summaryrefslogtreecommitdiff
path: root/modules/caddyhttp/reverseproxy
AgeCommit message (Collapse)Author
2022-07-08reverseproxy: Adjust new TLS Caddyfile directive names (#4872)Francis Lavoie
2022-06-28forwardauth: Fix case when `copy_headers` is omitted (#4856)Francis Lavoie
See https://caddy.community/t/using-forward-auth-and-writing-my-own-authenticator-in-php/16410, apparently it didn't work when `copy_headers` wasn't used. This is because we were skipping adding a handler to the routes in the "good response handler", but this causes the logic in `reverseproxy.go` to ignore the response handler since it's empty. Instead, we can just always put in the `header` handler, even with an empty `Set` operation, it's just a no-op, but it fixes that condition in the proxy code.
2022-06-22reverseproxy: Fix double headers in response handlers (#4847)Francis Lavoie
2022-06-22reverseproxy: Fix panic when TLS is not configured (#4848)Francis Lavoie
* reverseproxy: Fix panic when TLS is not configured * Refactor and simplify setScheme Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-06-20reverseproxy: Skip TLS for certain configured ports (#4843)Kiss Károly Pál
* Make reverse proxy TLS server name replaceable for SNI upstreams. * Reverted previous TLS server name replacement, and implemented thread safe version. * Move TLS servername replacement into it's own function * Moved SNI servername replacement into httptransport. * Solve issue when dynamic upstreams use wrong protocol upstream. * Revert previous commit. Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream. Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d * Added SkipTLSPorts option to http transport. * Fix typo in test config file. * Rename config option as suggested by Matt Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Update code to match renamed config option. * Fix typo in config option name. * Fix another typo that I missed. * Tests not completing because of apparent wrong ordering of options. Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-06-16forwardauth: Support renaming copied headers, block support (#4783)Francis Lavoie
2022-06-14reverseproxy: Dynamic ServerName for TLS upstreams (#4836)Kiss Károly Pál
* Make reverse proxy TLS server name replaceable for SNI upstreams. * Reverted previous TLS server name replacement, and implemented thread safe version. * Move TLS servername replacement into it's own function * Moved SNI servername replacement into httptransport. * Solve issue when dynamic upstreams use wrong protocol upstream. * Revert previous commit. Old commit was: Solve issue when dynamic upstreams use wrong protocol upstream. Id: 3c9806ccb63e66bdcac8e1ed4520c9d135cb011d Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-06-14reverseproxy: Make TLS renegotiation optionalMatthew Holt
2022-06-10reverseproxy: Add renegotiation param in TLS client (#4784)Yaacov Akiba Slama
* Add renegotiation option in reverseproxy tls client * Update modules/caddyhttp/reverseproxy/httptransport.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-06-06reverseproxy: Correct the `tls_server_name` docs (#4827)Francis Lavoie
* reverseproxy: Correct the `tls_server_name` docs * Update modules/caddyhttp/reverseproxy/httptransport.go Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-06-03reverseproxy: HTTP 504 for upstream timeouts (#4824)Matt Holt
Closes #4823
2022-06-02reverseproxy: api: Remove misleading 'healthy' valueMatthew Holt
In v2.5.0, upstream health was fixed such that whether an upstream is considered healthy or not is mostly up to each individual handler's config. Since "healthy" is an opinion, it is not a global value. I unintentionally left in the "healthy" field in the API endpoint for checking upstreams, and it is now misleading (see #4792). However, num_requests and fails remains, so health can be determined by the API client, rather than having it be opaquely (and unhelpfully) determined for the client. If we do restore this value later on, it'd need to be replicated once per reverse_proxy handler according to their individual configs.
2022-05-29reverseproxy: Add --internal-certs CLI flag #3589 (#4817)Alexander M
added flag --internal-certs when set, for non-local domains the internal CA will be used for cert generation
2022-05-10reverseproxy: Support http1.1>h2c (close #4777) (#4778)Matt Holt
2022-05-06reverseproxy: Support performing pre-check requests (#4739)Francis Lavoie
2022-05-04reverseproxy: Permit resolver addresses to not specify a port (#4760)Francis Lavoie
Context: https://caddy.community/t/caddy-2-5-dynamic-upstreams-and-consul-srv-dns/15839 I realized it probably makes sense to allow `:53` to be omitted, since it's the default port for DNS.
2022-05-02reverseproxy: Fix Caddyfile support for `replace_status` (#4754)Francis Lavoie
2022-04-27reverseproxy: Improve hashing LB policies with HRW (#4724)Matt Holt
* reverseproxy: Improve hashing LB policies with HRW Previously, if a list of upstreams changed, hash-based LB policies would be greatly affected because the hash relied on the position of upstreams in the pool. Highest Random Weight or "rendezvous" hashing is apparently robust to pool changes. It runs in O(n) instead of O(log n), but n is very small usually. * Fix bug and update tests
2022-04-25httpcaddyfile: Deprecate paths in site addresses; use zap logs (#4728)Francis Lavoie
2022-04-11reverseproxy: Add `_ms` placeholders for proxy durations (#4666)Francis Lavoie
* reverseproxy: Add `_ms` placeholders for proxy durations * Add http.request.duration_ms Also add comments, and change duration_sec to duration_ms * Add response.duration_ms for consistency * Add missing godoc comment Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-04-11reverseproxy: Sync up `handleUpgradeResponse` with stdlib (#4664)Francis Lavoie
* reverseproxy: Sync up `handleUpgradeResponse` with stdlib I had left this as a TODO for when we bump to minimum 1.17, but I should've realized it was under `internal` so it couldn't be used directly. Copied the functions we needed for parity. Hopefully this is ok! * Add tests and fix godoc comments Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-24reverseproxy: Include port in A upstreams cacheMatthew Holt
Should fix #4659
2022-03-21reverseproxy: Don't clear name in SRV upstreamsMatthew Holt
Fix for dc4d147388547515f77447d594024386b732e7d4
2022-03-18reverseproxy: Expand SRV/A addrs for cache keyMatthew Holt
Hopefully fix #4645
2022-03-13chore: Comment fixes (#4634)Francis Lavoie
2022-03-09reverseproxy: copy_response and copy_response_headers for handle_response ↵Francis Lavoie
routes (#4391) * reverseproxy: New `copy_response` handler for `handle_response` routes Followup to #4298 and #4388. This adds a new `copy_response` handler which may only be used in `reverse_proxy`'s `handle_response` routes, which can be used to actually copy the proxy response downstream. Previously, if `handle_response` was used (with routes, not the status code mode), it was impossible to use the upstream's response body at all, because we would always close the body, expecting the routes to write a new body from scratch. To implement this, I had to refactor `h.reverseProxy()` to move all the code that came after the `HandleResponse` loop into a new function. This new function `h.finalizeResponse()` takes care of preparing the response by removing extra headers, dealing with trailers, then copying the headers and body downstream. Since basically what we want `copy_response` to do is invoke `h.finalizeResponse()` at a configurable point in time, we need to pass down the proxy handler, the response, and some other state via a new `req.WithContext(ctx)`. Wrapping a new context is pretty much the only way we have to jump a few layers in the HTTP middleware chain and let a handler pick up this information. Feels a bit dirty, but it works. Also fixed a bug with the `http.reverse_proxy.upstream.duration` placeholder, it always had the same duration as `http.reverse_proxy.upstream.latency`, but the former was meant to be the time taken for the roundtrip _plus_ copying/writing the response. * Delete the "Content-Length" header if we aren't copying Fixes a bug where the Content-Length will mismatch the actual bytes written if we skipped copying the response, so we get a message like this when using curl: ``` curl: (18) transfer closed with 18 bytes remaining to read ``` To replicate: ``` { admin off debug } :8881 { reverse_proxy 127.0.0.1:8882 { @200 status 200 handle_response @200 { header Foo bar } } } :8882 { header Content-Type application/json respond `{"hello": "world"}` 200 } ``` * Implement `copy_response_headers`, with include/exclude list support * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2022-03-07fastcgi: Protect against requests with null bytes in the path (#4614)Francis Lavoie
2022-03-06reverseproxy: Dynamic upstreams (with SRV and A/AAAA support) (#4470)Matt Holt
* reverseproxy: Begin refactor to enable dynamic upstreams Streamed here: https://www.youtube.com/watch?v=hj7yzXb11jU * Implement SRV and A/AAA upstream sources Also get upstreams at every retry loop iteration instead of just once before the loop. See #4442. * Minor tweaks from review * Limit size of upstreams caches * Add doc notes deprecating LookupSRV * Provision dynamic upstreams Still WIP, preparing to preserve health checker functionality * Rejigger health checks Move active health check results into handler-specific Upstreams. Improve documentation regarding health checks and upstreams. * Deprecation notice * Add Caddyfile support, use `caddy.Duration` * Interface guards * Implement custom resolvers, add resolvers to http transport Caddyfile * SRV: fix Caddyfile `name` inline arg, remove proto condition * Use pointer receiver * Add debug logs Co-authored-by: Francis Lavoie <lavofr@gmail.com>
2022-03-06reverseproxy: Implement trusted proxies for `X-Forwarded-*` headers (#4507)Francis Lavoie
2022-03-05reverseproxy: Refactor dial address parsing, augment command parsing (#4616)Francis Lavoie
2022-03-03reverseproxy: Make shallow-ish clone of the request (#4551)Francis Lavoie
* reverseproxy: Make shallow-ish clone of the request * Refactor request cloning into separate function Co-authored-by: Matthew Holt <mholt@users.noreply.github.com>
2022-03-02fastcgi: Set SERVER_PORT to 80 or 443 depending on scheme (#4572)ttys3
2022-03-01reverseproxy: Move status replacement intercept to `replace_status` (#4300)Francis Lavoie
2022-02-01reverseproxy: Avoid returning a `nil` error during GetClientCertificate (#4550)Francis Lavoie
2022-01-19Improve the reverse-proxy CLI --to flag help message (#4535)Vojtech Vitek
2022-01-04admin, reverseproxy: Stop timers if canceled to avoid goroutine leak (#4482)Денис Телюх
2021-12-17reverseproxy: Fix incorrect `health_headers` Caddyfile parsing (#4485)Francis Lavoie
Fixes #4481
2021-12-02caddyhttp: Make logging of credential headers opt-in (#4438)Francis Lavoie
2021-12-02fastcgi: Fix a TODO, prevent zap using reflection for logging env (#4437)Francis Lavoie
* fastcgi: Fix a TODO, prevent zap using reflection for logging env * Update modules/caddyhttp/reverseproxy/fastcgi/fastcgi.go Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
2021-11-24reverseproxy: Adjust defaults, document defaults (#4436)Francis Lavoie
* reverseproxy: Adjust defaults, document defaults Related to some of the issues in https://github.com/caddyserver/caddy/issues/4245, a complaint about the proxy transport defaults not being properly documented in https://caddy.community/t/default-values-for-directives/14254/6. - Dug into the stdlib to find the actual defaults for some of the timeouts and buffer limits, documenting them in godoc so the JSON docs get them next release. - Moved the keep-alive and dial-timeout defaults from `reverseproxy.go` to `httptransport.go`. It doesn't make sense to set defaults in the proxy, because then any time the transport is configured with non-defaults, the keep-alive and dial-timeout defaults are lost! - Sped up the dial timeout from 10s to 3s, in practice it rarely makes sense to wait a whole 10s for dialing. A shorter timeout helps a lot with the load balancer retries, so using something lower helps with user experience. * reverseproxy: Make keepalive interval configurable via Caddyfile * fastcgi: DialTimeout default for fastcgi transport too
2021-10-26reverseproxy: Sanitize scheme and host on incoming requests (#4237)Francis Lavoie
* caddyhttp: Sanitize scheme and host on incoming requests * reverseproxy: Sanitize the URL scheme and host before proxying * Apply suggestions from code review Co-authored-by: Matt Holt <mholt@users.noreply.github.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
2021-10-18reverseproxy: Prevent copying the response if a response handler ran (#4388)Francis Lavoie
2021-10-11caddyhttp: reverseproxy: clarify warning for -insecure (#4379)Simão Gomes Viana
The question would only receive bad answers so it's better to just say what the option actually does.
2021-09-29Move from deprecated ioutil to os and io packages (#4364)KallyDev
2021-09-27Revert 3336faf2 (close #4360)Matthew Holt
Debug log is correct level for this
2021-09-24reverseproxy: Log error at error level (fix #4360)Matthew Holt
2021-09-17fastcgi: Implement `try_files` override in Caddyfile directive (#4347)Francis Lavoie
2021-09-11fastcgi: Fix Caddyfile parsing when `handle_response` is used (#4342)Francis Lavoie
2021-08-23reverseproxy: Remove redundant flushing (#4299)Francis Lavoie
From reading through the code, I think this code path is now obsoleted by the changes made in https://github.com/caddyserver/caddy/pull/4266. Basically, `h.flushInterval()` will set the flush interval to `-1` if we're in a bi-directional stream, and the recent PR ensured that `h.copyResponse()` properly flushes headers immediately when the flush interval is non-zero. So now there should be no need to call Flush before calling `h.copyResponse()`.
2021-08-17logging: Warn for deprecated single_field encoderMatthew Holt