1. Caddy version (caddy version
):
v2.3.0 h1:fnrqJLa3G5vfxcxmOH/+kJOcunPLhSBnjgIvjXV/QTA=
2. How I run Caddy:
N/A
a. System environment:
AWS, Docker
b. Command:
paste command here
c. Service/unit/compose file:
paste full file contents here
d. My complete Caddyfile or JSON config:
paste config here, replacing this text
use `caddy fmt` to make it readable
DO NOT REDACT anything except credentials
or helpers will be sad
3. The problem I’m having:
I have a rather complicated (and large) set up of many services and we are replacing Nginx with caddy as a key component. I almost have everything working - but our test suite fails a bunch of tests.
The failure is due to a request for a javascript asset. If you curl the resource it works fine. However, we found that in our test suite this is returning a 403.
Here are the two requests:
This one is just loading the js code by entering the url in chrome. It works fine:
{
"level": "info",
"ts": 1613176370.9133158,
"logger": "http.log.access",
"msg": "handled request",
"request": {
"remote_addr": "52.42.200.43:35674",
"proto": "HTTP/2.0",
"method": "GET",
"host": "accounts-customer.rayj2.dev.tilia-inc.com",
"uri": "/ui/v1/widget",
"headers": {
"Accept": [
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"Sec-Fetch-Site": [
"none"
],
"Sec-Fetch-User": [
"?1"
],
"Sec-Fetch-Dest": [
"document"
],
"Cache-Control": [
"max-age=0"
],
"Sec-Ch-Ua": [
"\"Chromium\";v=\"88\", \"Google Chrome\";v=\"88\", \";Not A Brand\";v=\"99\""
],
"Sec-Ch-Ua-Mobile": [
"?0"
],
"User-Agent": [
"Mozilla/5.0 (Macintosh; Intel Mac OS X 11_2_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36"
],
"Cookie": [
"_ga=GA1.2.385234868.1564785036"
],
"Upgrade-Insecure-Requests": [
"1"
],
"Sec-Fetch-Mode": [
"navigate"
],
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"en-US,en;q=0.9"
]
},
"tls": {
"resumed": true,
"version": 772,
"cipher_suite": 4865,
"proto": "h2",
"proto_mutual": true,
"server_name": "accounts-customer.rayj2.dev.tilia-inc.com"
}
},
"common_log": "52.42.200.43 - - [13/Feb/2021:00:32:50 +0000] \"GET /ui/v1/widget HTTP/2.0\" 200 2786",
"duration": 0.022670303,
"size": 2786,
"status": 200,
"resp_headers": {
"Content-Type": [
"application/javascript; charset=utf-8"
],
"X-Powered-By": [
"Express"
],
"Date": [
"Sat, 13 Feb 2021 00:32:50 GMT"
],
"Etag": [
"W/\"238a-up84g1q1MAtG33vOoWlOHqoYGvk\""
],
"Cache-Control": [
"private, no-cache, no-store, must-revalidate"
],
"Expires": [
"-1"
],
"Content-Encoding": [
"gzip"
],
"Pragma": [
"no-cache"
],
"Vary": [
"Accept-Encoding"
],
"Server": [
"Caddy"
]
}
}
This one is generated by a selenium test using headless chrome. It fails!
{
"level": "error",
"ts": 1613175786.8073003,
"logger": "http.log.access",
"msg": "handled request",
"request": {
"remote_addr": "172.17.42.1:49848",
"proto": "HTTP/2.0",
"method": "GET",
"host": "accounts-customer.rayj2.dev.tilia-inc.com",
"uri": "/ui/v1/widget",
"headers": {
"Sec-Fetch-Mode": [
"no-cors"
],
"Sec-Fetch-Dest": [
"script"
],
"Referer": [
"https://fake-integrator.rayj2.dev.tilia-inc.com/ui/tos/iframe?account_id=58a15c06-51f0-48a3-b3b9-75190bcb44e2"
],
"Accept-Encoding": [
"gzip, deflate, br"
],
"Accept-Language": [
"en-US"
],
"User-Agent": [
"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/88.0.4324.96 Safari/537.36"
],
"Accept": [
"*/*"
],
"Sec-Fetch-Site": [
"same-site"
]
},
"tls": {
"resumed": false,
"version": 772,
"cipher_suite": 4865,
"proto": "h2",
"proto_mutual": true,
"server_name": "fake-integrator.rayj2.dev.tilia-inc.com"
}
},
"common_log": "172.17.42.1 - - [13/Feb/2021:00:23:06 +0000] \"GET /ui/v1/widget HTTP/2.0\" 403 0",
"duration": 2.457e-05,
"size": 0,
"status": 403,
"resp_headers": {
"Server": [
"Caddy"
]
}
}
The interesting thing is when things work the request makes it to my service. But when I’m getting this 403 - the request is never getting to my service!!! The 403 is returned by Caddy (and I assume the reverse proxy module).
Here is the relevant part of my caddy config:
- match:
- host:
- accounts-customer.rayj2.dev.tilia-inc.com
handle:
- handler: subroute
routes:
- handle:
- handler: reverse_proxy
headers:
request:
set:
Host:
- '{http.request.host}'
X-Forwarded-For:
- '{http.request.remote}'
X-Real-Ip:
- '{http.request.remote}'
upstreams:
- dial: accounts-customer-web:3000
match:
- path:
- /ui/*
- /static/*
terminal: true
- handle:
- handler: reverse_proxy
headers:
request:
set:
Host:
- '{http.request.host}'
X-Forwarded-For:
- '{http.request.remote}'
X-Real-Ip:
- '{http.request.remote}'
upstreams:
- dial: accounts-customer:80
terminal: true
terminal: true
So I certainly have nothing that is telling Caddy to return a 403. The only real difference between the two requests is the headers. (As far as I can tell anyway.)
Under what circumstance is caddy making a decision to return a 403 instead of passing the request along to the downstream service? How do I get it to stop doing that?