Block query of reverse_proxy

1. Caddy version (2.3.0):

2. How I run Caddy:

using Docker

a. System environment:

Debian GNU/Linux 10 (buster)

containerd.io/buster,now 1.4.3-1 amd64
docker-ce-cli/buster,now 5:20.10.2~3-0~debian-buster amd64
docker-ce-rootless-extras/buster,now 5:20.10.2~3-0~debian-buster amd64
docker-ce/buster,now 5:20.10.2~3-0~debian-buster amd64
docker-compose/stable,now 1.21.0-3 all

b. Command:

from Dockerfile:

"/bin/parent" "caddy" "--conf" "/etc/Caddyfile" "--log" "stdout" "--agree=$ACME_AGREE"

c. Service/unit/compose file:

docker-compose.yml:

version: '3.3'

services:
  caddy:
    image: caddy:2-alpine
    network_mode: host
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "./Caddyfile:/etc/caddy/Caddyfile"
      - "./caddy_data:/data"
      - "./caddy_config:/config"
      - "./public:/public:ro"
    restart: unless-stopped

d. My complete Caddyfile or JSON config:

dns.my_domain.de {
	respond /*overTimeData* 403

	reverse_proxy localhost:10501 {

		header_down Referrer-Policy "strict-origin-when-cross-origin"
		header_down Strict-Transport-Security "max-age=15768000"
		header_down X-Frame-Options "sameorigin"
	}

	redir / /admin 301

}

3. The problem I’m having:

I would like to block all queries/requests which include overTimeData.
But it is still possible to open https://dns.my_domain.de/admin/api.php?overTimeData10mins

4. Error messages and/or full log output:

no error message

5. What I already tried:

I have already tried:

respond /forbidden/* 403
rewrite /*overTimeData* /forbidden

and

respond /admin/forbidden/* 403
rewrite /*overTimeData* /forbidden

instead of respond /*overTimeData* 403.

6. Links to relevant resources:

That doesn’t look right - those are options from Caddy v1, which had a different command line interface.

Your docker-compose.yml does look correct though.

So, overTimeData is not part of the path, it’s part of the query in the URL. So you can’t use a path matcher for that. Anyways, I don’t think infix wildcards work in regular path matchers, you would need a path_regexp to match for that.

Typically I would suggest a query matcher for this, but Caddy’s query matcher can only match exact values or any value, no wildcards. So I think using a CEL expression matcher with the {query} placeholder is your best bet:

Thanks for your help, using an expression solved the problem:

	@overTimeData {
		expression {query}.contains("overTimeData")
	}
	respond @overTimeData 403
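To make the path-versus-query point concrete, here is an added example (not code from the thread or from Caddy) that models how the two rules above see the request URL: the original `respond /*overTimeData* 403` only looks at `{path}`, while the expression matcher looks at `{query}`. It assumes, as Caddy's placeholders suggest, that `{query}` is the undecoded query string; the `query_contains_normalized` variant is my own stricter check that also tests the percent-decoded form.

```python
"""Model of the Caddy matchers discussed in this thread (constructed example)."""
import fnmatch
from urllib.parse import unquote, urlsplit

# Constructed sample URL, taken from the problem description.
SAMPLE_URL = "https://dns.my_domain.de/admin/api.php?overTimeData10mins"


def split_request(url: str):
    """Return (path, query) the way Caddy exposes the {path} and {query} placeholders."""
    parts = urlsplit(url)
    return parts.path, parts.query


def path_matcher(url: str, pattern: str) -> bool:
    """Model of `respond /*overTimeData* 403`: only the path is tested.

    Modelled generously with shell-style globbing, i.e. as if infix wildcards
    worked; even then it cannot match, because the text lives in the query.
    """
    path, _ = split_request(url)
    return fnmatch.fnmatchcase(path, pattern)


def query_contains(url: str, needle: str) -> bool:
    """Model of `expression {query}.contains("overTimeData")` on the raw query."""
    _, query = split_request(url)
    return needle in query


def query_contains_normalized(url: str, needle: str) -> bool:
    """Stricter variant (my addition): also test the percent-decoded query.

    A substring test on the raw query only sees the literal spelling; decoding
    first makes the block robust against alternative encodings of the same name.
    """
    _, query = split_request(url)
    return needle in query or needle in unquote(query)


if __name__ == "__main__":
    for url in (SAMPLE_URL, "https://dns.my_domain.de/admin"):
        print(url)
        print("  path matcher  :", path_matcher(url, "/*overTimeData*"))
        print("  query matcher :", query_contains(url, "overTimeData"))
        print("  normalized    :", query_contains_normalized(url, "overTimeData"))
```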

That doesn’t look right - those are options from Caddy v1, which had a different command line interface.

I also checked this again. It seems I had accidentally inspected the layer of the old Caddy 1 image, which I had used before I changed to Caddy 2.

