An HTTP host which is not supposed to be redirected to HTTPS is redirected

1. My Caddy version (caddy version):

~ # ./caddy version
v2.0.0-rc.3 h1:z2H/QnaRscip6aZJxwTbghu3zhC88Vo8l/K57WUce4Q=

2. How I run Caddy:

d. My complete Caddyfile or JSON config:

{
  "admin": {
    "enforce_origin": false,
    "listen": ":2020",
    "origins": [
      "192.168.10.2:2020"
    ]
  },
  "apps": {
    "http": {
      "servers": {
        "srv": {
          "automatic_https": {
            "skip": [
              "dash.swtk.info"
            ]
          },
          "listen": [
            ":443"
          ],
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "reverse_proxy",
                          "upstreams": [
                            {
                              "dial": "172.18.0.22:8080"
                            }
                          ]
                        }
                      ],
                      "match": [
                        {
                          "remote_ip": {
                            "ranges": [
                              "192.168.10.0/24",
                              "192.168.20.0/24"
                            ]
                          }
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "dash.swtk.info"
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "automation": {
        "policies": [
          {
            "issuer": {
              "email": "w@xxx.com",
              "module": "acme"
            }
          }
        ]
      }
    }
  },
  "logging": {
    "logs": {
      "default": {
        "level": "INFO"
      }
    }
  }
}

3. The problem I’m having:

The configuration above is intended to expose http://dash.swtk.info and not have it redirected to HTTPS (nor have LE certs generated).

It does not work, however: the redirection happens:

 # curl http://dash.swtk.info -v
* Rebuilt URL to: http://dash.swtk.info/
*   Trying 192.168.10.2...
* TCP_NODELAY set
* Connected to dash.swtk.info (192.168.10.2) port 80 (#0)
> GET / HTTP/1.1
> Host: dash.swtk.info
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://dash.swtk.info/
< Server: Caddy
< Date: Mon, 04 May 2020 21:05:51 GMT
< Content-Length: 0
<
* Closing connection 0

Is there something I am missing? The JSON configuration above was bootstrapped from:

http://dash.swtk.info {
  reverse_proxy @lan localhost:8080
  @lan {
    remote_ip 192.168.10.0/24 192.168.20.0/24
  }
}

I think this is because your request doesn’t end up being matched by anything, so it falls through to the redirect.

I think you should use this sort of logic instead, to ensure that you block unwanted requests instead of letting them fall through:

http://dash.swtk.info {
  reverse_proxy localhost:8080

  @notLan {
    not remote_ip 192.168.10.0/24 192.168.20.0/24
  }
  respond @notLan 403
}

I am not sure because I have exactly this logic in place for other sites (HTTPS ones) and it restricts the access to the LAN.

Also the JSON seems to show that matching the hostname from the LAN redirects to the upstream server.

I will give it a try though, just to be sure.

Hmm.

Where is that coming from? Shouldn’t that be :80?

Yes, it still gets redirected

This is coming from the full configuration where there are ~20 more sites behind HTTPS (they work fine). Caddy is listening on :80 anyway, for the TLS challenge:

caddy      4226            root    3u  IPv4 8822966      0t0  TCP *:2020 (LISTEN)
caddy      4226            root    8u  IPv4 8823901      0t0  TCP *:443 (LISTEN)
caddy      4226            root    9u  IPv4 8823902      0t0  TCP *:80 (LISTEN)

Should I explicitly state that it should listen on :80 also for other reasons?
(and how does this impact the redirection?)

That was the right track, thanks!

The port :80 had to be explicitly set to listen, even if it was technically open by caddy for the TLS challenge.
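For reference, here is the "srv" server from the JSON above with the fix applied, as an added example rather than the poster's own config: ":80" is added to listen so the plain-HTTP request is handled by this server (where the automatic_https skip applies) instead of by the implicit redirect listener, and a deny-by-default route turns the earlier suggestion (respond @notLan 403) into JSON so non-LAN clients get a 403 rather than falling through. The "not" matcher wrapper and the static_response handler are assumed from Caddy's JSON config structure; the hosts, ranges and upstream are the ones from the thread.

```json
{
  "srv": {
    "listen": [":80", ":443"],
    "automatic_https": {
      "skip": ["dash.swtk.info"]
    },
    "routes": [
      {
        "match": [{"host": ["dash.swtk.info"]}],
        "handle": [
          {
            "handler": "subroute",
            "routes": [
              {
                "match": [
                  {"not": [{"remote_ip": {"ranges": ["192.168.10.0/24", "192.168.20.0/24"]}}]}
                ],
                "handle": [{"handler": "static_response", "status_code": 403}],
                "terminal": true
              },
              {
                "handle": [
                  {"handler": "reverse_proxy", "upstreams": [{"dial": "172.18.0.22:8080"}]}
                ]
              }
            ]
          }
        ],
        "terminal": true
      }
    ]
  }
}
```

With this in place the earlier curl from the LAN should return the upstream's response on port 80 instead of a 308, and a request from outside the two ranges gets an explicit 403 rather than whatever the fall-through produces.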
