Linux rproxy01 4.15.0-55-generic #60-Ubuntu(18.04) SMP Tue Jul 2 18:22:20 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
Relevant portion of Caddyfile:
dps.prod.globi.us {
import dns
reverse_proxy {
to https://ruprod.int.globius.org/dps <---Line 19 is this line
import transparent
}
}
Error output:
root@rproxy01:/etc/caddy# /usr/bin/caddy run --config /etc/caddy/Caddyfile
2020/05/07 06:44:33.309 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
run: adapting config using caddyfile: parsing caddyfile tokens for 'reverse_proxy': /etc/caddy/Caddyfile:19 - Error during parsing: for now, URLs for proxy upstreams only support scheme, host, and port components
Basically what I’m trying to do is when a user goes to the dps.prod.globi.us website, they reach the page internally /dps
I can remove the https:// and the /dps and it’ll work just fine, but when I include both, it gives that error.
It’s telling you that you can’t have a reverse proxy upstream to a subfolder. You may only specify a scheme (e.g. https://), a host (e.g. example.com), and a port (e.g. :8080). Trying to proxy to a subfolder implies a rewrite, which reverse_proxy doesn’t handle.
Instead of defining an upstream with a URI, manipulate the URI yourself before sending it upstream, e.g.
thanks @Whitestrake guess it worked because now I’m battling with Cloudflare 403…not sure all the fields are correctly set, because instead of a forbidden I think I should be getting a captcha, which btw still would be an issue…
Help really appreciated!
I started using caddy some weeks ago because I thought it was amazingly straight forward. I think that as documentation with examples on how to “build” with caddy are put on the site, this will really be the most user friendly think out there
So it’s taking the Authorizationrequest header, looking for instances of Basic and replacing them with mybase64secret:key before passing them forward. This is, predictably, probably what’s breaking your authentication.
Instead, put your header data in quotes so it’s parsed as a single token.
P.S. Since this effectively permanently bypasses a security mechanism, I do hope you’ve got some kind of access control or security on the site you’re serving with Caddy!
P.S.S. There’s also a bunch of headers in there that don’t need to be:
By default, Caddy passes thru incoming headers to the backend—including the Host header—without modifications, with two exceptions:
mmm still stuck at the 403- Forbidden screen at cloudflare, so I’m not sure redirect its working fine. Accessing directly to the end api via postman with http auth secret:token works fine.
About security yes, not a big deal, since I’m only pointing to an endpoint, user would not be able to auth to the rest of the api.
Now removed. Btw something a bit surprising:
If I add the transport tls option, with https://example.com, as you comment its not necessary
adapt: parsing caddyfile tokens for 'reverse_proxy': Caddyfile:24 - Error during parsing: upstream address scheme is HTTP but transport is configured for HTTP+TLS (HTTPS)
Naturally - the two conflict. HTTPS is literally HTTP over TLS. Can’t have HTTP (i.e. no TLS) with transport over TLS, that’s just HTTPS.
To explain a little bit - having to specify tls via the transport subdirective used to be necessary for a HTTPS upstream. Earlier on in the piece, Caddy v2 did not allow you to specify the scheme at all in the upstream. It was just a hostname and port. Now it also accepts scheme and from it, implies the transport. The tls option there is… well, not quite vestigial, because you could still specify example.com upstream and then specify HTTP transport over TLS to say it’s HTTPS. But why, when you could just specify https://example.com?
I guess reverse proxies are quite popular nowadays
@Whitestrake Yes, ops I see I forgot them when copying many thanks for the help provided. I think I will continue other days to see if I finally come up with a solution. For now I’m a bit stuck…
