From 71dd1a69da08811891b3faa0cd2dbad0d86c5310 Mon Sep 17 00:00:00 2001 From: Monviech <79600909+Monviech@users.noreply.github.com> Date: Wed, 3 Jul 2024 14:13:11 +0200 Subject: [PATCH] www/caddy: Allow bind to non standard ports (#4069) * www/caddy: Allow bind to default loopback interface and bind to non standard http and https ports. * www/caddy: Improve validation to include new custom ports. Remove wrong default_bind option. * Remove keys that are already defaults. * Allowing WellKnown is wrong in this context. --- .../controllers/OPNsense/Caddy/forms/general.xml | 16 ++++++++++++++++ .../mvc/app/models/OPNsense/Caddy/Caddy.php | 9 +++++++-- .../mvc/app/models/OPNsense/Caddy/Caddy.xml | 2 ++ .../service/templates/OPNsense/Caddy/Caddyfile | 11 +++++++++++ 4 files changed, 36 insertions(+), 2 deletions(-) diff --git a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml index 66ee187088..4ac84664ed 100644 --- a/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml +++ b/www/caddy/src/opnsense/mvc/app/controllers/OPNsense/Caddy/forms/general.xml @@ -5,6 +5,22 @@ checkbox + + caddy.general.HttpPort + + text + 80 + + true + + + caddy.general.HttpsPort + + text + 443 + + true + caddy.general.TlsEmail diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php index 85254166fb..f66497fdd3 100644 --- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php +++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.php 
@@ -129,13 +129,18 @@ private function getWebGuiPorts() private function checkWebGuiSettings($messages) { - $overlap = array_intersect($this->getWebGuiPorts(), ['80', '443']); + // Get custom caddy ports if set. If empty, default to 80 and 443. + $httpPort = !empty((string)$this->general->HttpPort) ? (string)$this->general->HttpPort : '80'; + $httpsPort = !empty((string)$this->general->HttpsPort) ? (string)$this->general->HttpsPort : '443'; $tlsAutoHttpsSetting = (string)$this->general->TlsAutoHttps; + // Check for conflicts + $overlap = array_intersect($this->getWebGuiPorts(), [$httpPort, $httpsPort]); + if (!empty($overlap) && $tlsAutoHttpsSetting !== 'off') { $portOverlap = implode(', ', $overlap); $messages->appendMessage(new Message( - sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port 443, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap), + sprintf(gettext('To use "Auto HTTPS", resolve these conflicting ports (%s) that are currently configured for the OPNsense WebGUI. Go to "System - Settings - Administration". To release port 80, enable "Disable web GUI redirect rule". To release port %s, change "TCP port" to a non-standard port, e.g., 8443.'), $portOverlap, $httpsPort), "general.TlsAutoHttps" )); } diff --git a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml index 93960a2ecc..db4388ee43 100644 --- a/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml +++ b/www/caddy/src/opnsense/mvc/app/models/OPNsense/Caddy/Caddy.xml @@ -8,6 +8,8 @@ 0 Y + + Please enter a valid email address. 
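Review bot: In checkWebGuiSettings the second `%s` of the new message now receives `$httpsPort`, Caddy's configured HTTPS port, but the sentence it fills ("change TCP port") is advice about the port the WebGUI listens on; with `HttpPort` 80 and `HttpsPort` 8443 against a GUI on 80/443, `$overlap` is `80` yet the user is told to release port 8443. Either derive that hint from the actual overlapping GUI port(s) in `$overlap`, or keep the text keyed to the GUI's ports as before. The hunk also adds no check that the two custom ports differ, and Caddy cannot bind `http_port` and `https_port` to the same value; unless the new `Caddy.xml` fields (whose contents are not readable in this patch) already enforce it, add `if ($httpPort === $httpsPort) { $messages->appendMessage(new Message(gettext('HTTP port and HTTPS port must be different.'), "general.HttpsPort")); }` before the overlap check. The body of checkWebGuiSettings continues past the end of the hunk.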
diff --git a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile index 5070878d57..4cc17cd6ba 100644 --- a/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile +++ b/www/caddy/src/opnsense/service/templates/OPNsense/Caddy/Caddyfile @@ -53,6 +53,17 @@ {% endif %} } + {# Change default ports on demand #} + {% set httpPort = generalSettings.HttpPort %} + {% set httpsPort = generalSettings.HttpsPort %} + + {% if httpPort %} + http_port {{ httpPort }} + {% endif %} + {% if httpsPort %} + https_port {{ httpsPort }} + {% endif %} + {# # Section: Global Trusted Proxy and Credential Logging # Purpose: The trusted proxy section is important when using CDNs so that headers are trusted.
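Review bot: The `{% if httpPort %}` / `{% if httpsPort %}` blocks write `generalSettings.HttpPort` and `HttpsPort` verbatim into Caddy's global options, so the template depends entirely on the model field type declared in Caddy.xml (not readable in this patch) to keep the value a bare port number; the `{# Change default ports on demand #}` comment should record that, e.g. `{# Ports are validated by the Caddy model; an empty value keeps Caddy's defaults (80/443), matching the fallback in Caddy.php #}`. Nothing in the template prevents both options from rendering the same port, which Caddy rejects at startup, so that case should be caught by the model validation rather than surfacing as a failed service reload. The enclosing global options block starts before this hunk.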