Match Host IP address

Hello caddy community!
Hope you’re doing well.

1. Caddy version:

v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=

2. How I installed, and run Caddy:

built with xcaddy and the GitHub - ss098/certmagic-s3 plugin (Certmagic S3-compatible driver written in Go | Caddy certificate storage, a distributed object-storage implementation of the Certmagic interface)

a. System environment:

Linux x64 systemd

b. Command:

/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        admin off
        auto_https disable_redirects
        on_demand_tls {
                ask https://REDACTED/check
        }
        storage s3 {
                host "REDACTED"
                bucket "REDACTED"
                access_id "REDACTED"
                secret_key "REDACTED"
                prefix "ssl"
        }
}

https:// {
        tls {
                on_demand
                issuer acme {
                        dir https://acme.zerossl.com/v2/DV90
                        eab REDACTED
                        email REDACTED
                }
        }
        reverse_proxy {
                to http://localhost:8080
        }
}

http:// {
        reverse_proxy {
                to http://localhost:8080
        }
}

3. The problem I’m having:

I’m trying to replicate a behavior that I had configured in nginx where, if Host matched the IP address of the server, it would return 403.
So I need to return 403 if the request was made directly to any IP address of that server, before triggering the tls_on_demand logic.

In nginx I just used an if statement in the server block:

 if ( $host = $server_addr ) { return 403; }

I thought about using header regexp, but that would not solve the problem of triggering the tls_on_demand mechanism.

4. Error messages and/or full log output:

N/A

5. What I already tried:

https://^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$ {
        reverse_proxy {
                to http://localhost:8080
        }
}

That was stupid.

Any ideas?

Regards,
M.

It’s the job of your ask endpoint to reject those hostnames.

The TLS handshake cannot complete if Caddy doesn’t have a certificate for that hostname. The only way to write an HTTP response is with a valid certificate. So it’s impossible to write a 403 response without a certificate.
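As an added example (not part of this thread and not Caddy's own code), here is a minimal `ask` endpoint in Go that makes the decision the reply describes. Before issuing an on-demand certificate, Caddy sends `GET <ask URL>?domain=<hostname>` and issues only when the endpoint answers 200. Returning 403 for any IP-literal host, plus anything outside an allowlist, is the on-demand equivalent of the nginx `$host = $server_addr` check: Caddy never obtains a certificate for a direct-IP request, so the handshake fails instead of a 403 being written. The `/check` path matches the poster's config; the allowlist entries and the listen address are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// allowedHosts is a constructed sample allowlist (assumption); a real endpoint
// would look the name up in whatever system knows which customer domains exist.
var allowedHosts = map[string]bool{
	"example.com":     true,
	"app.example.net": true,
}

// checkDomain returns the HTTP status Caddy should receive for a candidate
// hostname: 200 to allow issuance, anything else to deny it.
func checkDomain(domain string) int {
	d := strings.TrimSuffix(strings.ToLower(strings.TrimSpace(domain)), ".")
	if d == "" {
		return http.StatusBadRequest
	}
	// Deny IP literals (IPv4, or IPv6 with or without brackets). This is the
	// case the poster wanted to reject: a client talking directly to the
	// server's address. Denying here means no certificate is ever issued.
	if net.ParseIP(strings.Trim(d, "[]")) != nil {
		return http.StatusForbidden
	}
	// Deny every name we do not recognise, so arbitrary SNI values cannot
	// burn issuance quota or create certificates for unknown hosts.
	if !allowedHosts[d] {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// askHandler serves the on_demand_tls `ask` URL. Caddy passes the requested
// hostname in the `domain` query parameter.
func askHandler(w http.ResponseWriter, r *http.Request) {
	status := checkDomain(r.URL.Query().Get("domain"))
	w.WriteHeader(status)
	if status == http.StatusOK {
		w.Write([]byte("ok"))
	} else {
		w.Write([]byte("denied"))
	}
}

func main() {
	// Listen address is an assumption; point `ask` at http://127.0.0.1:9000/check.
	http.HandleFunc("/check", askHandler)
	http.ListenAndServe("127.0.0.1:9000", nil)
}
```

Because the endpoint is consulted per hostname before issuance, the deny decision happens at the point the reply identifies, which is the only place it can: once a certificate exists for a name, Caddy will complete the handshake for it.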
