From 0e829bc4187e265d1e4ccb1bec24996088acf0a5 Mon Sep 17 00:00:00 2001
From: Aaron Paterson <9441877+MayCXC@users.noreply.github.com>
Date: Tue, 1 Oct 2024 01:47:21 -0400
Subject: [PATCH] caddyhttp: Fix listener wrapper regression from #6573 (#6599)

---
 listeners.go             |  8 ++++----
 modules/caddyhttp/app.go | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/listeners.go b/listeners.go
index cf7b52018..3a2a5180f 100644
--- a/listeners.go
+++ b/listeners.go
@@ -183,14 +183,14 @@ func (na NetworkAddress) listen(ctx context.Context, portOffset uint, config net
 		}
 	}
 
-	if ln == nil {
-		return nil, fmt.Errorf("unsupported network type: %s", na.Network)
-	}
-
 	if err != nil {
 		return nil, err
 	}
 
+	if ln == nil {
+		return nil, fmt.Errorf("unsupported network type: %s", na.Network)
+	}
+
 	if IsUnixNetwork(na.Network) {
 		isAbstractUnixSocket := strings.HasPrefix(address, "@")
 		if !isAbstractUnixSocket {
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 673ebcb8e..7a5c10623 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -535,11 +535,6 @@ func (app *App) Start() error {
 						return fmt.Errorf("network '%s' cannot handle HTTP/1 or HTTP/2 connections", listenAddr.Network)
 					}
 
-					if useTLS {
-						// create TLS listener - this enables and terminates TLS
-						ln = tls.NewListener(ln, tlsCfg)
-					}
-
 					// wrap listener before TLS (up to the TLS placeholder wrapper)
 					var lnWrapperIdx int
 					for i, lnWrapper := range srv.listenerWrappers {
@@ -550,6 +545,11 @@ func (app *App) Start() error {
 						ln = lnWrapper.WrapListener(ln)
 					}
 
+					if useTLS {
+						// create TLS listener - this enables and terminates TLS
+						ln = tls.NewListener(ln, tlsCfg)
+					}
+
 					// finish wrapping listener where we left off before TLS
 					for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
 						ln = srv.listenerWrappers[i].WrapListener(ln)