Caddy: QUIC-only Mode

Created on 24 Apr 2017 · 14 Comments · Source: caddyserver/caddy

I'd like to play with Caddy's QUIC feature while maintaining my current nginx setup.
Would it be possible to implement a QUIC-only mode that could be enabled by command-line option?

feature request

All 14 comments

馃 What exactly do you mean by "QUIC-only"? Is that different from using -quic? QUIC will be preferred where the client and protocols support it.

By that I mean an option for Caddy to accept connections only over QUIC (only listen on UDP?), leaving the TCP port open for another server to listen on.
What I'm trying to do is use Caddy as a reverse proxy to experiment with QUIC connectivity on top of my existing nginx setup.

Oh. No, there's no way to do that with Caddy. It's extremely niche, and severely limits the kinds of clients that can connect. Why do you need this?

I'd like to experiment with QUIC while keeping nginx for handling other connections since Caddy's cipher suites don't support some legacy clients that I need.

Previously, I tested with quic-reverse-proxy, which had a flag (-quic_only) that changed it into only handling QUIC connections. I know that it's a niche feature request, but perhaps it could still be sane to add in, because I'm guessing that it wouldn't require too much code change.

Hmm... so, I am not really inclined to implement this (doesn't seem generally useful) -- I would recommend just testing on a separate machine or a different port.

Thanks for your request though!

You can use --origin-to-force-quic-on=: in Chrome to force QUIC on the client.

I'm aware of that flag, but I'm trying to force QUIC on the server, as opposed to the client side.

I've found a way to split TCP/UDP traffic incoming on port 443 with iptables NAT, but if anybody knows of a better method, please do let me know.

@Injust How did you manage to split the traffic, so you can do QUIC-only with Caddy?

I know time has passed since this answer, but can you still explain how to do it, or did you find another, better solution?

Use ufw to block the TCP port and only keep udp open?

@Henrocker Here is a series of iptables rules that will split the traffic:

-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 60443
-A PREROUTING -p tcp -m tcp --dport 60443 -j REDIRECT --to-ports 0
-A INPUT -p tcp -m multiport --dports 80,60443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT

TCP traffic on port 443 is redirected to 60443 (or any other port you prefer), and UDP traffic remains untouched. Have Caddy listen on https://domain.tld as usual, and have nginx listen on the high port to handle the TCP traffic.
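As an added example (not from the thread), a small Python check that reads `iptables-save` output and confirms the TCP/UDP split described above is actually in place: TCP on the HTTPS port redirected, the redirect target and UDP on the HTTPS port accepted. The dump it parses is constructed to mirror the rules posted, not captured from a real host.

```python
import re

# Constructed `iptables-save` excerpt (not captured from a real host), mirroring
# the rules above: nat REDIRECT for TCP/443, filter ACCEPT for UDP/443 and 60443.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 60443
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m multiport --dports 80,60443 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
COMMIT
"""


def parse_rules(dump):
    """Yield (table, rule) for every -A line, tracking the *table headers."""
    table = None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:].strip()
        elif line.startswith("-A "):
            yield table, line


def dports(rule):
    """Destination ports matched by a rule (--dport or multiport --dports)."""
    m = re.search(r"--dports? (\S+)", rule)
    return set(m.group(1).split(",")) if m else set()


def check_split(dump, https_port="443"):
    """Report whether TCP/https_port is redirected, and whether UDP/https_port
    and the redirect target are accepted; 'ok' is True only when all three hold."""
    report = {"redirect_port": None, "udp_accepted": False, "redirect_accepted": False}
    rules = list(parse_rules(dump))
    for table, rule in rules:  # nat PREROUTING: find where TCP/https_port goes
        if (table == "nat" and rule.startswith("-A PREROUTING") and "-p tcp" in rule
                and https_port in dports(rule)):
            m = re.search(r"-j REDIRECT --to-ports (\d+)", rule)
            report["redirect_port"] = m.group(1) if m else None
    for table, rule in rules:  # filter INPUT: both halves must be accepted
        if table != "filter" or not rule.startswith("-A INPUT") or "-j ACCEPT" not in rule:
            continue
        if "-p udp" in rule and https_port in dports(rule):
            report["udp_accepted"] = True
        if "-p tcp" in rule and report["redirect_port"] in dports(rule):
            report["redirect_accepted"] = True
    report["ok"] = all((report["redirect_port"], report["udp_accepted"], report["redirect_accepted"]))
    return report


if __name__ == "__main__":
    print(check_split(SAMPLE_DUMP))
```

Feed it `iptables-save` output from the host to confirm the nat and filter halves agree on the redirect port.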

This would indeed be a good feature for those who would like to use Caddy only for QUIC on 443/udp and another web server on 443/tcp.

I personally run Caddy in a container to which only 443/udp is forwarded.

I deploy my services in Docker, and this problem could be solved naturally.

services:
  nginx:
    image: nginx
    ports:
      - '443:443'
  caddy:
    image: caddy
    ports:
      - '443:443/udp'

+1

Docker is a good solution, but I'm not using Docker. :(

The firewall approach requires root and may need kernel settings to be edited.
