caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

Caddy tries to bind the TCP port even when explicitly asked to use the h3 protocol only (should bind the UDP port only). #5227

Open ha-ku opened 1 year ago

ha-ku commented 1 year ago

I tried to start caddy with servers { protocols h3 } in global settings. However, caddy still seems to try to bind to the tcp port. My Caddyfile is something like this:

{
    debug
    servers {
        protocols h3
    }
    auto_https off
}

:443, www.example.site:443 {
    log {
        output stderr
    }
    tls /etc/cert/example.site/fullchain.pem /etc/cert/example.site/privkey.pem {
        protocols tls1.2
    }
    reverse_proxy * http://127.0.0.1:3000
}

Here is the caddy log output when I run sudo ./caddy run --config ./Caddyfile with something else listening on 443/tcp:

xxxx/xx/xx xx:xx:xx.xxx INFO    using provided configuration    {"config_file": "./Caddyfile", "config_adapter": ""}
xxxx/xx/xx xx:xx:xx.xxx WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "./Caddyfile", "line": 3}
xxxx/xx/xx xx:xx:xx.xxx INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
xxxx/xx/xx xx:xx:xx.xxx INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000307570"}
xxxx/xx/xx xx:xx:xx.xxx DEBUG   events  event   {"name": "cached_unmanaged_cert", "id": "1f99ad13-6401-4800-b4b8-0608c329c138", "origin": "tls", "data": {"sans":["*.example.site","example.site"]}}
xxxx/xx/xx xx:xx:xx.xxx DEBUG   tls.cache       added certificate to cache      {"subjects": ["*.example.site","example.site"], "expiration": "xxxx/xx/xx xx:xx:xx.xxx", "managed": false, "issuer_key": "", "hash": "b0f70c934136bad92ab566c99cdb16fc621d325e9b57701064cfd71ff8642344", "cache_size": 1, "cache_capacity": 10000}
xxxx/xx/xx xx:xx:xx.xxx WARN    http    automatic HTTPS is completely disabled for server       {"server_name": "srv0"}
xxxx/xx/xx xx:xx:xx.xxx INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
xxxx/xx/xx xx:xx:xx.xxx INFO    tls.cache.maintenance   stopped background certificate maintenance      {"cache": "0xc000307570"}
Error: loading initial config: loading new config: http app module: start: listening on :443: listen tcp :443: bind: address already in use

Is there a way to make caddy really just bind to the udp port only?

By the way, I'm using caddy 2.6.2.
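A quick way to confirm which transports a server actually bound on a port, as an added example that is not from the issue author or the Caddy project: the functions below parse `ss -Hlntu` style output (the sample is constructed to mirror the report above, with caddy holding both tcp/443 and udp/443) and flag a port that is not UDP-only.

```shell
# Constructed sample of `ss -Hlntu` output (Netid State Recv-Q Send-Q Local Peer Process);
# not real output from the reporter's host.
SAMPLE_SS_OUTPUT='udp   UNCONN 0      0            *:443              *:*    users:(("caddy",pid=1234,fd=7))
tcp   LISTEN 0      4096         *:443              *:*    users:(("caddy",pid=1234,fd=8))
tcp   LISTEN 0      4096   127.0.0.1:2019           *:*    users:(("caddy",pid=1234,fd=3))'

# bound_transports <ss-output> <port>
# Prints the transports (tcp/udp) bound on <port>, sorted and space-separated.
# Column 1 is the netid, column 5 the local address; the port is the text after
# the last colon, which also handles "[::]:443".
bound_transports() {
    printf '%s\n' "$1" | awk -v port="$2" '
        { n = split($5, a, ":"); if (a[n] == port) print $1 }
    ' | sort -u | xargs
}

# h3_only_check <ss-output> <port>
# Returns 0 when only udp is bound on <port>, which is what an h3-only server
# should produce; returns 1 when tcp is bound as well (the behaviour reported here).
h3_only_check() {
    [ "$(bound_transports "$1" "$2")" = "udp" ]
}

# Usage on a live host: h3_only_check "$(ss -Hlntu)" 443 && echo "udp only" || echo "tcp also bound"
```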

klausenbusk commented 1 year ago

@ha-ku did you manage to find a workaround?

ha-ku commented 1 year ago

@klausenbusk I just made caddy listen on another port and placed a UDP forwarder in front of caddy to avoid the port conflict. No better solutions for now.

aretsan commented 1 year ago

Same issue encountered. Specified protocols h3, but both tcp and udp are being listened on.

Forza-tng commented 1 year ago

Don't browsers use h1/h2 to first check for h3 support?

aretsan commented 1 year ago

It does now, but it does not have to. There's a QUIC-only mode for Chromium if I'm not mistaken; also, if you use curl, there's a --http3-only that uses QUIC directly without checking with h1/h2 for h3 support.

ha-ku commented 1 year ago

Don't browsers use h1/h2 to first check for h3 support?

What does this have to do with browsers in particular? On the one hand, users may want to provide different services through different versions of http, and on the other hand, caddy does not only communicate with browsers, right?

ankon commented 9 months ago

Mostly to subscribe to the discussion: We ran into the same issue, but decided that it's ok in our case to let caddy bind to both TCP and UDP and restrict access to the TCP part of things using the network configuration.

mholt commented 9 months ago

Remind me to revisit this in a little while... we could probably implement some logic in the HTTP server that treats H3-only config or UDP listeners as special.