caddy2-proxyprotocol's People

Contributors: francislavoie, mastercactapus

caddy2-proxyprotocol's Issues

global option servers ignored

Hi all,

I'm trying to use the module with the following Caddyfile:

{
	admin 0.0.0.0:2019
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 2s
				allow 0.0.0.0/0
			}
			http_redirect
			tls
		}
	}
	storage consul {
		address consul:8500
		timeout 10
		prefix caddytls
		value_prefix caddy
		aes_key consultls-1234567890-caddytls-32
		tls_enabled false
		tls_insecure true
	}
}

I'm using caddy in a docker swarm with the following compose file:

version: "3.7"

services:      
  consul:
    image: consul:1.14
    command: "agent -server -bootstrap -ui -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\"}}'"
    networks:
      - consul
    volumes:
      - consul_data:/consul/data
    deploy:
      replicas: 1
      placement:
        constraints: [node.role==manager]    
        
  consul-replica:
    image: consul:latest
    command: "agent -server -retry-join consul -client 0.0.0.0 -bind '{{ GetInterfaceIP \"eth0\"}}'"
    depends_on:
      - consul
    volumes:
      - consul_replica_data:/consul/data
    networks:
      - consul
    deploy:
      mode: global
      placement:
        preferences:
          - spread: node.id
      
  caddy:
    depends_on:
      - consul
    image: custom_caddy_image
    ports:
      - 2019:2019
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy-network
      - CONSUL_HTTP_ADDR=consul:8500
    networks:
      - caddy-network
      - consul
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    deploy:
      labels:
        caddy.email: [email protected]
      placement:
        constraints:
          - node.role == manager # I have 3 manager nodes
        preferences:
          - spread: node.id
      replicas: 1

networks:
  caddy-network:
  consul:
    driver: overlay

volumes:

  consul_data: {}
  consul_replica_data: {}

with a custom build:

FROM caddy:2.6-builder-alpine AS builder

RUN xcaddy build \
    --with github.com/pteich/caddy-tlsconsul \
    --with github.com/lucaslorentz/caddy-docker-proxy/v2 \
    --with github.com/mastercactapus/caddy2-proxyprotocol


FROM caddy:2.6-alpine
COPY --from=builder /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/caddy/Caddyfile
# Install package with certutil
RUN apk add --no-cache nss-tools
CMD ["caddy", "docker-proxy", "--caddyfile-path", "/etc/caddy/Caddyfile"]

But then in the logs I see the final JSON format of the Caddyfile:

{
	"admin": {
		"listen": "0.0.0.0:2019"
	},
	"storage": {
		"ConsulClient": null,
		"Storage": null,
		"address": "consul:8500",
		"aes_key": "Y29uc3VsdGxzLTEyMzQ1Njc4OTAtY2FkZHl0bHMtMzI=",
		"module": "consul",
		"prefix": "caddytls",
		"timeout": 10,
		"tls_enabled": false,
		"tls_insecure": true,
		"token": "",
		"value_prefix": "stofcaddy"
	}
}

So the module isn't used. What's happening here?

Caddy behind AWS Network Load Balancer with proxyprotocol enabled leads to tls errors

We are trying to pass the client IP through our load balancing stack. The stack is NLB => Caddy (on Docker/Fargate) => ALB.

My understanding, based on the documentation of your Caddy plugin, Caddy's own documentation and AWS's documentation of the Network Load Balancer (NLB) (https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol), is that I need to enable proxy protocol v2 in the NLB and install your plugin in Caddy as well as configure it. I've written about my configuration in the Caddy Forum: https://caddy.community/t/caddy-behind-nlb/13988

When I enable all the stuff mentioned above, I get the following lines in Caddy if I set the log level to debug:

`{"level":"debug","ts":1634749313.4648879,"logger":"http.stdlib","msg":"http: TLS handshake error from 10.20.201.113:12064: invalid length"}`

where the 10.20.201.113 is the private IP of our NLB.

What can I do to further debug this issue? Might there be a problem in your plugin when working with the NLB?

TLS scene support

Hope to support the use of TLS scenarios. It is a real ‘proxy protocol’ protocol.

Need help concerning adding custom Caddy modules

After reading the section "Adding custom Caddy modules" on https://hub.docker.com/_/caddy I still don't know how I can build a new Caddy binary with the plugin caddy2-proxyprotocol inside.

As I understood the documentation, I should do the following:

FROM caddy:<version>-builder AS builder

RUN xcaddy build \
    --with github.com/mastercactapus/caddy2-proxyprotocol.git

FROM caddy:<version>

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

But I don't know where and how.

My Caddy environment is running in a Docker container and managed by a docker-compose.yml file. The Docker components (vaultwarden, caddy) are working well. With the component fail2ban I still have difficulties (registering but not banning the IP address), but this is off-topic here.

My motivation to include the "caddy2-proxyprotocol" plugin is to protect my vaultwarden vault from potential brute-force attackers. If I understand well, this plugin is able to provide the real IP address to fail2ban (which is also included in a Docker container) so it can ban the right IP address. At this moment fail2ban is getting a private IP address (172.x.x.x) from the container instead, which will cause a DOS for the "normal" user.

How can I build a new Caddy binary inside a Docker container? Please help, I'm new to Docker and I also don't have any "go" know-how. Thank you.

Please update Caddy dependency

Building Caddy with proxyprotocol fails with errors:

[redacted]/pkg/mod/github.com/google/[email protected]/parser/helper.go:20:2: ambiguous import: found package github.com/antlr/antlr4/runtime/Go/antlr in multiple modules:
        github.com/antlr/antlr4 v0.0.0-20200503195918-621b933c7a7f ([redacted]/pkg/mod/github.com/antlr/[email protected]/runtime/Go/antlr)
        github.com/antlr/antlr4/runtime/Go/antlr v1.4.10 ([redacted]/pkg/mod/github.com/antlr/antlr4/runtime/!go/[email protected])

As far as I'm able to guess that happens because proxyprotocol's go.mod requires an old Caddy.

PROXY protocol v2 does not work normally behind HAProxy

  • Works
global
    daemon
defaults
    mode                            http
    option                          http-use-htx
frontend fe_main
    bind                            :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend                 be_main
backend be_main
    server caddy                    127.0.0.1:19600 send-proxy

  • Does not work
global
    daemon
defaults
    mode                            http
    option                          http-use-htx
frontend fe_main
    bind                            :443 ssl crt-list /etc/haproxy/crt-list.txt
    default_backend                 be_main
backend be_main
    server caddy                    127.0.0.1:19600 send-proxy-v2

  • Caddyfile
{
    debug
    servers {
        listener_wrappers {
            proxy_protocol {
                timeout 3s
            }
            tls
        }
    }
}
http://127.0.0.1:19600 {
    # encode gzip
    root * /usr/share/caddy
    file_server {
        hide .git
    }
}

Reverse Proxy fails Google Compute Cloud https healthcheck behind TCP load balancer

Caddy 2.5.2

I try to make Caddy handle all HTTPS in my Google Compute Cloud setup.
So I install Caddy behind an External TCP load balancer.

Our service relies on the client IP. That is why I enable PROXY protocol for the load balancer
and set up your plugin.
But once the plugin is enabled, all requests must use PROXY protocol, which is why I set the GCC HTTPS health check to use PROXY protocol too.
The problem is that the health check sends a PROXY UNKNOWN header, and the plugin sets the client IP to an empty value.
https://cloud.google.com/load-balancing/docs/health-checks#optional-flags-hc-protocol-http

Reverse Proxy fails with error:
preparing request for upstream round-trip: invalid client IP address:
and there is no way the health check will be passed.

I guess replacing IPs with empty values is wrong.
In case of a PROXY UNKNOWN header it is better to leave the original (proxy) values in requests.
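The two reports above (HAProxy's send-proxy vs. send-proxy-v2, and the Google health check's PROXY UNKNOWN header) both come down to how the header in front of the TLS bytes is parsed and what a receiver does when it carries no client address. The following is an added example written for this page, not code from caddy2-proxyprotocol or from either reporter; the names ParseProxyHeader, BuildV2Header, parseV1 and parseV2 are invented here. It parses both the v1 text header (including PROXY UNKNOWN) and the v2 binary header (PROXY and LOCAL commands, IPv4 and IPv6, TLVs skipped), returns the connection's own addresses instead of empty ones whenever the header announces no client, leaves whatever follows the header (for example the TLS ClientHello) unread, and refuses to treat a connection that does not begin with a header as PROXY protocol. BuildV2Header is the sender side, so the v2 exchange can be exercised end to end.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

// v2Signature is the fixed 12-byte prefix of every PROXY protocol v2 header.
var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n")

// ParseProxyHeader consumes one PROXY protocol header (v1 text or v2 binary) from r and
// returns the client and server addresses it announces. Headers carrying no addresses
// (v1 "PROXY UNKNOWN", v2 LOCAL or AF_UNSPEC) yield the fallback addresses, i.e. the TCP
// connection's own peer and local addresses. Bytes after the header stay unread in r.
func ParseProxyHeader(r *bufio.Reader, fbSrc, fbDst net.Addr) (net.Addr, net.Addr, error) {
	switch peek, err := r.Peek(12); {
	case err != nil:
		return nil, nil, err
	case bytes.Equal(peek, v2Signature):
		return parseV2(r, fbSrc, fbDst)
	case bytes.HasPrefix(peek, []byte("PROXY ")):
		return parseV1(r, fbSrc, fbDst)
	}
	return nil, nil, fmt.Errorf("connection does not start with a PROXY protocol header")
}

// parseV1 handles "PROXY <TCP4|TCP6|UNKNOWN> [src dst sport dport]\r\n", at most 107 bytes.
func parseV1(r *bufio.Reader, fbSrc, fbDst net.Addr) (net.Addr, net.Addr, error) {
	raw, err := r.ReadSlice('\n')
	if err != nil {
		return nil, nil, err
	}
	line := string(raw)
	f := strings.Fields(line)
	switch {
	case len(line) > 107 || !strings.HasSuffix(line, "\r\n") || len(f) < 2:
		return nil, nil, fmt.Errorf("malformed v1 header %q", line)
	case f[1] == "UNKNOWN": // sender has no client address (e.g. a health checker): keep the real ones
		return fbSrc, fbDst, nil
	case len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6"):
		return nil, nil, fmt.Errorf("malformed v1 header %q", line)
	}
	var addrs [2]net.Addr // source, then destination: fields 2/4 and 3/5
	for i := range addrs {
		ip, port := net.ParseIP(f[2+i]), f[4+i]
		p, err := strconv.Atoi(port)
		if ip == nil || err != nil || p < 0 || p > 65535 {
			return nil, nil, fmt.Errorf("bad address %s:%s in %q", f[2+i], port, line)
		}
		addrs[i] = &net.TCPAddr{IP: ip, Port: p}
	}
	return addrs[0], addrs[1], nil
}

// parseV2 handles the binary header: signature, version/command, family, length, addresses, TLVs.
func parseV2(r *bufio.Reader, fbSrc, fbDst net.Addr) (net.Addr, net.Addr, error) {
	var hdr [16]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, nil, err
	}
	cmd, fam := hdr[12]&0x0F, hdr[13]
	if hdr[12]>>4 != 0x2 || cmd > 0x1 {
		return nil, nil, fmt.Errorf("unsupported v2 version/command byte 0x%02x", hdr[12])
	}
	body := make([]byte, binary.BigEndian.Uint16(hdr[14:16])) // addresses plus any TLVs
	if _, err := io.ReadFull(r, body); err != nil {
		return nil, nil, err
	}
	if cmd == 0x0 || fam == 0x00 { // LOCAL (the proxy's own connection) or AF_UNSPEC: keep real addresses
		return fbSrc, fbDst, nil
	}
	ipLen := map[byte]int{0x11: 4, 0x21: 16}[fam] // TCP over IPv4 / TCP over IPv6
	if ipLen == 0 || len(body) < 2*ipLen+4 {
		return nil, nil, fmt.Errorf("unsupported family 0x%02x or short address block", fam)
	}
	src := &net.TCPAddr{IP: net.IP(body[:ipLen]), Port: int(binary.BigEndian.Uint16(body[2*ipLen:]))}
	dst := &net.TCPAddr{IP: net.IP(body[ipLen : 2*ipLen]), Port: int(binary.BigEndian.Uint16(body[2*ipLen+2:]))}
	return src, dst, nil // TLVs after the addresses were consumed with body and are ignored here
}

// BuildV2Header encodes what a v2 sender (e.g. HAProxy send-proxy-v2) puts on the wire; cmd 0x0 is LOCAL, 0x1 is PROXY.
func BuildV2Header(cmd byte, src, dst *net.TCPAddr) []byte {
	hdr := append(append([]byte{}, v2Signature...), 0x20|cmd)
	if cmd == 0x0 {
		return append(hdr, 0x00, 0x00, 0x00) // AF_UNSPEC and a zero-length address block
	}
	fam, s, d := byte(0x11), src.IP.To4(), dst.IP.To4()
	if s == nil || d == nil {
		fam, s, d = 0x21, src.IP.To16(), dst.IP.To16()
	}
	body := append(append(append([]byte{}, s...), d...),
		byte(src.Port>>8), byte(src.Port), byte(dst.Port>>8), byte(dst.Port))
	return append(append(hdr, fam, byte(len(body)>>8), byte(len(body))), body...)
}
```

In a listener wrapper this would be called once per accepted connection with a bufio.Reader over the net.Conn and conn.RemoteAddr()/conn.LocalAddr() as the fallbacks, after checking that the peer is in the configured allow list; the returned reader, not the raw conn, is then handed to the TLS layer so the ClientHello is read from the right offset.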

TLS handshake error

Hello,

I'm getting TLS errors when using this plugin (I stripped IP addresses for privacy concerns):

$ curl -v https://xxx.yyy/
*   Trying xxx.xxx.xxx.x:443...
* TCP_NODELAY set
* Connected to xxx.yyy (xxx.xxx.xxx.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to xxx.yyy:443 
{"level":"debug","ts":1662558661.0007904,"logger":"http.stdlib","msg":"http: TLS handshake error from xx.xxx.xxx.xxx:3803: invalid signature"}

Here is my caddyfile:

{
	debug
	servers {
		listener_wrappers {
			proxy_protocol {
				timeout 5s
				allow 0.0.0.0/0
			}
			tls
		}
	}
}

xxx.yyy {
	reverse_proxy sftpgo:8080 # I run this in docker-compose, so sftpgo is a docker container
}

I don't understand what I'm doing wrong.

Project still maintained?

Hi,

I'm getting this error:

2023/06/06 11:55:13.948	INFO	using provided configuration	{"config_file": "/etc/caddy/Caddyfile", "config_adapter": ""}
Error: adapting config using caddyfile: parsing caddyfile tokens for 'servers': /etc/caddy/Caddyfile:11 - Error during parsing: getting module named 'caddy.listeners.proxy_protocol': module not registered: caddy.listeners.proxy_protocol

Caddyfile:

{
    log {
        output file /var/log/caddy/caddy.log {
            roll_size 1gb
            roll_keep 5
            roll_keep_for 720h
        }
    }
    servers 127.0.0.1:5001 {
        listener_wrappers {
            proxy_protocol
        }
        protocols h2c h1
    }
}

:5001 {
    root * /srv/http/default
    file_server
    bind 127.0.0.1
}

:80 {
    redir https://{host}{uri} permanent
}

It compiles as seen below, but when running, I get the error above.

sudo curl -o /usr/bin/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&package=github.com%2Fcaddy-dns%2Fcloudflare&package=github.com%2FWeidiDeng%2Fcaddy-cloudflare-ip&package=github.com%2Fmastercactapus%2Fcaddy2-proxyprotocol&package=github.com%2Fimgk%2Fcaddy-trojan"

What gives? Not sure if this project is still maintained though.
Thanks

Consider switching to pires/go-proxyproto

Consider switching to pires/go-proxyproto, which has more features than your package.

Don't get me wrong, I don't dislike your package or find it low quality. It's just that pires/go-proxyproto already has a lot more features implemented and has more users (so less potential bugs).

I'd like to add more features to this Caddy plugin (e.g. TLVs). I've already taken some time to improve pires/go-proxyproto, and I'd prefer to avoid having to re-implement everything in mastercactapus/proxyprotocol. Would you welcome a patch that switches over to pires/go-proxyproto?

Thanks.

Caddyfile support

This issue is to track adding Caddyfile support.

Proposed format differs slightly from the Caddy 1.x version to simplify its use.

No options/use defaults:

proxy_protocol {
  timeout 5s
  allow 0.0.0.0/0 1.2.3.4/0
}

Set override default timeout or allow ranges:

proxy_protocol {
  timeout 0
  allow 0.0.0.0/0 1.2.3.4/0
}

Unrecognized directive: listener_wrappers

After compiling caddy with this plugin:

$ xcaddy build --with github.com/mastercactapus/caddy2-proxyprotocol

And trying to validate:

$ caddy validate --config Caddyfile --adapter caddyfile

This Caddyfile:

app.example.com {
	listener_wrappers {
		proxy_protocol {
			timeout 2s
			allow 0.0.0.0/0
		}
		tls
	}
	reverse_proxy backend:3000
}

I'm getting the error: Unrecognized directive: listener_wrappers

Why is this? Am I using the syntax wrong? Did I compile Caddy wrong?
