Protect admin endpoint

Hi Guys,
I’m trying to protect “admin” api without any success.

  1. Caddy version (v2.4.6) | docker

My JSON config from api


Admin/Config endpoint is not protected.
(Basicauth could be a perfect fit… but not available).


That’s odd, that used to work. Something must have changed recently.

Fixed here (and refactored some things while I was at it, since the logic could be cleaned up):

I still have an issue; the new commit works partially.

test> cat admin.json
{
  "listen": ":2019",
  "origins": ["secret.admin.too"],
  "enforce_origin": true
}

test> curl -X PATCH -H'Content-Type: application/json' -d @admin.json
test> curl |jq                                                             
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    59  100    59    0     0    275      0 --:--:-- --:--:-- --:--:--   275
  "error": "client is not allowed to access from origin ''"

## No access 

test> curl -X GET -H'Content-Type: application/json' -H'Origin: secret.admin.too'
{"error":"client is not allowed to access from origin 'secret.admin.too'"}

## didn't work :(

I notice … that “secret.admin.too” is stored as “//secret.admin.too” in autosave.json.

curl -X GET -H'Content-Type: application/json' -H'Origin: //secret.admin.too'

#Works !! :)

That’s weird, doesn’t happen for me when I use your exact config and steps shown above:

╚>$ cat autosave.json 

You probably see //secret.admin.too in the log output:

INFO    admin   admin endpoint started  {"address": "tcp/:2019", "enforce_origin": true, "origins": ["//secret.admin.too"]}

and that is normal/expected. The Origin header value is actually supposed to include a scheme by spec (but Caddy allows you to omit it for convenience to allow any scheme), so the origin is parsed as a URL, and when stringified, it prints // to separate scheme (empty) and host.

So, your request is invalid:

-H'Origin: secret.admin.too'

it must include either http:// or https://:

-H'Origin: https://secret.admin.too'

Please see the Origin header docs:

Notice that only a port is optional. Scheme is required.
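To make the reply above concrete, here is a small Go program (added here as an illustration, modelled on the behaviour described in this thread, not Caddy's own source) that parses an allowlist entry and an Origin header the same way: a configured origin without a scheme is stored as a URL with an empty scheme and stringifies as `//secret.admin.too`, while a request header of `secret.admin.too` parses with an empty host and is rejected. The function names `parseAllowedOrigin` and `originAllowed` are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// parseAllowedOrigin turns one configured origin into a URL (example code,
// not Caddy's). A value without a scheme ("secret.admin.too") is kept with an
// empty scheme and only the host set, so it matches any scheme. That URL
// stringifies as "//secret.admin.too": the "//" separates the (empty) scheme
// from the host, which is the form seen in autosave.json and the log line.
func parseAllowedOrigin(s string) (*url.URL, error) {
	if !strings.Contains(s, "://") {
		return &url.URL{Host: s}, nil
	}
	u, err := url.Parse(s)
	if err != nil {
		return nil, fmt.Errorf("parsing origin %q: %w", s, err)
	}
	// Only scheme and host are meaningful for an origin comparison.
	u.Path, u.RawPath, u.RawQuery, u.Fragment = "", "", "", ""
	return u, nil
}

// originAllowed applies the allowlist to a raw Origin header value.
// The header is parsed as a URL: a bare hostname such as "secret.admin.too"
// lands in Path with an empty Host and is rejected, while
// "https://secret.admin.too" (or the scheme-relative "//secret.admin.too")
// yields Host "secret.admin.too" and matches an entry for that host.
func originAllowed(allowed []*url.URL, originHeader string) bool {
	origin, err := url.Parse(originHeader)
	if err != nil || origin.Host == "" {
		return false
	}
	for _, a := range allowed {
		// An allowlist entry that pins a scheme must match it exactly.
		if a.Scheme != "" && a.Scheme != origin.Scheme {
			continue
		}
		if a.Host == origin.Host {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample: the allowlist from the thread.
	entry, err := parseAllowedOrigin("secret.admin.too")
	if err != nil {
		panic(err)
	}
	allowed := []*url.URL{entry}
	fmt.Printf("stored allowlist entry: %s\n", entry) // //secret.admin.too

	for _, hdr := range []string{
		"",                          // no Origin header at all
		"secret.admin.too",          // scheme missing: rejected
		"//secret.admin.too",        // scheme-relative: accepted
		"https://secret.admin.too",  // spec-conformant: accepted
		"https://other.example:2019", // different host: rejected
	} {
		fmt.Printf("Origin %-28q allowed=%v\n", hdr, originAllowed(allowed, hdr))
	}
}
```

Running it reproduces the error path from the thread: the bare hostname is refused, while the header carrying a scheme is accepted against the scheme-less allowlist entry.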

It makes sense!
Thanks for your quick answer.
