Do not listen on port 80 by default.

jum · jum · commit 30e73ac3c6f4 · 2024-05-08T20:44:12.000-05:00
diff --git a/README.md b/README.md
@@ -193,6 +193,13 @@ domains using multiple godaddy accounts I can now update all my domains
 using a single CF_API_KEY for cloudflare. I have thus moved this into
 the main Caddyfile under the acme_dns global configuration.
 
+For all of my domains (except one, for backward compatibility) I also do
+not expect any unencrypted traffic on port 80, I have thus added
+"auto_https disable_redirects" to the base Caddfile to let caddy not
+listen on port 80 by default. As I only use the ACME DNS challenge, I do
+not need to open that port und thus save myself the headache of the many
+probes for security problems, which conveniently only happen on port 80.
+
 ### Surviving a tailscaled restart
 
 The docker container mounts the runtime directory of tailscale and not
diff --git a/caddy/config/Caddyfile b/caddy/config/Caddyfile
@@ -2,6 +2,7 @@
         email jens-uwe@mager.org
         cert_issuer acme
 	acme_dns cloudflare {env.CF_API_KEY}
+	auto_https disable_redirects
         default_sni {env.CADDY_HOST}
         storage redis {
                 host "{env.CADDY_REDIS_HOST}"
@@ -86,11 +87,6 @@
         header @woff2 Cache-Control "max-age=604800"
 }
 
-http:// {
-        import defaulthdr
-        redir https://{env.CADDY_HOST} 308
-}
-
 {env.CADDY_TAILNET_HOST} {
         import defaulthdr
         skip_log /health
