httpcaddyfile: Set challenge ports when http_port or https_port are used
Showing 2 changed files with 27 additions and 1 deletion.
Hmm. Are you sure about this? What does this end up doing? Many users use http_port to say "this is the port running in Docker but publicly I'm using 80", will that still work?
Yeah. It tells the ACME challenge solvers to bind to the ports designated for HTTP and HTTPS by the config. Those are only for internal interpretation anyway -- you can't change what port the world uses as HTTP and HTTPS. So this implies a port forwarding scenario.

Without this change, setting http_port or https_port while using a global option like acme_ca will cause the HTTP/TLS challenges to still happen on 80/443, but because http_port and https_port are set, we are to understand that those ports are being forwarded and we should serve the challenges on the altered ports. I saw this happening when I was testing that Cloudflare thing on my home machine, and got permission errors when it tried binding to port 80+443, even though I set ports > 1024.

The bug only happens, AFAICT, when a global option sets an ACME issuer. Without another relevant global option such as acme_ca, you'd see that the challenges happen on the adjusted ports as expected.
Why would it behave differently with global option acme_ca vs tls directive? 🤔 I feel like we would've noticed this if it was a problem with tls as well.
Because with another ACME global option set like acme_ca, it creates an explicit automation policy & issuer, so it needs to have the ports specified. Before this change the logic only covers implicit automation policies.