Caddy as reverse proxy for git to github.com

1. The problem I’m having:

Given a network constraint, I need to use git through a proxy.
The proxy is Caddy and the team allowed to configure it for me. I gave a configuration to use, but it seems it’s not working; it looks like the communication can’t get back to the client.

2. Error messages and/or full log output:

It seems no errors are shown on the Caddy side. I did add the debug option, but there is no line involving the endpoint of interest.

3. Caddy version:

lucaslorentz/caddy-docker-proxy:2.8.10

4. How I installed and ran Caddy:

/

a. System environment:

Docker

b. Command:

/

c. Service/unit/compose file:

/

d. My complete Caddy config:

Relevant part I provided under handle_path /github/*

api.<redacted>.it {
	handle_path /github/* {
		reverse_proxy https://github.com {
			header_up Host {upstream_hostport} # seemed relevant to allow GitHub to recognize the original request
		}
	}

	reverse_proxy <redacted>:3001
}

5. Links to relevant resources:

git has been configured to use the proxy by issuing the commands below in the repo:
git config http.proxy <redacted>:80/github, same for https 443.
I had to specify the ports otherwise git attempted a connection to port 1080 (socks?)

which results in the block in .git\config

[http]
	proxy = http://api.<redacted>.it:80/github/
[https]
	proxy = https://api.<redacted>.it:443/github/

GIT LOGS

C:\Users\federicod\Downloads\test-proxy>set GIT_CURL_VERBOSE=1
C:\Users\federicod\Downloads\test-proxy>git fetch
22:11:16.915353 http.c:937              == Info: Host <redacted>:80 was resolved.
22:11:16.916341 http.c:937              == Info: IPv6: (none)
22:11:16.917355 http.c:937              == Info: IPv4: <redacted>
22:11:16.919855 http.c:937              == Info:   Trying <redacted>:80...
22:11:16.931407 http.c:937              == Info: CONNECT tunnel: HTTP/1.1 negotiated
22:11:16.931407 http.c:937              == Info: allocate connect buffer
22:11:16.931407 http.c:937              == Info: Establish HTTP proxy tunnel to github.com:443
22:11:16.932378 http.c:884              => Send header, 0000000121 bytes (0x00000079)
22:11:16.933405 http.c:896              => Send header: CONNECT github.com:443 HTTP/1.1
22:11:16.933405 http.c:896              => Send header: Host: github.com:443
22:11:16.934384 http.c:896              => Send header: User-Agent: git/2.46.1.windows.1
22:11:16.934384 http.c:896              => Send header: Proxy-Connection: Keep-Alive
22:11:16.934384 http.c:896              => Send header:
22:11:16.942400 http.c:884              <= Recv header, 0000000033 bytes (0x00000021)
22:11:16.943379 http.c:896              <= Recv header: HTTP/1.1 308 Permanent Redirect
22:11:16.943379 http.c:884              <= Recv header, 0000000019 bytes (0x00000013)
22:11:16.945772 http.c:896              <= Recv header: Connection: close
22:11:16.946815 http.c:884              <= Recv header, 0000000031 bytes (0x0000001f)
22:11:16.947791 http.c:896              <= Recv header: Location: https://github.com/
22:11:16.947791 http.c:884              <= Recv header, 0000000015 bytes (0x0000000f)
22:11:16.948813 http.c:896              <= Recv header: Server: Caddy
22:11:16.948813 http.c:884              <= Recv header, 0000000037 bytes (0x00000025)
22:11:16.948813 http.c:896              <= Recv header: Date: Wed, 23 Oct 2024 20:11:16 GMT
22:11:16.949798 http.c:884              <= Recv header, 0000000019 bytes (0x00000013)
22:11:16.949798 http.c:896              <= Recv header: Content-Length: 0
22:11:16.949798 http.c:884              <= Recv header, 0000000002 bytes (0x00000002)
22:11:16.950796 http.c:896              <= Recv header:
22:11:16.950796 http.c:937              == Info: CONNECT tunnel failed, response 308
22:11:16.950796 http.c:937              == Info: closing connection #0
fatal: unable to access 'https://github.com/maxiride/upptime.git/': CONNECT tunnel failed, response 308

C:\Users\federicod\Downloads\test-proxy>

From my understanding, git did attempt the connection through the proxy, successfully resolved the address and subsequent connection to github but couldn’t complete the round trip I guess.

The 308 error code made me think I provided a wrong configuration. I also did try to reverse proxy to http://github.com, with the same results.

You’re looking for a forward proxy, not a reverse proxy. See GitHub - caddyserver/forwardproxy: Forward proxy plugin for the Caddy web server

2 Likes

Thanks for the link, I guess the difference between a forward and a reverse isn’t that clear for me.

It’s my understanding that a forward proxy would forward to any address, but only GitHub needs to be reachable and only from requests coming from the designated server. Is that something a forward proxy can achieve? Or do I need to mix/match basic Caddy configurations with the plugin configuration?

Ah, in that case reverse_proxy can work, but you’ll always have trouble reverse proxying to a server not under your control because you’re at the whims of that server.

In particular, using a subpath brings complications. See this article:

You might be able to do it using a subdomain instead of a subpath, but 🤷

2 Likes
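
For the requirement raised in the thread (only github.com reachable, and only from one designated machine), a forward proxy can be restricted as in the following added example, which is not from the thread's participants or the Caddy project. It assumes a Caddy build that includes the caddyserver/forwardproxy plugin; the port 3128, the address 203.0.113.10 and the name proxy.example.internal are placeholders.

```caddyfile
# Constructed example; hostname, port and IP below are placeholders.
# Needs a Caddy build that includes github.com/caddyserver/forwardproxy.

# No hostname in the site address: as the git log above shows, the proxy
# request arrives as "CONNECT github.com:443" with "Host: github.com:443",
# so the site has to match any Host value.
http://:3128 {
	# The designated client that may use the proxy (placeholder IP).
	@git_client remote_ip 203.0.113.10

	# route keeps the handlers in the order they are written.
	route {
		forward_proxy @git_client {
			# Tunnels may only be opened to port 443.
			ports 443
			# github.com is allowed, every other destination is refused.
			acl {
				allow github.com
				deny all
			}
		}
		# Everything that was not an allowed proxy request.
		respond 403
	}
}

# Client side: the proxy URL is host and port only, and the setting is
# scoped to GitHub remotes with git's http.<url>.proxy form:
#   git config http.https://github.com/.proxy http://proxy.example.internal:3128
```

The hop to the proxy is plain HTTP here, but the tunnelled session stays TLS end to end between git and github.com, so the proxy sees only the CONNECT target.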
