caddyserver / forwardproxy

Forward proxy plugin for the Caddy web server
Apache License 2.0
603 stars 228 forks

The caddy2 version behaves unexpectedly. #89

Closed ha-ku closed 2 years ago

ha-ku commented 2 years ago

I'm trying to simply set up an HTTPS proxy which has a basic auth check and proxies everything to an HTTP proxy listening on localhost. In the Caddyfile, I write something like:

https://my.domain:31082 {
    route {
        forward_proxy {
            basic_auth user passwd
            upstream http://localhost:31081
        }
    }
}

However, when I do curl -x https://user:passwd@my.domain:31082 https://whatever.site, it results in an error: 1408F10B:SSL routines:ssl3_get_record:wrong version number. When I do curl -x https://user:passwd@my.domain:31082 http://whatever.site, it just returns an empty 200 response even if "whatever.site" does not exist. I have no idea why it behaves like this. Can anyone help?

flyxl commented 2 years ago

+1

flyxl commented 2 years ago

I dug into the Caddy server code and found out that this is related to how Caddy matches a request to a handler. Caddy uses the HTTP Host header to match the domains defined in the config file. However, in the forward proxy scenario, the request's Host is always the target host, which is not your proxy's host. The following is a typical proxy request:

[root@VM_0_4_centos ~]# curl -x https://example.com httpbin.org/ip -v
> GET http://httpbin.org/ip HTTP/1.1
> Host: httpbin.org
> User-Agent: curl/7.81.0
> Accept: */*
> Proxy-Connection: Keep-Alive

You can see that in this case the request Host header is httpbin.org, not example.com. When the Caddy server receives this request, it can't find any route for the target host httpbin.org, so it just responds 200 to the client.
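The routing mismatch described in the comment above, as an added Go example that is not code from this thread or from Caddy itself. It uses Go's net/http request parser (which Caddy is built on) to show what Host looks like for an absolute-form proxy request, a CONNECT tunnel request, and an ordinary origin-form request, and then runs each through a simplified stand-in for a host matcher. The functions route, hostMatches and isProxyRequest, the site address my.domain:31082 and the three sample requests are all constructed for illustration; the matcher is a simplification of Caddy's, not its real implementation.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed sample requests (not taken from the thread's capture). The first is what a
// client sends through an explicit HTTP proxy (absolute-form target, Host = origin), the
// second is the CONNECT tunnel request a client sends for an https:// origin, the third is
// an ordinary origin-form request aimed at a site's own name.
const (
	proxyFormReq  = "GET http://httpbin.org/ip HTTP/1.1\r\nHost: httpbin.org\r\nProxy-Connection: Keep-Alive\r\n\r\n"
	connectReq    = "CONNECT httpbin.org:443 HTTP/1.1\r\nHost: httpbin.org:443\r\n\r\n"
	originFormReq = "GET /ip HTTP/1.1\r\nHost: example.com\r\n\r\n"
)

// parse reads one raw HTTP/1.1 request the way Go's net/http server does. For an
// absolute-form target, net/http sets r.Host from the target and ignores the Host header.
func parse(raw string) (*http.Request, error) {
	return http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
}

// hostOnly strips an optional :port from a host string.
func hostOnly(h string) string {
	if host, _, err := net.SplitHostPort(h); err == nil {
		return host
	}
	return h
}

// hostMatches is a simplified host matcher: it compares the request's Host with a
// configured site address, port ignored, case-insensitive (assumption: Caddy's real
// matcher is richer, but keys on Host in the same way).
func hostMatches(r *http.Request, site string) bool {
	return strings.EqualFold(hostOnly(r.Host), hostOnly(site))
}

// isProxyRequest reports whether the request is one a forward proxy must handle: a
// CONNECT tunnel or an absolute-form target. For both, Host names the origin and never
// the proxy, so a matcher keyed on the proxy's own name can never select it.
func isProxyRequest(r *http.Request) bool {
	return r.Method == http.MethodConnect || r.URL.Host != ""
}

// route reports which handler a request reaches under the two configurations discussed in
// the thread: a site block bound to the proxy's domain (catchall=false), or a port-only
// site block that accepts every Host (catchall=true).
func route(raw, site string, catchall bool) (string, error) {
	r, err := parse(raw)
	if err != nil {
		return "", err
	}
	if !catchall && !hostMatches(r, site) {
		// Host-bound site: nothing matches, so the request falls through to the
		// empty default handler, which is the "empty 200" from the report.
		return "no-route", nil
	}
	if isProxyRequest(r) {
		return "forward_proxy", nil
	}
	return "site", nil
}

func main() {
	for _, raw := range []string{proxyFormReq, connectReq, originFormReq} {
		r, err := parse(raw)
		if err != nil {
			panic(err)
		}
		for _, catchall := range []bool{false, true} {
			h, _ := route(raw, "my.domain:31082", catchall)
			fmt.Printf("%-7s Host=%-16s catchall=%-5v -> %s\n", r.Method, r.Host, catchall, h)
		}
	}
}
```

Running it shows both proxy-style requests landing on "no-route" when the site is bound to my.domain and on "forward_proxy" once the site accepts any Host, which is exactly why the port-only address suggested later in the thread is what makes the plugin reachable. The security-relevant consequence of the catch-all is that the same listener now accepts requests for any Host, so the basic_auth check on the forward_proxy directive is the only thing standing between the open internet and your upstream; keep it, and keep the upstream bound to localhost as in the original Caddyfile.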

mholt commented 2 years ago

I think what I've done with my Caddyfiles is something like:

:443 example.com

forwardproxy ...

in other words, specify a domain name along with a catch-all, port-only address. That should route the requests properly. I haven't finished updating this plugin for v2 due to lack of sponsorship resources to prioritize it. But I think that's basically how you want to do it.

flyxl commented 2 years ago

I think what I've done with my Caddyfiles is something like:

:443 example.com

forwardproxy ...

in other words, specify a domain name along with a catch-all, port-only address. That should route the requests properly. I haven't finished updating this plugin for v2 due to lack of sponsorship resources to prioritize it. But I think that's basically how you want to do it.

This Caddyfile works. Thanks a ton!

mholt commented 2 years ago

No problem. You really only need the :443 (don't restrict the Host), but adding example.com (or rather, your domain) is an easy way to tell Caddy to automate the certificate for that domain.