Modify downstream headers in upgrade to websocket

ICSI · December 14, 2022, 12:16am

Caddy Version

v2.6.2

Environment

Running from binary via a systemd service on an Ubuntu Server based image as a nonprivileged service user.
dns cloudflare is the only additional plugin installed and is used for acme challenges the caddy binary is an official one downloaded from the Caddy download page: Download Caddy

Caddyfile:

(common) {
        header /* {
                -Server
                +x-gateway "dz021"
        }
}

www.example.com:3023 {
        import common
        reverse_proxy https://10.3.2.21:2001
        tls {
                dns cloudflare "[ Redacted ]"
        }
}

The problem I’m having:

Normal requests to say https://www.example.com:3023/test would have the Server: Caddy removed and the x-gateway: dz021 header is present. However when requesting a url which upgrades to a websocket the response headers lack the gateway header and the Server header is still present. I’ve tried reading the documentation and shifting options around in the Caddyfile but was met with errors. How can I get the desired headers to show in the response?

Thank you for any assistance.

francislavoie · December 14, 2022, 12:23am

Since you’re doing a - delete operation in your header directive, the header operations get deferred until the header directive gets called again on the way back up the middleware chain. See the note at the top of the docs here header (Caddyfile directive) — Caddy Documentation. But since websocket connections involve hijacking the connection to transition it from HTTP to TCP, it never goes back up the middleware chain, and your header stuff never happens.

You can try this:

reverse_proxy https://10.3.2.21:2001 {
	header_down X-Gateway dz021
}

Or try this:

header X-Gateway dz021
reverse_proxy https://10.3.2.21:2001

In that case, there’s no - delete operation, so it shouldn’t get deferred, and it should work fine.

FWIW, there’s no benefit to removing the Server header. It doesn’t reveal any information that clients couldn’t otherwise figure out trivially by observing traffic patterns.

system · January 13, 2023, 12:17am

This topic was automatically closed after 30 days. New replies are no longer allowed.