Header manipulation

lepore · March 30, 2020, 1:01am

Hi, guys.
I have been reading the documentation of Caddy v2 and I have not found anything truly helpful about manipulating headers in reverse_proxy directive, besides this:

header_up Sets, adds, removes, or performs a replacement in a request header going upstream to the backend.

header_down Sets, adds, removes, or performs a replacement in a response header coming downstream from the backend.

Is there any documentation about this? I need to learn more about this subject to solve a problem I’m having with the reverse_proxy directive in Caddy v2.

Whitestrake · March 30, 2020, 1:31am

The documentation for reverse_proxy is here: reverse_proxy (Caddyfile directive) — Caddy Documentation

The syntax given for those two, as of writing this post, is as follows:

    # header manipulation
    header_up   [+|-]<field> [<value|regexp> [<replacement>]]
    header_down [+|-]<field> [<value|regexp> [<replacement>]]

The only thing I think is not explained here is the [+|-] syntax. + before a header (e.g. +Server) tells Caddy to add it as a new header rather than setting an existing instance of the header (this can result in two Server headers being sent). - before a header instructs Caddy to strip the header entirely (and renders the [<value|regexp> [<replacement>]] fields fairly redundant, I believe).

matt · March 30, 2020, 1:34am

This is correct.

Should probably add a note about the +/- in the new docs.

lepore · March 30, 2020, 2:03am

I’m probably looking in the wrong place how to solve my problem.
Basically: Caddy → Varnish → Node.js application
In varnish default.vcl there is an acl that does not work, because to varnish all hosts have the ip 127.0.0.1. That’s why I was asking you guys for documentation about header_up and header_down; I thought the issue may be related to headers. I don’t know if the issue is related to varnish.

This is my Caddyfile:

mydomain.tech www.mydomain.tech {
reverse_proxy 127.0.0.1:8080 {
header_up X-Forwarded-Proto {scheme}
header_up X-Forwarded-For {remote}
header_up X-Real-IP {remote}
}
}

matt · March 30, 2020, 2:08am

Ah, so this is an XY problem. I would just ask what your X question is, rather than your Y question, and we’ll help you out.

matt · March 30, 2020, 2:11am

Oh, sorry – did you mean that this is the actual (X) problem?

By default, Caddy 2 sends all (non-hop-by-hop) incoming headers to the upstream as they are. But it depends, where is Varnish getting the IP “127.0.0.1” from?

lepore · March 30, 2020, 3:07am

Even though the request comes from the internet, Varnish sees it as 127.0.0.1.

matt · March 30, 2020, 3:11am

Yes, I get that, but where is it getting that number? What does “sees it as” really mean? Is it looking at a connection’s remote address? or a Host header? or another header? Is it getting that from some configuration? I don’t know how Varnish works, so we’ll need more details. You might consider asking on the Varnish forums if you need help finding out.

Whitestrake · March 30, 2020, 3:14am

You need to tell Varnish to use X-Forwarded-For to determine its client IP addresses instead of the remote IP. That header is the standard for proxies communicating the origin IP of the client.

Not sure how to do this in VCL, sorry.

It’s not possible, realistically, to spoof the actual remote IP address. Doing so would involve having return traffic go directly to the spoofed IP address, for one problem.

matt · March 30, 2020, 3:17am

Luckily, it seems like @Whitestrake has some experience with Varnish

system · April 29, 2020, 3:22am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.