How to remove cookie from request headers?

1. The problem I’m having:

Hi, I am using caddy discord to do an auth to a web service, but as the cookie keeps being passed after using the plugin, so when i request a file, image or audio i keep hitting cf-cache-status: MISS
while using cURL for debugging i get cf-cache-status: HIT

I’d like to remove the cookies on file_server, but i can’t find a way to do so.

2. Error messages and/or full log output:

__Wrong (via caddy)__
HTTP/2 200 
date: Sat, 28 Sep 2024 02:21:12 GMT
content-type: audio/mpeg
content-length: 181053
cache-control: public, max-age=31536000, must-revalidate
etag: "d32h57uhglfdxxx9"
last-modified: Tue, 30 Jul 2024 01:15:12 GMT
permissions-policy: interest-cohort=()
preload: 
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
____cf-cache-status: MISS____
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XT2ufKWmKbxX1PGj75QnyIo%2Fbxxxxxxx39HLwl95G2dM%2FkWHMhDoIC%2Ff8uR2uVOn%2FA%2FBQ5rJxU2lnSao%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8ca0423xxx1e9c-EZE


GET /songs/1420/preview.mp3 HTTP/2
Host: baubau.lena.moe
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Referer: https://baubau.lena.moe/
DNT: 1
Sec-GPC: 1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Connection: keep-alive
Cookie: _DISCORDCADDY_guild_checker_b16125370b6fadc8....

__Good__ via cURL


curl -I https://baubau.lena.moe/songs/1591/main.ogg
HTTP/2 200
date: Sat, 28 Sep 2024 02:11:42 GMT
content-type: audio/ogg
content-length: 2543784
cache-control: public, max-age=31536000, must-revalidate
etag: "cwaebqys7u2o1iiso"
last-modified: Tue, 17 Oct 2023 03:32:12 GMT
permissions-policy: interest-cohort=()
preload:
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
____cf-cache-status: HIT_____
age: 4
accept-ranges: bytes
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vfg%2BhznqFebRSeIOX6xxxxxG2PPiIvSmygpXY6WHrho7iT8tdFSk%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 8ca034517d23xxxx-EZE

3. Caddy version:

v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=

4. How I installed and ran Caddy:

a. System environment:

b. Command:

@cachedFiles {
    path *.mp3 *.ogg *.jpg *.png
}

# Set cache headers for specific file types
header @cachedFiles {
    Cache-Control "public, max-age=666666, must-revalidate"
}

# Modify request headers, removing the _DISCORDCADDY_guild_checker cookie
header {
    # Match and remove the dynamic _DISCORDCADDY_guild_checker_ cookie from request headers
 -Cookie "(?i)(^_DISCORDCADDY_guild_checker_[^;]+;? ?|;? ?_DISCORDCADDY_guild_checker_[^;]+)"
 -Cookie _DISCORDCADDY_guild_checker_
}

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

c. Service/unit/compose file:

PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

d. My complete Caddy config:

https://baubau.lena.moe:443, https://www.baubau.lena.moe:443 {
	import header-gen
	handle_errors {
		rewrite * /{err.status_code}
		reverse_proxy https://http.cat {
			header_up Host {upstream_hostport}
			replace_status {err.status_code}
		}
	}

	handle /sw.js {
		rewrite * /mnt/hdd/data/serv-web/public/sw/sw.js
		php_fastcgi unix//run/php/php8.1-fpm.sock

		file_server 
	}

	@static path_regexp ^/(assets|songs|src|img|audio|fonts|song_skins|live2d_api|api/config)/
	handle @static {
		root * /mnt/hdd/data/serv-web/public/

		@songpreview path_regexp songs ^/songs/([0-9]+)/preview\.mp3$
		handle @songpreview {
			try_files {path} /api/preview?id={re.songs.1}
		}
		@songpreview2 path_regexp songs ^/songs/([0-9]+)/preview\.ogg$
		handle @songpreview2 {
			try_files {path} /api/preview?id={re.songs.1}
		}
		        file_server 

	}

@cachedFiles {
    path *.mp3 *.ogg *.jpg *.png
}

# Set cache headers for specific file types
header @cachedFiles {
    Cache-Control "public, max-age=666666, must-revalidate"
}

# Modify request headers, removing the _DISCORDCADDY_guild_checker cookie
header {
    # Match and remove the dynamic _DISCORDCADDY_guild_checker_ cookie from request headers
 -Cookie "(?i)(^_DISCORDCADDY_guild_checker_[^;]+;? ?|;? ?_DISCORDCADDY_guild_checker_[^;]+)"
 -Cookie _DISCORDCADDY_guild_checker_
}
	
	handle /favicon.ico {
	    root * /mnt/hdd/data/serv-web/public
	    file_server
	}	

	@wasm {
		path *.wasm
	}
	header @wasm Content-Type application/wasm

	route /discordauth/callback {
		discord callback
	}

	route /* {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}

	route /api/preview {
		reverse_proxy 127.0.0.1:34801
	}
	
	route /p2* {
		# Multiplayer endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34802
	}

	respond "Welcome to nothing"
}
PASTE OVER THIS, BETWEEN THE ``` LINES.
Please use the preview pane to ensure it looks nice.

5. Links to relevant resources:

See the docs for the header directive. Neither of those match any of the supported modes.

Notice that -<field> doesn’t take any arguments. This can only delete the entire header, it doesn’t change the value of a header.

If you want to replace the contents of a header (e.g. Cookie) to remove parts of it, then yeah, the regexp replacement mode is what you want (but to do that, remove the leading -). The syntax is <field> <find> <replace>, so you might do something like:

header Cookie ([^|;]?)_DISCORDCADDY_guild_checker=[^;]*(;|$) "$1"

The "$1" at the end means that the replacement is the matched value of the first capture group; I chose to write the regexp this way because Go doesn’t have lookbehinds in the RE2 regexp engine, so matching a predecing ; or ^ (start of the text) will make sure it only matches the start of a cookie name and not somewhere in the middle of a cookie value if you were so unlucky to have a cookie value with the same as your cookie name. So effectively it will replace the match with just a ; if it wasn’t the first cookie in the header value. You can play around with https://regex101.com/ to get it just right, make sure to choose the Golang mode.

Thanks for the swift response and my apologies for the long delay

I been trying the whole day for different alternatives but no one seems to work they way I need it

Ended up rewriting a lot of the config because I’ve thought the import order mattered but I am not sure if that was the issue.

• As testing method I’ve tried, cleaning browser cookies, storage, disabling cache in network tab, cleaning cf cache (Purge everything).

• I’ve tried adding test cookies to see if the route works but i see no changes in the cookies header

• Could it be that route /songs/* is conflicting with @static path_regexp ^/(assets|songs?

• If you intend to manipulate headers for proxying, use the header_up subdirective of reverse_proxy instead, as those manipulations are proxy-aware.
  I’ve tried this in route /songs/* but I see no changes.

• Cloudflare offers custom cache keys but unfortunately they’re a paid feature

network tab cookies return this which neither I’ve managed to capture with regex in golang mode. regex101 certainly matches them, but caddy won’t
(these values change on each caddy restart so they’re not privacy-sensitive):

{
	"Request Cookies": {
		"_DISCORDCADDY_guild_checker_df6b2c10f04589c60dd24cea872e88b421cd29d18e18685960fb1e101377458aea98165aaf36a7e2f2ca985ae938c9a6447ce9568fdeb32f0bf74fdd46e4fe1a": "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6Imd1aWxkX2NoZWNrZXIiLCJ1c2VyIjoiZGpfdG9tYXRv5iYXZhdGFyIjoiN2VhZmZlMzZkMmM0OWY5MGNiYjMyY2I1OThlMTdiMWEiLCJhdXRob3Jpc2VkIjp0cnVlLCJzdWIiOiI1MjI4NjAzODY2NjQ1NzkwODIiLCJhdWQiOlsiYXV0aCJdLCJleHAiOjE3Mjc2MjE3ODgsIm5iZiI6MTcyNzU2NDE4OCwiaWF0IjoxNzI3NTY0MTg4fQ.q072DF6AGAVnrjPl8zquKtG3kD78amODfZVcicxF3A6z8-GTZT7jINU3rJNDTB7bErFdiirLSHwlI7Y0z3-l3w",
		"cf_clearance": "jF0NfCGAgF2h82Sy3Bcd2D18lCGF_rbB_HCc8YnpcRo-1727564190-1.2.1.1-iVyqdHnqcmuzN3cGvST2UNwKUnBxETaMIG4H6zy14lEVcklEjwDZAshMHPop0BlTOPExDwlP91tvA_XjOv2y4MSR2_ZXqvs3lFz209f2kkwdgI2pPrIoxxiWY.1gBDhlk8CQdA3Dovf5qhTGCYfxVa5Gsb80tJ2Eo6jT8on1uuFNBurs5Uc43HjlbVhhEJ0ez29nygFCf9OnpjSDrnL5fG4vSjB6hMjnge8yAv0myQ9RADrIAByu6YJRL6RyNVL9IP1BfJYSNyao_5UgB2O8bfLnSzzA5T6WzBtHVAisqWnNNMlzSCcYxPCEqsN9NsmHz5VqspTi.3t4nuW0XsA5SjTkrW_YPyuo093vP6l4uQ"
	}
}

Below is a full response from network tab for one of the /songs/* route (sorry for the formatting but it’s what I get by copy/pasting)

as you can see $1 and $1$2 are added as response headers, not request.

GET
	https://baubau.lena.moe/songs/188/main.ogg
Status
200
VersionHTTP/2
Transferred4.08 MB (4.08 MB size)
Referrer Policystrict-origin-when-cross-origin
Request PriorityHighest
DNS ResolutionSystem

	
$1
	
$1$2
	
accept-ranges
	bytes
cache-control
	public, max-age=31536000, must-revalidate
cf-cache-status
	MISS
cf-ray
	8ca7624c2ff9a78f-EZE
content-length
	4079656
content-type
	audio/ogg
date
	Sat, 28 Sep 2024 23:06:26 GMT
etag
	"cflcetcm1bfg2ffvs"
last-modified
	Tue, 09 Nov 2021 15:09:56 GMT
nel
	{"success_fraction":0,"report_to":"cf-nel","max_age":604800}
permissions-policy
	interest-cohort=()
preload
	
report-to
	{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NAWUKjOlS5EapyzVvW6DXVbcHPpRPJS5%2F1ncJha3CDmf2LwkVIkBM46hIR68pvxH1b5%2FGOrQK%2Bmus6VC5cAO%2FotegWfroUynoSZNbYALjZJ19Bga4uH4T7YLvUpVgVPEAK0%3D"}],"group":"cf-nel","max_age":604800}
server
	cloudflare
vary
	Accept-Encoding
x-content-type-options
	nosniff
X-Firefox-Spdy
	h2
x-frame-options
	DENY
x-xss-protection
	1; mode=block
	
Accept
	*/*
Accept-Encoding
	gzip, deflate, br, zstd
Accept-Language
	en-US,en;q=0.5
Cache-Control
	no-cache
Connection
	keep-alive
Cookie
	_DISCORDCADDY_guild_checker_df6b2c10f04589c60dd24cea872e88b421cd29d18e18685960fb1e101377458aea98165aaf36a7e2f2ca985ae938c9a6447ce9568fdeb32f0bf74fdd26e4fe1a=eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJyZWFsbSI6Imd1aWxkX2NoZWNrZXIiLCJ1c2VyIjoiZGpfdG9tYXRvIiwiYXZhdGFyIjoiN2VhZmZlMzZkMmM0OWY5MGNiYjMyY2I1OThlMTdiMWEiLCJhdXRob3Jpc2VkIjp0cnVlLCJ5WIiOiI1MjI4NjAzODY2NjQ1NzkwODIiLCJhdWQiOlsiYXV0aCJdLCJleHAiOjE3Mjc2MjE3ODgsIm5iZiI6MTcyNzU2NDE4OCwiaWF0IjoxNzI3NTY0MTg4fQ.q072DF6AGAVnrjPl8zquKtG3kD78amODfZVcicxF3A6z8-GTZT7jINU3rJNDTB7bErFdiirLSHwlI7Y0z3-l3w; cf_clearance=jF0NfCGAgF2h82Sy3Bcd2D18lCGF_rbB_HCc8YnpcRo-1727564190-1.2.1.1-iVyqdHnqcmuzN3cGvST2UNwKUnBxETaMIG4H6zy14lEVcklEjwDZAshMHPop0BlTOPExDwlP91tvA_XjOv25MSR2_ZXqvs3lFz209f2kkwdgI2pPrIoxxiWY.1gBDhlk8CQdA3Dovf5qhTGCYfxVaWUGsb80tJ2Eo6jT8on1uuFNBurs5Uc43HjlbVhhEJ0ez29nygFCf9OnpjSDrnL5fG4vSjB6hMjnge8yAv0myQ9RADrIAByu6YJRL6RyNVL9IP1BfJYSNyao_gUgB2O8bfLnSzzA5T6WzBtHVAisqWnNNMlzSCcYxPCEqsN9NsmHz5VqspTi.3t4nuW0XsA5SjTkrW_YPyuo093vP6l4uQ
DNT
	1
Host
	baubau.lena.moe
Pragma
	no-cache
Priority
	u=0
Referer
	https://baubau.lena.moe/
Sec-Fetch-Dest
	empty
Sec-Fetch-Mode
	cors
Sec-Fetch-Site
	same-origin
Sec-GPC
	1
TE
	trailers
User-Agent
	Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0

Here’s my full caddyfile, I apologize in advance for the mess and truly appreciate any further tips on how to tackle this nightmare. as you can see in the comments I’ve tried everything to my disposal =(

(handle_errors)
{
	handle_errors {
		rewrite * /{err.status_code}
		reverse_proxy https://http.cat {
			header_up Host {upstream_hostport}
			replace_status {err.status_code}
		}
	}
}	

(sw) {
	#Service handler ignore
	handle /sw.js {
		rewrite * /mnt/hdd/data/serv-web/public/sw/sw.js
		php_fastcgi unix//run/php/php8.1-fpm.sock
		file_server 
	}
}

(favicon) {
	handle /favicon.ico {
	    root * /mnt/hdd/data/serv-web/public
	    file_server
	}	
}


(header-gen) {
	header {
		Strict-Transport-Security max-age=31536000; includeSubdomains; preload
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Permissions-Policy interest-cohort=()
		
		# This cookie appears!
		# Set-Cookie "Checking=Checked; SameSite=None; Secure"
		# But below won't be deleted, instead they appear as Response headers?
		# request_header Cookie "([^;]*)_DISCORDCADDY_guild_checker=[^;]*(;|$)" "$1"
		# request_header Cookie "(.*)_DISCORDCADDY_guild_checker_\w+=[^;]*;?(.*$)" "$1$2"
		# request_header Cookie "_DISCORDCADDY_guild_checker=[^;]*(;|$)" ""
		# request_header Cookie "(?s)(^.*?)(;?\s*_DISCORDCADDY_guild_checker_\w+=[^;]*)(;.*)?$" "$1$3"
		# request_header Cookie "(_DISCORDCADDY_guild_checker_\w+=[^;]*;?\s*)?"  ""
		# request_header Cookie "(?<=^|;)\s*_DISCORDCADDY_guild_checker_\w+=[^;]*;?\s* "" 
		#using this causes a loop with caddy discord, meaning the cookie is deleted? ironically putting exactly this in /songs/api won't do anything
		header -Set-Cookie "_DISCORDCADDY_guild_checker_*"
	}
	
	#This just never worked
	@cachetest {
		#Example
		# https://baubau.lena.moe/songs/220/main.ogg
		
		#path_regexp test ^public/songs/([0-9]+)/main\.ogg$
		path_regexp ^/songs/([0-9]+)/main\.ogg$
	}

	header @cachetest {
	#This just don't trigger idk why.
	Cache-Control "public, max-age=666666, must-revalidate"
	#This cookie appears
	#Set-Cookie "header2=header; SameSite=None; Secure"
	header_request Cookie ([^|;]?)_DISCORDCADDY_guild_checker=[^;]*(;|$) "$1"	
	header_request Cookie (?s)(^.*)_DISCORDCADDY_guild_checker_\w+=[^;]*;?(.*$) "$1$2"
	Cookie ([^|;]?)_DISCORDCADDY_guild_checker=[^;]*(;|$) "$1"	
	Cookie (?s)(^.*)_DISCORDCADDY_guild_checker_\w+=[^;]*;?(.*$) "$1$2"
	request_header Cookie (?<=^|;)\s*_DISCORDCADDY_guild_checker_\w+=[^;]*;?\s* "" 
	#here nothing will happen
	-Set-Cookie _DISCORDCADDY_guild_checker_*
	}
}


https://baubau.lena.moe:443, https://www.baubau.lena.moe:443 {
	import header-gen 
	import handle_errors #ignore
	import sw #ignore
	import favicon #ignore
	
	#Paths that needs caching, hence ignoring the cookie so cf-cache-status: miss doesn't happen.
	@static path_regexp ^/(assets|songs|src|img|audio|fonts|song_skins|live2d_api|api/config)/
	handle @static {
		header {
		#This just don't trigger idk why.
		Cache-Control "public, max-age=666666, must-revalidate"
		# -Cookie _DISCORDCADDY_guild_checker_*
		#nothing happens 
		header_up Set-Cookie "regextest=test; SameSite=None; Secure"
		header_up Cookie "([^|;]?)_DISCORDCADDY_guild_checker=[^;]*(;|$)" "$1"	
		header_up Cookie "(?s)(^.*)_DISCORDCADDY_guild_checker_\w+=[^;]*;?(.*$)" "$1$2"
		request_header Cookie "(^|;)\s*_DISCORDCADDY_guild_checker_\w+=[^;]*;?\s*" "" 
		header_request Set-Cookie "_DISCORDCADDY_guild_checker_*=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure; SameSite=None;"
		header_request Cookie "_DISCORDCADDY_guild_checker_*=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure;"
		}
	
		root * /mnt/hdd/data/serv-web/public/
		

		@songpreview path_regexp songs ^/songs/([0-9]+)/preview\.mp3$
		handle @songpreview {
			try_files {path} /api/preview?id={re.songs.1}
		}
		@songpreview2 path_regexp songs2 ^/songs/([0-9]+)/preview\.ogg$
		handle @songpreview2 {
			try_files {path} /api/preview?id={re.songs.1}
		}
		        file_server 
	}
	@wasm {
		path *.wasm
	}
	header @wasm Content-Type application/wasm

	route /discordauth/callback {
		discord callback
	}

	#If you intend to manipulate headers for proxying, use the header_up subdirective of reverse_proxy instead, as those manipulations are proxy-aware.
	route /songs/* {
		header {
			-Set-Cookie _DISCORDCADDY_guild_checker_*
			#if i don't use header_request it will create the cookie instead as response header
			header_request Set-Cookie "_DISCORDCADDY_guild_checker_*=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure; SameSite=None;"
			header_request Cookie "_DISCORDCADDY_guild_checker_*=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; HttpOnly; Secure;"
		}
		reverse_proxy 127.0.0.1:34801 {
			header_up Cookie "(?s)(^.*)_DISCORDCADDY_guild_checker_\w+=[^;]*;?(.*$)" "$1$2"
		}
	}
	
	route / {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}
	route /api/* {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}
	route /admin/* {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}

	route /api/preview {
		reverse_proxy 127.0.0.1:34801
	}
	
	route /p2 {
		# Multiplayer endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34802
	}

	respond "Welcome to nothing"
}

Oh, your cookie name isn’t just _DISCORDCADDY_guild_checker_, it’s _DISCORDCADDY_guild_checker_df6b2c10f04589c60dd24cea872e88b421cd29d18e18685960fb1e101377458aea98165aaf36a7e2f2ca985ae938c9a6447ce9568fdeb32f0bf74fdd46e4fe1a. That’s wild. So my recommendation changes:

request_header Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"

You’re right to use request_header, but you can’t put that inside of a header directive, it needs to go top level in your site block. header and request_header are siblings, not children of eachother.

Here’s the result, with regex101: build, test, and debug regex

image851×490 29.6 KB

You can drop all the other cruft surrounding this from the config you posted. Valiant attempts, but yeah they won’t do the job, mostly because of having it within a header directive but for other reasons as well.

Man you’re the best, I really appreciate what you’re done here. had no idea header and header_request are siblings haha.

Unfortunately even if the regex matches, i won’t delete it from the upcoming header requests

• putting request header in the top, at the beginning, seems to delete the cookie, causing a loop at discord gateway. I assume it’s deleting the cookie on / requests, so the reverse_proxy doesn’t even start.

• To avoid this I’ve tried putting it only in the route /songs/* so only when the reverse_proxy access it, it attempts to clean the cookie, but remains there ultimately.

• What’s curious is that the route /songs/ is even not protected by the guild_checker, so it shouldn’t even carry the cookie around, but it does.

• Same case if I do it at:

@static path_regexp ^/(assets|songs|src|img|audio|fonts|song_skins|live2d_api|api/config)/
   handle @static {

I am pulling out my hair here, even tried other browsers and other computer connected to 4G just in case. I’ve cleaned and added even more commenting.

If Cloudflare wasn’t so picky we could just tell them to assume any cookie called that* and would be so much easy. What else could we try?

(handle_errors)
{
	handle_errors {
		rewrite * /{err.status_code}
		reverse_proxy https://http.cat {
			header_up Host {upstream_hostport}
			replace_status {err.status_code}
		}
	}
}	

(sw) {
	#Service handler ignore
	handle /sw.js {
		rewrite * /mnt/hdd/data/serv-web/public/sw/sw.js
		php_fastcgi unix//run/php/php8.1-fpm.sock
		file_server 
	}
}

(favicon) {
	handle /favicon.ico {
	    root * /mnt/hdd/data/serv-web/public
	    file_server
	}	
}


(header-gen) {
	header {
		Strict-Transport-Security max-age=31536000; includeSubdomains; preload
		X-XSS-Protection "1; mode=block"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Permissions-Policy interest-cohort=()
	}
	
}


https://baubau.lena.moe:443, https://www.baubau.lena.moe:443 {
	# This will cause a login loop with caddy discord plugin so i've commented it
	# What i need to remove the cookie on anything past / but not on / itself.
	#request_header Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"
	route / {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}
	route /api/* {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}
	route /admin/* {
		# Player endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34801
	}

	route /api/preview {
		reverse_proxy 127.0.0.1:34801
	}
	
	route /p2 {
		# Multiplayer endpoint
		protect using guild_checker
		reverse_proxy 127.0.0.1:34802
	}

	route /songs/* {
	#If an asset is requested, delete the cookie from the header request
		request_header Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"
		reverse_proxy 127.0.0.1:34801 {
		#out of desperation attempt, but nope
		header_up Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"
		}
		
	}
	#Prioritizing  /songs/route before header-gen and static path_regexp
	
	import header-gen 
	import handle_errors #ignore
	import sw #ignore
	import favicon #ignore
	
	#Could it be these two conflict? /songs/* and root * => /public
	@static path_regexp ^/(assets|songs|src|img|audio|fonts|song_skins|live2d_api|api/config)/
	handle @static {
		# Cookie remains - Added also here just in case.
		request_header Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"
		header {
		Cache-Control "public, max-age=666666, must-revalidate"
		}	
		root * /mnt/hdd/data/serv-web/public/

		@songpreview path_regexp songs ^/songs/([0-9]+)/preview\.mp3$
		handle @songpreview {
			try_files {path} /api/preview?id={re.songs.1}
		}
		@songpreview2 path_regexp songs2 ^/songs/([0-9]+)/preview\.ogg$
		handle @songpreview2 {
			try_files {path} /api/preview?id={re.songs.1}
		}
		        file_server 
	}
	@wasm {
		path *.wasm
	}
	header @wasm Content-Type application/wasm

	route /discordauth/callback {
		discord callback
	}
	
	respond "Welcome to nothing"
}```

You can do this I guess:

@notroot not path /
request_header @notroot Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"

You don’t need all those repeated route, you can just have one using a path matcher. See Request matchers (Caddyfile) — Caddy Documentation

I am afraid I’ve have tried everything but Caddy is just unable to alter the headers, I give up on this issue.

I don’t agree that “Caddy is just unable”. I tested it myself and it worked fine. Show evidence. Show your latest config and logs.

As proof, here’s an example Caddyfile:

:8881 {
    @notroot not path /
    request_header @notroot Cookie ([^|;]?)_DISCORDCADDY_guild_checker_[a-z0-9]*=[^;]*(;|$) "$1"

    respond "Cookie: {header.Cookie}"
}

And curl request:

$ curl -v -H'Cookie: foo=bar;_DISCORDCADDY_guild_checker_123123=abcabc;bar=baz' http://localhost:8881/foo

*   Trying 127.0.0.1:8881...
* Connected to localhost (127.0.0.1) port 8881 (#0)
> GET /foo HTTP/1.1
> Host: localhost:8881
> User-Agent: curl/7.81.0
> Accept: */*
> Cookie: foo=bar;_DISCORDCADDY_guild_checker_123123=abcabc;bar=baz
> 
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< Date: Thu, 10 Oct 2024 10:08:36 GMT
< Content-Length: 15
< 
Cookie: foo=bar;bar=baz

See that the header’s value was correctly modified.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.