V2: understanding rewrite

One last question. My adapt call is giving me a group: directive in the rewrite:

                    {
                      "group": "group0",
                      "handle": [
                        {
                          "handler": "rewrite",
                          "uri": "/mta-sts.txt"
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/.well-known/mta-sts.txt"
                          ]
                        }
                      ]
                    }

This seems confusing, as there is only one matcher in my ‘group’. Also, does the JSON process top to bottom? Can you guarantee matcher order? Assuming for my (very) limited use case I can remove the “group” parameter.

Ah ha! So here is the final form of the Caddyfile… assuming I am missing something in grouping in Caddyfile?

    mta-sts.meeple.ninja {
      header / {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
      }
      rewrite /.well-known/mta-sts.txt /mta-sts.txt
      file_server {
        root /var/www/mta-sts
      }
      @forbidden {
        not path /.well-known/mta-sts.txt
      }
      respond @forbidden "Not Found" 404
    }

This failed until I added the “group” directive to both matchers in the JSON. Otherwise I would rewrite, and then match the not matcher and get a 404. Shortcoming in the Caddyfile adapter? Or me not quite understanding how to group things in the Caddyfile? I didn’t see anything in the Caddyfile part of the docs about grouping.

JSON that worked. Please note I manually added the "group": "mtastsrewrite", to the not matcher grouping:

            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "headers",
                          "response": {
                            "set": {
                              "Strict-Transport-Security": [
                                "max-age=63072000; includeSubDomains; preload"
                              ]
                            }
                          }
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/"
                          ]
                        }
                      ]
                    },
                    {
                      "group": "mtastsrewrite",
                      "handle": [
                        {
                          "handler": "rewrite",
                          "uri": "/mta-sts.txt"
                        }
                      ],
                      "match": [
                        {
                          "path": [
                            "/.well-known/mta-sts.txt"
                          ]
                        }
                      ]
                    },
                    {
                      "group": "mtastsrewrite",
                      "handle": [
                        {
                          "body": "Not Found",
                          "close": true,
                          "handler": "static_response",
                          "status_code": 404
                        }
                      ],
                      "match": [
                        {
                          "not": [
                            {
                              "path": [
                                "/.well-known/mta-sts.txt"
                              ]
                            }
                          ]
                        }
                      ]
                    },
                    {
                      "handle": [
                        {
                          "handler": "file_server",
                          "root": "/var/www/mta-sts"
                        }
                      ]
                    }
                  ]
                }
              ],
              "match": [
                {
                  "host": [
                    "mta-sts.meeple.ninja"
                  ]
                }
              ],
              "terminal": true
            }

Thanks for all your help with this!
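
Added example (not part of the original posts and not Caddy's own code): a simplified Python model of the route evaluation described above. It assumes that each matcher runs against the request as earlier handlers left it and that only the first matching route in a named group runs; the function names and the `files` parameter are hypothetical, and the header route is left out because it does not affect the outcome.

```python
# Simplified model of sequential route evaluation for the routes in this thread.
# Assumptions (not taken from Caddy's source): matchers see the URI as modified
# by earlier handlers, and once a route in a named group has matched, the
# remaining routes in that group are skipped.

POLICY = "/.well-known/mta-sts.txt"

def build_routes(grouped):
    """Routes modelled on the thread's JSON.

    grouped=False: adapter output (rewrite alone in "group0", 404 ungrouped).
    grouped=True:  hand-edited JSON (rewrite and 404 share "mtastsrewrite").
    """
    rewrite_group = "mtastsrewrite" if grouped else "group0"
    respond_group = "mtastsrewrite" if grouped else None
    return [
        {"group": rewrite_group, "match": lambda p: p == POLICY,
         "handler": ("rewrite", "/mta-sts.txt")},
        {"group": respond_group, "match": lambda p: p != POLICY,
         "handler": ("static_response", 404)},
        {"group": None, "match": lambda p: True,
         "handler": ("file_server", "/var/www/mta-sts")},
    ]

def evaluate(routes, path, files=("/mta-sts.txt",)):
    """Return (status, final_path) for one request path."""
    matched_groups = set()
    for route in routes:
        if route["group"] in matched_groups:
            continue                      # an earlier route in this group matched
        if not route["match"](path):
            continue
        if route["group"] is not None:
            matched_groups.add(route["group"])
        kind, arg = route["handler"]
        if kind == "rewrite":
            path = arg                    # later matchers now see the new URI
        elif kind == "static_response":
            return arg, path              # terminal: response is written here
        elif kind == "file_server":
            return (200 if path in files else 404), path
    return 404, path

if __name__ == "__main__":
    for grouped in (False, True):
        for p in (POLICY, "/mta-sts.txt", "/other"):
            print(grouped, p, evaluate(build_routes(grouped), p))
```

With the shared group, a direct request for `/mta-sts.txt` still gets the 404, so only the well-known path reaches the file server.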

What’s the purpose of the HSTS header?

Specifically, why issue it only on / and not anywhere else?

HSTS? That’s to let the client know I am HTTPS only, never HTTP, and how long to remember that. It is a standard header that all HTTPS sites should use.

As for /? Is there a way to set the header to send out on all paths? A * matcher? I’ve only ever sent that header out on /… I should look into the spec more.

Yeah - there’s no reason to only match on / for that. If you remove the matcher, it acts as “any request”. Same with having a * path matcher.
