roof/pic
1
0
Fork 0
Code Issues Pull Requests Actions Wiki Activity

fix: LAN Caddyfile serves TLS on an https:// site, not an http:// one
Unit Tests / test (push) Successful in 9m46s
Details

Browse Source 
_caddyfile_lan emitted the internal-CA `tls` directive inside an
`http://<cell>.cell, http://172.20.0.2:80` block. Caddy rejects a tls
directive on a port-80 (HTTP) listener ("server listening on [:80] is HTTP,
but attempts to configure TLS connection policies"), so cell-caddy crash-looped
in LAN mode. Split into a `https://<cell>.cell` site (internal-CA tls) plus a
separate plain-HTTP block for :80 — both needed because the WireGuard server
DNATs peer traffic to Caddy on 80 and 443.

Note: LAN mode still needs the internal serving cert wired to the mounted certs
dir (a separate gap) before cell-caddy comes fully up.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dmitrii Iurco
2026-06-16 07:26:15 -04:00
parent 1bb8a5eb59
commit c7e01d4aa7
2 changed files with 22 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/caddy_manager.py
+14 -2
View File
@@ -310,7 +310,15 @@ class CaddyManager(BaseServiceManager):
service_routes: str, core_routes: str,
cert_path: str = _CADDY_INTERNAL_CERT,
key_path: str = _CADDY_INTERNAL_KEY) -> str:
"""LAN mode: HTTP only + internal-CA TLS, no ACME."""
"""LAN mode: internal-CA TLS on 443, plain HTTP on 80, no ACME.
The same routes are served on both an HTTPS site (the internal-CA cert)
and an HTTP site. They must be SEPARATE site blocks: a `tls` directive on
an `http://` (port 80) address is rejected by Caddy ("server listening on
[:80] is HTTP, but attempts to configure TLS connection policies"). Both
are needed because the WireGuard server DNATs peer traffic to Caddy on
both 80 and 443.
"""
body = []
if service_routes:
body.append(self._indent_routes(service_routes))
@@ -325,10 +333,14 @@ class CaddyManager(BaseServiceManager):
" auto_https off\n"
"}\n"
"\n"
f"http://{cell_name}.cell, http://172.20.0.2:80 {{\n"
f"https://{cell_name}.cell {{\n"
f" tls {cert_path} {key_path}\n"
f"{inner}\n"
"}\n"
"\n"
f"http://{cell_name}.cell, http://172.20.0.2:80 {{\n"
f"{inner}\n"
"}\n"
)
def _caddyfile_pic_ngo(self, cell_name: str,