Protect admin endpoint

Hi Guys,
I’m trying to protect the “admin” API without any success.

  1. Caddy version (v2.4.6) | docker

My JSON config from api

curl http://172.21.20.8:2019/config/admin
{"enforce_origin":true,"listen":":2019","origins":["secret.admin.too"]}

Admin/Config endpoint is not protected.
(Basicauth could be a perfect fit… but not available).


That’s odd, that used to work. Something must have changed recently.

Fixed here (and refactored some things while I was at it, since the logic could be cleaned up): https://github.com/caddyserver/caddy/commit/40b54434f3cdb804ef10eee0ba5d8d6c390e93d4

Hi,
I still have an issue; the new commit works partially.

test> cat admin.json                                                       
{
 "listen": ":2019",
 "origins": ["secret.admin.too"],
 "enforce_origin": true

}
test> curl -X PATCH -H'Content-Type: application/json'  http://172.21.20.8:2019/config/admin -d @admin.json
test> curl http://172.21.20.8:2019/config/ |jq                                                             
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    59  100    59    0     0    275      0 --:--:-- --:--:-- --:--:--   275
{
  "error": "client is not allowed to access from origin ''"
}

## No access 

test> curl -X GET -H'Content-Type: application/json' -H'Origin: secret.admin.too'  http://172.21.20.8:2019/config
{"error":"client is not allowed to access from origin 'secret.admin.too'"}
test> 

## didn't work :(


I notice … that “secret.admin.too” is stored as “//secret.admin.too” on autosave.json.

curl -X GET -H'Content-Type: application/json' -H'Origin: //secret.admin.too'  http://172.21.20.8:2019/config

#Works !! :)

That’s weird, doesn’t happen for me when I use your exact config and steps shown above:

╔[matt@shadowfax:~/.config/caddy]
╚>$ cat autosave.json 
{"admin":{"enforce_origin":true,"listen":":2019","origins":["secret.admin.too"]}}

You probably see //secret.admin.too in the log output:

INFO    admin   admin endpoint started  {"address": "tcp/:2019", "enforce_origin": true, "origins": ["//secret.admin.too"]}

and that is normal/expected. The Origin header value is actually supposed to include a scheme by spec (but Caddy allows you to omit it for convenience to allow any scheme), so the origin is parsed as a URL, and when stringified, it prints // to separate scheme (empty) and host.

So, your request is invalid:

-H'Origin: secret.admin.too'

it must include either http:// or https://:

-H'Origin: https://secret.admin.too'

Please see the Origin header docs:

Notice that only a port is optional. Scheme is required.
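The parsing behaviour described in this reply, written out as an added Go example that is not Caddy's own code: it assumes a hypothetical `parseAllowedOrigin`/`originAllowed` pair in which a configured origin without a scheme is prefixed with `//` before `url.Parse` (so it lands in `Host`, stringifies as `//secret.admin.too` and matches any scheme), while a request's `Origin` header is parsed as given, so a bare `secret.admin.too` ends up in `Path` with an empty host and is rejected.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Origin is the parsed form of one configured allowed origin.
// An empty Scheme means "any scheme" (the convenience the reply describes).
type Origin struct {
	Scheme string
	Host   string // host or host:port
}

// parseAllowedOrigin (hypothetical, not Caddy's code) treats a configured
// origin lacking "://" as "//host", so url.Parse places the value in Host
// rather than Path. Stringifying that URL yields "//host", which is why the
// log shows "//secret.admin.too" for a config that says "secret.admin.too".
func parseAllowedOrigin(s string) (Origin, string, error) {
	if !strings.Contains(s, "://") {
		s = "//" + s
	}
	u, err := url.Parse(s)
	if err != nil {
		return Origin{}, "", err
	}
	return Origin{Scheme: u.Scheme, Host: u.Host}, u.String(), nil
}

// originAllowed (hypothetical) checks a request's Origin header value against
// the allowed list. The header is parsed as sent: "secret.admin.too" has no
// scheme and no "//", so url.Parse puts it in Path, Host is empty, and the
// request is refused. "https://secret.admin.too" parses with a Host and matches.
func originAllowed(header string, allowed []Origin) bool {
	u, err := url.Parse(header)
	if err != nil || u.Host == "" {
		return false // not a well-formed origin: no host component
	}
	for _, a := range allowed {
		if a.Host != u.Host {
			continue
		}
		if a.Scheme == "" || a.Scheme == u.Scheme {
			return true
		}
	}
	return false
}

func main() {
	// Configured value taken from the thread's admin.json.
	o, printed, err := parseAllowedOrigin("secret.admin.too")
	if err != nil {
		panic(err)
	}
	fmt.Printf("configured origin parses as %+v and prints as %q\n", o, printed)

	// Constructed sample Origin header values, including the two from the thread.
	for _, h := range []string{
		"secret.admin.too",         // the failing request: no scheme
		"https://secret.admin.too", // the form the reply asks for
		"//secret.admin.too",       // parses with a host, so this matcher accepts it
		"https://evil.example",     // wrong host
	} {
		fmt.Printf("Origin: %-28q allowed=%v\n", h, originAllowed(h, []Origin{o}))
	}
}
```

A scheme-specific entry such as `https://secret.admin.too` keeps its scheme after parsing, so under this matcher it would reject an `http://` request for the same host; only the scheme-less configured form is scheme-agnostic. Browsers always send a scheme in `Origin`, so the `//secret.admin.too` header form only ever comes from hand-crafted requests like the `curl` above.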

It makes sense!
Thanks for your quick answer.
