3. The problem I’m having:
I am using Thinfinity Remote Desktop server VPN. When the firewall is configured to forward the requests for vpn.domain.com to the PC running the VPN software, it works perfectly. When I instead forward the requests to the machine running Caddy, users accessing the login page see another user's session. This is of course a big security issue, since anyone accessing the VPN domain can see another random user's session, already authenticated and ready to go.
4. Error messages and/or full log output:
5. What I already tried:
I've tried different versions of Caddy, including updating today to 2.1.1. I've tried adding some extra header_up options. I tried remaking the config file from scratch with only the one site and no extra options.
That should be in 2d, not 2c. That is my current Caddyfile I'm trying to use. I can't post the actual domain due to the mentioned security issue, where anyone clicking on it could see another authenticated user's session.
I’m not even sure how Caddy could be mucking this up for you. It should be faithfully passing on pretty much everything from the client.
Do you know how the upstream software assigns its sessions? By cookie? I hope it's not keying off remote IP (i.e. not X-Forwarded-For) and just giving the next user the session from the user most recently logged in, since it's behind a proxy. Is there a pattern?
Thanks for the reply. I do not know how it determines sessions. That is a great point. I will try to contact the developers and see if I can get some information on that. We have a couple of dozen people logged in at any one time, and when I tried to use Caddy, accessing the site showed me another user's session, and I would be able to access resources as that user instead of seeing the login page. I could then click on logout and be redirected to the login page and then use it, but if someone else accessed the page they could potentially see my session or another logged-in user's.
If the viewed session is always the one most recently activated (i.e. logged in), that would be consistent with an upstream server treating all connections from downstream (i.e. Caddy) as a single session. Possibly based on remote IP?
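The failure mode discussed in this thread, modelled as an added example (not code from Thinfinity, Caddy, or anyone in the thread): an upstream that keys sessions on the TCP peer address sees every client behind the proxy as one address, so a fresh visitor inherits the last login; a random cookie token keeps sessions separate. The proxy IP, client IPs and user names are constructed.

```python
import secrets
from dataclasses import dataclass, field

PROXY_IP = "10.0.0.5"  # constructed: the address the reverse proxy connects from


@dataclass
class Request:
    remote_addr: str                 # TCP peer as the upstream sees it
    headers: dict
    cookies: dict = field(default_factory=dict)


class IpKeyedSessions:
    """Broken behind a proxy: session identity is the peer address."""
    def __init__(self):
        self.sessions = {}

    def login(self, req, user):
        self.sessions[req.remote_addr] = user   # every proxied client shares one key

    def current_user(self, req):
        return self.sessions.get(req.remote_addr)


class CookieKeyedSessions:
    """Proxy-safe: session identity is an unguessable token stored in a cookie."""
    def __init__(self):
        self.sessions = {}

    def login(self, req, user):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def current_user(self, req):
        return self.sessions.get(req.cookies.get("sid"))


def via_proxy(client_ip, cookies=None):
    """Model the proxy hop: new connection from PROXY_IP, client IP only in a header."""
    return Request(PROXY_IP, {"X-Forwarded-For": client_ip}, cookies or {})


def simulate(store_cls):
    """Alice logs in through the proxy; Bob then opens the login page with no cookie."""
    store = store_cls()
    token = store.login(via_proxy("203.0.113.10"), "alice")
    alice_again = via_proxy("203.0.113.10", {"sid": token} if token else {})
    bob = via_proxy("203.0.113.20")
    return {"alice_sees": store.current_user(alice_again),
            "bob_sees": store.current_user(bob)}
```

With the IP-keyed store Bob is handed Alice's session, which is the symptom reported above; with the cookie-keyed store he sees none.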