Caddy service not starting, DDNS shows ip lookup failure

Started by gouthamravee, Today at 06:10:10 AM

Today at 06:10:10 AM Last Edit: Today at 05:10:45 PM by gouthamravee Reason: Solution added
SOLVED: I forgot to enable the rule "Disable web GUI redirect rule" in the system settings. This was causing lighttpd to hold the port, preventing caddy from starting.

Hello! I'm trying to move my reverse proxy to Opnsense, and figured it'd be a good time to move from Nginx to Caddy.
I'm trying to test it out with one domain, I've disabled the config in my Nginx Proxy and tried to set it up in Caddy, but the service refuses to start or work.

I am using Cloudflare for my domain.
I want to use DNS-01 challenge.
I am only using CF as a DDNS, my traffic isn't being proxied through the CF network.
I have a firewall rule on my WAN interface for port 443 only, the destination is set as "This firewall", protocol is TCP/UDP.
I can resolve and get a response from `http://api.ipify.org/` from the opnsense shell.
I have a scoped api token in CF for the domain I want to use, it has Zone.Zone read and Zone.DNS edit rights.
I have it configured as a wildcard domain with a subdomain, as described in the docs as recommended for Cloudflare.

I've attached the latest logs from the last time I tried, and the config from the diagnostic page. Both are sanitized so the domains are placeholders. The same domain works fine if I enable the config in my nginx reverse proxy.

I know the IP lookup failures are happening because of the DDNS options, but even if I disable that the service keeps stopping, aka doesn't show as running on the dashboard, and the external domain doesn't work.

Thank you!

Can you check out /var/log/caddy/caddy.log, it should show any start up errors (e.g. if ports cannot be bound for example). They happen before being redirected to the syslog.
Hardware:
DEC740

Today at 05:09:06 PM #2 Last Edit: Today at 05:27:25 PM by gouthamravee
Lol damn sometimes it just takes someone to repeat the obvious.

So first off I did check that file,
I saw these errors in the caddy.log file

Error: caddy process exited with error: exit status 1
Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: address already in use
Error: caddy process exited with error: exit status 1
Error: loading initial config: loading new config: http app module: start: listening on :80: listen tcp :80: bind: address already in use
Error: caddy process exited with error: exit status 1

Looking at the used ports I saw

sockstat -4 -6 -l | grep ':80'
root     lighttpd   50842 9   tcp4   *:80                  *:*
root     lighttpd   50842 10  tcp6   *:80                  *:*
root     suricata   91301 6   div4   *:8000                *:*
root     suricata   91301 7   div4   *:8000                *:*
root     suricata   91301 8   div4   *:8000                *:*
root     suricata   91301 9   div4   *:8000                *:*
root     crowdsec    4445 18  tcp4   127.0.0.1:8080        *:*
root     kea-ctrl-a 72069 7   tcp4   127.0.0.1:8000        *:*

At first, I thought this was the web-gui, I did move it to a different port in the admin settings and I figured since I only use https I didn't have to do anything else.

Restarting the web-gui service did stop lighttpd from using port 80, but when I started caddy it would come back.

Anyway, looking at it again this morning I realized I missed a setting in the web GUI, "Disable web GUI redirect rule".

I just enabled that setting, and Caddy was able to start up.
But I'm still having problems with the reverse proxying and DDNS.

The reverse proxy isn't working at all for the subdomain and the DDNS part is still erroring out with
"error","ts":"2026-03-09T16:12:02Z","logger":"dynamic_dns","msg":"looking up IP address","ip_source":"interface","error":"no IP addresses returned"}
With my Nginx based reverse proxy, along with the firewall rules I also have a NAT rule to direct the external ports to the internal IP of the reverse proxy. Do I need to add a similar NAT rule, but for "this firewall" like the firewall rule?

Sorry about all the edits and the way I wrote this post, I got a little too excited when the caddy server actually started.
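As an added illustration of the port-conflict check worked through in this post (not code from the thread or from the OPNsense Caddy plugin), this POSIX shell script parses `sockstat -4 -6 -l` output and reports any process other than caddy that is listening on 80 or 443. The sample output is constructed from the lines quoted above; on a live box you would pass `"$(sockstat -4 -6 -l)"` instead.

```shell
# Constructed sample of `sockstat -4 -6 -l` output, mirroring the post above.
SOCKSTAT_SAMPLE='USER     COMMAND    PID   FD  PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   50842 9   tcp4   *:80                  *:*
root     lighttpd   50842 10  tcp6   *:80                  *:*
root     crowdsec    4445 18  tcp4   127.0.0.1:8080        *:*
root     kea-ctrl-a 72069 7   tcp4   127.0.0.1:8000        *:*'

# port_holders INPUT PORT...: print "port command pid" for every listening TCP
# socket on one of the given ports. INPUT is sockstat-formatted text, so this
# works on live output or on a saved copy.
port_holders() {
    input=$1; shift
    for port in "$@"; do
        printf '%s\n' "$input" | awk -v p="$port" '
            $5 ~ /^tcp/ {
                # LOCAL ADDRESS is host:port (IPv6 hosts contain colons too),
                # so the port is always the last colon-separated field.
                n = split($6, a, ":")
                if (a[n] == p) print p, $2, $3
            }'
    done
}

# caddy_port_conflicts INPUT: list processes other than caddy holding 80 or
# 443, the ports caddy needs for the HTTP->HTTPS redirect and for TLS.
# Prints one "port command pid" line per conflict and returns 1 if any exist.
caddy_port_conflicts() {
    conflicts=$(port_holders "$1" 80 443 | awk '$2 != "caddy"' | sort -u)
    [ -z "$conflicts" ] && return 0
    printf '%s\n' "$conflicts"
    return 1
}

# Example run against the constructed sample: reports lighttpd on port 80,
# the same conflict the caddy.log "address already in use" error pointed at.
caddy_port_conflicts "$SOCKSTAT_SAMPLE" \
    || echo "conflict found: free the port (e.g. the web GUI redirect rule) before starting caddy"
```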


Now that the server started it should be fine.

You don't need NAT rules at all, you only need a firewall rule that allows access to the caddy ports on This Firewall.

And for dynamic DNS, use a different check type? Maybe interface check doesn't work for some reason in your setup?

Check the FAQ and troubleshooting here:
https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-troubleshooting

Try to pinpoint the issue.
Hardware:
DEC740