I am using Caddy to terminate SSL, with reverse_proxy. Caddy adds a Server header to the response. But the response from the upstream already has a Server header. Which means I now have two Server headers. I would like to remove just the Caddy Server header.
2. Error messages and/or full log output:
I looks like I can only remove both Server headers at once. Am I missing something?
Or is is perhaps possible to join the two headers so I can use a replace to clean up?
Ah, good. Well, if you advise against using Caddy on Ubuntu because of that, I should perhaps take a look at Nginx to see if that will do the SSL-termination job for me.
It’s not a hobby… What I really need is LTS, much more so than the absolute latest and greatest version of all of the software I’m using.
Maybe I should consider using X-Server in the upstreams. Then I can remove the Server header and will be left with what I need. It’s not pretty but it’s a possibility.
That is if there is no way to remove just the Caddy Server header. Nobody said it yet, but I gather that is the answer: Can’t.
Nobody advised this. We’re telling you use Caddy’s official repository, as listed on the Caddy official documentation, which is linked by @techjedialex. The package provided by Debian/Ubuntu is not always up to date. Ours (official Caddy repository) is always up to date.
That’s false. As I already said, upgrade Caddy to latest and you’ll see it using the Via header while keeping the Server header from upstream.
Is there a placeholder that will give me de value of the Server header from the upstream response? All I could find was {http.response.header.Server"} but that is not the one from the upstream. It just gives me “Caddy”.
I think I could do something if such a placeholder exists.
To further elaborate, the person that added Caddy to Debian has not at all maintained it since, and never got in contact with us in the first place. We’re extremely annoyed about this, because it causes users like you to get misled to use an old broken version of Caddy which we have no control over. DO NOT use that version, DO use the apt repo in our official docs.
That is indeed a sad state of things… and exactly why I said I should perhaps look at other ways to implement my use case.
Of course I can follow you suggestion. But do I want to? Do I need to? How does that work with regard to LTS? You say you only support the latest version of Caddy. What about security patches, upgrades, handling breaking changes? People use software distributions for a reason. I may not be in a position or have the means or priorities to take care of all that…
Which is why it would be so much more useful if the Caddy was properly maintained in popular software distributions. Maybe this list, which has contact information for the maintainers, is of use:
… while I consider my options, that is.
Question in this context:
If I follow your recipe will it break my current installation? Will I perhaps have to uninstall and reinstall? Or will an apt-get upgrade just upgrade me to the latest version and maybe only require a few minor tweaks to my Caddyfile?
No, in fact the opposite, it will fix your installation. Using our official installation method is obviously what you should be doing. We do not support the outdated debian package. You will get regular updates via our apt repo, it shadows and replaces the debian package since they share the same name.
We don’t do LTS.
We do not patch old versions, we only release new versions. So you must use the latest to keep up on security patches.
We are careful to avoid breaking changes, but you can watch the release notes on Github for any alerts about that should they happen (they are relatively rare).
Anyway, this thread prompted me to go yell at Debian maintainers about this because they’ve caused us enough grief from complaints like this that are out of our control https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1110530. It’ll probably land on deaf ears though.
Their way of dealing with Caddy may very well have been chosen as a consequence of your choice to only support the latest version. Is what I’m thinking…
Anyway, thanks for trying again. I too contacted Canonical about this problem, by the way.
(But at the moment Caddy is smoothly terminating SSL for me.)
And the status quo will have to serve for my own choices in this…
No, there was just no choice made. There’s nobody actually maintaining it. It was just one guy who set it up, and it’s been left as-is since.
The fact is, Debian’s policies regarding packaging Go apps is really messy. They decided they have to package every single Go subdependency as separate deb packages so they can build the final program. That’s obviously ridiculous considering the amount of transient dependencies Caddy happens to have, mostly because packages we depend on for small subsets of their functionality happen to also be full apps of their own right, (like smallstep which is a whole CA toolkit, we only use the library APIs of it, but it pollutes the Go dependency chain due to how Go modules work).
You also need to realize we’re a small team, all of us volunteers with full time jobs, aside from Matt who has his time funded via sponsorships. We don’t have time to maintain multiple release branches, so we only support the latest, unless a sponsor specifically requests a branch is maintained for them for their own technical reasons.
Caddy is constantly improving, it’s really in your best interest to use the latest version via our official installation method, to get security fixes and latest features and optimizations, in also keeping up with integrations with services like Let’s Encrypt.
Maybe, with your limited resources, you could still afford to run two branches. One stable and one hot. Where the stable package only gets urgent (security) fixes. And regularly (say anually, perhaps after a bit of a freeze) you merge the current hot branch to this stable branch.
I think offering that may help you in your goal of more adoption outside of the hobby sphere. It would probably also help you when talking to the big(ger) software distributions. Stability is obviously a major consideration for them.
I for one, would also be more inclined to use that than what you are currently offering.
That already exists. The “master” branch is “hot” and releases which happen a couple of times a year are “stable”. I understand this doesn’t match your understanding of what stable may be coming from debian, but it matches my understanding as somebody that doesn’t use debian specifically because it’s way too out of date for me.
