Merge pull request #920 from openziti/docker-instance-set-caddy-port

override caddy https port
2025-06-19 08:17:05 +02:00 · 2025-03-24 15:52:41 -04:00 · 2025-03-24 15:52:41 -04:00 · 00b57e9f99
commit 00b57e9f99
parent 4b3f7493d1 028d76700d
7 changed files with 18 additions and 29 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,9 @@
 # CHANGELOG

+## v1.0.1
+
+CHANGE: let the Docker instance set the Caddy HTTPS port (https://github.com/openziti/zrok/pull/920)
+
 ## v1.0.0

 MAJOR RELEASE: zrok reaches version 1.0.0!
--- a/docker/compose/zrok-instance/Caddyfile
+++ b/docker/compose/zrok-instance/Caddyfile
@ -8,7 +8,7 @@
 # 	redir https://{host}{uri} permanent
 # }

-*.{$ZROK_DNS_ZONE} {
+*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT} {
 	tls {
 		dns {$CADDY_DNS_PLUGIN} {$CADDY_DNS_PLUGIN_TOKEN}
 		propagation_timeout 60m
--- a/docker/compose/zrok-instance/README.md
+++ b/docker/compose/zrok-instance/README.md
@ -64,7 +64,7 @@ ZROK_ADMIN_TOKEN=zroktoken
 ```

 ```bash title=".env options"
-# Caddy TLS option: rename compose.caddy.yml to compose.override.yml and set these vars; allow 80,443 in firewall
+# Caddy TLS option: rename compose.caddy.yml to compose.override.yml; allow CADDY_HTTPS_PORT in firewall

 #
 ## set these in .env for providers other than Route53
@ -94,9 +94,10 @@ ZROK_CTRL_PORT=18080
 ZROK_FRONTEND_PORT=8080
 ZROK_OAUTH_PORT=8081

-# these secure ziti ports must be published to the internet
+# these secure ports must be published to the internet
 ZITI_CTRL_ADVERTISED_PORT=80
 ZITI_ROUTER_PORT=3022
+CADDY_HTTPS_PORT=443

 # optionally configure oauth for public shares
 #ZROK_OAUTH_HASH_KEY=oauthhashkeysecret
@ -264,9 +265,10 @@ See "My internet connection can only send traffic to common ports" below about c

 1. My internet connection can only send traffic to common ports like 80, 443, and 3389.

-    You can change the required ports in the `.env` file. Caddy will still use port 443 for zrok shares and API if you renamed `compose.caddy.yml` as `compose.override.yml` to enable Caddy.
+    You can change the required ports in the `.env` file before the first run of the Docker Compose project.

    ```bash title=".env"
    ZITI_CTRL_ADVERTISED_PORT=80
    ZITI_ROUTER_PORT=3389
+    CADDY_HTTPS_PORT=443
    ```
--- a/docker/compose/zrok-instance/bootstrap-frontend.bash
+++ b/docker/compose/zrok-instance/bootstrap-frontend.bash
@ -87,7 +87,7 @@ until [[ -n "${ZITI_PUBLIC_ID}" ]]; do
 done
 echo "DEBUG: 'public' ZITI_PUBLIC_ID=$ZITI_PUBLIC_ID"

-until curl -sSf "${ZROK_API_ENDPOINT}/api/v1/version"; do
+until curl -sSf "${ZROK_API_ENDPOINT}" &>/dev/null; do
    echo "DEBUG: waiting for zrok controller API version endpoint to respond"
    sleep 3
 done
--- a/docker/compose/zrok-instance/compose.caddy.yml
+++ b/docker/compose/zrok-instance/compose.caddy.yml
@ -8,6 +8,7 @@ services:
        CADDY_DNS_PLUGIN: ${CADDY_DNS_PLUGIN} # e.g., "digitalocean" (see github.com/caddy-dns)
    restart: unless-stopped
    environment:
+      CADDY_HTTPS_PORT: ${CADDY_HTTPS_PORT:-443}
      #
      ## set these in .env for providers other than Route53
      #
@ -31,12 +32,12 @@ services:
      ZROK_OAUTH_PORT: ${ZROK_OAUTH_PORT:-8081}
    expose:
      # - 80/tcp
-      - 443/tcp
-      - 443/udp   # Caddy's HTTP/3 (QUIC) (not published)
+      - ${CADDY_HTTPS_PORT:-443}/tcp
+      - ${CADDY_HTTPS_PORT:-443}/udp   # Caddy's HTTP/3 (QUIC) (not published)
      - 2019/tcp  # Caddy's admin API     (not published)
    ports:
-      # - ${CADDY_INTERFACE:-0.0.0.0}:80:80
-      - ${CADDY_INTERFACE:-0.0.0.0}:443:443
+      # - ${CADDY_INTERFACE:-0.0.0.0}:80:80         # port occupied by ziti
+      - ${CADDY_INTERFACE:-0.0.0.0}:${CADDY_HTTPS_PORT:-443}:${CADDY_HTTPS_PORT:-443}
      # - ${CADDY_INTERFACE:-0.0.0.0}:443:443/udp"  # future: HTTP/3 (QUIC)
    volumes:
      - caddy_data:/data
@ -47,7 +48,7 @@ services:
  zrok-frontend:
    environment:
      ZROK_FRONTEND_SCHEME: https
-      ZROK_FRONTEND_PORT: 443
+      ZROK_FRONTEND_PORT: ${CADDY_HTTPS_PORT:-443}

 volumes:
  caddy_data:
--- a/docker/compose/zrok-instance/route53.Caddyfile
+++ b/docker/compose/zrok-instance/route53.Caddyfile
@ -8,7 +8,7 @@
 # 	redir https://{host}{uri} permanent
 # }

-*.{$ZROK_DNS_ZONE} {
+*.{$ZROK_DNS_ZONE}:{$CADDY_HTTPS_PORT} {
 	tls {
 		dns route53 {
 			access_key_id {$AWS_ACCESS_KEY_ID}
--- a/docker/compose/zrok-public-reserved/compose.override.yml
+++ b/docker/compose/zrok-public-reserved/compose.override.yml
@ -1,18 +0,0 @@
-services:
-  my-other-zrok-share:
-    image: ${ZROK_CONTAINER_IMAGE:-docker.io/openziti/zrok}
-    restart: unless-stopped
-    entrypoint: zrok-share.bash
-    depends_on:
-      zrok-enable:
-        condition: service_completed_successfully
-    volumes:
-      - zrok_env:/mnt
-      - ./Caddyfile:/Caddyfile
-    environment:
-      # most relevant options
-      ZROK_UNIQUE_NAME:     "butter"
-      ZROK_BACKEND_MODE:    caddy
-      ZROK_TARGET:          /Caddyfile
-      # internal configuration
-      HOME: /mnt  # zrok homedir in container