1. Caddy version (`caddy version`):
v2.2.0-rc.1
2. How I run Caddy:
a. System environment:
OS:
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
Running through Docker & Docker-Compose
b. Command:
(If the container is down)
```
docker-compose up -d
```
(If I just need to reload the config)
```
docker exec -w /etc/caddy caddy caddy reload
```
c. Service/unit/compose file:
```yaml
version: "3.7"
services:
  caddy:
    build: ./dns-dockerfile
    container_name: caddy
    hostname: caddy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      - MY_DOMAIN
      - CLOUDFLARE_API_TOKEN
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - ./data:/data
      - ./config:/config
networks:
  default:
    external:
      name: $DOCKER_MY_NETWORK
```
d. My complete Caddyfile or JSON config:
```
(cloudflare) {
    # tls {env.CLOUDFLARE_EMAIL}
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }
}

(LAN_only) {
    @fuck_off_world {
        not remote_ip 24.227.248.138/24
    }
    respond @fuck_off_world 403
}

#@print_matcher {
#    path_regexp ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$
#}

{$MY_DOMAIN} {
    import cloudflare
    log {
        output file ~/caddylog {
            roll_size 20mb
            roll_keep 5
        }
    }
    reverse_proxy 192.168.1.3:80
}

a.{$MY_DOMAIN} {
    import cloudflare
    reverse_proxy whoami:80
}

b.{$MY_DOMAIN} {
    import cloudflare
    reverse_proxy nginx:80
}

vault.{$MY_DOMAIN} {
    import cloudflare
    encode gzip
    header {
        # Enable cross-site filter (XSS) and tell browser to block detected attacks
        X-XSS-Protection "1; mode=block"
        # Disallow the site to be rendered within a frame (clickjacking protection)
        X-Frame-Options "DENY"
        # Prevent search engines from indexing (optional)
        X-Robots-Tag "none"
        # Server name removing
        -Server
    }
    # Notifications redirected to the websockets server
    reverse_proxy /notifications/hub bitwarden:3012
    # Proxy the Root directory to Rocket
    reverse_proxy bitwarden:80
}

wiki.{$MY_DOMAIN} {
    import cloudflare
    log {
        output file /data/logs/bookstack_access.log {
            roll_size 20mb
            roll_keep 5
        }
    }
    #reverse_proxy bookstack:80
    reverse_proxy bookstack:443 {
        transport http {
            tls
            tls_insecure_skip_verify
        }
    }
}

print.{$MY_DOMAIN} {
    import cloudflare
    route {path} {
        #uri strip_prefix {path}
        reverse_proxy {path} {
            to {query}/:80
            #insecure_skip_verify
            header_up Host {http.reverse_proxy.upstream.hostport}
            # header_up +X-Frame-Options SAMESITE
            header_down -X-Frame-Options
            header_down -Host
            #header_down +X-Frame-Options ALLOW-FROM {MY_DOMAIN}
        }
        #uri strip_prefix {query}
    }
}
```
3. The problem I’m having:
Some background:
I’m trying to set up a “Printer Page” for the administrative staff at the company I work at. The concept is that they can add the printer and its IP address to a database, and then view all of the different printer pages from a table of links.
Anyways, I wanted to have the printer pages all on a single subdomain and have caddy redirect the request to the proper page. Now, my current code does work, but it seems to be acting as a redirect instead of a reverse proxy, so the printer settings page will not show up within an iframe.
4. Error messages and/or full log output:
Here’s the error I get from caddy whenever I attempt to load any of the printers within the iframe:
{
"level":"debug",
"ts":1599843213.0695734,
"logger":"http.handlers.reverse_proxy",
"msg":"upstream roundtrip",
"upstream":"{http.request.uri.query}/:80",
"request":{
"method":"GET",
"uri":"/192.168.1.16/",
"proto":"HTTP/1.1",
"remote_addr":"162.158.187.70:20172",
"host":":80",
"headers":{
"X-Forwarded-For":[
"24.227.248.138, 162.158.187.70"
],
"Cache-Control":[
"no-cache"
],
"Sec-Fetch-User":[
"?1"
],
"Cf-Ray":[
"5d12e5855b3107d6-ATL"
],
"Accept":[
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"Cdn-Loop":[
"cloudflare"
],
"X-Forwarded-Proto":[
"https"
],
"Upgrade-Insecure-Requests":[
"1"
],
"Pragma":[
"no-cache"
],
"Accept-Language":[
"en-US,en;q=0.9"
],
"Sec-Fetch-Site":[
"same-site"
],
"Cf-Ipcountry":[
"US"
],
"Sec-Fetch-Mode":[
"navigate"
],
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
],
"Cf-Connecting-Ip":[
"24.227.248.138"
],
"Referer":[
"https://vprsrv.org/printers.php"
],
"Cf-Request-Id":[
"051fadc75b000007d6e73a3200000001"
],
"Cookie":[
"__cfduid=d8703413d8c110a3d1e7a08b7b6194e0a1599759255"
],
"Cf-Visitor":[
"{\"scheme\":\"https\"}"
],
"Sec-Fetch-Dest":[
"iframe"
],
"Accept-Encoding":[
"gzip"
]
},
"tls":{
"resumed":false,
"version":772,
"ciphersuite":4867,
"proto":"",
"proto_mutual":true,
"server_name":"print.vprsrv.org"
}
},
"headers":{
"Date":[
"Fri, 11 Sep 2020 16:53:33 GMT"
],
"Content-Length":[
"0"
],
"Location":[
"https:///192.168.1.16/"
],
"Server":[
"Caddy"
]
},
"duration":0.00080883,
"status":308
}
{
"level":"info",
"ts":1599843213.069884,
"logger":"http.log.access",
"msg":"handled request",
"request":{
"method":"GET",
"uri":"/192.168.1.16/",
"proto":"HTTP/1.1",
"remote_addr":"162.158.187.70:20172",
"host":"print.vprsrv.org",
"headers":{
"Sec-Fetch-User":[
"?1"
],
"Referer":[
"https://vprsrv.org/printers.php"
],
"Cf-Request-Id":[
"051fadc75b000007d6e73a3200000001"
],
"Cdn-Loop":[
"cloudflare"
],
"Cf-Ipcountry":[
"US"
],
"X-Forwarded-For":[
"24.227.248.138"
],
"Cache-Control":[
"no-cache"
],
"Sec-Fetch-Site":[
"same-site"
],
"X-Forwarded-Proto":[
"https"
],
"Upgrade-Insecure-Requests":[
"1"
],
"Sec-Fetch-Mode":[
"navigate"
],
"Cookie":[
"__cfduid=d8703413d8c110a3d1e7a08b7b6194e0a1599759255"
],
"Cf-Connecting-Ip":[
"24.227.248.138"
],
"Cf-Visitor":[
"{\"scheme\":\"https\"}"
],
"Pragma":[
"no-cache"
],
"User-Agent":[
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36"
],
"Sec-Fetch-Dest":[
"iframe"
],
"Accept":[
"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9"
],
"Accept-Language":[
"en-US,en;q=0.9"
],
"Connection":[
"Keep-Alive"
],
"Accept-Encoding":[
"gzip"
],
"Cf-Ray":[
"5d12e5855b3107d6-ATL"
]
},
"tls":{
"resumed":false,
"version":772,
"ciphersuite":4867,
"proto":"",
"proto_mutual":true,
"server_name":"print.vprsrv.org"
}
},
"common_log":"162.158.187.70 - - [11/Sep/2020:16:53:33 +0000] \"GET /192.168.1.16/ HTTP/1.1\" 308 0",
"duration":0.001026267,
"size":0,
"status":308,
"resp_headers":{
"Server":[
"Caddy",
"Caddy"
],
"Date":[
"Fri, 11 Sep 2020 16:53:33 GMT"
],
"Content-Length":[
"0"
],
"Location":[
"https:///192.168.1.16/"
]
}
}
5. What I already tried:
As I mentioned before, my current code works (if you go to the URL in a new tab at least), but it redirects to the printer’s IP address. I’m pretty sure this is due to this: `header_up Host {http.reverse_proxy.upstream.hostport}`, but removing that doesn’t allow me to access the printers at all.
I also have gotten this to work, but only when I reverse proxy all paths to a specific subdomain (i.e.
```
print.{$MY_DOMAIN} {
    reverse_proxy 192.168.1.100:80
}
```
). As much as I would like for that to be the solution, it requires someone to change the Caddyfile anytime a new printer is added (or whose IP changes), which isn’t realistic for the administrative staff.
Other things I’ve tried…
Using the transport directive:
```
reverse_proxy {path}:443 {
    transport http {
        tls
        tls_insecure_skip_verify
    }
}
```
I’ve also tried using regex:
```
@static {
    path_regexp static (.[0-9]{1})+
}
reverse_proxy @static {
    to {http.regexp.static.1}/:80
    header_down -X-Frame-Options
}
```
And finally what I started with:
```
print.{$MY_DOMAIN} {
    reverse_proxy {path}:80
}
```
Help is much appreciated!
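
In the setup described above the upstream address comes from the request path, so whatever sits in front of the printers has to check that address against the known printers before proxying to it. The sketch below is an added example, not code from the original post or from Caddy; the function name, the sample printer set and the 192.168.1.0/24 range are assumptions.

```python
import ipaddress
from typing import Iterable, Optional, Tuple

# Constructed sample data; in the post these entries live in the printer database.
REGISTERED_PRINTERS = {"192.168.1.16", "192.168.1.100"}
# Assumed LAN range. Checked separately because the database is editable by staff,
# so a stored entry alone should not be enough to reach loopback or other networks.
PRINTER_NET = ipaddress.ip_network("192.168.1.0/24")
UPSTREAM_PORT = 80


def resolve_printer(
    path: str, registered: Iterable[str] = REGISTERED_PRINTERS
) -> Optional[Tuple[str, str]]:
    """Map '/192.168.1.16/status.html' to ('192.168.1.16:80', '/status.html').

    Returns None unless the first path segment is a canonical dotted-quad IPv4
    address that is both inside PRINTER_NET and present in `registered`.
    """
    if not path.startswith("/"):
        return None
    segment, _, rest = path[1:].partition("/")
    try:
        addr = ipaddress.IPv4Address(segment)
    except ValueError:
        # Hostnames (e.g. other containers), empty segment, "ip:port", IPv6.
        return None
    if str(addr) != segment:
        # Reject non-canonical spellings such as leading zeros.
        return None
    if addr not in PRINTER_NET or segment not in set(registered):
        return None
    # The printer prefix is stripped so the device sees its own URL space.
    return f"{addr}:{UPSTREAM_PORT}", "/" + rest


if __name__ == "__main__":
    for p in ("/192.168.1.16/", "/192.168.1.3/", "/bitwarden/", "/127.0.0.1/"):
        print(p, "->", resolve_printer(p))
```
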