Reverse proxy not maintaining URL

I’m using Caddy to reverse proxy a URL in place of another (TL;DR: using Cloud Foundry, which binds apps to URLs, and I need to use a different domain in addition to the one the Cloud Foundry app uses). Let’s say the URL I want Caddy to serve is some.address.com and I want to reverse proxy to the app located at other.address.io. The other.address.io app redirects to a /login page if the user is not authenticated. What I expect to happen is the user goes to some.address.com and is redirected to some.address.com/login. What is actually happening is they are being taken straight to other.address.io/login no matter what, even if they are authenticated. Is there something up with my config or am I trying to do this reverse proxy incorrectly? I’m using Caddy 0.9.4 at the moment if that makes a difference. Thanks for any help.

Here is my config:

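http://some.address.com {
    # Send plain-HTTP requests to the HTTPS site, keeping the requested URI
    redir https://some.address.com{uri}
    # The opening brace of a directive block must end the directive's line
    log /var/log/access.log {
        rotate {
            size 100
            age 14
            keep 10
        }
    }
}
https://some.address.com {
    tls {
        max_certs 10
    }
    # Proxy everything to the Cloud Foundry app, sending the app's own name as Host
    proxy / other.address.io {
        header_upstream Host other.address.io
    }
    log /var/log/access.log {
        rotate {
            size 100
            age 14
            keep 10
        }
    }
}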

Hello …

It sounds like there’s a redirect being sent to the browser when requesting https://some.address.com - let’s find out where this is coming from. Can you paste the output from the following:

curl -I https://some.address.com/

Specifically the “Server” header will give a hint as to what is responsible for sending the redirect.

Cheers,

Bob.

Hi Bob, here’s what I get when I curl it. I’m thinking something in the web application is doing the redirect. Although oddly enough, when I curl other.address.io directly I go directly to the page.

HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Length: 0
Date: Sun, 20 Aug 2017 03:10:40 GMT
Expires: 0
Location: http://other.address.io/login
Pragma: no-cache
Server: Caddy
Set-Cookie: __VCAP_ID__=eeb549c9-e7cd-46f0-558e-21a245ea2ee2; Path=/; HttpOnly
Set-Cookie: JSESSIONID=B211E4F66D2386E614922C3F440D8DC9;path=/;HttpOnly
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: a230fb06-c0b3-49d4-64a0-681c33a6d928
X-Xss-Protection: 1; mode=block
Content-Type: text/plain; charset=utf-8

When I curl other.address.io/login, I get the following:

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Content-Language: en-US
Content-Type: text/html;charset=UTF-8
Date: Sun, 20 Aug 2017 03:18:29 GMT
Expires: 0
Pragma: no-cache
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
X-Application-Context: webapp:cloud:0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Vcap-Request-Id: 0b1cf27a-d1e5-482a-76fa-b696c47711af
X-Xss-Protection: 1; mode=block
transfer-encoding: chunked
Connection: keep-alive

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
...
</html>

Looks like your app at other.address.io is not proxy-aware - it doesn’t know it’s being accessed via some.address.com.

This means that whenever it redirects a client to authenticate themselves, it does so canonically (i.e. to the other.address.io URL). You can assume it will have this behaviour for any redirects, if this logic is consistent throughout the app.

You will need to modify the application to either redirect relatively (i.e. sending Location: /login instead, letting the browser fill in the blank domain name) or based on the host it was accessed from (you’ll need to change your header_upstream Host or set some other header for the app to use to tell what domain is being requested, in that case).

Thanks for the answers. I had to change some settings on the Cloud Foundry side to accept routing from some.address.com, then changed my Caddyfile to use the transparent directive instead of header_upstream Host other.address.io so that traffic would be forwarded with some.address.com in the header.

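The two application-side options from the thread (a relative Location, or one built from the host the proxy forwards) are sketched below as an added example; it is not code from the thread or from the application discussed. The function names, the allow-list and the sample request headers are assumptions, and the allow-list is an added safeguard because a forwarded Host value is client-influenced.

```python
# Added example: how a proxied app can build its login redirect.
# Hostnames are the thread's; ALLOWED_HOSTS and all function names are assumptions.
ALLOWED_HOSTS = {"some.address.com", "other.address.io"}
CANONICAL_HOST = "other.address.io"


def canonical_redirect(path):
    """Behaviour seen in the thread: Location always names the app's own host."""
    return f"http://{CANONICAL_HOST}{path}"


def relative_redirect(path):
    """Option 1: send only a path so the browser stays on the host it used."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("redirect target must be a local absolute path")
    return path


def host_based_redirect(headers, path, from_trusted_proxy):
    """Option 2: absolute URL built from the Host the proxy forwarded.

    Forwarded values are client-influenced, so the host is checked against an
    allow-list and X-Forwarded-Proto is honoured only from a trusted proxy.
    """
    host = headers.get("Host", "").strip().lower()
    scheme = "http"
    if from_trusted_proxy and headers.get("X-Forwarded-Proto") in ("http", "https"):
        scheme = headers["X-Forwarded-Proto"]
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST  # unknown Host: fall back, never echo it back
    return f"{scheme}://{host}{relative_redirect(path)}"


# Constructed upstream request headers for the two proxy configurations.
WITH_HOST_OVERRIDE = {"Host": "other.address.io"}  # header_upstream Host other.address.io
WITH_TRANSPARENT = {"Host": "some.address.com", "X-Forwarded-Proto": "https"}
UNKNOWN_HOST = {"Host": "unknown.example", "X-Forwarded-Proto": "https"}

if __name__ == "__main__":
    print(canonical_redirect("/login"))
    print(relative_redirect("/login"))
    for hdrs in (WITH_HOST_OVERRIDE, WITH_TRANSPARENT, UNKNOWN_HOST):
        print(host_based_redirect(hdrs, "/login", from_trusted_proxy=True))
```

With the original Host override the app still sees other.address.io and redirects there; only when the proxy forwards some.address.com does the host-based redirect stay on the public name.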