Access blocked to a subfolder

1. Caddy version (caddy version):

caddy version
(devel)

2. How I run Caddy:

Dockerfile

FROM alpine:latest

# we are installing caddy using curl + bash
# so here come the dependencies
RUN apk add --no-cache \
    bash \
    curl \
    caddy
EXPOSE 443
CMD ["caddy","run", "--config", "/etc/Caddyfile"]

a. System environment:

inside a docker of alpine:latest

b. Command:

CMD ["caddy","run", "--config", "/etc/Caddyfile"]

c. Service/unit/compose file:

version: '3'

services:

  client:
    container_name: client
    image: test_client:latest
    restart: always
    ports:
      - "80:80"
      - "443:443"
    links:
      - express
    volumes:
      - /home/opc/persist/.caddy:/root/.caddy


  express:
    container_name: express
    build: express
    image: test_express:latest
    environment:
      - NODE_ENV=test
    restart: always

d. My complete Caddyfile or JSON config:

      :443 {

        tls     /etc/caddy/cert.pem /etc/caddy/key.pem

        log {
                output file /var/log/caddylog.log
        }

        root *  /var/www/html
        file_server

        encode gzip

        route  /api* {

           uri strip_prefix  /api
           reverse_proxy  express:3000 {
                  header_up  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

           }

        }
     
        header /api ?Cache-Control

    }

3. The problem I’m having:

The webapp itself works great. However, there is a route under the “share” path that requests cannot reach.
In the caddy1 version, our Caddyfile did enable it:

 {$PRIVATE_IP}:80 {$CADDY_SUBDOMAIN}.companyname.com:443 {

        tls     /etc/caddy/cert.pem /etc/caddy/key.pem

        log     /oapi    stdout "{remote} {method} {uri} {proto} {status} {size} {latency_ms}"

        log     /share    stdout "{remote} {method} {uri} {proto} {status} {size} {latency_ms}"

        errors
        root    /var/www/html
        gzip     

        proxy   /api    express:3000 {
            without     /api
            transparent
        }

        proxy   /share    express:3000/share {
            without     /share
            transparent
        }

        header / {

            -Server
            X-Frame-Options "DENY"
            Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
            Cache-Control "max-age=259200"
        }
        
        header /agroapi -Cache-Control
        header /share -Cache-Control
        header /api -Cache-Control



    }

4. Error messages and/or full log output:

in the browser:

This test.companyname.com page can’t be found
No webpage was found for the web address: https://test.companyname.com/share/finding/7260613/user/7
HTTP ERROR 404

5. What I already tried:

tryout 1):

        route  /api/share* {
           uri strip_prefix  /api/share
           reverse_proxy  express:3000/share {
                  header_up  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
           }
        }

tryout 2):

         reverse_proxy /share/*  express:3000/share {
                   header_up  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
         }

The need for this “shared” is to expose resources to users that are not logged into the webapp.

I guess the update from caddy1 to latest missed this part.

Thanks!

Here is the log from caddylog:

{
    "level": "error",
    "ts": 1640613200.5454836,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
        "remote_addr": "172.31.7.126:45372",
        "proto": "HTTP/1.1",
        "method": "GET",
        "host": "test.companyname.com",
        "uri": "/share/finding/7260613/user/7",
        "headers": {
            "Sec-Ch-Ua-Mobile": ["?0"],
            "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"],
            "Sec-Ch-Ua-Platform": ["\"Windows\""],
            "Sec-Fetch-Site": ["same-origin"],
            "Sec-Fetch-Mode": ["same-origin"],
            "Referer": ["https://www.google.com/"],
            "X-Forwarded-For": ["31.154.238.71"],
            "X-Forwarded-Proto": ["https"],
            "Sec-Ch-Ua": ["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\""],
            "Accept-Language": ["en-US,en;q=0.9"],
            "Accept": ["text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"],
            "X-Forwarded-Port": ["443"],
            "X-Amzn-Trace-Id": ["Root=1-61c9c550-7852e55806846aa4194c11fd"],
            "Upgrade-Insecure-Requests": ["1"],
            "Sec-Fetch-Dest": ["empty"],
            "Accept-Encoding": ["gzip, deflate, br"],
            "Cookie": ["..."]
        },
        "tls": {
            "resumed": false,
            "version": 771,
            "cipher_suite": 49199,
            "proto": "",
            "proto_mutual": true,
            "server_name": ""
        }
    },
    "common_log": "172.31.7.126 - - [27/Dec/2021:13:53:20 +0000] \"GET /share/finding/7260613/user/7 HTTP/1.1\" 404 0",
    "user_id": "",
    "duration": 0.000074341,
    "size": 0,
    "status": 404,
    "resp_headers": {
        "Server": ["Caddy"]
    }
}

Caddy v2’s reverse_proxy doesn’t allow simultaneously rewriting the path – don’t include /share in the upstream address.

Try something like this:

:443 {
	tls /etc/caddy/cert.pem /etc/caddy/key.pem
	log {
		output file /var/log/caddylog.log
	}

	header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

	encode gzip

	handle_path /api* {
		reverse_proxy express:3000
	}

	handle /share* {
		reverse_proxy express:3000
	}

	handle {
		root * /var/www/html
		file_server
	}
}

This makes use of handle blocks which are mutually exclusive with each other (only the first matching handle or handle_path will run).

And handle_path is a shortcut for handle + uri strip_prefix, so it’s kinda like the without from Caddy v1.

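To make the first-match behaviour of handle / handle_path concrete, here is an added Python model of the routing described in the reply above. It is not Caddy's code and not part of this thread; it reduces each block to a path matcher, an upstream and an optional stripped prefix, and assumes Caddy's documented rules: a matcher ending in `*` is a bare prefix (so `/api*` also matches `/apiary`), `strip_prefix` removes the literal prefix and an emptied path becomes `/`, and blocks are tried in order with the first match winning. The paths `/share/finding/7260613/user/7` and `/api/crops` come from the logs in this thread; `/apiary` is a constructed sample.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Block:
    """One handle/handle_path block from the Caddyfile, reduced to what matters here."""
    matcher: Optional[str]        # path matcher such as "/api*"; None = catch-all handle
    upstream: Optional[str]       # reverse_proxy target, or None for file_server
    strip: Optional[str] = None   # prefix removed before proxying (handle_path's strip_prefix)

def path_matches(matcher: Optional[str], path: str) -> bool:
    # Assumption (Caddy's documented rule): a trailing '*' makes the matcher a
    # plain prefix, so "/api*" matches "/api", "/api/crops" and also "/apiary".
    if matcher is None:
        return True
    if matcher.endswith("*"):
        return path.startswith(matcher[:-1])
    return path == matcher

def strip_prefix(path: str, prefix: Optional[str]) -> str:
    # Assumption: the literal prefix is removed; a fully consumed path becomes "/".
    if prefix and path.startswith(prefix):
        return path[len(prefix):] or "/"
    return path

def dispatch(blocks: List[Block], path: str) -> Tuple[str, str]:
    """Return (handler, path as that handler sees it) for the first matching block."""
    for block in blocks:
        if path_matches(block.matcher, path):
            if block.upstream is None:
                return ("file_server", path)
            return (block.upstream, strip_prefix(path, block.strip))
    return ("no handler", path)

# The poster's original layout: a top-level file_server plus route /api*.
# Everything that is not /api* falls through to file_server, which has no
# /share/... file on disk, which is the 404 seen in the first access log.
ORIGINAL = [
    Block("/api*", "express:3000", strip="/api"),
    Block(None, None),
]

# The layout suggested in the reply: handle_path /api*, handle /share*, catch-all handle.
SUGGESTED = [
    Block("/api*", "express:3000", strip="/api"),   # handle_path /api* { reverse_proxy express:3000 }
    Block("/share*", "express:3000"),               # handle /share* { reverse_proxy express:3000 }
    Block(None, None),                              # handle { root * /var/www/html; file_server }
]

SAMPLE_PATHS = [
    "/share/finding/7260613/user/7",  # the failing URL from the thread
    "/api/crops",                     # an API call from the second log excerpt
    "/index.html",                    # a static asset served by file_server
    "/apiary",                        # constructed: shows the bare-prefix over-match
]

def route_table(blocks: List[Block]) -> dict:
    """Map each sample path to the (handler, seen path) pair the block list yields."""
    return {p: dispatch(blocks, p) for p in SAMPLE_PATHS}

if __name__ == "__main__":
    for name, blocks in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        print(name)
        for path, (handler, seen) in route_table(blocks).items():
            print(f"  {path:32} -> {handler:14} sees {seen}")
```

Two things the table makes visible: with the original layout `/share/...` never reaches the proxy because the catch-all file_server claims it, and with the suggested layout `/share*` is forwarded with its path intact while `/api*` has the prefix stripped. The `/apiary` row is the caveat to keep in mind when a prefix block guards an internal service: `/api*` matches any path that merely begins with `/api`, whereas Caddy documents `/api/*` as the form that matches only paths under that directory. The reply's config also moves HSTS from `header_up` to `header`, which matters because `header_up` changes the request sent to the upstream while `header` sets the response header the browser actually sees.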

Now everything is blocked; I receive 404 in devtools for all the APIs, and the caddylog is as follows:

{
    "level": "error",
    "ts": 1640618944.404541,
    "logger": "http.log.access.log0",
    "msg": "handled request",
    "request": {
        "remote_addr": "172.31.32.127:41290",
        "proto": "HTTP/1.1",
        "method": "GET",
        "host": "test.companyname.com",
        "uri": "/api/crops",
        "headers": {
            "Sec-Ch-Ua-Platform": ["\"Windows\""],
            "Content-Type": ["application/json"],
            "Accept-Language": ["en-US,en;q=0.9"],
            "X-Forwarded-For": ["31.154.238.71"],
            "X-Forwarded-Port": ["443"],
            "Accept": ["application/json, text/plain, */*"],
            "Accept-Encoding": ["gzip, deflate, br"],
            "Sec-Fetch-Site": ["same-origin"],
            "Sec-Fetch-Mode": ["cors"],
            "X-Amzn-Trace-Id": ["Root=1-61c9dbc0-6a99ea69495225025d827113"],
            "Sec-Ch-Ua": ["\" Not A;Brand\";v=\"99\", \"Chromium\";v=\"96\", \"Google Chrome\";v=\"96\""],
            "Sec-Ch-Ua-Mobile": ["?0"],
            "Referer": ["https://test.comapnyname.com/"],
            "Cookie": [""],
            "X-Forwarded-Proto": ["https"],
            "User-Agent": ["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36"],
            "Sec-Fetch-Dest": ["empty"]
        },
        "tls": {
            "resumed": false,
            "version": 771,
            "cipher_suite": 49199,
            "proto": "",
            "proto_mutual": true,
            "server_name": ""
        }
    },
    "common_log": "172.31.32.127 - - [27/Dec/2021:15:29:04 +0000] \"GET /api/crops HTTP/1.1\" 404 0",
    "user_id": "",
    "duration": 0.000047121,
    "size": 0,
    "status": 404,
    "resp_headers": {
        "Server": ["Caddy"]
    }
}

What’s your Caddyfile at this point? I can’t really make any assumptions about the meaning of the logs without the exact config.

Also, enable the debug global option to get more details as to what Caddy is doing. Add this at the top of your Caddyfile:

{
	debug
}

The caddy is what you suggested.
I’ll add the debug and check again.
Thanks

Thank you!

Here is the working version of Caddyfile:

      {
         debug
      }

      :443 {

        tls     /etc/caddy/cert.pem /etc/caddy/key.pem

        log {
                output file /var/log/caddylog.log
        }

        root *  /var/www/html
        file_server

        encode gzip

        route  /api* {

           uri strip_prefix  /api
           reverse_proxy  express:3000 {
                  header_up  Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"

           }

        }

        handle /share* {
                reverse_proxy express:3000
        }

        header /agroapi ?Cache-Control

    }

Thank you for your time and effort!

