1. The problem I’m having:
We’re trying to set up a reverse proxy for images in order to prevent sourcing images from remote hosts and to filter out SVG images, to follow the CASA security requirement.
We want to do something like:
https://img.mydomain.io/domain.com/path/to/example.svg
→ 403
https://img.mydomain.io/www.gravatar.com/avatar/4462f80994d1518a3b30b324df958bd5?d=404&s=400
→ reverse_proxy www.gravatar.com/avatar/4462f80994d1518a3b30b324df958bd5?d=404&s=400
→ content

What we tried so far (Caddyfile below) is configuring Caddy to reverse proxy to https://www.gravatar.com, so for example requesting https://img.mydomain.io/avatar/4462f80994d1518a3b30b324df958bd5?d=404&s=400 will display the image, but the @png matcher, where we check the Content-Type and block the image if it is image/png, didn’t work: the image was still displayed. I checked with curl -I https://img.mydomain.io/avatar/4462f80994d1518a3b30b324df958bd5?d=404&s=400 and the Content-Type header was indeed image/png (our real case is that we want to block SVG; we are just testing with an available PNG URL).
2. Caddy version:
v2.8.4
3. How I installed and ran Caddy:
Installed from the APT repository following the official docs (Install — Caddy Documentation); we run it with systemd.
a. System environment:
Ubuntu 22.04 LTS, Linux kernel 5.15.0-124-generic, x86_64, systemd 249
b. Command:
systemctl start caddy
d. My complete Caddy config:
https://img.mydomain.io {
	route /avatar/* {
		@png {
			header Content-Type image/png
		}
		handle @png {
			respond "Access Denied" 403
		}
		reverse_proxy https://www.gravatar.com {
			header_up Host www.gravatar.com
			header_up X-Forwarded-Host {host}
		}
	}
}
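As an added example (editor's note, not part of the original post): the `header` matcher used for `@png` above is a request matcher, so it inspects the headers the client sends to img.mydomain.io and never sees the Content-Type that gravatar returns. Upstream response headers can only be matched with a response matcher declared inside the `reverse_proxy` block and acted on with `handle_response`. The Caddyfile below assumes the same site, path and upstream as the post; the matcher name `@svg` and the `image/svg*` pattern (which covers `image/svg+xml` with or without parameters) are the editor's choices.

```caddyfile
https://img.mydomain.io {
	route /avatar/* {
		reverse_proxy https://www.gravatar.com {
			# {upstream_hostport} resolves to www.gravatar.com here; it is the
			# documented placeholder for setting Host when proxying to HTTPS upstreams.
			header_up Host {upstream_hostport}
			header_up X-Forwarded-Host {host}

			# Response matcher: tests the Content-Type the upstream actually sent.
			# Trailing * is Caddy's suffix wildcard, so image/svg+xml and
			# image/svg+xml; charset=utf-8 both match.
			@svg header Content-Type image/svg*

			# Intercept matching responses. The upstream body is discarded unless
			# copy_response is used, so the SVG bytes never reach the client.
			handle_response @svg {
				respond "Access Denied" 403
			}
		}
	}
}
```

Verify with `curl -I` against a URL that returns an SVG and expect a 403, while the PNG test URL from the post continues to return 200 with image/png. Two caveats a reviewer would raise: Content-Type is whatever the upstream chooses to send, so this control is only as good as the upstream's labelling, and Caddy's response matchers do not inspect the body, so a CASA control that needs body-level assurance still needs something that sniffs the leading bytes. Also, the `/domain.com/path` scheme sketched at the top of the post means the upstream host is chosen by the caller; without an explicit allowlist of upstream hosts that turns img.mydomain.io into an open proxy.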