Using ip_mask filter with 2.5 [actually an init script issue]

1. Caddy version (caddy version): 2.5

$ /usr/bin/caddy version
v2.5.0 h1:eRHzZ4l3X6Ag3kUt8nj5IxATprhqKq/wToP7OHlXWA0=

2. How I run Caddy:

https://ponce.cc

a. System environment:

lxc container with slackware64-15.0.
$ uname -a
Linux chuckd 5.17.2 #1 SMP PREEMPT Fri Apr 8 14:20:27 CEST 2022 x86_64 Intel(R) Core™ i7 CPU 930 @ 2.80GHz GenuineIntel GNU/Linux

b. Command:

launch command:
su - $CADDYUSR -c "XDG_DATA_HOME=/var/lib XDG_CONFIG_HOME=/etc $CADDYBIN run --environ --config $CADDYCFG >> /var/log/caddy/caddy.log 2>&1"

c. Service/unit/compose file:

#!/bin/bash

CADDYUSR=caddy
CADDYGRP=caddy
CADDYBIN=/usr/bin/caddy
CADDYCFG=/etc/caddy/Caddyfile
CADDYLOG=/var/log/caddy/caddy.log

caddy_start() {
  echo "Starting caddy"
  if [ -S /run/caddy/admin.socket ] ; then
    echo "Already running!"
    return
  fi
  su - $CADDYUSR -c "XDG_DATA_HOME=/var/lib XDG_CONFIG_HOME=/etc $CADDYBIN validate --config $CADDYCFG >> /var/log/caddy/caddy.log 2>&1"
  mkdir -p /run/caddy
  chown -R $CADDYUSR:$CADDYGRP /run/caddy
  su - $CADDYUSR -c "XDG_DATA_HOME=/var/lib XDG_CONFIG_HOME=/etc $CADDYBIN run --environ --config $CADDYCFG >> /var/log/caddy/caddy.log 2>&1" &
}

caddy_stop() {
  echo "Stopping caddy"
  if [ -S /run/caddy/admin.socket ] ; then
    su - $CADDYUSR -c "$CADDYBIN stop -address unix//run/caddy/admin.socket"
    rm -f /run/caddy/admin.socket
  else
    echo "Not running!"
  fi
}

caddy_reload() {
  if [ -S /run/caddy/admin.socket ] ; then
    echo "Reloading caddy"
    su - $CADDYUSR -c "XDG_DATA_HOME=/var/lib XDG_CONFIG_HOME=/etc $CADDYBIN reload --config $CADDYCFG"
  else
    echo "Not running!"
  fi
}

caddy_restart() {
  caddy_stop
  sleep 1
  caddy_start
}

case "$1" in
'start')
  caddy_start
  ;;
'stop')
  caddy_stop
  ;;
restart)
  caddy_restart
  ;;
reload)
  caddy_reload
  ;;
*)
  echo "usage $0 start|stop|restart|reload"
esac

d. My complete Caddyfile or JSON config:

{
  order cgi last
  admin "unix//run/caddy/admin.socket"
}

ponce.cc ponce.cc:80 {
  root * /var/www/htdocs
  encode zstd gzip
  file_server {
    index index.htm index.html
    browse
  }
  log {
    format filter {
      wrap console
      fields {
        request>remote_ip ip_mask {
          ipv4 24
          ipv6 56
        }
      }
    }
    output file /var/log/caddy/ponce.cc.log
  }
}

3. The problem I’m having:

remote_ip still shows in the logs

4. Error messages and/or full log output:

{"level":"info","ts":1651080138.101779,"logger":"http.log.access.log1","msg":"handled request","request":{"remote_ip":"142.132.143.107","remote_port":"14882","proto":"HTTP/1.1","method":"GET","host":"ponce.cc","uri":"/slackware/slackware-14.1/packages/stella-4.6.1-i486-1ponce.lst","headers":{"Connection":["close"],"User-Agent":["Mozilla/5.0 (compatible; DataForSeoBot/1.0; +https://dataforseo.com/dataforseo-bot)"],"Accept-Encoding":["gzip, deflate, br"],"Upgrade-Insecure-Requests":["1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4867,"proto":"http/1.1","server_name":"ponce.cc"}},"user_id":"","duration":0.009822473,"size":9375,"status":200,"resp_headers":{"Content-Length":["9375"],"Server":["Caddy"],"Etag":["\"o63hyq78f\""],"Content-Type":[],"Last-Modified":["Sat, 23 Apr 2016 16:32:50 GMT"]}}

5. What I already tried:

applied the example as described at the bottom of the page linked below

6. Links to relevant resources:

Works for me.

For sake of example, since I’m testing on LAN, my IP is 127.0.0.1, I used ipv4 1 to just do a “super aggressive” mask:

:8888 {
	log {
		format filter {
			wrap console
			fields {
				request>remote_ip ip_mask {
					ipv4 1
					ipv6 56
				}
			}
		}
	}
	respond "foo"
}

Then with curl localhost:8888, I get this in my logs:

1.6510827211412401e+09	info	http.log.access.log0	handled request	{"request": {"remote_ip": "0.0.0.0", "remote_port": "37910", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:8888", "uri": "/", "headers": {"User-Agent": ["curl/7.74.0"], "Accept": ["*/*"]}}, "user_id": "", "duration": 0.000069021, "size": 3, "status": 200, "resp_headers": {"Server": ["Caddy"], "Content-Type": []}}

thanks a lot Francis,

your confirmation made me have a better look and actually what was happening is that the original caddy process never stopped because when I was trying to stop it (like described in the init file above) using a command like

su - $CADDYUSR -c "$CADDYBIN stop -address unix//run/caddy/admin.socket"

which worked with 2.4.x, the server won’t stop answering

Stopping caddy
2022/04/28 07:19:09.204 WARN    failed using API to stop instance       {"error": "performing request: Post \"//%20/unixsocket/stop\": unsupported protocol scheme \"\""}
stop: performing request: Post "//%20/unixsocket/stop": unsupported protocol scheme ""

so the ip_mask directive wasn’t actually applied…

if I just kill the processes, remove the socket and restart caddy ip_mask works as intended, sorry for the noise.

I’ll have a deeper look at the changes introduced with this version. :books:

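The failure described in the post above (a stop request that errors while the old process keeps serving the old config, after which the init script removes the socket anyway) can be caught in the init script itself. This is an added example, not part of the original thread or the Caddy project; the pidfile path, `STOP_TIMEOUT` and the function names are assumptions.

```shell
#!/bin/bash
# Added example (not the poster's script): a stop routine that never reports
# success, or removes the admin socket, while the old process is still alive.
# PIDFILE is an assumption; `caddy run --pidfile <file>` can write it.

SOCKET=${SOCKET:-/run/caddy/admin.socket}
PIDFILE=${PIDFILE:-/run/caddy/caddy.pid}
STOP_CMD=${STOP_CMD:-"/usr/bin/caddy stop -address unix//run/caddy/admin.socket"}
STOP_TIMEOUT=${STOP_TIMEOUT:-5}   # seconds to wait for the process to exit

# True while the PID recorded in the pidfile is still a live process.
caddy_alive() {
  local pid
  pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
  [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Return codes: 0 = stopped (or was not running), 1 = still running.
caddy_safe_stop() {
  local waited=0
  if ! caddy_alive; then
    rm -f "$SOCKET" "$PIDFILE"      # stale leftovers only
    return 0
  fi
  # A failing API call (as in the 2.5.0 output above) is tolerated here,
  # but it must not be mistaken for a successful stop.
  $STOP_CMD || echo "stop command failed, falling back to SIGTERM" >&2
  if caddy_alive; then
    kill -TERM "$(cat "$PIDFILE" 2>/dev/null)" 2>/dev/null || true
  fi
  while caddy_alive && [ "$waited" -lt "$STOP_TIMEOUT" ]; do
    sleep 1; waited=$((waited + 1))
  done
  if caddy_alive; then
    echo "caddy still running; keeping $SOCKET, new config NOT applied" >&2
    return 1
  fi
  rm -f "$SOCKET" "$PIDFILE"
  return 0
}
```

A restart routine built on this should start a new process only when `caddy_safe_stop` returns 0, so a log filter such as `ip_mask` is never assumed active while the previous instance is still writing unmasked addresses.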

:man_facepalming:

Oops, looks like we broke unix socket addresses with a change to some of the CLI commands. I can replicate the issue. I’ll try to fix it.

Got it:

thanks for this too!
so I think I’ll wait for 2.5.1 to update my caddies (and maybe open a new topic on how to package it from source for Slackware).

You can build from source easily with xcaddy:

just a curiosity, I hope I’m not being too OT in this topic…

how do you apply a patch (like the one for which you opened a pull request) for caddy or even for some plugin when building with xcaddy?
is it safe to build it with a syntax like this (I’ve tried and it seems to work)?

xcaddy build f24853e --with github.com/aksdb/caddy-cgi/v2

Yep, that syntax works. The first argument can be any kind of git ref on the Caddy repo. It can also be the branch name for that PR if you want.