I had a look at the relevant piece of code:

```go
// checkHost returns a handler that wraps next such that
// it will only be called if the request's Host header matches
// a trustworthy/expected value. This helps to mitigate DNS
// rebinding attacks.
func (h adminHandler) checkHost(r *http.Request) error {
	var allowed bool
	for _, allowedHost := range h.allowedOrigins {
		if r.Host == allowedHost {
			allowed = true
			break
		}
	}
	if !allowed {
		return APIError{
			Code: http.StatusForbidden,
			Err:  fmt.Errorf("host not allowed: %s", r.Host),
		}
	}
	return nil
}
```
From that I derive that the host IP (the host Caddy runs on) must be in `origins`. I tried

```json
{
  "admin": {
    "listen": ":2020",
    "origins": ["192.168.10.2:2020"],
    "enforce_origin": false
  }
}
```
and it works!
Since the docs say that `origins` is not used when `enforce_origin` is true, I guess that this should be changed in the documentation (if my analysis is correct).
One drawback of this solution is that I have to explicitly set the IP I will bind to (in `origins`, but not in `listen`).