Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
httpcaddyfile: Bring
enforce_origin
andorigins
to admin config #3595httpcaddyfile: Bring
enforce_origin
andorigins
to admin config #3595Changes from 5 commits
dd1190f
f51a2dc
2d23e35
158a2f3
7ab8ff6
047cc26
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This admin config typically does:
localhost:2019
(address argument left empty in theadmin <address> | off { ... }
)ensure_origin
(not set in the caddyfile)There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure I understand this part...
FYI reverse proxying to the admin endpoint within the same Caddy instance/config will not work (because of a chicken-egg problem). I am not sure if that is what you are referring to, but just wanted to clarify that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure what kind of scenario you are referring to, may I just clarify my usecase here:
10.147.17.12
./api/caddy
, so only trusted devices can get to the admin endpoint of my caddy server, and the data is encrypted in the public network. The config is as follows:host not allowed
reported:10.147.17.12
to the admin config:10.147.17.12
with10.147.17.12:443
in origins field, I cannot get the config whether I specified port in client request or not:10.147.17.12
as host for checking, so only10.147.17.12
without specifying port with work.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for explaining!
This will be problematic. Config changes through this proxy will wait for the admin endpoint to return, obviously, but the admin endpoint will be waiting for the reverse proxy to return, for a graceful reload. So it's a chicken-and-egg problem that I don't know how to solve yet.
Unrelated to this PR, but I thought you should know.
Correct; alternatively, you can have the proxy change the Host and Origin headers as they go upstream to the backend.
Caddy is not removing the port. The
Host
header won't usually include a port for standard ports (that is up to the HTTP client). In this case,curl
does not append:443
to the header. Caddy does not change them.