curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(caddy-v2): add v2.1 directives

This commit is contained in:
MDLeom 2020-06-21 05:20:30 +01:00
parent 9d24be770a
commit 6d8b80c257
No known key found for this signature in database
GPG Key ID: 5D9DB57A25D34EE3
1 changed files with 72 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

79
source/_posts/caddy-upgrade-v2-proxy.md
View File

@ -2,7 +2,7 @@
title: Upgrading Caddy reverse proxy from v1 to v2 syntax title: Upgrading Caddy reverse proxy from v1 to v2 syntax
excerpt: route, strip_prefix, rewrite excerpt: route, strip_prefix, rewrite
date: 2020-05-23 date: 2020-05-23
lastUpdated: 2020-05-28 lastUpdated: 2020-06-21
tags: tags:
- server - server
- caddy - caddy
@ -54,13 +54,21 @@ Requests to `https://example.com/api/foo/bar/` is redirected to `https://backend
v2 doesn't have `without` directive, instead you need to use `route` the request and remove the prefix using `uri strip_prefix`: v2 doesn't have `without` directive, instead you need to use `route` the request and remove the prefix using `uri strip_prefix`:
``` plain v2 ``` plain v2.0
route /api/* { route /api/* {
uri strip_prefix /api uri strip_prefix /api
reverse_proxy https://backend.com reverse_proxy https://backend.com
} }
``` ```
v2.1 adds `handle_path` directive which integrates prefix stripping:
``` plain v2.1
handle_path /api/* {
reverse_proxy https://backend.com
}
```
### Backend with custom path ### Backend with custom path
Reverse proxy with custom path: Reverse proxy with custom path:
@ -75,7 +83,7 @@ proxy /img https://backend.com/img/blog {
v2 doesn't support custom path, instead you need to use `rewrite` to prepend the path: v2 doesn't support custom path, instead you need to use `rewrite` to prepend the path:
``` plain v2 ``` plain v2.0
route /img/* { route /img/* {
uri strip_prefix /img uri strip_prefix /img
@ -85,6 +93,13 @@ route /img/* {
} }
``` ```
``` plain v2.1
handle_path /img/* {
rewrite * /img/blog{path}
reverse_proxy https://backend.com
}
```
![v2 syntax](20200523/reverse_proxy.png) ![v2 syntax](20200523/reverse_proxy.png)
## header_upstream to header_up ## header_upstream to header_up
@ -144,7 +159,7 @@ example.com www.example.com {
} }
``` ```
``` plain v2 ``` plain v2.0
example.com www.example.com { example.com www.example.com {
@www { @www {
host www.example.com host www.example.com
@ -153,6 +168,15 @@ example.com www.example.com {
} }
``` ```
v2.1 supports single-line matcher:
``` plain v2.1
example.com www.example.com {
@www host www.example.com
redir @www https://example.com{uri} permanent
}
```
Add `www.` subdomain: Add `www.` subdomain:
``` plain v1 ``` plain v1
@ -164,7 +188,7 @@ example.com www.example.com {
} }
``` ```
``` plain v2 ``` plain v2.0
example.com www.example.com { example.com www.example.com {
@www { @www {
host example.com host example.com
@ -173,6 +197,13 @@ example.com www.example.com {
} }
``` ```
``` plain v2.1
example.com www.example.com {
@www host example.com
redir @www https://www.example.com{uri} permanent
}
```
## header and reverse_proxy ## header and reverse_proxy
`header` directive still keeps similar syntax, but operates a bit different. In v2, when used alongside with `reverse_proxy`, Caddy modifies the header _before_ receiving header response from the backend. This behaviour is apparent when you want to replace existing header(s); instead of replacing, Caddy adds the header and results in duplicate headers. To avoid this issue, you should use `defer`: `header` directive still keeps similar syntax, but operates a bit different. In v2, when used alongside with `reverse_proxy`, Caddy modifies the header _before_ receiving header response from the backend. This behaviour is apparent when you want to replace existing header(s); instead of replacing, Caddy adds the header and results in duplicate headers. To avoid this issue, you should use `defer`:
@ -189,10 +220,44 @@ example.com www.example.com {
In v2, Caddy automatically listens on HTTP (port 80) and redirects to HTTPS, whereas in v1, you need add a separate `redir 301`. This is handy is most use cases, but doesn't apply to my {% post_link caddy-nixos-part-3 'use case' %}--listens on HTTPS only. In v2, Caddy automatically listens on HTTP (port 80) and redirects to HTTPS, whereas in v1, you need add a separate `redir 301`. This is handy is most use cases, but doesn't apply to my {% post_link caddy-nixos-part-3 'use case' %}--listens on HTTPS only.
In v2.0, this can only be disabled in [JSON](https://caddyserver.com/docs/json/apps/http/servers/#automatic_https/disable_redirects); it will be configurable using Caddyfile in [v2.1](https://github.com/caddyserver/caddy/issues/3219). In v2.0, this can only be disabled in [JSON](https://caddyserver.com/docs/json/apps/http/servers/#automatic_https/disable_redirects).
v2.1 supports configuring Automatic HTTPS in Caddyfile using `auto https` global option:
``` plain Caddyfile
{
auto_https disable_redirects
}
```
## TLS client authentication ## TLS client authentication
Client authentication adds another step to TLS connection process whereby a client needs to present a certificate (that has been signed by a CA certificate) to the server (which has the CA certificate) when it attempts to establish a TLS connection. Once the client is authenticated, the process is reversed and client authenticates the server instead. The padlock icon next to the web address indicates that the website's certificate is valid. Client authentication is only used in private web server to restrict access to authorised clients only. In my case, I restrict my origin server to [Cloudflare CDN](https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls) only; mdleom.com is only accessible via Cloudflare, direct connection to the origin server will be dropped. Client authentication adds another step to TLS connection process whereby a client needs to present a certificate (that has been signed by a CA certificate) to the server (which has the CA certificate) when it attempts to establish a TLS connection. Once the client is authenticated, the process is reversed and client authenticates the server instead. The padlock icon next to the web address indicates that the website's certificate is valid. Client authentication is only used in private web server to restrict access to authorised clients only. In my case, I restrict my origin server to [Cloudflare CDN](https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls) only; mdleom.com is only accessible via Cloudflare, direct connection to the origin server will be dropped.
In v2.0, this can only be disabled in [JSON](https://caddyserver.com/docs/json/apps/http/servers/tls_connection_policies/#client_authentication); it will be configurable using Caddyfile in [v2.1](https://github.com/caddyserver/caddy/issues/3334). In v2.0, this can only be disabled in [JSON](https://caddyserver.com/docs/json/apps/http/servers/tls_connection_policies/#client_authentication).
v2.1 supports configuring client authentication in Caddyfile using `clients` directive in tls option:
``` plain Caddyfile
example.com {
tls cert.pem cert.key {
client_auth {
mode require_and_verify
trusted_ca_cert_file origin-pull-ca.pem
# base64 DER-encoded CA cert is also supported
# trusted_ca_cert MIIDSzCCAjOgAwIBAg
}
}
}
```
## Administration endpoint
[Admin endpoint](https://caddyserver.com/docs/api) is the highlight feature of v2.0; new config can be loaded without restarting Caddy. It is enabled by default and listens on `http://localhost:2019`.
To disable it:
```
{
admin off
}