Bug in enforce_origin?

Help
1

1. Caddy version (caddy version):

# caddy version
v2.5.0-beta.1 h1:lF5wWqqDJ6HjETbnBILvTAeKcThsz1+OeWB+d1tWxp4=

2. How I run Caddy:

docker

d. My complete Caddyfile or JSON config:

{
    admin 127.0.0.1:2019 {
        origins "http://localhost:2019"
        # enforce_origin
    }

    debug
}

3. The problem I’m having:

Steps to reproduce:

  1. caddy run
INFO    admin   admin endpoint started  {"address": "tcp/127.0.0.1:2019", "enforce_origin": false, "origins": ["http://localhost:2019"]}
  1. Uncomment enforce_origin
  2. caddy reload

Note that this reload worked

  1. caddy reload
reload: sending configuration to instance: caddy responded with error: HTTP 403: {"error":"client is not allowed to access from origin 'localhost:2019'"}

caddy log:

ERROR   admin.api       request error   {"error": "client is not allowed to access from origin 'localhost:2019'", "status_code": 403}

Is this a:

  1. bug in enforce_origin?
  2. caddy reload isn’t sending admin the correct (origin) headers?
  3. I am misunderstanding something?
1 Like
2

Oh, possibly in the caddy reload command. It needs to add the scheme to the Origin header, looks like we might not be doing that.

Thanks for the report.

1 Like
3

I was able to reproduce the bug. Should be fixed in

Can you confirm? Thanks!

1 Like
4

On it, but since you’re here, I also want to run sockets by you:

        admin unix//tmp/http.sock {
            origins "dummy"  # I probably got this wrong! Please let me know a more realistic one that will appear in the real world
            enforce_origin
        }

access:

curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' https://dummy/config/
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' http://dummy/config/
    {"error":"client is not allowed to access from origin 'dummy'"}
curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' dummy/config/
    {"error":"client is not allowed to access from origin 'dummy'"}
5

Ah yeah, sockets are tricky; we have special handling for that and I’m currently working on something else so I need to find time to check, but I believe enforcing Origin on a unix socket doesn’t make much sense if I recall correctly, can you even connect to a unix socket from a browser page?

1 Like
6

Fair.

I was thinking of using ssh to push config changes.

7

I’m away from the computer right now… If you omit origin on those unix socket commands does it work?

8

This topic was automatically closed after 30 days. New replies are no longer allowed.