caddy
caddy copied to clipboard
caddyserver
QUIC-only Mode
I'd like to play with Caddy's QUIC feature while maintaining my current nginx setup. Would it be possible to implement a QUIC-only mode that could be enabled by command-line option?
🤔 What exactly do you mean by "QUIC-only"? Is that different from using -quic? QUIC will be preferred where the client and protocols support it.
By that I mean an option for Caddy to accept connections only over QUIC (only listen on UDP?), leaving the TCP port open for another server to listen on. What I'm trying to do is use Caddy as a reverse proxy to experiment with QUIC connectivity on top of my existing nginx setup.
Oh. No, there's no way to do that with Caddy. It's extremely niche, and severely limits the kinds of clients that can connect. Why do you need this?
I'd like to experiment with QUIC while keeping nginx for handling other connections since Caddy's cipher suites don't support some legacy clients that I need.
Previously, I tested with quic-reverse-proxy, which had a flag (-quic_only) that changed it into only handling QUIC connections. I know that it's a niche feature request, but perhaps it could still be sane to add in, because I'm guessing that it wouldn't require too much code change.
Hmm... so, I am not really inclined to implement this (doesn't seem generally useful) -- I would recommend just testing on a separate machine or a different port.
Thanks for your request though!
You can use --origin-to-force-quic-on=
I'm aware of that flag, but I'm trying to force QUIC on the server, as opposed to the client side.
I've found a way to split TCP/UDP traffic incoming on port 443 with iptables NAT, but if anybody knows of a better method, please do let me know.
@Injust How did you manage to split the traffic, so you can do QUIC-only with Caddy?
I know the time passed since this answer but can you still explain how to do it or did you find another, better solution, yet?
@Henrocker Here is a series of iptables rules that will split the traffic:
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 60443
-A PREROUTING -p tcp -m tcp --dport 60443 -j REDIRECT --to-ports 0
-A INPUT -p tcp -m multiport --dports 80,60443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
TCP traffic on port 443 is redirected to 60443 (or any other port you prefer), and UDP traffic remains untouched. Have Caddy listen to https://domain.tld as usual, and have nginx listen to the high port to handle the TCP traffic.
This would be indeed a good feature for those people who would like to use caddy only for quic on 443/udp but another webserver on 443/tcp.
I personally run caddy in a container which then only 443/udp is forwarded to.
I deploy my services in Docker, and this problem could be solved naturally.
nginx:
ports:
- '443:443'
caddy:
ports:
- '443:443/udp'
+1
docker is good solution but I'm not using docker. :(
firewall require root and may need edit kernel setting.
@injust @maltris @GongT (and all others subscribed to this)
This has been Caddy's oldest open issue for quite some time. I am pleased to report that we are enabling HTTP/3 by default and also providing the option to serve only HTTP/3 as well: https://github.com/caddyserver/caddy/pull/4707
Please try it out!
Implemented in #4707. HTTP/3 can be enabled exclusive to other HTTP versions.
Implemented in #4707. HTTP/3 can be enabled exclusive to other HTTP versions.
I tried with servers { protocols h3 } but caddy seems still trying to bind to tcp port. Is there anything wrong with my config?
My Caddyfile is something like this:
{
servers {
protocols h3
}
auto_https off
}
:443, www.example.site:443 {
log {
output stderr
}
tls /etc/cert/example.site/fullchain.pem /etc/cert/example.site/privkey.pem {
protocols tls1.2
}
reverse_proxy * http://127.0.0.1:3000
}
Here is the caddy log output when I run sudo caddy run --config ./Caddyfile with something else listening on 443/tcp:
xxxx/xx/xx xx:xx:xx.xxx
xxxx/xx/xx xx:xx:xx.xxx INFO using provided configuration {"config_file": "./Caddyfile", "config_adapter": ""}
xxxx/xx/xx xx:xx:xx.xxx INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//127.0.0.1:2019", "//localhost:2019", "//[::1]:2019"]}
xxxx/xx/xx xx:xx:xx.xxx INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000191180"}
xxxx/xx/xx xx:xx:xx.xxx WARN http automatic HTTPS is completely disabled for server {"server_name": "srv0"}
xxxx/xx/xx xx:xx:xx.xxx INFO tls cleaning storage unit {"description": "FileStorage:/root/.local/share/caddy"}
xxxx/xx/xx xx:xx:xx.xxx INFO tls finished cleaning storage units
xxxx/xx/xx xx:xx:xx.xxx INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc000191180"}
Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use
By the way, I'm using caddy 2.6.2.
@ha-ku What logs show if you turn on debug mode (add debug to your global options)?
I know this works, at least it did in my testing. So I'm curious what's different in your case.
@ha-ku What logs show if you turn on debug mode (add
debugto your global options)?I know this works, at least it did in my testing. So I'm curious what's different in your case.
Logs go like this with debug:
xxxx/xx/xx xx:xx:xx.xxx INFO using provided configuration {"config_file": "./Caddyfile", "config_adapter": ""}
xxxx/xx/xx xx:xx:xx.xxx WARN Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies {"adapter": "caddyfile", "file": "./Caddyfile", "line": 3}
xxxx/xx/xx xx:xx:xx.xxx INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
xxxx/xx/xx xx:xx:xx.xxx INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000307570"}
xxxx/xx/xx xx:xx:xx.xxx DEBUG events event {"name": "cached_unmanaged_cert", "id": "1f99ad13-6401-4800-b4b8-0608c329c138", "origin": "tls", "data": {"sans":["*.example.site","example.site"]}}
xxxx/xx/xx xx:xx:xx.xxx DEBUG tls.cache added certificate to cache {"subjects": ["*.example.site","example.site"], "expiration": "xxxx/xx/xx xx:xx:xx.xxx", "managed": false, "issuer_key": "", "hash": "b0f70c934136bad92ab566c99cdb16fc621d325e9b57701064cfd71ff8642344", "cache_size": 1, "cache_capacity": 10000}
xxxx/xx/xx xx:xx:xx.xxx WARN http automatic HTTPS is completely disabled for server {"server_name": "srv0"}
xxxx/xx/xx xx:xx:xx.xxx INFO tls cleaning storage unit {"description": "FileStorage:/root/.local/share/caddy"}
xxxx/xx/xx xx:xx:xx.xxx INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc000307570"}
Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use
I think that's because even though HTTP/3 is being served exclusively, it still binds to TCP first before wrapping the listener. Can you open a new issue to request that feature (UDP-only)?
I think that's because even though HTTP/3 is being served exclusively, it still binds to TCP first before wrapping the listener. Can you open a new issue to request that feature (UDP-only)?
OK, I'll do it.