Need assistance with http.matchers.remote_ip usage

prime42-john · August 15, 2022, 10:43pm

1. Output of `caddy version`:

v2.5.2 h1:eCJdLyEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=

2. How I run Caddy:

Runs as a service, primary config is /etc/caddy/Caddyfile which contains

import /etc/caddy/redirects/*.cnf

The purpose of this server is redirects and all of the files in the redirects directory are created by a script and are in this form:

fromDomain.tld www.fromDomain.tld {
	redir https://toDomain.tld{uri} permanent
}

We have no issues with this setup, it is an exception to this setup I am writing about.

a. System environment:

OS: AlmaLinux release 8.6 (Sky Tiger)
Kernel: 4.18.0-348.23.1.el8_5.x86_64
Headless server instance running in a VPC on AWS - EC2 instance t3a.medium
systemd 239 (239-58.el8_6.3)
No Docker, no desktop, no anything else really except for some custom created scripts for managing Route 53 zones and the redirects.

b. Command:

I don’t type anything to run it, it is a service. Service status is as follows

Alias tip: S status caddy
● caddy.service - Caddy
   Loaded: loaded (/usr/lib/systemd/system/caddy.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-08-09 06:16:45 PDT; 6 days ago
     Docs: https://caddyserver.com/docs/
 Main PID: 899223 (caddy)
    Tasks: 12 (limit: 12008)
   Memory: 57.2M
   CGroup: /system.slice/caddy.service
           └─899223 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

If I add or remove a redirect my script either creates a new config file from a template or deletes the config file and then restarts the caddy service.

c. Service/unit/compose file:

N/A

d. My complete Caddy config:

As above

import /etc/caddy/redirects/*.cnf

and a sample config, because I am not going to post over 350 almost identical files

fromDomain.tld www.fromDomain.tld {
	redir https://toDomain.tld{uri} permanent

3. The problem I’m having:

I have a need to have one of the redirects behave differently, but only if the remote IP is a certain IP. I want it to act normally otherwise. I have read the documentation but I am still unsure how to go about this. So for this particular config file I have appended a line I got from (Request matchers (Caddyfile) — Caddy Documentation) to the top of the file, but then I don’t know what to do with it, and how to have any other IPs that doesn’t match just do the redirect.

Here is as far as I got before I got lost.

@pinger remote_ip 203.0.113.14

fromDomain.tld www.fromDomain.tld {
	redir https://toDomain.tld{uri} permanent

Once I have defined @pinger, then what do I do? What does the config file then look like. For example, if I wanted that one IP to serve a static web page on the file system, and all other IPs to just do the redirect, how would that look?

4. Error messages and/or full log output:

N/A

5. What I already tried:

Not much. I have read the following:
I’m new and can’t post links - /docs/caddyfile/matchers#remote-ip
I’m new and can’t post links - /docs/modules/http.matchers.remote_ip
I’m new and can’t post links - /docs/caddyfile/patterns
I’m new and can’t post links - /docs/caddyfile/directives

and I have no better idea how to proceed than I did before I read those pages.

6. Links to relevant resources:

francislavoie · August 15, 2022, 10:49pm

Matchers must go inside of a site block. See the Caddyfile Concepts doc to understand the structure of a Caddyfile:

Then, you apply the matcher to a directive to make it do something when that matcher matches. You can also use the not matcher in front of any other matcher to invert the result.

Keep in mind directives are sorted according to predetermined order. The redir directive is high on the order, so if you use a directive with a lower order, it’ll be sorted after, so the redirect will always trigger anyways. There’s a bunch of ways to work around this, but it depends on your specific needs. Please elaborate on what you’re trying to do when the matcher does match, and we can probably help further.

prime42-john · August 15, 2022, 11:24pm

What I am attempting to do is have the domain this config file belongs to behave normally (a 301 status redirect to another domain) unless the single IP address of a monitoring server makes the request. In that case I would like it to instead serve a static webpage which basically looks like this:

<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="refresh" content="1; URL='https://toDomain.tld/'">
    <title>Redirect to https://toDomain.tld/</title>
  </head>
  <body>
    <h1>Off to https://toDomain.tld/</h1>
  </body>
</html>

If you are really astute you will recognize that is just a client side redirect using meta refresh. The main difference is that to the monitoring server it is a Status 200 and load completion and not a Status 301 redirect. We need to do some code testing on the monitoring server, which is why I want that server to get the Status 200 and think it is done rather than follow the 301 redirect.

For the sake of this example the static file could be stored at /usr/share/www/toDomain.tld/index.html

francislavoie · August 15, 2022, 11:33pm

Caddy supports doing an HTML redirect, btw, with the html option for redir.

But AFAIK it is broken in the current release, but a fix is coming for the next release. We never noticed it was broken until recently because we didn’t even know anyone still used it

github.com/caddyserver/caddy

redir directive code html does not redirect using HTML document

opened 09:10PM - 08 Aug 22 UTC

closed 05:12PM - 09 Aug 22 UTC

nomuus

bug

## Version Currently using Caddy 2.5.2 for Linux AMD64: ```v2.5.2 h1:eCJdL…yEyAGzuQTa5Mh3gETnYWDClo1LjtQm2q9RNZrs=``` ## Configuration `Caddyfile` configuration: ``` (test_config) { redir /html https://www.example.com/ html redir /301 https://www.example.com/ permanent redir /302 https://www.example.com/ temporary redir /permanent https://www.example.com/ permanent redir /temporary https://www.example.com/ temporary respond /test_html_redirect_200 200 { body `<!DOCTYPE html> <html> <head> <title>Redirecting...</title> <script>window.location.replace("https://www.example.com");</script> <meta http-equiv="refresh" content="0; URL='https://www.example.com'"> </head> <body>Redirecting to <a href="https://www.example.com">https://www.example.com</a>...</body> </html> ` close } respond /test_html_redirect_301 301 { body `<!DOCTYPE html> <html> <head> <title>Redirecting...</title> <script>window.location.replace("https://www.example.com");</script> <meta http-equiv="refresh" content="0; URL='https://www.example.com'"> </head> <body>Redirecting to <a href="https://www.example.com">https://www.example.com</a>...</body> </html> ` close } respond /test_html_redirect_302 302 { body `<!DOCTYPE html> <html> <head> <title>Redirecting...</title> <script>window.location.replace("https://www.example.com");</script> <meta http-equiv="refresh" content="0; URL='https://www.example.com'"> </head> <body>Redirecting to <a href="https://www.example.com">https://www.example.com</a>...</body> </html> ` close } } http://localhost { import test_config } ``` ## Details After reviewing issue [#3979](https://github.com/caddyserver/caddy/issues/3979) and associated fix, it appears that the [redir](https://caddyserver.com/docs/caddyfile/directives/redir) directive is not redirecting as documented using HTML or script. Rather the redirect makes use of a `302` response code where the `200` code may be more appropriate. In prior versions, it's possible that `200` could have been the default response code. (`3xx` response code may meet expected behavior but if the `Location` header is omitted.) According to the [syntax documentation](https://caddyserver.com/docs/caddyfile/directives/redir#syntax): > `html` to use an HTML document to perform the redirect (useful for redirecting browsers but not API clients) This supposes that any browser would be redirected using a script defined by [`metaRedir` const](https://github.com/caddyserver/caddy/blob/v2.5.2/caddyconfig/httpcaddyfile/builtins.go#L569). The observed behavior is that the browser will not redirect from the HTML `meta` tag or the script. Rather the browser will redirect based on the `Location` header in conjunction with the `302` response code. This behavior can be observed in a variety ways, for example: - To determine if a script redirect is occuring, Chromium's browser developer tools can be used to set an *Event Listener Breakpoint* on *Script*. If the script-based redirect is successful then the page should pause at `<script>window.location.replace`. - Alternatively, another simple test could be to add `alert('Script executed');` within the script tag of `metaRedir` prior to the `window.location.replace`. If the script-based redirect is successful then the browser will display an alert box then redirect after closing it. The current behavior of Caddy 2.5.2 functions similar to specifying a code of `temporary` for the `redir` directive. The following are all functionally equivalent while using a web browser: - `redir <matcher> <to> temporary` - `redir <matcher> <to> html` - `redir <matcher> <to> 302` ## Suggestions Based on observations of web applications implementing HTML/script redirection, the response code for HTML or script redirections should be `200` instead of `3xx`. Chromium appears to ignore the `Location` header if it is present and proceeds to execute the HTML/script code. *Alternatively*, Chromium appears to execute the HTML/script code with a `3xx` response code but only if the `Location` header is removed from the response. It has not been confirmed which behavior is "RFC" standard behavior. The expected behavior can be demonstrated and observed using the [`metaRedir` const](https://github.com/caddyserver/caddy/blob/v2.5.2/caddyconfig/httpcaddyfile/builtins.go#L569). value with the `respond` directive in the examples provided in the test configuration: - `/test_html_redirect_200` will respond with a `200` and uses the redirect text from `metaRedir`. - `/test_html_redirect_301` will respond with a `301` and uses the redirect text from `metaRedir` without a `Location` header. - `/test_html_redirect_302` will respond with a `302` and uses the redirect text from `metaRedir` without a `Location` header.

So you could just use the HTML redirect all the time for that one domain instead of doing a remote_ip match? Or if you must have different redirects for those IPs, you can use a matcher like this:

from-domain.tld {
	@pinger remote_ip 203.0.113.14
	redir @pinger https://toDomain.tld{uri} html
	redir https://toDomain.tld{uri} permanent
}

So basically this will return an html redirect for requests from that one IP, and a permanent redirect otherwise.

prime42-john · August 15, 2022, 11:49pm

Thank you, that example is probably exactly what I am looking for.

We do want a 301 Permanent Redirect in almost every case. From an SEO perspective using an html redirect doesn’t carry any “link juice” and can actually hurt SEO performance if the client has more than one domain, but only one website. Also, Google can downrank you for html redirects as they are used heavily by bad websites to keep you from using the back button. So really the html redirect must be the exception and not the rule here.

Thank you very much.

system · September 14, 2022, 10:44pm

This topic was automatically closed after 30 days. New replies are no longer allowed.