From 71dd1a69da08811891b3faa0cd2dbad0d86c5310 Mon Sep 17 00:00:00 2001
From: Monviech <79600909+Monviech@users.noreply.github.com>
Date: Wed, 3 Jul 2024 14:13:11 +0200
Subject: [PATCH] www/caddy: Allow bind to non standard ports (#4069)
* www/caddy: Allow bind to default loopback interface and bind to non standard http and https ports.
* www/caddy: Improve validation to include new custom ports. Remove wrong default_bind option.
* Remove keys that are already defaults.
* Allowing WellKnown is wrong in this context.
---
.../controllers/OPNsense/Caddy/forms/general.xml | 16 ++++++++++++++++
.../mvc/app/models/OPNsense/Caddy/Caddy.php | 9 +++++++--
.../mvc/app/models/OPNsense/Caddy/Caddy.xml | 2 ++
.../service/templates/OPNsense/Caddy/Caddyfile | 11 +++++++++++
4 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
index 66ee187088..4ac84664ed 100644
--- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
+++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml
@@ -5,6 +5,22 @@
checkbox
+
+ caddy.general.HttpPort
+
+ text
+ 80
+
+ true
+
+
+ caddy.general.HttpsPort
+
+ text
+ 443
+
+ true
+
caddy.general.TlsEmail
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
index 85254166fb..f66497fdd3 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php
@@ -129,13 +129,18 @@ private function getWebGuiPorts()
private function checkWebGuiSettings($messages)
{
- $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']);
+ // Get custom caddy ports if set. If empty, default to 80 and 443.
+ $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : '80';
+ $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : '443';
$tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps;
+ // Check for conflicts
+ $overlap = array_intersect($this->getWebGuiPorts(), [$httpPort, $httpsPort]);
+
if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') {
$portOverlap = implode(', ', $overlap);
$messages->appendMessage(new Message(
- sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port 443, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap),
+ sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port %s, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap, $httpsPort),
"general.TlsAutoHttps"
));
}
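Review bot: The hint on the `sprintf` line still hard-codes `port 80` and the "Disable web GUI redirect rule" remedy, while the overlap two lines above is now computed against `$httpPort`, which may no longer be 80; with a custom HttpPort that collides with the WebGUI TCP port the first remedy does not apply and only `$httpsPort` is reported. Consider passing both configured ports, `$portOverlap, $httpPort, $httpsPort`, with matching `%s` placeholders, and qualifying the redirect-rule advice as relevant only when port 80 is among the conflicts. A secondary point: `!empty((string)$this->general->HttpPort)` treats the string `'0'` as unset and silently falls back to the default, whereas `!== ''` states the intent precisely. The overlap check also presumes HttpPort/HttpsPort are already constrained to numeric port values by the model (Caddy.xml), which this patch does not show in readable form. checkWebGuiSettings continues past the end of the hunk.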
diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
index 93960a2ecc..db4388ee43 100644
--- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
+++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml
@@ -8,6 +8,8 @@
0
Y
+
+
Please enter a valid email address.
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
index 5070878d57..4cc17cd6ba 100644
--- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
+++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile
@@ -53,6 +53,17 @@
{% endif %}
}
+ {# Change default ports on demand #}
+ {% set httpPort = generalSettings.HttpPort %}
+ {% set httpsPort = generalSettings.HttpsPort %}
+
+ {% if httpPort %}
+ http_port {{ httpPort }}
+ {% endif %}
+ {% if httpsPort %}
+ https_port {{ httpsPort }}
+ {% endif %}
+
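Review bot: `http_port {{ httpPort }}` and `https_port {{ httpsPort }}` splice the model value into the Caddyfile unescaped, so the template relies entirely on the model (Caddy.xml) to restrict HttpPort/HttpsPort to a numeric port; that constraint is not legible in this patch, so please confirm it exists, since a non-numeric value would likely yield an invalid global option and a configuration Caddy refuses to load. The `{% if httpPort %}` guards let an empty field fall back to Caddy's built-in defaults, which is consistent with the 80/443 fallback in checkWebGuiSettings. A one-line comment stating that dependency, `{# HttpPort/HttpsPort are validated as port numbers in Caddy.xml #}`, would help the next reader. This assumes the `}` on the line before the insertion closes a nested sub-block rather than the global options block itself, which starts before this hunk.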
{#
# Section: Global Trusted Proxy and Credential Logging
# Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.