caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

headers during 301 response in automatic https #1237

Closed omz13 closed 7 years ago

omz13 commented 7 years ago

1. What version of Caddy are you running (caddy -version)?

0.9.3

2. What are you trying to do?

Caddy supports automatic upgrading from http to https. When it gets an http request, it responds with a 301 to redirect to the https equivalent. Excellent. But, when creating the 301 redirect the header directive is not implemented. This means any directives to add or remove headers are not active in that 301 response. I think that any applicable header directive should be respected during the 301 response for automatic https.

3. What is your entire Caddyfile?

Here's the appropriate snippet, to add a few headers and remove the Server header.

header / X-Backend-Server "{hostname}"
header / strict-transport-security "max-age=10886400; includeSubDomains; preload"
header / -Server
header / X-Clacks-Overhead "GNU Terry Pratchett"

4. How did you run Caddy (give the full command and describe the execution environment)?

5. What did you expect to see?

HTTP/1.1 301 Moved Permanently
Location: https://mava.omz13.com/
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-Backend-Server: mon
X-Clacks-Overhead: GNU Terry Pratchett
Date: Thu, 03 Nov 2016 10:47:18 GMT
Content-Length: 58
Content-Type: text/html; charset=utf-8
Connection: close

<a href="https://mava.omz13.com/">Moved Permanently</a>.

6. What did you see instead (give full error messages and/or log)?

When accessing the site over http, the 301 redirect is:

HTTP/1.1 301 Moved Permanently
Location: https://mava.omz13.com/
Server: Caddy
Date: Thu, 03 Nov 2016 10:47:18 GMT
Content-Length: 58
Content-Type: text/html; charset=utf-8
Connection: close

<a href="https://mava.omz13.com/">Moved Permanently</a>.

As observed, none of the header directives have been executed, and the default headers are sent.

If accessing the site via https, the headers are, of course, added or removed as per the header directive, e.g.:

HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Length: 13175
Content-Type: text/html; charset=utf-8
Etag: W/"581628e0-3377"
Last-Modified: Sun, 30 Oct 2016 17:07:44 GMT
Strict-Transport-Security: max-age=10886400; includeSubDomains; preload
X-Backend-Server: mon
X-Clacks-Overhead: GNU Terry Pratchett
Date: Thu, 03 Nov 2016 10:51:17 GMT
Connection: close

I'm guessing that when the 301 is constructed the code logic to do the header add/remove isn't invoked.

7. How can someone who is starting from scratch reproduce this behavior as minimally as possible?

mholt commented 7 years ago

Can you please share the full Caddyfile? The snippet you gave by itself isn't particularly useful.

omz13 commented 7 years ago

mava.omz13.com {
root /var/www/com.omz13.mava
ext .html
log / /var/log/caddy/mava.log {combined} {
    rotate {
        size 10 # Rotate after 10 MB
        age  365  # Keep log files for a year
    }
}
errors {
    log /var/log/caddy/mava.err {
        size 50 # Rotate after 50 MB
        age  30 # Keep rotated files for 30 days
        keep 5  # Keep at most 5 log files
    }
    404 404.html # not found
}

# because we're not wp
status 403 {
    /wp-login.php
    /wp-login/
    /wp-login
}
header / X-Backend-Server "{hostname}"
header / strict-transport-security "max-age=10886400; includeSubDomains; preload"
header / -Server
header / X-Clacks-Overhead "GNU Terry Pratchett"

}

mholt commented 7 years ago

Ah, okay, so you want the header directive to apply to the plaintext version of the same site.

This is a duplicate of #882, which is deferred for lack of a good way to fix the problem. My proposal there is an ugly breaking change which, frankly, I don't even like.

If there's a better way to solve this problem, I'm all ears, but for now I think you'll just have to define the HTTP version of the site yourself (and add the 1 line to do the redirect) if you want custom behavior for it. Sorry. :-/
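The workaround mholt describes, written out as a Caddyfile (added example, not from the issue or the Caddy project; uses the Caddy 0.9 directive syntax and the hostname and root from the report, and assumes the `redir` directive with the `{uri}` placeholder):

```caddyfile
# Added example: define the plaintext site explicitly so Caddy does not
# generate its own redirect, and the header directives apply to the 301.
http://mava.omz13.com {
    # Redirect every request to the HTTPS site, keeping path and query string.
    # redir defaults to a 301 Moved Permanently.
    redir https://mava.omz13.com{uri}

    # Same header policy as the HTTPS site, so the 301 response carries it too.
    header / X-Backend-Server "{hostname}"
    header / -Server
    header / X-Clacks-Overhead "GNU Terry Pratchett"
    # Strict-Transport-Security is deliberately left out here: browsers must
    # ignore it when received over plain HTTP (RFC 6797, section 8.1).
}

https://mava.omz13.com {
    root /var/www/com.omz13.mava
    ext .html

    header / X-Backend-Server "{hostname}"
    header / Strict-Transport-Security "max-age=10886400; includeSubDomains; preload"
    header / -Server
    header / X-Clacks-Overhead "GNU Terry Pratchett"
}
```

Because both sites now have their own block, the header directives must be kept in sync by hand; a `curl -sI http://mava.omz13.com/` against the running server is the quickest way to confirm the 301 no longer carries the default Server header.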