Change tls ask querystring?

1. Output of caddy version: 2.6.2

2. How I run Caddy:

docker compose

a. System environment:

caddy:2.6.2-builder

b. Command:

CMD ["caddy", "run", "--config", "/usr/caddy/Caddyfile", "--adapter", "caddyfile"]

c. Service/unit/compose file:

FROM caddy:2.6.2-builder AS builder

RUN xcaddy build \
    --with github.com/gamalan/caddy-tlsredis

FROM caddy:2.6.2

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

RUN mkdir -p /usr/caddy
COPY Caddyfile /usr/caddy

# Run Caddy in the foreground as the container's main process. A RUN at
# build time would only start (and then lose) a background caddy inside
# the image layer, and the base image's default CMD would never see this Caddyfile.
CMD ["caddy", "run", "--config", "/usr/caddy/Caddyfile", "--adapter", "caddyfile"]

d. My complete Caddy config:

{
	on_demand_tls {
		ask {$SSL_PROXY_ALLOW_API}
		interval 2m
		burst    5
	}
	storage redis {
		"address": "",
		"host": "{$REDIS_HOST}",
		"port": "{$REDIS_PORT}",
		"db": {$REDIS_DB},
		"password": "{$REDIS_PASSWORD}",
		"timeout": 5,
		"key_prefix": "",
		"value_prefix": "",
		"tls_enabled": true,
		"tls_insecure": false
	}
}

https://
tls {
	on_demand
}
reverse_proxy / {$PROXY_BACKEND}

3. The problem I’m having:

I’m trying to use an existing domain verification API that I sadly don’t have access to edit; it’s an env variable in the config, but it resolves to https://10.0.0.32/v2/verificationapi/

Currently it returns a 204 for allowed domains specified directly after the URL, i.e. https://10.0.0.32/v2/verificationapi/alloweddomain.com, and a 404 for anything not allowed. However, Caddy formats its ask requests as https://10.0.0.32/v2/verificationapi/?domain=alloweddomain.com.

As I don’t have access to edit the API, I’m wondering if there’s any way to change the format in which Caddy sends its ask requests, or to redirect it.

4. Error messages and/or full log output:

n/a

5. What I already tried:

6. Links to relevant resources:

No, it’s hard-coded.

You could hack around it by using a site in Caddy to perform a rewrite, though.

{
	on_demand_tls {
		ask http://localhost:5001/
	}
}

https:// {
	tls {
		on_demand
	}
	reverse_proxy {$PROXY_BACKEND}
}

# Helper site: Caddy asks itself, rewrites ?domain=<name> into the
# path form the API expects, and proxies to the real API over HTTPS
# (the API URL in the question is https://, not http://).
:5001 {
	# loopback only; nothing but the ask URL should be able to reach this site
	bind 127.0.0.1
	rewrite * /v2/verificationapi/{query.domain}
	reverse_proxy https://10.0.0.32
}

FYI, your syntax for storage redis is incorrect. Caddyfile config is not JSON.

And you should remove the / from your reverse_proxy. Path matching in Caddy is exact, so a matcher of / will only match exactly / and nothing else; only requests to your home page would be proxied, and everything else would get an empty response.

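A hardened version of the rewrite shim, added here as a worked example; it is not the reply's config and not something shipped by the Caddy project. It assumes the same API at https://10.0.0.32, the same shim port 5001, and Caddy 2.6.2's behaviour of treating any 2xx ask response as permission to issue (so the API's 204 passes through unchanged and its 404 denies). The hostname regex and the commented `tls_trusted_ca_certs` path are illustrative assumptions. The security point it adds to the reply: the value in `{query.domain}` is whatever name a client put in its TLS ClientHello, so it is validated before being spliced into the API path, the original query string is dropped from the rewritten URI, and the shim only listens on loopback.

```caddyfile
{
	on_demand_tls {
		# Caddy appends ?domain=<SNI name> to this URL on every ask and
		# allows issuance only when the response status is 2xx.
		ask http://127.0.0.1:5001/
		interval 2m
		burst    5
	}
}

https:// {
	tls {
		on_demand
	}
	reverse_proxy {$PROXY_BACKEND}
}

# Loopback-only shim (example, not part of the original reply): translates
# Caddy's ?domain= query into the path-style URL the existing API expects.
http://127.0.0.1:5001 {
	bind 127.0.0.1

	# The domain is client-controlled (it comes from the TLS ClientHello).
	# Only forward values that look like a dotted hostname, so a crafted
	# SNI cannot splice "../", "?" or other segments into the API path.
	# Regex is an assumption: labels of letters, digits and hyphens, at least one dot.
	@hostname vars_regexp {query.domain} `^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$`

	handle @hostname {
		# Trailing "?" replaces the original query string with an empty one,
		# so the API sees /v2/verificationapi/<name> and nothing else.
		rewrite * /v2/verificationapi/{query.domain}?

		# Caddy verifies the API's certificate when proxying to https://.
		# If the API uses an internal CA, add (path is an assumed example):
		#   transport http {
		#       tls_trusted_ca_certs /etc/ssl/internal-ca.pem
		#   }
		reverse_proxy https://10.0.0.32
	}

	# Empty, malformed or otherwise suspicious names are denied here
	# without ever touching the verification API.
	handle {
		respond 403
	}
}
```

From inside the container you can exercise the shim directly: `curl -si 'http://127.0.0.1:5001/?domain=alloweddomain.com'` should pass through the API's 204, while `curl -si 'http://127.0.0.1:5001/?domain=../secret'` gets a 403 from Caddy itself, with no request made to 10.0.0.32. Because the API is addressed by IP, its certificate needs a matching IP SAN, or the transport needs `tls_server_name` set to the name on the certificate; which one applies depends on the certificate you actually have.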

This topic was automatically closed after 30 days. New replies are no longer allowed.