Default Bind Port 443 causes issues with Certificates

[EntropySmoke]

Running the latest Edge build of AGH on Raspberry Pi 2 with Bullseye. New default AdGuardHome.yaml settings set Bind Port to 443 (HTTPS) by default, but it doesn't come with any certificates and connection is not encrypted. Attempts to add SSL certificates when using Bind Port 443 results in an error (about Port 443 being busy or something like that).
To input my local certificates, Bind Port must be set to 80, but once certificates are in place and re-direction to HTTPS is enabled, port 443 with encrypted connection becomes the default, while Bind Port 80 remains set in AdGuardHome.yaml.

Basically, I think it isn't a good idea to set default Bind Port to 443. It only creates issues and doesn't encrypt anything by default.

[t3dium]

Could just be because the 443 port is already being used up by another service on your device, in all my testing I've never ran into issues

[EntropySmoke]

The only way TCP Port 443 works on AdGuard is if I set Bind Port to 80, use HTTPS certificate, and select automatic redirection.

If I simply bind TCP Port 443 in AdGuardHome.yaml, a connection can't be made.

[DavidOsipov]

I would like to just recommend using a reverse proxy like Nginx in from of Adguard home, which would listen to 443 port, strip encryption and forward requests to local Adguard home. Don't forget to set allow_unencrypted_doh: true in this configuration.

As for your problem, the 443 port is already occupied by some process and Adguard home can't bind to it. Do sudo lsof -i -P -n | grep LISTEN and find out the app, which is already binded to the 443 port.

[ainar-g]

New default AdGuardHome.yaml settings set Bind Port to 443 (HTTPS) by default

I don't believe that that's true. The initial port for the web interface is always 3000, and you set the actual port during the initial post-install setup process.

Attempts to add SSL certificates when using Bind Port 443 results in an error (about Port 443 being busy or something like that).

The only way TCP Port 443 works on AdGuard is if I set Bind Port to 80, use HTTPS certificate, and select automatic redirection.

This sounds like you're making AGH conflict with itself here. The bind_port setting is for the HTTP web interface, without the “S”. So, when you put the HTTPS port in there, the actual HTTPS server cannot start.

@ameshkov, do you think that we should just clarify that in the docs, or perhaps add some code to produce a better error message about the port conflict?

[ameshkov]

I'd prefer better config validation with a clear error message in this case.

[EugeneOne1]

@EntropySmoke, hello again. We've just pushed the latest edge build. It contains some improvements on reporting the port binding errors. Could you please install it and check if those messages are clear enough?

[EugeneOne1]

@EntropySmoke, I'll close the issue for now. Feel free to reopen it if the solution seems incomplete to you.