301 redirect for specific matcher? #82

Closed
benwiley4000 opened this issue Nov 22, 2022 · 5 comments

@benwiley4000

Hi, apologies if this is a naive question, I'm new to Caddy and I came here after reading this thread because I need to handle http and https on the same port (redirect from http to https, nginx 497-style). I'm using Caddy instead of nginx because I can't get nginx to handle the proxy to my other server without a bunch of 504 gateway timeouts, and Caddy seems to handle it ok.

What I'm not sure about with caddy-l4 is how to return a 301 redirect as a handler for a matcher. Here is an example configuration where I do a reverse proxy if the connection is already HTTPS, but if it's plain HTTP, I just do a 301 redirect to HTTPS on the same port. The first handler ("redirect 301") is a made-up configuration format I invented to explain what I am trying to achieve.

```json
{
	"apps": {
		"layer4": {
			"servers": {
				"example": {
					"listen": [":9600"],
					"routes": [
						{
							"match": [
								{
									"http": []
								}
							],
							"handle": [
								{
									"handler": "redirect 301",
									"redirect": "https://{host}{uri}"
								}
							]
						},
						{
							"match": [
								{
									"tls": {}
								}
							],
							"handle": [
								{
									"handler": "proxy",
									"upstreams": [
										{"dial": ["172.17.0.4:9700"]}
									]
								}
							]
						}
					]
				}
			}
		}
	}
}
```

I know it would be easier if I used ports 80 and 443, but this isn't an option for me.

@francislavoie
Collaborator

Vanilla Caddy has a listener wrapper http_redirect which can detect if a connection is HTTP (and not TLS) and write a simple redirect response if so: https://caddyserver.com/docs/caddyfile/options#listener-wrappers

But that's not useful for you here I think because it seems like you're trying to proxy traffic to your upstream without terminating TLS, right? And that definitely requires use of caddy-l4.

@benwiley4000
Author

benwiley4000 commented Nov 22, 2022

@francislavoie I have a regular Caddyfile config that does terminate TLS and I can use that instead. I haven't totally decided yet whether to implement TLS on the proxy server or the backend. It just seemed simpler to not terminate TLS while using caddy-l4.

```
:9600 {
        tls /certs/mycert.cer /certs/mycert.key

        reverse_proxy 176.16.0.5:9650
}
```

Will the http-redirect listener wrapper work for a non-standard port? When this thread (same as above) was opened previously it seemed like this wasn't possible.

@benwiley4000
Author

Answered my own question; this listener wrapper was exactly what I needed. I guess the tech did evolve after all (could be nice to put a comment saying the same in the locked thread I linked above). Thank you!

@francislavoie
Collaborator

Yep, it was added in caddyserver/caddy#4585

@benwiley4000
Author

For anyone who ends up here, this is the Caddyfile that worked for me (8000 is an opened port that needs TLS and othermachine:9000 is a local network host serving over http only):

```
{
        servers {
                listener_wrappers {
                        http_redirect
                        tls
                }
        }
}

:8000 {
        tls /certs/mycert.cer /certs/mycert.key

        reverse_proxy othermachine:9000
}
```

Thank you for implementing that feature, it works so much better than Nginx. I tore my hair out for many hours trying to make Nginx do what I wanted and Caddy worked with very minimal configuration and no runtime issues.
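
Added example (not from the thread, and not Caddy's implementation of `http_redirect`): the first-bytes check that lets one port serve both protocols, as discussed in the comments above, written in Go. The names `Sniff` and `Handle`, the method list and the sample request are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Sniff peeks at the first bytes without consuming them. TLS opens with a
// handshake record (type 0x16, major version 0x03); a plaintext HTTP/1.x
// request opens with an ASCII method followed by a space.
func Sniff(br *bufio.Reader) string {
	b, _ := br.Peek(8) // on a short read, classify what is available
	if len(b) >= 2 && b[0] == 0x16 && b[1] == 0x03 {
		return "tls"
	}
	for _, m := range []string{"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"} {
		if strings.HasPrefix(string(b), m+" ") {
			return "http"
		}
	}
	return "other"
}

// Handle classifies one connection. Plaintext HTTP gets a raw 301 pointing at
// https:// on the same host:port; TLS and other traffic get no response here
// (the caller would hand TLS to the TLS stack and close anything else).
func Handle(r io.Reader) (kind, response string) {
	br := bufio.NewReader(r)
	if kind = Sniff(br); kind != "http" {
		return kind, ""
	}
	req, err := http.ReadRequest(br)
	if err != nil || req.Host == "" { // no Host header means no redirect target
		return "other", ""
	}
	// req.Host is client-supplied; it carries the non-standard port (e.g. :8000).
	loc := "https://" + req.Host + req.URL.RequestURI()
	return kind, fmt.Sprintf("HTTP/1.1 301 Moved Permanently\r\nLocation: %s\r\n"+
		"Connection: close\r\nContent-Length: 0\r\n\r\n", loc)
}

func main() {
	// Constructed sample request, not captured traffic.
	kind, resp := Handle(strings.NewReader("GET /a?b=1 HTTP/1.1\r\nHost: example.test:8000\r\n\r\n"))
	fmt.Printf("%s\n%s", kind, resp)
}
```

Because the `Location` value is built from the client's `Host` header, a deployment that cares about where the redirect can point should compare that header against its expected hostnames before reflecting it.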
