[Caddy] allow user to disable server header via the GUI

[tiny-pangolin]

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

• [X] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
• [X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
• [X] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe. I was configuring Caddy to disable the server header when it was in the community repo but I have not been able to configure Caddy through the plugin to disable the server header.

Describe the solution you'd like I would like to be able to either check a box to remove the server header or have a way to customize headers in the UI

Describe alternatives you've considered I have tried using including the options in /usr/local/etc/caddy/caddy.d but it appears this has to be added to each front end

[Monviech]

Do you mean this? https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#headers Wherever possible, I want to adhere to the defaults. https://caddyserver.com/docs/caddyfile/directives/reverse_proxy#defaults

Can you explain the usecase for the header manipulation that can't use these defaults?

[justinhorton]

Can you explain the usecase for the header manipulation that can't use these defaults?

Not OP, but I had to remove the Authorization header to prevent 400 errors for a Unifi controller. Likely just bad handling on the Unifi side, but as the forum post is 5 years old and I ran into it this year, I doubt it'll be fixed anytime soon.

[Monviech]

@justinhorton I'm surprised by that since I have reports of the Unifi controller working. Heres one: https://forum.opnsense.org/index.php?topic=38714.msg190745#msg190745

I guess this kind of jank depends on the unifi controller version/implementation.

[tiny-pangolin]

When I worked in Web hosting customers requested the header be removed since it is an information disclosure that could help an attacker and I have made a habit of doing this. This an example of of the types of issues customers would report

https://www.tenable.com/plugins/was/98618

[Monviech]

Header manipulation won't be easy to template because of all the options it offers, and because there can be multiple header_up and header_down with regex matching and replacement.

Since Caddy uses sane secure defaults, the security risk of exposed headers should be minimal? (I don't know, not a security expert on webservers).

Maybe somebody wants to contribute the headers logic to this plugin. Though since there are options like nginx and haproxy that have specialized on feature richness, maybe they are the better choice for this?

[justinhorton]

@justinhorton I'm surprised by that since I have reports of the Unifi controller working. Heres one: https://forum.opnsense.org/index.php?topic=38714.msg190745#msg190745

I guess this kind of jank depends on the unifi controller version/implementation.

I just re-tested with my Unifi server (latest version) and it actually has the 400 error message with and without header_up -Authorization and also without Caddy proxying at all. So, I guess this wasn't a valid example and none of my current services need header modifications. Thanks for your work on getting Caddy into OPNsense!

(The "400: Bad Request" message appears very briefly after logging in, before the dashboard loads. So briefly that I had to do a screen recording to discern whether the flash I saw was this message. And also so briefly that I mistakenly thought the header change fixed it in the first place!)

[Monviech]

@justinhorton Thank you for the report, I'm glad it can work without header modifications.

If anybody wants to implement it though, it would probably have to be like the basic auth section. It needs an array section in the model and an own bootgrid where all header manipulations can be saved, and then a model relation field inside the handlers where multiple headers can be selected, the templating working kinda like the basic auth example.

It's a bigger addition with intermediate difficulty.

[Monviech]

I will take ownership of this issue and implement a flexible header menu, since I have a feeling this will be one of the more often requested features.

[Monviech]

Here's a preview of os-caddy-1.5.4 to test the header functionality, any tests are very welcome.

This is a dev version, don't use on mission critical systems

How to install:

1. opnsense-patch 2d45b78
2. curl https://os-caddy-plugin.pischem.com/os-caddy-plugin/dev/os-caddy-1.5.4.pkg -o os-caddy-1.5.4.pkg
3. pkg install ./os-caddy-1.5.4.pkg

EDIT: Here is the up to date documentation: https://github.com/Monviech/opnsense-docs/blob/os-caddy-1.5.3/source/manual/how-tos/caddy.rst