caddyserver / forwardproxy

Forward proxy plugin for the Caddy web server
Apache License 2.0

Rationale of :443 in ":443, example.com" #101

Closed Lingxi-Li closed 1 year ago

Lingxi-Li commented 1 year ago

The doc says

In the Caddyfile the addresses must start with :443 for the forward_proxy to work for proxy requests of all origins.

Could you help further clarify? I thought example.com alone should have both 80 and 443 covered. The magic :443, example.com looks like a self-contradiction to me.

mholt commented 1 year ago

It's not a contradiction. (But this is a good question.) A site block name in the Caddyfile serves three purposes (somewhat regrettably):

  1. To tell the web server what port to listen on
  2. To tell the web server what domain name(s) to manage certs for
  3. To tell the web server how to route HTTP requests

In most cases, these correlate and align identically as long as we assume the default port(s) of 80/443: you can tell the server you have example.com and it will listen on 443, get a cert for example.com, and serve HTTP requests with a Host header of example.com accordingly.

But when you're running a forward proxy, the Host header can contain basically anything, so you need to listen on :443 to not black-hole those HTTP requests (no. 3). But without a domain name it can't get a cert (no. 2), so you need to tell it which certificate to serve in the TLS handshake. Hence, both :443, example.com.
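As an added illustration of the three purposes described above (not configuration from the thread or the plugin's own docs), here is the site address that black-holes proxy requests beside the one that works; example.com, the e-mail and the credentials are placeholders, and the forward_proxy subdirective names are assumed from the plugin's README.

```caddyfile
# Constructed example: example.com, the e-mail and the credentials are placeholders.

# Does NOT proxy for all origins: the site address example.com only routes requests
# whose Host header is example.com (purpose 3), so CONNECT / absolute-URI requests for
# any other host never reach forward_proxy and are black-holed.
example.com {
    forward_proxy {
        basic_auth user secret
    }
}

# Works: ":443" binds the listener and routes every request that arrives on it,
# whatever Host it carries (purposes 1 and 3); "example.com" supplies the name to
# obtain a certificate for and to present in the TLS handshake (purpose 2).
:443, example.com {
    tls admin@example.com

    route {
        forward_proxy {
            basic_auth user secret   # never expose an open proxy; require credentials
            hide_ip                  # do not leak the client address in X-Forwarded-For
            hide_via                 # do not announce the proxy in a Via header
        }
        file_server                  # what ordinary visitors to example.com get
    }
}
```

The route block is there so that forward_proxy is evaluated before file_server; without an explicit order, proxy requests would fall through to the static handler.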