Trying to do the same as with Traefik - Caddy doesn't reply to HTTP Requests

[luckylinux]

I'm trying to do the same Systemd Socket Activation Approach as I did with Traefik, now with Caddy.

I had some learnings with Traefik, mainly that I needed to create one .socket File for each IP Address Type (IPv4 or IPv6) AND for each different Port Number. Actually I would have to duplicate everything for every different IP Address I want to bind to and for every different Port Number I want to expose.

The only Exception (to Duplication) are if the TCP and UDP Port Number are the same and bound to the same Address. Best Example for this is HTTPS3 HTTP2 TCP 443 and HTTPS HTTP3 / QUIC UDP 443 which can both be described together in a single .socket File.

Anyways, these are my Configuration Files.
Maybe Caddy just doesn't support Systemd Socket Activation the same Way that Traefik does 😕 ?

/home/podman/.config/systemd/user/example-http-80-ipv4.socket:

[Socket]
# TCP Connection
ListenStream=192.168.1.254:80

FileDescriptorName=example-http-80-ipv4
Service=example-caddy.service

[Install]
WantedBy=sockets.target

/home/podman/.config/systemd/user/example-http-80-ipv6.socket:

[Socket]
ListenStream=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:80

FileDescriptorName=example-http-80-ipv6
Service=example-caddy.service

[Install]
WantedBy=sockets.target

/home/podman/.config/systemd/user/example-https-443-ipv4.socket:

[Socket]
# TCP Connection
ListenStream=192.168.1.254:443

# UDP Connection
ListenDatagram=192.168.1.254:443

FileDescriptorName=example-https-443-ipv4
Service=example-caddy.service

[Install]
WantedBy=sockets.target

/home/podman/.config/systemd/user/example-https-443-ipv6.socket:

[Socket]
# TCP Connection
ListenStream=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:443

# UDP Connection
ListenDatagram=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:443

FileDescriptorName=example-https-443-ipv6
Service=example-caddy.service

[Install]
WantedBy=sockets.target

example-caddy.network:

[Network]
NetworkName=example-caddy
Options=isolate=true
# Internal=true

example-caddy.container:

# If using within a Pod disable this
[Install]
WantedBy=default.target

[Unit]
Description=Example Caddy
# After=caddy.socket
# Requires=caddy.socket
After=example-http-80-ipv4.socket example-https-443-ipv4.socket example-http-80-ipv6.socket example-https-443-ipv6.socket 

[Service]
Restart=always
Sockets=example-http-80-ipv4.socket example-https-443-ipv4.socket example-http-80-ipv6.socket example-https-443-ipv6.socket 

[Container]
ContainerName=example-caddy

# If using in a Pod enable this
# Pod=example.pod
# StartWithPod=true

Environment=CADDY_DOCKER_CADDYFILE_PATH=/etc/caddy/Caddyfile
EnvironmentFile=.env.caddy

Image=docker.io/library/caddy:latest
Pull=missing

# Network (Bridge)
# Network=example-caddy

# Network (Socket Activation)
Network=example-caddy.network

# Security Configuration
NoNewPrivileges=true

# Volumes
Volume=./Caddyfile:/etc/caddy/Caddyfile:ro,z
Volume=/home/podman/containers/data/example/caddy:/data/caddy:z
Volume=/home/podman/containers/log/example/caddy:/var/log:z
Volume=/home/podman/containers/config/example/caddy:/config/caddy:z
Volume=/home/podman/containers/certificates/letsencrypt:/certificates:ro,z

# Ports accessible from Remote
# PublishPort=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:80:80/tcp
# PublishPort=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:443:443/tcp
# PublishPort=[2a0X:XXXX:XXXX:XXXX:0000:0000:0001:0254]:443:443/udp
# PublishPort=192.168.1.254:80:80/tcp
# PublishPort=192.168.1.254:443:443/tcp
# PublishPort=192.168.1.254:443:443/udp

# Do NOT use API for reloading
Exec=/bin/sh -c 'caddy run --config "/etc/caddy/Caddyfile" --adapter "caddyfile"'

Caddyfile:

# Example and Guide
# https://caddyserver.com/docs/caddyfile/options

# General Options
{
    # (Optional) Debug Mode
    # debug

    # Disable Admin API
    # admin off

    # Systemd Socket Activation
    admin unix//run/admin.sock

    # TLS Options
    # (Optional) Disable Certificates Management (only if SSL/TLS Certificates are managed by certbot or other external Tools)
    auto_https disable_certs
}

# localhost {
#     reverse_proxy /api/* localhost:9001
# }

# (Optional) Only if SSL/TLS Certificates are managed by certbot or other external Tools and Custom Logging is required
{$APPLICATION_HOSTNAME} {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}
    
    log {
	output file /var/log/{$APPLICATION_HOSTNAME}/http/access.json {
		roll_size 100MiB
	        roll_keep 5000
	        roll_keep_for 720h
	        roll_uncompressed
	}
    
        format json
    }

    # Reverse Proxy to example-application (unencrypted)
    # reverse_proxy http://example-application:{$APPLICATION_PORT}

    # Reverse Proxy to example-application (TLS)
    # reverse_proxy https://example-application:{$APPLICATION_PORT} {
    reverse_proxy https://example-application.MYDOMAIN.TLD:{$APPLICATION_PORT} {
           transport http {
               # Use TLS when connecting to Upstream
               tls
    
               # Skip upstream TLS Certificate Verification
               # tls_insecure_skip_verify
           }
    }
}

I am able to start up the Container Stack.
However, Caddy isn't getting the Connections "through" Systemd Socket.

Very likely it's a Configuration Error on my Side 😕. Or, possibly, Caddy just doesn't support this, whereas Traefik does.

How does exactly the Service know how/when to Bind to each Socket Activation ?
With Traefik it seems to be in the Name of the Router, e.g. --entryPoints.example-http-80-ipv4.address=:80 must match the FileDescriptorName=example-http-80-ipv4 in example-http-80-ipv4.socket.

How does Caddy handle this? I couldn't see a clear Explanation in the Example. Maybe it only supports 1 single Socket 🤔 ?

EDIT 1: I see https://github.com/eriksjolund/podman-caddy-socket-activation?tab=readme-ov-file#support-for-socket-activation-in-caddy ...

I am however confused by this Comment:

Caddy does not make use of file descriptor names that can be retrieved with sd_listen_fds_with_names(). Instead file descriptor numbers are specified. Do not use multiple socket units. Use one socket unit so that the file descriptor numbers can be mapped to the listening sockets that are configured with ListenStream= and ListenDatagram=.

Since with Traefik I couldn't get all Ports & IP Address configured in a single File, Systemd just wouldn't let me 👎.

[luckylinux]

Making some Progress.

Caddyfile:

# Example and Guide
# https://caddyserver.com/docs/caddyfile/options

# General Options
{
    # (Optional) Debug Mode
    # debug

    # Disable Admin API
    # admin off

    # Systemd Socket Activation
    # admin unix//run/admin.sock

    # TLS Options
    # (Optional) Disable Certificates Management (only if SSL/TLS Certificates are managed by certbot or other external Tools)
    auto_https disable_certs

    # (Optional) Default SNI
    # default_sni {$APPLICATION_HOSTNAME}
}

# localhost {
#     reverse_proxy /api/* localhost:9001
# }

# Systemd Socket Activation
# fd/3 (TCP): example-http-80-ipv4.socket
# fd/4 (TCP) & fdgram/4 (UDP): example-https-443-ipv4.socket
# fd/5 (TCP): example-http-80-ipv6.socket
# fd/6 (TCP) & fdgram/6 (UDP): example-https-443-ipv6.socket

http://{$APPLICATION_HOSTNAME}:80 {
    # Answer to HTTP (TCP) IPv4 Requests
    bind fd/3 {
        protocols h1 h2c
    }

    # Answer to HTTP (TCP) IPv6 Requests
    bind fd/5 {
        protocols h1 h2c
    }

  redir https://{$APPLICATION_HOSTNAME}:443{uri}
}

https://{$APPLICATION_HOSTNAME}:443 {
    tls /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_CERT_FILE:fullchain.pem} /certificates/{$APPLICATION_CERTIFICATE_DOMAIN}/{$APPLICATION_CERTIFICATE_KEY_FILE:privkey.pem}

    # Answer to HTTPS (TCP) IPv4 Requests
    bind fd/4 {
        protocols h1 h2
    }

    # Answer to HTTPS (TCP) IPv6 Requests
    bind fd/6 {
        protocols h1 h2
    }

    # Answer to HTTPS HTTP3 QUIC (UDP) IPv4 Requests
    bind fdgram/4 {
        protocols h3
    }

    # Answer to HTTPS HTTP3 (QUIC) IPv6 Requests
    bind fdgram/6 {
        protocols h3
    }
    
    log {
	output file /var/log/{$APPLICATION_HOSTNAME}/https/access.json {
		roll_size 100MiB
	        roll_keep 5000
	        roll_keep_for 720h
	        roll_uncompressed
	}
    
        format json
    }

    # Reverse Proxy to example-application (encrypted)
    # reverse_proxy http://example-application:{$APPLICATION_PORT}

    # Reverse Proxy to example-application (TLS)
    # reverse_proxy https://example-application:{$APPLICATION_PORT} {
    reverse_proxy https://example-application.MYDOMAIN.TLD:{$APPLICATION_PORT} {
           transport http {
               # Use TLS when connecting to Upstream
               tls
    
               # Skip upstream TLS Certificate Verification
               # tls_insecure_skip_verify
           }
    }

    # IPv4 Reverse Proxy
    # reverse_proxy http://127.0.0.1:{$APPLICATION_PORT}

    # IPv6 Reverse Proxy
    # reverse_proxy http://[::1]:{$APPLICATION_PORT}
}

Now however Caddy won't start at all with an Error Error: loading initial config: loading new config: http app module: start: listening on fd/4: file file+net fd/4: invalid argument:

Feb 16 12:10:04 example systemd[746]: Starting example-caddy.service - example Caddy...
░░ Subject: A start job for unit UNIT has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit UNIT has begun execution.
░░ 
░░ The job identifier is 36965.
Feb 16 12:10:04 example podman[444620]: 2026-02-16 12:10:04.943759728 +0100 CET m=+0.062562977 container create 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed (image=docker.io/library/caddy:latest, name=example-caddy, org.opencontainers.image.description=a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go, org.opencontainers.image.url=https://caddyserver.com, org.opencontainers.image.version=v2.10.2, PODMAN_SYSTEMD_UNIT=example-caddy.service, org.opencontainers.image.source=https://github.com/caddyserver/caddy-docker, org.opencontainers.image.licenses=Apache-2.0, org.opencontainers.image.vendor=Light Code Labs, org.opencontainers.image.title=Caddy, org.opencontainers.image.documentation=https://caddyserver.com/docs)
Feb 16 12:10:04 example podman[444620]: 2026-02-16 12:10:04.901953461 +0100 CET m=+0.020756720 image pull aac61abc4024c323602ccb9ee38bd68b147601f518626b2a055e06944e01c510 docker.io/library/caddy:latest
Feb 16 12:10:05 example podman[444620]: 2026-02-16 12:10:05.025279257 +0100 CET m=+0.144082496 container init 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed (image=docker.io/library/caddy:latest, name=example-caddy, org.opencontainers.image.url=https://caddyserver.com, org.opencontainers.image.version=v2.10.2, PODMAN_SYSTEMD_UNIT=example-caddy.service, org.opencontainers.image.source=https://github.com/caddyserver/caddy-docker, org.opencontainers.image.documentation=https://caddyserver.com/docs, org.opencontainers.image.vendor=Light Code Labs, org.opencontainers.image.description=a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go, org.opencontainers.image.title=Caddy, org.opencontainers.image.licenses=Apache-2.0)
Feb 16 12:10:05 example podman[444620]: 2026-02-16 12:10:05.030193627 +0100 CET m=+0.148996856 container start 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed (image=docker.io/library/caddy:latest, name=example-caddy, org.opencontainers.image.url=https://caddyserver.com, org.opencontainers.image.version=v2.10.2, org.opencontainers.image.source=https://github.com/caddyserver/caddy-docker, org.opencontainers.image.vendor=Light Code Labs, org.opencontainers.image.description=a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go, PODMAN_SYSTEMD_UNIT=example-caddy.service, org.opencontainers.image.title=Caddy, org.opencontainers.image.documentation=https://caddyserver.com/docs, org.opencontainers.image.licenses=Apache-2.0)
Feb 16 12:10:05 example systemd[746]: Started example-caddy.service - example Caddy.
░░ Subject: A start job for unit UNIT has finished successfully
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit UNIT has finished successfully.
░░ 
░░ The job identifier is 36965.
Feb 16 12:10:05 example example-caddy[444620]: 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3684182,"msg":"maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.369296,"msg":"GOMEMLIMIT is updated","package":"github.com/KimMachineGun/automemlimit/memlimit","GOMEMLIMIT":3484547481,"previous":9223372036854775807}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3694885,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3714638,"msg":"adapted config to JSON","adapter":"caddyfile"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"warn","ts":1771240205.371476,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":6}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3737304,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3739066,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00058d080"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"warn","ts":1771240205.375423,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv3","http_port":80}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"warn","ts":1771240205.3757787,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"warn","ts":1771240205.375795,"logger":"http.auto_https","msg":"skipping automated certificate management for server because it is disabled","server_name":"srv2"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.375798,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv2"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.378045,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3782656,"logger":"tls.cache.maintenance","msg":"stopped background certificate maintenance","cache":"0xc00058d080"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3782911,"logger":"http","msg":"servers shutting down with eternal grace period"}
Feb 16 12:10:05 example example-caddy[444645]: {"level":"info","ts":1771240205.3787231,"msg":"maxprocs: No GOMAXPROCS change to reset"}
Feb 16 12:10:05 example example-caddy[444645]: Error: loading initial config: loading new config: http app module: start: listening on fd/4: file file+net fd/4: invalid argument
Feb 16 12:10:06 example podman[444689]: 2026-02-16 12:10:06.264995959 +0100 CET m=+0.854933407 container died 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed (image=docker.io/library/caddy:latest, name=example-caddy, org.opencontainers.image.licenses=Apache-2.0, org.opencontainers.image.url=https://caddyserver.com, org.opencontainers.image.version=v2.10.2, PODMAN_SYSTEMD_UNIT=example-caddy.service, org.opencontainers.image.documentation=https://caddyserver.com/docs, org.opencontainers.image.source=https://github.com/caddyserver/caddy-docker, org.opencontainers.image.description=a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go, org.opencontainers.image.title=Caddy, org.opencontainers.image.vendor=Light Code Labs)
Feb 16 12:10:06 example podman[444689]: 2026-02-16 12:10:06.507489402 +0100 CET m=+1.097426850 container remove 23f895673c97d8cefacfbc35577d411c2a3abf760e04657330d51feaf37ca3ed (image=docker.io/library/caddy:latest, name=example-caddy, org.opencontainers.image.documentation=https://caddyserver.com/docs, org.opencontainers.image.licenses=Apache-2.0, org.opencontainers.image.vendor=Light Code Labs, org.opencontainers.image.version=v2.10.2, PODMAN_SYSTEMD_UNIT=example-caddy.service, org.opencontainers.image.url=https://caddyserver.com, org.opencontainers.image.source=https://github.com/caddyserver/caddy-docker, org.opencontainers.image.title=Caddy, org.opencontainers.image.description=a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go)
Feb 16 12:10:06 example systemd[746]: example-caddy.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ An ExecStart= process belonging to unit UNIT has exited.
░░ 
░░ The process' exit code is 'exited' and its exit status is 1.
Feb 16 12:10:06 example systemd[746]: example-caddy.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit UNIT has entered the 'failed' state with result 'exit-code'.
Feb 16 12:10:06 example systemd[746]: example-caddy.service: Consumed 453ms CPU time, 103.1M memory peak.
░░ Subject: Resources consumed by unit runtime
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit UNIT completed and consumed the indicated resources.

Is this what the Warning in the README.md File is about ?

https://github.com/eriksjolund/podman-caddy-socket-activation?tab=readme-ov-file#support-for-socket-activation-in-caddy

Caddy does not make use of file descriptor names that can be retrieved with sd_listen_fds_with_names(). Instead file descriptor numbers are specified. Do not use multiple socket units. Use one socket unit so that the file descriptor numbers can be mapped to the listening sockets that are configured with ListenStream= and ListenDatagram=.

I still don't get however how that would work correctly, given that Systemd clearly refused to cooperate, when I tried that using Traefik 😕.

[luckylinux]

Also trying with named Sockets fails.

    # Answer to HTTPS (TCP) IPv4 Requests
    # bind fd/4 {
    # bind fdname/example-https-443-ipv4:0 {
    bind fdname/example-https-443-ipv4 {
        protocols h1 h2
    }

    # Answer to HTTPS (TCP) IPv6 Requests
    # bind fd/6 {
    # bind fdname/example-https-443-ipv6:0 {
    bind fdname/example-https-443-ipv6 {
        protocols h1 h2
    }

    # Answer to HTTPS HTTP3 QUIC (UDP) IPv4 Requests
    # bind fdgram/4 {
    # bind fdgramname/example-https-443-ipv4:0 {
    # bind fdgramname/example-https-443-ipv4:1 {
    #     protocols h3
    # }

    # Answer to HTTPS HTTP3 (QUIC) IPv6 Requests
    # bind fdgram/6 {
    # bind fdgramname/example-https-443-ipv4:0 {
    # bind fdgramname/example-https-443-ipv6:1 {
    #     protocols h3
    # } 

Originally it failed with Error: loading initial config: loading new config: http app module: start: starting HTTP/3 QUIC listener: network 'fdgramname' cannot handle HTTP/3 connections.
When I disabled QUIC, then it also failed on TCP with Error: loading initial config: loading new config: http app module: start: listening on fdname/example-http-80-ipv4: listen fdname: unknown network fdname.