Stuck with changing redir to proxy

1. The problem I’m having:

Hi, because I would like to hide credentials inside URL params, I tried to change redir (which works with the config posted below) to reverse_proxy, but with no success. What am I doing wrong? Any response that will kick me in the right direction is appreciated a lot :slight_smile:

Bob:admin@172.20.10.22:11000?receiver=999999999&smstext=hello&report=1

4. How I installed and ran Caddy:

c. Service/unit/compose file:

version: '3.3'

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
    ports:
      - 11000:80
      - 2019:2019
    networks:
      - default

networks:
  default:
    driver: bridge
    ipam:
      driver: default
      config:
        - subnet: 172.30.169.0/24

d. My complete Caddy config:

Using redir works:

{
    admin :2019
}

:80 {
	log
	skip_log /health

	handle /health {
		respond 200
	}

	route {
		basicauth {
			# admin pass
			Bob $2a$14$bIpj.rzTSiXPQb7bdqv13.3LgpX5xc/nFuDLBRnhlUfpJGzD9NXgS
		}

		redir https://aweg.t-mobile.cz:443{uri}&auth=:
	}
}

Logs:

proxy-caddy-1  | 2024-03-06T23:09:03.123457536Z {"level":"info","ts":1709766543.123074,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
proxy-caddy-1  | 2024-03-06T23:09:03.124778526Z {"level":"warn","ts":1709766543.1247246,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
proxy-caddy-1  | 2024-03-06T23:09:03.125547135Z {"level":"info","ts":1709766543.1255016,"logger":"admin","msg":"admin endpoint started","address":":2019","enforce_origin":false,"origins":["//:2019"]}
proxy-caddy-1  | 2024-03-06T23:09:03.125551787Z {"level":"warn","ts":1709766543.1255202,"logger":"admin","msg":"admin endpoint on open interface; host checking disabled","address":":2019"}
proxy-caddy-1  | 2024-03-06T23:09:03.125704085Z {"level":"warn","ts":1709766543.1256318,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
proxy-caddy-1  | 2024-03-06T23:09:03.125830843Z {"level":"info","ts":1709766543.1257858,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004b8980"}
proxy-caddy-1  | 2024-03-06T23:09:03.126696743Z {"level":"info","ts":1709766543.12624,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
proxy-caddy-1  | 2024-03-06T23:09:03.126701108Z {"level":"info","ts":1709766543.1264043,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
proxy-caddy-1  | 2024-03-06T23:09:03.126702842Z {"level":"info","ts":1709766543.1264107,"msg":"serving initial configuration"}
proxy-caddy-1  | 2024-03-06T23:09:03.127625622Z {"level":"info","ts":1709766543.1272583,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
proxy-caddy-1  | 2024-03-06T23:09:03.127629753Z {"level":"info","ts":1709766543.1275725,"logger":"tls","msg":"finished cleaning storage units"}
proxy-caddy-1  | 2024-03-06T23:09:44.004152808Z {"level":"error","ts":1709766584.0039504,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.64.255","remote_port":"61307","client_ip":"172.18.64.255","proto":"HTTP/1.1","method":"GET","host":"172.20.10.22:11000","uri":"/?receiver=607690844&smstext=Foo&report=1","headers":{"Connection":["keep-alive"],"User-Agent":["PostmanRuntime/7.36.3"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Postman-Token":["98faa423-174e-45ef-a79e-4d5ad9300d85"],"Accept-Encoding":["gzip, deflate, br"]}},"bytes_read":0,"user_id":"","duration":0.000175151,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
proxy-caddy-1  | 2024-03-06T23:09:53.959489214Z {"level":"info","ts":1709766593.9593055,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.64.255","remote_port":"61307","client_ip":"172.18.64.255","proto":"HTTP/1.1","method":"GET","host":"172.20.10.22:11000","uri":"/?receiver=607690844&smstext=Foo&report=1","headers":{"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"Authorization":[],"User-Agent":["PostmanRuntime/7.36.3"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Postman-Token":["f10fd3bc-3591-4729-a801-dc222607e6b0"]}},"bytes_read":0,"user_id":"Bob","duration":0.877850188,"size":0,"status":302,"resp_headers":{"Location":["https://aweg.t-mobile.cz:443/?receiver=607690844&smstext=Foo&report=1&auth="],"Content-Type":[],"Server":["Caddy"]}}

My not working attempt to change it to reverse_proxy:

{
    admin :2019
}

:80 {
	log
	skip_log /health

	handle /health {
		respond 200
	}

	route {
		basicauth {
			# admin pass
			Bob $2a$14$bIpj.rzTSiXPQb7bdqv13.3LgpX5xc/nFuDLBRnhlUfpJGzD9NXgS
		}

		rewrite {uri}&auth=
		reverse_proxy https://aweg.t-mobile.cz:443
	}
}

Logs:

proxy-caddy-1  | 2024-03-06T23:19:52.571367911Z {"level":"info","ts":1709767192.5708518,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
proxy-caddy-1  | 2024-03-06T23:19:52.572131638Z {"level":"warn","ts":1709767192.5720925,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
proxy-caddy-1  | 2024-03-06T23:19:52.572812593Z {"level":"info","ts":1709767192.572775,"logger":"admin","msg":"admin endpoint started","address":":2019","enforce_origin":false,"origins":["//:2019"]}
proxy-caddy-1  | 2024-03-06T23:19:52.572816497Z {"level":"warn","ts":1709767192.5727894,"logger":"admin","msg":"admin endpoint on open interface; host checking disabled","address":":2019"}
proxy-caddy-1  | 2024-03-06T23:19:52.573020457Z {"level":"warn","ts":1709767192.5729144,"logger":"http.auto_https","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv0","http_port":80}
proxy-caddy-1  | 2024-03-06T23:19:52.573024881Z {"level":"info","ts":1709767192.5729926,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0004e0380"}
proxy-caddy-1  | 2024-03-06T23:19:52.573765807Z {"level":"info","ts":1709767192.5736394,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
proxy-caddy-1  | 2024-03-06T23:19:52.573823615Z {"level":"info","ts":1709767192.5737946,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
proxy-caddy-1  | 2024-03-06T23:19:52.573827061Z {"level":"info","ts":1709767192.5738046,"msg":"serving initial configuration"}
proxy-caddy-1  | 2024-03-06T23:19:52.574465429Z {"level":"info","ts":1709767192.5742824,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
proxy-caddy-1  | 2024-03-06T23:19:52.574470939Z {"level":"info","ts":1709767192.5744262,"logger":"tls","msg":"finished cleaning storage units"}
proxy-caddy-1  | 2024-03-06T23:19:58.743943421Z {"level":"info","ts":1709767198.7437723,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"172.18.64.255","remote_port":"61709","client_ip":"172.18.64.255","proto":"HTTP/1.1","method":"GET","host":"172.20.10.22:11000","uri":"/?receiver=607690844&smstext=Foo&report=1","headers":{"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"Authorization":[],"User-Agent":["PostmanRuntime/7.36.3"],"Accept":["*/*"],"Cache-Control":["no-cache"],"Postman-Token":["609f43ba-93a0-4047-9aca-14dcfc479da2"]}},"bytes_read":0,"user_id":"Bob","duration":0.986487807,"size":384,"status":200,"resp_headers":{"Last-Modified":["Fri, 16 Nov 2018 15:21:05 GMT"],"Etag":["W/\"5beee061-264\""],"Content-Encoding":["gzip"],"Date":["Wed, 06 Mar 2024 23:19:58 GMT"],"Server":["Caddy","nginx/1.14.0 (Ubuntu)"],"Content-Type":["text/html"]}}

I don’t understand what you’re trying to do. The description of your problem isn’t clear. Please elaborate.

My goal is to hide the T-Mobile SMS gateway (public internet URL) behind basic authentication, because the gateway software supports only one password, given as a URL param (I need to hide this auth URL param from the other connected systems).

I still don’t understand the goal. Please explain exactly what you need to happen on the request.

Basic auth uses the Authorization header. Are you trying to remove that header or something?

I don’t understand.

My goal:

systemA wants to send an SMS → Caddy (basic authentication) → request to the SMS gateway with an additional URL param carrying the credentials for the SMS gateway, which systemA should not know: ?auth=hidden_credential_username_for_systemA:hidden_credential_pass_for_systemA → response sent back to systemA without mentioning the URL param ?auth=hidden_credential_username_for_systemA:hidden_credential_pass_for_systemA

I’m still not sure I understand, I don’t find that explanation clear.

But I’m kinda getting the sense that you’re looking to rewrite the query part of the URL before proxying? Is that it?

If so, then you can do this:

rewrite ?{query}&auth=Bob:some-secret

The key is that ? is in the rewrite string to tell rewrite to change the query (and in this case, not touch the path because there’s nothing before the ?) and using {query} to preserve the existing query if any, appending the bit you want at the end.

So I found the problem: creating a proxy for this specific URL, https://aweg.t-mobile.cz

Caddyfile

:80, :443 {
	log
	route {
		reverse_proxy https://aweg.t-mobile.cz:443
	}
}

This code does not work. What am I missing?

I feel like you keep moving the goalpost. I don’t understand what you’re trying to achieve. You haven’t clearly explained what you want to do. I gave a suggestion, but you showed no evidence that you tried it, and you didn’t explain why my suggestion wouldn’t work for you if it doesn’t. Please use words. Explain. Help me to help you.

This doesn’t make sense – a single site block can only serve HTTP or HTTPS, not both. You’d need to split this up.

Either way, a :443 site address doesn’t really make sense because you need a TLS certificate for HTTPS. Caddy won’t know how to set up HTTPS if you don’t tell it a domain. Nor did you use the tls directive to give it an existing cert/key pair.

What do you mean “does not work”? What does that mean? I can’t read your mind. Elaborate. Tell me exactly the behaviour you’re seeing. Show your logs. Show evidence of the problem.

I have had the same goal since I started this thread. Make these lines work:

      rewrite {uri}&auth=
      reverse_proxy https://aweg.t-mobile.cz:443

Using redir as I wrote was working for me, but I need to change the redir approach to rewrite & then proxy, because I need to hide the SMS T-Mobile gateway auth URL param ?auth from systemA, systemB, systemC etc.

In the previous post you understood me clearly, I guess. Sorry for the missing response.

In summary, I am just trying to authenticate the request with basic authentication for systemA, systemB, systemC, then rewrite the request internally with an additional auth URL param (not known to systemA, systemB, systemC) ?auth=xy:xy, then send the request with this additional auth URL param via the proxy and return the response to systemA, …
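Putting this post's goal together with the `rewrite ?{query}&auth=...` suggestion given earlier in the thread, here is a complete Caddyfile as an added example; it is not a configuration from the thread or from the Caddy project. Assumptions: the user name `Bob` and the gateway host are taken from the thread, the bcrypt hash is a placeholder to be generated with `caddy hash-password`, and `gateway-user:gateway-secret` stands in for the real gateway credential. It keeps the thread's `route` block so the directives run exactly in the order written: authenticate first, then attach the gateway credential, then proxy. Note that the original `redir` version could never hide that value, because a redirect hands the whole target URL, `auth` included, back to the client in the `Location` header (visible in the 302 line of the first log above).

```caddyfile
{
	# Keep the admin API off the network: it is unauthenticated and can dump
	# or replace this config, secret included. The thread's `admin :2019`
	# plus `2019:2019` in compose exposed it on every host interface, which is
	# what the "admin endpoint on open interface" warning in the logs is about.
	admin localhost:2019
}

:80 {
	log

	handle /health {
		respond 200
	}

	# `route` preserves the written order, so the request is authenticated
	# before the gateway credential is appended to it.
	route {
		# Placeholder hash: generate a real one with `caddy hash-password`.
		basicauth {
			Bob <bcrypt-hash-from-caddy-hash-password>
		}

		# A leading `?` tells rewrite to change only the query; {query} keeps
		# whatever systemA sent (receiver, smstext, report) and the gateway
		# credential is appended. The value is a placeholder.
		rewrite ?{query}&auth=gateway-user:gateway-secret

		reverse_proxy https://aweg.t-mobile.cz {
			# The upstream nginx picks its server block by Host; send the
			# gateway's own name instead of the client's 172.20.10.22:11000.
			header_up Host {upstream_hostport}
			# systemA's basic-auth credentials stay inside Caddy; the gateway
			# only ever sees the injected ?auth= value.
			header_up -Authorization
		}
	}
}
```

Two checks before relying on this: send a request without credentials and confirm a 401 with no upstream round trip, then one as `Bob` and confirm the gateway's own response rather than the nginx welcome page. Leave the `debug` global option off wherever logs are retained: the `http.handlers.reverse_proxy` "upstream roundtrip" line prints the request as sent upstream (the later post's log shows it, including the `X-Forwarded-*` headers Caddy added), and with this rewrite in place that line would carry the `auth` value.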

If you need to rewrite the request to add another query param, then just do this, as I said:

I think the rewrite fixed by you (thank you!) will work, but I have not tested it yet because I am struggling with the simplified goal of just getting reverse_proxy to the mentioned SMS gateway working. I changed docker compose to:

Docker-compose:

version: '3.3'

services:
  caddy:
    image: caddy:latest
    restart: unless-stopped
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile
    network_mode: host

My Caddyfile looks like this:

{
    admin :2019
    debug
}

:11000 {
	log

	reverse_proxy http://aweg.t-mobile.cz:80
}

And the output when I access http://localhost:11000 is

<html>

<head>
    <title>Welcome to nginx!</title>
    <style>
        body {
            width: 35em;
            margin: 0 auto;
            font-family: Tahoma, Verdana, Arial, sans-serif;
        }
    </style>
</head>

<body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
        working. Further configuration is required.</p>

    <p>For online documentation and support please refer to
        <a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
        <a href="http://nginx.com/">nginx.com</a>.
    </p>

    <p><em>Thank you for using nginx.</em></p>
</body>

</html>

instead of:

<title>AWEG 3.14.3 http/s transport</title>
</head>
<body>This is AWEG SMS Gateway v3.14.3 by GTS Czech s.r.o.<br>
<i>There is nothing interesting for your browser here. You may want to see <a href='/profil'>Profil SMS</a>.</i>
</body>
</html>

Tried in Postman.

Complete log:

Attaching to proxy_caddy_1
caddy_1  | 2024-03-10T19:21:32.398351675Z {"level":"info","ts":1710098492.3982565,"msg":"using provided configuration","config_file":"/etc/caddy/Caddyfile","config_adapter":"caddyfile"}
caddy_1  | 2024-03-10T19:21:32.398898922Z {"level":"warn","ts":1710098492.3988743,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
caddy_1  | 2024-03-10T19:21:32.399159116Z {"level":"info","ts":1710098492.3991346,"logger":"admin","msg":"admin endpoint started","address":":2019","enforce_origin":false,"origins":["//:2019"]}
caddy_1  | 2024-03-10T19:21:32.399166782Z {"level":"warn","ts":1710098492.399142,"logger":"admin","msg":"admin endpoint on open interface; host checking disabled","address":":2019"}
caddy_1  | 2024-03-10T19:21:32.399275858Z {"level":"info","ts":1710098492.3992581,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0000bf200"}
caddy_1  | 2024-03-10T19:21:32.399293112Z {"level":"debug","ts":1710098492.3992074,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"srv0":{"listen":[":11000"],"routes":[{"handle":[{"handler":"reverse_proxy","upstreams":[{"dial":"aweg.t-mobile.cz:80"}]}]}],"automatic_https":{},"logs":{}}}}}
caddy_1  | 2024-03-10T19:21:32.399387622Z {"level":"debug","ts":1710098492.399375,"logger":"http","msg":"starting server loop","address":"[::]:11000","tls":false,"http3":false}
caddy_1  | 2024-03-10T19:21:32.399417584Z {"level":"info","ts":1710098492.3993871,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
caddy_1  | 2024-03-10T19:21:32.399595218Z {"level":"info","ts":1710098492.3995798,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
caddy_1  | 2024-03-10T19:21:32.399598278Z {"level":"info","ts":1710098492.3995838,"msg":"serving initial configuration"}
caddy_1  | 2024-03-10T19:21:32.409467668Z {"level":"info","ts":1710098492.4094346,"logger":"tls","msg":"cleaning storage unit","storage":"FileStorage:/data/caddy"}
caddy_1  | 2024-03-10T19:21:32.409566052Z {"level":"info","ts":1710098492.4095447,"logger":"tls","msg":"finished cleaning storage units"}
caddy_1  | 2024-03-10T19:21:47.953952966Z {"level":"debug","ts":1710098507.9538743,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"aweg.t-mobile.cz:80","total_upstreams":1}
caddy_1  | 2024-03-10T19:21:48.026140451Z {"level":"debug","ts":1710098508.025919,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"aweg.t-mobile.cz:80","duration":0.071987595,"request":{"remote_ip":"::1","remote_port":"57956","client_ip":"::1","proto":"HTTP/1.1","method":"GET","host":"localhost:11000","uri":"/","headers":{"Accept":["*/*"],"Cache-Control":["no-cache"],"Postman-Token":["baa72d60-061b-480f-bb63-4f2b740abec6"],"X-Forwarded-Proto":["http"],"X-Forwarded-Host":["localhost:11000"],"Accept-Encoding":["gzip, deflate, br"],"X-Forwarded-For":["::1"],"User-Agent":["PostmanRuntime/7.36.3"]}},"headers":{"Date":["Sun, 10 Mar 2024 19:21:47 GMT"],"Content-Type":["text/html"],"Last-Modified":["Fri, 16 Nov 2018 15:21:05 GMT"],"Connection":["keep-alive"],"Etag":["W/\"5beee061-264\""],"Content-Encoding":["gzip"],"Server":["nginx/1.14.0 (Ubuntu)"]},"status":200}
caddy_1  | 2024-03-10T19:21:48.026328291Z {"level":"info","ts":1710098508.0262382,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"::1","remote_port":"57956","client_ip":"::1","proto":"HTTP/1.1","method":"GET","host":"localhost:11000","uri":"/","headers":{"Accept":["*/*"],"Cache-Control":["no-cache"],"Postman-Token":["baa72d60-061b-480f-bb63-4f2b740abec6"],"Accept-Encoding":["gzip, deflate, br"],"Connection":["keep-alive"],"User-Agent":["PostmanRuntime/7.36.3"]}},"bytes_read":0,"user_id":"","duration":0.072370928,"size":384,"status":200,"resp_headers":{"Content-Encoding":["gzip"],"Date":["Sun, 10 Mar 2024 19:21:47 GMT"],"Content-Type":["text/html"],"Last-Modified":["Fri, 16 Nov 2018 15:21:05 GMT"],"Server":["Caddy","nginx/1.14.0 (Ubuntu)"],"Etag":["W/\"5beee061-264\""]}}

Then the problem is with your upstream server, it’s serving you that content.

You had a proxy to HTTPS earlier. You might need this?
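The debug log in the previous post points at the `Host` header rather than at a broken upstream: the "upstream roundtrip" line shows Caddy sent `host: localhost:11000` (and `X-Forwarded-Host: localhost:11000`) to the gateway, and nginx answers a `Host` it has no server block for with its default site, which is the stock "Welcome to nginx!" page (the `Etag` ending in `-264` is that file's usual 612-byte size, and the 2018 `Last-Modified` matches a packaged default page). The earlier `https://aweg.t-mobile.cz:443` attempt produced the same nginx headers, so the scheme is not the difference. The pair below is an added example, not the thread's configuration, for checking this side by side: the first site is the post's `:11000` block as written, the second presents the gateway's own name upstream. The hostname comes from the thread; the `:11001` port is an assumption chosen so both can run in one file.

```caddyfile
{
	admin localhost:2019
}

# As posted: Caddy forwards the client's own Host header (localhost:11000),
# so nginx on the gateway host picks its default server and returns the stock
# welcome page. Kept here only for the side-by-side comparison.
:11000 {
	log
	reverse_proxy http://aweg.t-mobile.cz:80
}

# Corrected: present the gateway's hostname upstream, and use TLS because the
# credential this proxy is meant to inject travels in the query string and
# must not cross the internet in clear.
:11001 {
	log
	reverse_proxy https://aweg.t-mobile.cz {
		header_up Host {upstream_hostport}
	}
}
```

Request `/` on both ports: `:11000` should still return the nginx page while `:11001` should return the `AWEG ... http/s transport` page the post expected. Once that is confirmed, drop the `:11000` block and carry `header_up Host {upstream_hostport}` over to the authenticated configuration.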

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.