Setting default block (:80) alongside http domain triggers auto-https

[iUnknwn]

While setting up a pihole on my local network, I noticed an odd behavior with the default site.

If I wrote the following in my caddy file, it would attempt to acquire a TLS certificate for pi.hole:

:80, http://pi.hole {
  reverse_proxy localhost:8001
}

However, if I broke the blocks into separate entries, like this:

:80 {
  reverse_proxy localhost:8001
}

http://pi.hole {
  reverse_proxy localhost:8001
}

Then it worked as expected (no tls certificate issued).

I'm currently running Caddy v2.3.0 on Ubuntu 20.04 (arm64).

[francislavoie]

Could you please try with v2.4.0-beta.2 to see if it has the same behaviour? It's possible that's already been fixed.

[iUnknwn]

Just tested on v2.4.0-beta.2 - issue is still there.

Caddyfile entry:

:80, http://pi.hole {
        reverse_proxy localhost:8001
}

From the log:

2021/04/15 07:21:27.266 ERROR   tls.obtain      will retry      {"error": "[pi.hole] Obtain: [pi.hole] creating new order: request to https://acme.zerossl.com/v2/DV90/newOrder failed after 1 attempts: HTTP 400 urn:ietf:params:acme:error:rejectedIdentifier - Invalid DNS identifier [pi.hole] (ca=https://acme.zerossl.com/v2/DV90)", "attempt": 1, "retrying_in": 60, "elapsed": 1.34792855, "max_duration": 2592000}

[francislavoie]

I can confirm the issue, the adapted JSON looks like this, for this Caddyfile:

:80, http://example.com {
	respond "Foo"
}

{
    "apps": {
        "http": {
            "servers": {
                "srv0": {
                    "listen": [
                        ":80"
                    ],
                    "routes": [
                        {
                        	"handle": [
                            	{
                                	"body": "Foo",
                                	"handler": "static_response"
                            	}
                        	]
                    	}
                	]
            	}
        	}
    	},
    	"tls": {
        	"certificates": {
	            "automate": [
                    "example.com"
                ]
            }
        }
    }
}

But to be clear, having a host matcher there is ineffectual, because :80 will already match any hostname. So you can just do this:

:80 {
	reverse_proxy localhost:8001
}

[iUnknwn]

Oh, I'd agree - they both have the same functionality.

That said, I do feel like :80, [name] is more readable in some cases (even if it's not adding any function), since it adds information about what the is default site (it's easy to see :80, http://pi.hole is the pihole service)

[francislavoie]

I'd just put a comment with # 🤷‍♂️

[mholt]

Thanks for the easily reproducible report, I think I fixed it.