caddyhttp: Fix listener wrapper regression from #6573 (#6599)

2 files changed, 9 insertions, 9 deletions

diff --git a/listeners.go b/listeners.go
index cf7b5201..3a2a5180 100644
--- a/listeners.go
+++ b/listeners.go
@@ -183,14 +183,14 @@ func (na NetworkAddress) listen(ctx context.Context, portOffset uint, config net
 		}
 	}
 
-	if ln == nil {
-		return nil, fmt.Errorf("unsupported network type: %s", na.Network)
-	}
-
 	if err != nil {
 		return nil, err
 	}
 
+	if ln == nil {
+		return nil, fmt.Errorf("unsupported network type: %s", na.Network)
+	}
+
 	if IsUnixNetwork(na.Network) {
 		isAbstractUnixSocket := strings.HasPrefix(address, "@")
 		if !isAbstractUnixSocket {
diff --git a/modules/caddyhttp/app.go b/modules/caddyhttp/app.go
index 673ebcb8..7a5c1062 100644
--- a/modules/caddyhttp/app.go
+++ b/modules/caddyhttp/app.go
@@ -535,11 +535,6 @@ func (app *App) Start() error {
 						return fmt.Errorf("network '%s' cannot handle HTTP/1 or HTTP/2 connections", listenAddr.Network)
 					}
 
-					if useTLS {
-						// create TLS listener - this enables and terminates TLS
-						ln = tls.NewListener(ln, tlsCfg)
-					}
-
 					// wrap listener before TLS (up to the TLS placeholder wrapper)
 					var lnWrapperIdx int
 					for i, lnWrapper := range srv.listenerWrappers {
@@ -550,6 +545,11 @@ func (app *App) Start() error {
 						ln = lnWrapper.WrapListener(ln)
 					}
 
+					if useTLS {
+						// create TLS listener - this enables and terminates TLS
+						ln = tls.NewListener(ln, tlsCfg)
+					}
+
 					// finish wrapping listener where we left off before TLS
 					for i := lnWrapperIdx; i < len(srv.listenerWrappers); i++ {
 						ln = srv.listenerWrappers[i].WrapListener(ln)