
Comments (5)

sergeyfrolov avatar sergeyfrolov commented on September 14, 2024 1

@hacker1024
This is a known (to developers) limitation and it has to do with how Caddy matches requests to websites.
While forwardproxying, the only place where website name shows up is Subject Name Indication during TLS handshake. After the TLS handshake, it's just CONNECT somesite.com HTTP/1.1 OR GET anothersite.com HTTP/1.1.
For any use-case, other than forwardproxy (which came around last August), Caddy doesn't need to keep track of which SNI was used for which TLS connection, and thus was designed to simply match requests where they should go, as they come. Other webservers share this behavior. So what we've done, when we added forwardproxy, is that whenever forwardproxy is on, Caddy will match all unmatched requests into the forwardproxying chain. Hence, your issue.
As a result, fixing this issue would require (potentially substantial) changes in Caddy's core to make sure incoming requests have context that includes original SNI. I, as author of forwardproxy, do not know whether @mholt (Caddy author) would be happy for this to happen. If you describe your use-case and why it's important for forwardproxy to only work with single SNI, that might help.

from forwardproxy.

mholt avatar mholt commented on September 14, 2024

Sergey is right.

... although technically, Caddy does already (uniquely) hold onto the TLS ClientHello info for MITM detection for each HTTPS request. It doesn't currently hold onto the SNI information but we could potentially add it.

Anyway, it's not out of the question.


hacker1024 avatar hacker1024 commented on September 14, 2024

I see. In the meantime, perhaps an error or warning could show when someone tries to do what I've done?


mholt avatar mholt commented on September 14, 2024

Perhaps we could introduce a -sni-first flag (as in #12), except by this issue the flag would also disable forwardproxy's "fallback" behavior. In other words, without the -sni-first flag, the forwardproxy plugin tells Caddy to "fall back" to the site of the forwardproxy when the Host header doesn't match any site definitions. This is how it already works. But if we use -sni-first then we would have to disable that, since we would match on SNI to find the site definition that applies to that request, then consume the Host header with forwardproxy.

It's a bit of a hack, and very, very niche use, and we'd have to consider the implications for probe resistance. Feedback and critique welcome.


jim3ma avatar jim3ma commented on September 14, 2024

I think it does not matter that -sni-first disables the forwardproxy's "fallback" behavior.

When proxy traffic comes with -sni-first, caddy knows it is for the proxy site (which is configured with forwardproxy).

While currently the fallback method is just a workaround. We should consider a perfect solution.
With -sni-first, forwardproxy should register with the site and the CONNECT method for catching the proxy traffic and this can resolve this issue.
Without -sni-first, it seems that fallback is the only way.
