Ipfilter (missing a plugin?)

(Bhaal85) #1

Hello
I can’t install / configure the http.filter plugin correctly in order to make only some sites available locally.

I used https://getcaddy.com/ and passed http.filter as a plugin parameter.

The list of plugins is installed:

./caddy -plugins:
	Server types:
	  http

	Caddyfile loaders:
	  short
	  flag
	  default

	Other plugins:
	  http.basicauth
	  http.bind
	  http.browse
	  http.errors
	  http.expvar
	  http.ext
	  http.fastcgi
	  http.filter
	  http.gzip
	  http.header
	  http.index
	  http.internal
	  http.limits
	  http.log
	  http.markdown
	  http.mime
	  http.pprof
	  http.proxy
	  http.push
	  http.redir
	  http.request_id
	  http.rewrite
	  http.root
	  http.status
	  http.templates
	  http.timeouts
	  http.websocket
	  on
	  tls
	  tls.cluster.file

My configuration file:

mysite:123 {
  proxy / localhost:123 {
	websocket
	transparent
  }
  
  ipfilter / {
	rule allow
	ip 127.0.0.1
  }
}

When I try to start caddy I get the error:

no action found for directive 'ipfilter' with server type 'http' (missing a plugin?)

What am I doing wrong?

Thank you

(Matthew Fay) #2

Hi @bhaal85, welcome to the Caddy community!

Note that http.filter plugin is different to http.ipfilter. You’ll need to download Caddy with the latter, not the former.

(Bhaal85) #3

Hello
Thanks for your help. I managed to install http.ipfilter correctly and everything works.

I couldn’t solve my problem completely; maybe http.ipfilter is not for me.

Let me explain my problem:
I have three hosts
https://aaa.xxx.com:pppp
https://bbb.xxx.com:pppp
https://ccc.xxx.com:pppp

I would like to make sure that only https://aaa.xxx.com:pppp is visible from the outside.
In https://aaa.xxx.com:pppp there are iframes that point to https://bbb.xxx.com:pppp and https://ccc.xxx.com:pppp

If I don’t use http.ipfilter, https://bbb.xxx.com and https://ccc.xxx.com are visible from the outside.
If I use http.ipfilter inserting
ipfilter / {
rule allow
ip 127.0.0.1 192.168.0.201
}

https://bbb.xxx.com:pppp and https://ccc.xxx.com:pppp are not reachable from the outside (403), but they are not reachable from https://aaa.xxx.com:pppp either.

If I use different ports for https://bbb.xxx.com:dddd and https://ccc.xxx.com:dddd I get the error (421) when using iframes

Is there any configuration I can use with Caddy to solve this problem?

Thanks again

(Matthew Fay) #4

This is essentially expected behaviour for ipfilter. iframes won’t get around the block. If you’re not on the whitelist, you can’t load it.

What, exactly, are you trying to achieve?

(b2c) #5

I guess @bhaal85 is trying to block 2 hosts (bbb & ccc) from being accessed directly, allowing access only from a parent (aaa) iframe/html.

Add headers in the child hosts (bbb & ccc):

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://aaa.xxx.com:pppp

https://caddyserver.com/docs/header

This will block others from loading them inside an iframe.

Add a few lines of JavaScript in the child hosts’ index page:

if (window == window.top) {   // if not iframe
    window.location.href = "404.html"; 
}

This will allow your child hosts’ index page to load inside an iframe only.

This is not a foolproof scenario but will protect from most users. You’d better use a REST API instead of an iframe.

1 Like
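
An added example, not part of the original posts: a small JavaScript model of how a current browser applies the framing headers listed in post #5, following the HTML Standard's X-Frame-Options check and CSP `frame-ancestors`. The function names and the `example.test` origins are hypothetical and constructed, standing in for the thread's aaa and bbb hosts.

```javascript
// Added example: models how a current browser decides whether a response may
// render in an iframe whose parent page is parentUrl. Assumptions: one level of
// nesting; frame-ancestors sources limited to 'none', 'self', * and full origins.
function originOf(u) {
  try { return new URL(u).origin; } catch { return null; }
}

// Source list of the first frame-ancestors directive in a CSP value, or null.
function frameAncestors(csp) {
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingAllowed(headers, childUrl, parentUrl) {
  const child = originOf(childUrl), parent = originOf(parentUrl);
  if (!child || !parent) throw new TypeError("childUrl and parentUrl must be absolute URLs");
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    // frame-ancestors present: it decides and X-Frame-Options is ignored.
    return sources.some((s) => {
      if (s === "*") return true;
      if (s.toLowerCase() === "'self'") return parent === child;
      return originOf(s) === parent; // 'none' or an unparsable source matches nothing
    });
  }
  const xfo = new Set((headers["x-frame-options"] || "").split(",")
    .map((v) => v.trim().toLowerCase()).filter(Boolean));
  const known = ["deny", "sameorigin", "allowall"].some((v) => xfo.has(v));
  if (xfo.size > 1) return !known;          // conflicting values: blocked
  if (xfo.has("deny")) return false;
  if (xfo.has("sameorigin")) return parent === child;
  return true; // absent or unrecognised value (ALLOW-FROM): no restriction
}

// Constructed origins standing in for the thread's aaa and bbb hosts.
const AAA = "https://aaa.example.test:8443", BBB = "https://bbb.example.test:8443";
const OTHER = "https://other.example.test";
for (const h of [
  { "x-frame-options": "DENY" },
  { "x-frame-options": "SAMEORIGIN" },
  { "x-frame-options": "ALLOW-FROM " + AAA },
  { "content-security-policy": "frame-ancestors " + AAA },
]) {
  console.log(JSON.stringify(h), "| framed by aaa:", framingAllowed(h, BBB, AAA),
    "| framed by other:", framingAllowed(h, BBB, OTHER));
}
```

Of the four header sets, only `frame-ancestors` with the parent's origin lets aaa embed bbb while refusing other sites. All of these headers only control where a response may be embedded; a direct request to the child host is still answered.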