Initial skills documentation — 25 categories, all SKILL.md + references + scripts
This commit is contained in:
@@ -0,0 +1,57 @@
|
||||
# Caddy + Tailscale Port 443 Conflict
|
||||
|
||||
On servers running both Caddy (public HTTPS) and Tailscale (tailnet HTTPS), both services want port 443. This conflict causes Caddy's systemd service to fail with:
|
||||
|
||||
```
|
||||
listen tcp :443: bind: address already in use
|
||||
```
|
||||
|
||||
## Root Cause
|
||||
|
||||
Tailscale binds `100.x.x.x:443` (its specific Tailnet interface IP). Caddy by default binds `:443` (all interfaces), which includes the Tailscale IP. The kernel rejects Caddy's bind because the port is already claimed on that specific address.
|
||||
|
||||
The public interface IP (e.g. `152.53.192.33:443`) is completely unused — only Tailscale's tailnet IP is occupied.
|
||||
|
||||
## The Fix
|
||||
|
||||
Add a global `default_bind` directive at the top of Caddyfile to restrict Caddy to the public IP only:
|
||||
|
||||
```
|
||||
{
|
||||
default_bind <PUBLIC_IP>
|
||||
}
|
||||
```
|
||||
|
||||
Where `<PUBLIC_IP>` is the server's public-facing interface IP (e.g. `152.53.192.33` for Core).
|
||||
|
||||
### After the fix
|
||||
|
||||
| Service | IP Binding | Purpose |
|
||||
|---------|-----------|---------|
|
||||
| Caddy | `<PUBLIC_IP>:443` | Public HTTPS for all domains |
|
||||
| Tailscale | `<TAILNET_IP>:443` | Tailnet HTTPS only |
|
||||
| Both | | **No conflict** — different IPs |
|
||||
|
||||
## Verification
|
||||
|
||||
```bash
|
||||
# Caddy should start cleanly
|
||||
systemctl start caddy
|
||||
systemctl is-active caddy # → "active"
|
||||
|
||||
# Both should be bound without conflict
|
||||
ss -tlnp | grep ':443 '
|
||||
# Expected: two listeners — one on public IP (Caddy), one on tailnet IP (tailscaled)
|
||||
|
||||
# Public-facing sites should respond
|
||||
curl -sS -o /dev/null -w '%{http_code}' https://core.itpropartner.com/health
|
||||
# → 200
|
||||
```
|
||||
|
||||
## When This Pattern Applies
|
||||
|
||||
Any server running both:
|
||||
- **Caddy** (or any reverse proxy) wanting `:443` for Let's Encrypt + public HTTPS
|
||||
- **Tailscale** (which binds `:443` on its tailnet interface)
|
||||
|
||||
This is expected on all servers where Tailscale is used for private infrastructure access AND Caddy serves public web traffic.
|
||||
Reference in New Issue
Block a user