Hey guys. I found this discussion [1] and hate it did not turn out well. I am struggling to get Caddy to work for my use case but am convinced it is the best solution and want to keep working at it and help make the platform better.
I need the Admin API available on a public URL but would like some simple API token security so if anyone ever found the end point, they could only call it if they also could found the API key.
Is anyone interested in discussing this? I am happy to help and am very grateful to all the work going in to Caddy.
An approach some have used is to use the origin option as essentially an authentication mechanism. Set the allowed origins to only some secret hash value.
Enable enforce_origin and specify a secret origin (wrapped in an array).
This creates a deadlock. When the admin endpoint applies changes, it waits for the proxied request to finish, but the proxied request doesn’t finish until the changes are applied. It times out after a few seconds and I think it still works, but the admin API client will get an error response because the proxied request was forcefully terminated. You won’t really know if your changes succeeded or not.
I have plans to make the admin endpoint more readily exposable to external networks, but nothing in the short-term dev tree. (Right now my focus is on the website.)
Matt - I am happy to sponsor some development work on this.
Every time I have tried to do anything on that Admin API on any URI other than localhost I lose all ability to connect to Admin.
To start I’d much rather pay a one-time sponsor fee than have to get a monthly support contract from Ardan Labs. But I am kind of dead in the water now and wasting a lot of time with trial and error.
I really think over time I can help you with Caddy if I can use it to support custom domains on Webase. But right now I am merely “a friend in need”!
Hmm, Ardan should be able to do a one-time development service too. Did they say they’ll only do a monthly contract? Let me double check. Did you email Miguel (and/or use our contact form) with your request?
Nice… what I would have expected. So lets add the origin header.
Harriss-MacBook-Pro-4:~ harris$ curl localhost:2019/config/ -H “Origin: webase://pl2ks-9c94kkg-ss9g224”
{“error”:“client is not allowed to access from origin pl2ks-9c94kkg-ss9g224”}
But it still does not work.
How exactly is this origin header technique supposed to work?
FYI, please use ``` on lines before and after your code for code formatting in forum comments. > is for block quotes. Code blocks preserve whitespace correctly and use a monospaced font.
Sweet. It works without a URI scheme. I had put the scheme in there based on the Origin documentation here: Origin - HTTP | MDN
FYI francislavoie … the ``` does not work well when you paste JSON into the forum topic editor. No one loves well-formatted messages more than me! … BUT… this editor is not as robust as Slack and just doesn’t work a good bit of the time!