Reverse proxy backend redirects losing https

I am a novice at configuring webservers so hopefully my question makes sense.

I am trying to configure Caddy with some self-signed certificates so that my backend CherryPy servers operate in HTTP mode, while Caddy handles all the HTTPS stuff. It works for the most part, however whenever there is a URL where the backend CherryPy does a redirect, it loses the https scheme in the URL, and the browser complains with ERR_INVALID_HTTP_RESPONSE.

Directly accessing pages with or without https in the URL works just fine. Only when pages perform a redirect does this happen.

For example:
10.0.0.5:56888/faq and https://10.0.0.5:56888/faq both load the https page

https://10.0.0.5:56888/redirectsrc loads http://10.0.0.5:56888/redirecttarget (ERR_INVALID_HTTP_RESPONSE)

I’ve tried stripping down my Caddyfile to be as simple as possible, and I still see this problem with this:

*:56888
tls /ssl-test/domain.crt /ssl-test/domain.key {
}
errors /tmp/caddy_error.txt
log / /tmp/caddy_logs.txt "{upstream} {common}"
proxy / 127.0.0.1:30041 {
  transparent
  except /roundrobin
}
proxy /roundrobin 127.0.0.1:30042 127.0.0.1:30043 {
  transparent
}

Hi @ayyrex, welcome to the Caddy community!

Your question makes a lot of sense; it’s pretty common around here to see people wrangling with unruly upstream servers.

I wish I had a better answer for you, though… Ultimately if the upstream server is sending a redirect to HTTP on an HTTPS port, and your browser is following it, you’re going to get an error every time.

Realistically, your only viable solution is to fix the upstream server to send scheme-agnostic redirects. I’m not familiar with cherrypy, so I’m not sure if that’s viable or not.

Theoretically you could also break redirects by having Caddy strip the location header out of upstream responses, or you could leave the whole site on HTTP, but both of those don’t sound like good solutions.

That’s actually quite helpful. I was thinking that I had configured Caddy incorrectly or that it was unsuitable for my task. I’ll take a look at the upstream server configuration to see what’s going on in there.

What Caddy directive should I be looking into to strip out the location header? I might experiment with that as well.

Thank you so much!

Stripping out the location header can be done universally for the entire proxy and will almost definitely break all redirects. Per the docs:

  • header_upstream sets headers to be passed to the backend. The field name is name and the value is value. This option can be specified multiple times for multiple headers, and dynamic values can also be inserted using request placeholders. By default, existing header fields will be replaced, but you can add/merge field values by prefixing the field name with a plus sign (+). You can remove fields by prefixing the header name with a minus sign (-) and leaving the value blank.
  • header_downstream modifies response headers coming back from the backend. It works the same way header_upstream does.

https://caddyserver.com/docs/proxy

Since we want to strip it out of the response back to the client, you’d want to use the subdirective header_downstream -Location inside the brackets of your proxy block, which will simply remove the header entirely.
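
A small check for the failure discussed in this thread, as an added example that is not part of any post and not Caddy or CherryPy code: it classifies an upstream Location header against the URL the client requested and returns the scheme-agnostic form that would survive the proxy. The function name and verdict strings are assumptions of this example; the first sample pair uses the URLs from the question and the rest are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


def check_redirect(request_url, location):
    """Classify an upstream Location header against the URL the client asked for.

    Returns (verdict, suggested_location). Function name and verdict strings
    are this example's own, not part of Caddy or CherryPy.
    """
    req = urlsplit(request_url)
    loc = urlsplit(location)

    # No scheme ("/path", "path" or "//host/path"): the browser inherits the
    # scheme of the request, so https survives the proxy.
    if not loc.scheme:
        return "scheme-agnostic", location

    same_host = loc.netloc.lower() == req.netloc.lower()
    if same_host and req.scheme == "https" and loc.scheme == "http":
        # The case from the thread: plain http aimed at the TLS listener.
        # Collapse leading slashes so the suggestion can never be read as a
        # protocol-relative URL pointing at another host.
        path = "/" + loc.path.lstrip("/")
        return "downgrade", urlunsplit(("", "", path, loc.query, loc.fragment))

    if same_host and loc.scheme == req.scheme:
        return "same-origin", location
    return "other-host", location


# Constructed samples: the first pair is the failing redirect from the question.
SAMPLES = [
    ("https://10.0.0.5:56888/redirectsrc", "http://10.0.0.5:56888/redirecttarget"),
    ("https://10.0.0.5:56888/redirectsrc", "/redirecttarget"),
    ("https://10.0.0.5:56888/redirectsrc", "https://10.0.0.5:56888/faq"),
    ("https://10.0.0.5:56888/redirectsrc", "http://127.0.0.1:30041/redirecttarget"),
]

if __name__ == "__main__":
    for request_url, location in SAMPLES:
        verdict, suggestion = check_redirect(request_url, location)
        print(f"{verdict:16} {location} -> {suggestion}")
```

A "downgrade" verdict is the redirect that produces ERR_INVALID_HTTP_RESPONSE here; an "other-host" verdict on a backend address means the upstream is leaking its internal listener into responses.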