You defined a bunch of request matchers, but you don’t seem to be using them anywhere.
Matchers are basically an if condition, but you need to pair it with a handler to make it actually control something.
These are the same matchers, they aren’t in the inverse of eachother at all.
But also the inverse of that matcher would be “match literally every request except this one” which is probably not what you want.
Well, the Referer header is something the browser sets. What are you trying to prevent? If some bad actor tries to make a request with curl to your server, than can just set the Referer header themselves by hand and get through.
I’m not sure what this really achieves. It would probably make more sense to just require authentication on your API (with API tokens or something) which your website would provide to logged in users or something so the JS code can hit the API. I guess.
Your reverse_proxy upstream (127.0.01 vs 127.0.0.1) is a bit odd (typo?), but will work just fine because of different IP representations (IP zero suppression and zero compression in this case).
While it does work, I’d recommend changing it to 127.0.0.1 anyway.
2 of those 4 @namedMatcher are still equal. Prefixing the name of a @namedMatcher with not (@not_namedMatcher) will only change the name and nothing else.
If you want @not_findprovs to not match the paths of @findprovs you would need to prefix the path with not:
@findprovs {
path /api/v0/dht/findprovs
method POST
header_regexp Referer (domainB)
}
@not_findprovs {
- path /api/v0/dht/findprovs
+ not path /api/v0/dht/findprovs
method POST
header_regexp Referer (domainB)
}
@matt did an amazingly extensive explanation about directive order in Caddyfiles here: Composing in the Caddyfile
I can assure you this will help you understand how matchers and ordering works!
So please consider reading it and use some handle {}s and maybe post your new Caddyfile again, if you have any remaining questions
And relying on the referrer (Referer header) for any kind of security is an awful idea. Trivially easy to overcome as a “bad actor” and some browser may not even send that header at all, which would render them incompatible with your site.