Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Forcing Scheme and Port to Match #3361

Closed
vtky opened this issue May 6, 2020 · 7 comments
Closed

Forcing Scheme and Port to Match #3361

vtky opened this issue May 6, 2020 · 7 comments
Labels
question ❔ Help is being requested

Comments

@vtky
Copy link

vtky commented May 6, 2020

Hello!

I'd like to find out the rationale for the following code

caddy/modules/caddyhttp/reverseproxy/caddyfile.go

Line 121 in afecd90

if toURL.Scheme == "http" && urlPort == "443" {

It forces http to match port 80 and https to match 443 and there is no way to overwrite if I want to run https on port 80. (unless I'm missing something?)
@mholt
Copy link
Member

mholt commented May 6, 2020

Configuration for the reverse proxy transport is inferred from the upstream address; if it's a "plain" network address (e.g. socket) we use it literally; if it's a URL, we can draw from the different components like scheme and port, so that if you specify https:// we can enable TLS to the upstream implicitly.

But it's problematic if you specify a scheme that says "use TLS" with a port that says "don't use TLS."

Why do you want to run HTTPS on port 80? AFAIK I that defies IANA conventions and expected behavior pretty much everywhere. We want networks to be compatible....

You can do this, of course, but not with implicit means, since the conflict leaves it ambiguous.

(Hopefully that answers your question! I will close the issue but feel free to continue discussion.)

@mholt mholt closed this as completed May 6, 2020
@mholt mholt added the question ❔ Help is being requested label May 6, 2020
@vtky
Copy link
Author

vtky commented May 6, 2020

@mholt Thanks for that! Unfortunately I'm proxying an application that performs SSL on port 80. For now, I'm going to do a custom build of Caddy. Would you and the team consider an option to force an overwrite, if I were to write a patch and submit it?

@mholt
Copy link
Member

mholt commented May 6, 2020
edited
Loading

You can already do this, just don't leave it up to implicit behavior:

reverse_proxy localhost:80 {
    transport http {
        tls
    }
}

At least, I think that'll work. (It's just weird.)

@vtky
Copy link
Author

vtky commented May 6, 2020

Caddy spits out a parsing error.

upstream address scheme is HTTP but transport is configured for HTTP+TLS (HTTPS)

mholt added a commit that referenced this issue May 6, 2020
@mholt
reverseproxy: Allow using TLS for port 80 upstreams (see #3361)
1c17e6c 
An upstream like https://localhost:80 is still forbidden, but an addr of
localhost:80 can be used while explicitly enabling TLS as an override;
we just don't allow the implicit behavior to be ambiguous.
@mholt
Copy link
Member

mholt commented May 6, 2020
edited
Loading

Hmm, I see... I've pushed a fix to master in 1c17e6c @vtky - can you please try it and confirm?

Basically, if a scheme is given explicitly, it must not conflict with port convention, but if the scheme is omitted, i.e. what I showed above, it should work, since there's nothing implicit/hidden going on there.

@vtky
Copy link
Author

vtky commented May 7, 2020

Not sure what went wrong but it still failed. I had to comment out

caddy/modules/caddyhttp/reverseproxy/caddyfile.go

Line 552 in 1c17e6c

if commonScheme == "http" && te.TLSEnabled() {
to L554

Then it works for me.

@mholt
Copy link
Member

mholt commented May 7, 2020
edited
Loading

@vtky are you sure you tried the version from that commit? It worked for me. You need to use the syntax I provided above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question ❔ Help is being requested
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@mholt @vtky