Bug in enforce_origin?

1. Caddy version (caddy version):

# caddy version
v2.5.0-beta.1 h1:lF5wWqqDJ6HjETbnBILvTAeKcThsz1+OeWB+d1tWxp4=

2. How I run Caddy:


d. My complete Caddyfile or JSON config:

    admin {
        origins "http://localhost:2019"
        # enforce_origin


3. The problem I’m having:

Steps to reproduce:

  1. caddy run
INFO    admin   admin endpoint started  {"address": "tcp/", "enforce_origin": false, "origins": ["http://localhost:2019"]}
  1. Uncomment enforce_origin
  2. caddy reload

Note that this reload worked

  1. caddy reload
reload: sending configuration to instance: caddy responded with error: HTTP 403: {"error":"client is not allowed to access from origin 'localhost:2019'"}

caddy log:

ERROR   admin.api       request error   {"error": "client is not allowed to access from origin 'localhost:2019'", "status_code": 403}

Is this a:

  1. bug in enforce_origin?
  2. caddy reload isn’t sending admin the correct (origin) headers?
  3. I am misunderstanding something?
1 Like

Oh, possibly in the caddy reload command. It needs to add the scheme to the Origin header, looks like we might not be doing that.

Thanks for the report.

1 Like

I was able to reproduce the bug. Should be fixed in

Can you confirm? Thanks!

1 Like

On it, but since you’re here, I also want to run sockets by you:

        admin unix//tmp/http.sock {
            origins "dummy"  # I probably got this wrong! Please let me know a more realistic one that will appear in the real world


curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' https://dummy/config/
    curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' http://dummy/config/
    {"error":"client is not allowed to access from origin 'dummy'"}
curl --unix-socket /tmp/http.sock -X GET -H'Content-Type: application/json' -H'Origin: dummy' dummy/config/
    {"error":"client is not allowed to access from origin 'dummy'"}

Ah yeah, sockets are tricky; we have special handling for that and I’m currently working on something else so I need to find time to check, but I believe enforcing Origin on a unix socket doesn’t make much sense if I recall correctly, can you even connect to a unix socket from a browser page?

1 Like


I was thinking of using ssh to push config changes.

I’m away from the computer right now… If you omit origin on those unix socket commands does it work?

This topic was automatically closed after 30 days. New replies are no longer allowed.