Headers in dev and prod

1. The problem I’m having:

I need some advice. I would like content from an s3 bucket (which is proxied with Caddy) to be served on 1) my website; 2) localhost (for development). For this I’m adding several header_down clauses to the reverse proxy configuration.

According to the docs, you can add headers multiple times, so I’m adding 2 Access-Control-Allow-Origin headers, one for the prod domain, and one for the localhost.

The problem is that the presence of the 2nd header breaks things. If both headers are present, neither of the cases works. If any 1 header is present, that particular case works.

Is there a way to have both?

2. Error messages and/or full log output:

No specific errors

3. Caddy version:

2.7.6

4. How I installed and ran Caddy:

Caddy is run via docker compose

a. System environment:

Ubuntu 22

d. My complete Caddy config:

{
        admin 0.0.0.0:2045
        auto_https disable_redirects
        email d@subjective.agency
        acme_dns cloudflare <cloudflare token>

        log {
                output file /var/log/caddy/ctrl_access.log
        }
}

(cloudflare) {
        tls {
                protocols tls1.3
                key_type p256
                dns cloudflare <cloudflare token>
                resolvers 1.1.1.1
        }
}

(fauth) {
        reverse_proxy /outpost.goauthentik.io/* http://<ip_address>:50900
        forward_auth http://<ip_address>:50900 {
                uri /outpost.goauthentik.io/auth/caddy
                copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Aut>
                trusted_proxies private_ranges
        }
}

*.subjective.agency {
        import cloudflare

        @garage_s3 host s3.subjective.agency
        handle @garage_s3 {
                reverse_proxy 10.0.0.3:3900 {
                        health_uri /health
                        health_port 3903
                        header_down +Access-Control-Allow-Origin "http://localhost:8000"
                        header_down +Access-Control-Allow-Origin "https://wapaganda.subjective.agency"
                        header_down +Access-Control-Allow-Credentials "true"
                }
        }

        @garage_web host *.data.subjective.agency
        handle @garage_web {
                reverse_proxy 10.0.0.3:3902 {
                        health_uri /health
                        health_port 3903
                }
        }

        @garage_admin host garage.subjective.agency
        handle @garage_admin {
                reverse_proxy 10.0.0.3:3903 {
                        health_uri /health
                        health_port 3903
                }
        }
}

This is pretty old. Upgrade to 2.8.4.

Multiple Access-Control-Allow-Origin headers are disallowed by the spec.

Depending on how your development network access is set up, you might be able to utilize the client_ip matcher, the Referer header, or another approach that fits your environment.

Oh, didn’t know that. Thanks. I will research these options.
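
One way to send a single Access-Control-Allow-Origin value per response is to match the request's Origin header against an exact allowlist and emit only the matching origin. This is an added example, not part of the original thread or the poster's config; the matcher names `@cors_prod` and `@cors_dev` are hypothetical, and the upstream address and origins are taken from the question.

```caddyfile
*.subjective.agency {
	import cloudflare

	@garage_s3 host s3.subjective.agency
	handle @garage_s3 {
		# Exact-match allowlist: each matcher fires only when the browser
		# sends that precise Origin value (hypothetical matcher names).
		@cors_prod header Origin https://wapaganda.subjective.agency
		@cors_dev header Origin http://localhost:8000

		# Exactly one of these blocks applies to a given request, so the
		# response carries a single Access-Control-Allow-Origin value.
		header @cors_prod {
			Access-Control-Allow-Origin https://wapaganda.subjective.agency
			Access-Control-Allow-Credentials true
			+Vary Origin
			# Apply when the response is written, after the proxy has
			# copied the upstream headers.
			defer
		}
		header @cors_dev {
			Access-Control-Allow-Origin http://localhost:8000
			Access-Control-Allow-Credentials true
			+Vary Origin
			defer
		}

		reverse_proxy 10.0.0.3:3900 {
			health_uri /health
			health_port 3903
			# Strip any CORS headers the upstream sets so they cannot
			# be sent alongside the ones chosen above.
			header_down -Access-Control-Allow-Origin
			header_down -Access-Control-Allow-Credentials
		}
	}
}
```

Requests whose Origin is not on the allowlist get no CORS headers at all, which matters because credentials are enabled. `Vary: Origin` keeps a shared cache from replaying a response generated for one origin to the other.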