mastercactapus / caddy2-proxyprotocol Goto Github PK
License: Apache License 2.0
Hi all,
I'm trying to use the module with the following Caddyfile:
{
    admin 0.0.0.0:2019
    servers {
        listener_wrappers {
            proxy_protocol {
                timeout 2s
                allow 0.0.0.0/0
            }
            http_redirect
            tls
        }
    }
    storage consul {
        address consul:8500
        timeout 10
        prefix caddytls
        value_prefix caddy
        aes_key consultls-1234567890-caddytls-32
        tls_enabled false
        tls_insecure true
    }
}
I'm using Caddy in a Docker swarm with the following compose file:
version: "3.7"
services:
  consul:
    image: consul:1.14
    command: "agent -server -bootstrap -ui -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\"}}'"
    networks:
      - consul
    volumes:
      - consul_data:/consul/data
    deploy:
      replicas: 1
      placement:
        constraints: [node.role==manager]
  consul-replica:
    image: consul:latest
    command: "agent -server -retry-join consul -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\"}}'"
    depends_on:
      - consul
    volumes:
      - consul_replica_data:/consul/data
    networks:
      - consul
    deploy:
      mode: global
      placement:
        preferences:
          - spread: node.id
  caddy:
    depends_on:
      - consul
    image: custom_caddy_image
    ports:
      - 2019:2019
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy-network
      - CONSUL_HTTP_ADDR=consul:8500
    networks:
      - caddy-network
      - consul
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      labels:
        caddy.email: [email protected]
      placement:
        constraints:
          - node.role == manager # I have 3 manager nodes
        preferences:
          - spread: node.id
      replicas: 1
networks:
  caddy-network:
  consul:
    driver: overlay
volumes:
  consul_data: {}
  consul_replica_data: {}
with a custom build:
FROM caddy:2.6-builder-alpine AS builder
RUN xcaddy build \
    --with github.com/pteich/caddy-tlsconsul \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/mastercactapus/caddy2-proxyprotocol

FROM caddy:2.6-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/caddy/Caddyfile
# Install package with certutil
RUN apk add --no-cache nss-tools
CMD ["caddy", "docker-proxy", "--caddyfile-path", "/etc/caddy/Caddyfile"]
But then in the logs I see the final JSON format of the Caddyfile:
{
    "admin": {
        "listen": "0.0.0.0:2019"
    },
    "storage": {
        "ConsulClient": null,
        "Storage": null,
        "address": "consul:8500",
        "aes_key": "Y29uc3VsdGxzLTEyMzQ1Njc4OTAtY2FkZHl0bHMtMzI=",
        "module": "consul",
        "prefix": "caddytls",
        "timeout": 10,
        "tls_enabled": false,
        "tls_insecure": true,
        "token": "",
        "value_prefix": "stofcaddy"
    }
}
So the module isn't used. What's happening here?
We are trying to pass the client IP through our load balancing stack. The stack is NLB => Caddy (on Docker/Fargate) => ALB.
My understanding, based on the documentation of your Caddy plugin, Caddy's documentation and AWS's documentation of the Network Load Balancer (NLB) (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol), is that I need to enable proxy protocol v2 in the NLB and install your plugin in Caddy as well as configure it. I've written about my configuration in the Caddy Forum: https://caddy.community/t/caddy-behind-nlb/13988
When I enable all the stuff mentioned above, I get the following lines in Caddy if I set the log level to debug:
`{"level":"debug","ts":1634749313.4648879,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.20.201.113:12064: invalid length"}`
where 10.20.201.113 is the private IP of our NLB.
What can I do to further debug this issue? Might there be a problem in your plugin when working with the NLB?
I hope TLS scenarios can be supported. It is a real 'proxy protocol' protocol.
After reading the section "Adding custom Caddy modules" on https://hub.docker.com/_/caddy I still don't know how I can build a new Caddy binary with the plugin caddy2-proxyprotocol inside.
As I understood the documentation, I should do the following:
FROM caddy:<version>-builder AS builder
RUN xcaddy build \
    --with github.com/mastercactapus/caddy2-proxyprotocol.git

FROM caddy:<version>
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
But I don't know where and how.
My Caddy environment is running in a Docker container and managed by a docker-compose.yml file. The Docker components (vaultwarden, caddy) are working well. With the component fail2ban I still have difficulties (registering but not banning the IP address), but this is off-topic here.
My motivation to include the "caddy2-proxyprotocol" plugin is to protect my vaultwarden vault from potential brute-force attackers. If I understand well, this plugin is able to provide the real IP address to fail2ban (which is also included in a Docker container) so it can ban the right IP address. At this moment fail2ban is getting a private IP address (172.x.x.x) from the container instead, which will cause a DoS for the "normal" user.
How can I build a new Caddy binary inside a Docker container? Please help, I'm new to Docker and I also don't have any Go know-how. Thank you.
Building Caddy with proxyprotocol fails with errors:
[redacted]/pkg/mod/github.com/google/[email protected]/parser/helper.go:20:2: ambiguous import: found package github.com/antlr/antlr4/runtime/Go/antlr in multiple modules:
    github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f ([redacted]/pkg/mod/github.com/antlr/[email protected]/runtime/Go/antlr)
    github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 ([redacted]/pkg/mod/github.com/antlr/antlr4/runtime/!go/[email protected])
As far as I'm able to guess that happens because proxyprotocol's go.mod requires an old Caddy.
global
    daemon
defaults
    mode http
    option http-use-htx
frontend fe_main
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend be_main
backend be_main
    server caddy 127.0.0.1:19600 send-proxy

global
    daemon
defaults
    mode http
    option http-use-htx
frontend fe_main
    bind :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend be_main
backend be_main
    server caddy 127.0.0.1:19600 send-proxy-v2

{
    debug
    servers {
        listener_wrappers {
            proxy_protocol {
                timeout 3s
            }
            tls
        }
    }
}
http://127.0.0.1:19600 {
    # encode gzip
    root * /usr/share/caddy
    file_server {
        hide .git
    }
}
Caddy 2.5.2
I am trying to make Caddy handle all HTTPS in my Google Compute Cloud setup.
So I installed Caddy behind an external TCP load balancer.
Our service relies on the client IP. That is why I enabled the PROXY protocol for the load balancer
and set up your plugin.
But once the plugin is enabled, all requests must use the PROXY protocol, which is why I set the GCC HTTPS health check to use the PROXY protocol too.
The problem is that the health check sends a PROXY UNKNOWN
header, and the plugin sets the client IP to an empty value.
https://cloud.google.com/load-balancing/docs/health-checks#optional-flags-hc-protocol-http
The reverse proxy fails with the error:
preparing request for upstream round-trip: invalid client IP address:
and there is no way the health check will pass.
I guess replacing IPs with empty values is wrong.
In the case of a PROXY UNKNOWN
header it is better to leave the original (proxy) values in the requests.
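The PROXY UNKNOWN fallback this post asks for, next to a check that tells a raw TLS record apart from a PROXY header (a first thing to verify when the TLS handshake errors reported in the NLB and curl posts above show up), as an added Go example that is not the plugin's own code: a minimal PROXY v1 line reader. The sample addresses and the peer address are constructed; the 107-byte v1 limit and the v2 signature come from the PROXY protocol specification.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"strings"
)

// v2Signature opens every PROXY protocol v2 (binary) header.
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ReadProxyV1 consumes one PROXY v1 line from r. "PROXY UNKNOWN" (what the GCP
// health check sends) yields the fallback addresses, i.e. the TCP peer's own, rather
// than empty values; a v2 header or a raw TLS record (first byte 0x16) is reported.
func ReadProxyV1(r *bufio.Reader, fallbackSrc, fallbackDst net.Addr) (net.Addr, net.Addr, error) {
	peek, _ := r.Peek(12) // a short peek is fine; only the bytes that arrived are inspected
	if bytes.HasPrefix(peek, v2Signature) {
		return nil, nil, errors.New("PROXY v2 header received: sender and receiver disagree on version")
	}
	if len(peek) > 0 && peek[0] == 0x16 {
		return nil, nil, errors.New("TLS record instead of PROXY header: sender is not using PROXY protocol")
	}
	line, err := r.ReadString('\n')
	if err != nil || !strings.HasSuffix(line, "\r\n") || len(line) > 107 { // 107 bytes is the v1 maximum
		return nil, nil, errors.New("invalid PROXY v1 line: bad length or missing CRLF")
	}
	f := strings.Fields(line)
	if len(f) >= 2 && f[0] == "PROXY" && f[1] == "UNKNOWN" {
		return fallbackSrc, fallbackDst, nil // keep the real peer addresses, do not blank them
	}
	if len(f) == 6 && f[0] == "PROXY" && (f[1] == "TCP4" || f[1] == "TCP6") {
		src, err1 := net.ResolveTCPAddr("tcp", net.JoinHostPort(f[2], f[4])) // IP literals only, no DNS
		dst, err2 := net.ResolveTCPAddr("tcp", net.JoinHostPort(f[3], f[5]))
		if err1 == nil && err2 == nil {
			return src, dst, nil
		}
	}
	return nil, nil, fmt.Errorf("unrecognised PROXY v1 line %q", strings.TrimSpace(line))
}

func main() {
	peer := &net.TCPAddr{IP: net.ParseIP("10.20.201.113"), Port: 12064} // constructed sample peer
	for _, in := range []string{"PROXY TCP4 203.0.113.7 10.0.0.5 51000 443\r\n", "PROXY UNKNOWN\r\n", "\x16\x03\x01\x00\xf4"} {
		src, dst, err := ReadProxyV1(bufio.NewReader(strings.NewReader(in)), peer, peer)
		fmt.Printf("%q -> src=%v dst=%v err=%v\n", in, src, dst, err)
	}
}
```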
Hello,
I'm getting TLS errors when using this plugin (I stripped IP addresses for privacy concerns):
$ curl -v https://xxx.yyy/
* Trying xxx.xxx.xxx.x:443...
* TCP_NODELAY set
* Connected to xxx.yyy (xxx.xxx.xxx.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443
{"level":"debug","ts":1662558661.0007904,"logger":"http.stdlib","msg":"http: TLS handshake error from xx.xxx.xxx.xxx:3803: invalid signature"}
Here is my Caddyfile:
{
    debug
    servers {
        listener_wrappers {
            proxy_protocol {
                timeout 5s
                allow 0.0.0.0/0
            }
            tls
        }
    }
}
xxx.yyy {
    reverse_proxy sftpgo:8080 # I run this in docker-compose, so sftpgo is a docker container
}
I don't understand what I'm doing wrong.
Hi,
I'm getting this error:
2023/06/06 11:55:13.948 INFO using provided configuration {"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'servers': /etc/caddy/Caddyfile:11 - Error during parsing: getting module named 'caddy.listeners.proxy_protocol': module not registered: caddy.listeners.proxy_protocol
Caddyfile:
{
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
    }
    servers 127.0.0.1:5001 {
        listener_wrappers {
            proxy_protocol
        }
        protocols h2c h1
    }
}
:5001 {
    root * /srv/http/default
    file_server
    bind 127.0.0.1
}
:80 {
    redir https://{host}{uri} permanent
}
It compiles as seen below, but when running, I get the error above.
sudo curl -o /usr/bin/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&package=github.com%2Fcaddy-dns%2Fcloudflare&package=github.com%2FWeidiDeng%2Fcaddy-cloudflare-ip&package=github.com%2Fmastercactapus%2Fcaddy2-proxyprotocol&package=github.com%2Fimgk%2Fcaddy-trojan"
What gives? Not sure if this project is still maintained though.
Thanks
Consider switching to pires/go-proxyproto, which has more features than your package.
Don't get me wrong, I don't dislike your package or find it low quality. It's just that pires/go-proxyproto already has a lot more features implemented and has more users (so less potential bugs).
I'd like to add more features to this Caddy plugin (e.g. TLVs). I've already taken some time to improve pires/go-proxyproto, and I'd prefer to avoid having to re-implement everything in mastercactapus/proxyprotocol. Would you welcome a patch that switches over to pires/go-proxyproto?
Thanks.
This issue is to track adding Caddyfile support.
The proposed format differs slightly from the Caddy 1.x version to simplify its use.
No options/use defaults:
proxy_protocol {
    timeout 5s
    allow 0.0.0.0/0 1.2.3.4/0
}
Set/override the default timeout or allow ranges:
proxy_protocol {
    timeout 0
    allow 0.0.0.0/0 1.2.3.4/0
}
After compiling caddy with this plugin:
$ xcaddy build --with github.com/mastercactapus/caddy2-proxyprotocol
And trying to validate:
$ caddy validate --config Caddyfile --adapter caddyfile
This Caddyfile:
app.example.com {
    listener_wrappers {
        proxy_protocol {
            timeout 2s
            allow 0.0.0.0/0
        }
        tls
    }
    reverse_proxy backend:3000
}
I'm getting the error: Unrecognized directive: listener_wrappers
Why is this? Am I using the syntax wrong? Did I compile Caddy wrong?