindHost in globalACMEDefaults Sep 28, 2025
@Monviech Monviech changed the title httpcaddyfile/tlsapp: Map default_bind to BindHost in globalACMEDefaults httpcaddyfile: Map default_bind to BindHost in globalACMEDefaults Oct 2, 2025
// In BSD it is valid to bind to the wildcard socket even though a more selective socket is already open (still unexpected behavior by the caller though)
// In Linux the same call will error with EADDRINUSE whenever the listener for the automation policy is opened
if acmeIssuer.Challenges == nil {
acmeIssuer.Challenges = new(caddytls.ChallengesConfig)
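Review bot: the comment explains why a wildcard challenge bind collides with the more specific server sockets on Linux (EADDRINUSE) but not on BSD, yet it does not say what the code does about it; the visible lines only create Challenges when it is nil, and the assignment of BindHost from default_bind lies outside this snippet. Since default_bind accepts several addresses (the test Caddyfile lists ::1 and 127.0.0.1) and the description says only the first one ends up as bind_host, the comment should state that choice so a reader of the adapted JSON knows why a single address appears. The indentation also needs to match the surrounding block so gofmt and the lint pass.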
Member


An extra tab here is causing the lint to fail I think

Author


Sorry, I didn't notice. Thanks!

Successfully merging this pull request may close these issues.

Caddy binds tls_alpn and http policy ports to all interfaces
3 participants