rewrite double-encodes url #4515

Closed
5HT2 opened this issue Jan 10, 2022 · 13 comments · Fixed by #4516
Labels
bug 🐞 Something isn't working

Comments

@5HT2

5HT2 commented Jan 10, 2022

Caddyfile: Caddyfile

Relevant section:

frogg.ie {
	header Caddy LeapPad
	@image {
		expression {path}.size() > 1
	}
	@root {
		expression {path}.size() == 1
	}
	rewrite @image /i{uri}
	reverse_proxy @image localhost:6010
	redir @root https://l1v.in
}

Example: frogg.ie (Caddy rewrite) i.l1v.in/i/ (original host)

Other example (to prove rewrite works as intended): frogg.ie i.l1v.in/i/

My best guess is that Caddy's rewrite is doing something weird to the encoding here. I will try to get debug output.

@francislavoie
Member

francislavoie commented Jan 10, 2022

Yeah, logs with the debug global option enabled should show some more details about what's going on.

I'd suggest that your upstream app should probably URL decode before serving the image. It's pretty normal to have the URL be encoded. Scratch that, I see that the image loads fine while the URL is encoded and reaches the upstream.

@francislavoie francislavoie added the needs info 📭 Requires more information label Jan 10, 2022
@5HT2
Author

5HT2 commented Jan 10, 2022

I was right, it is the encoding.

2022/01/10 04:31:35 - Returned 403 to [REDACTED] - tried to connect with '' to '/i/%C2%B7%E2%88%B5%E2%80%A6%E2%80%A2%E2%8B%AE%E2%88%B5%C2%B7.png'
2022/01/10 04:31:59 - Returned 403 to [REDACTED] - tried to connect with '' to '/i/·∵…•⋮∵·.png

@5HT2
Author

5HT2 commented Jan 10, 2022

Do note, I do kind of expect to have the un-encoded URL sent to my backend, as it only happens with rewrite

@francislavoie
Member

Where are those logs from? Those aren't Caddy's logs.

Please provide us with which version of Caddy you're using, and debug logs from Caddy.

@5HT2
Author

5HT2 commented Jan 10, 2022

Those are logs from my own backend, https://github.com/l1ving/fs-over-http

I'll grab the debug logs in a second. I'm running v2.4.5

@francislavoie
Member

Please also try upgrading to v2.4.6.

@5HT2
Author

5HT2 commented Jan 10, 2022

Where can I find the logs that Caddy generates? I have it running in the background, I've added debug to my global config block beside my email, and ran caddy reload.

@francislavoie
Member

Caddy outputs its logs to stdout/stderr. It depends how you're running Caddy.

@5HT2
Author

5HT2 commented Jan 10, 2022

These are the logs from v2.4.6; the issue is still present.

2022/01/10 04:43:17.478 DEBUG   http.handlers.reverse_proxy     upstream roundtrip   {"upstream": "localhost:6010", "duration": 0.000470641, "request": {"remote_addr": "REDACTED:34110", "proto": "HTTP/2.0", "method": "POST", "host": "i.l1v.in", "uri": "/i/·∵…•⋮∵·.png", "headers": {"User-Agent": ["curl/7.81.0"], "Accept": ["*/*"], "X-Forwarded-For": ["REDACTED"], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "i.l1v.in"}}, "headers": {"Content-Type": ["text/plain; charset=utf-8"], "Content-Length": ["14"], "X-Server-Message": ["403 Forbidden"], "Server": ["fs-over-http"], "Date": ["Mon, 10 Jan 2022 04:43:17 GMT"]}, "status": 403}
2022/01/10 04:43:17.531 DEBUG   tls.handshake   choosing certificate    {"identifier":"frogg.ie", "num_choices": 1}
2022/01/10 04:43:17.531 DEBUG   tls.handshake   default certificate selection results{"identifier": "frogg.ie", "subjects": ["frogg.ie"], "managed": true, "issuer_key": "acme-v02.api.letsencrypt.org-directory", "hash": "74b524fb5b23f2adc6e906f84956a3459e24c6c111131b6a5cc8caef81848e36"}
2022/01/10 04:43:17.531 DEBUG   tls.handshake   matched certificate in cache    {"subjects": ["frogg.ie"], "managed": true, "expiration": "2022/04/06 13:26:09.000", "hash":"74b524fb5b23f2adc6e906f84956a3459e24c6c111131b6a5cc8caef81848e36"}
2022/01/10 04:43:17.553 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_addr": "REDACTED:34112", "proto": "HTTP/2.0", "method": "POST", "host": "frogg.ie", "uri": "/i/·∵…•⋮∵·.png", "headers": {"User-Agent": ["curl/7.81.0"], "Accept": ["*/*"]}, "tls": {"resumed": false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "frogg.ie"}}, "method": "POST", "uri": "/i/i/%25C2%25B7%25E2%2588%25B5%25E2%2580%25A6%25E2%2580%25A2%25E2%258B%25AE%25E2%2588%25B5%25C2%25B7.png"}
2022/01/10 04:43:17.553 DEBUG   http.handlers.reverse_proxy     upstream roundtrip   {"upstream": "localhost:6010", "duration": 0.000341721, "request": {"remote_addr": "REDACTED:34112", "proto": "HTTP/2.0", "method": "POST", "host": "frogg.ie", "uri": "/i/i/%25C2%25B7%25E2%2588%25B5%25E2%2580%25A6%25E2%2580%25A2%25E2%258B%25AE%25E2%2588%25B5%25C2%25B7.png", "headers": {"User-Agent": ["curl/7.81.0"], "Accept": ["*/*"], "X-Forwarded-For": ["REDACTED"], "X-Forwarded-Proto": ["https"]}, "tls": {"resumed":false, "version": 772, "cipher_suite": 4865, "proto": "h2", "proto_mutual": true, "server_name": "frogg.ie"}}, "headers": {"X-Server-Message": ["403 Forbidden"], "Server":["fs-over-http"], "Date": ["Mon, 10 Jan 2022 04:43:17 GMT"], "Content-Type": ["text/plain; charset=utf-8"], "Content-Length": ["14"]}, "status": 403}

Command ran:

curl -X POST https://i.l1v.in/i/·∵…•⋮∵·.png; curl -X POST https://frogg.ie/i/·∵…•⋮∵·.png

@francislavoie
Member

francislavoie commented Jan 10, 2022

Alright, I think I can replicate the issue.

2022/01/10 04:39:48.791 DEBUG   http.handlers.rewrite   rewrote request {"request": {"remote_ip": "::1", "remote_port": "60091", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:23456", "uri": "/%C2%B7%E2%88%B5%E2%80%A6%E2%80%A2%E2%8B%AE%E2%88%B5%C2%B7.png", "headers": {"User-Agent": ["curl/7.55.1"], "Accept": ["*/*"]}}, "method": "GET", "uri": "/i/%25C2%25B7%25E2%2588%25B5%25E2%2580%25A6%25E2%2580%25A2%25E2%258B%25AE%25E2%2588%25B5%25C2%25B7.png"}

When rewriting, the path gets double-encoded. I'm not sure what the fix is for rewrite... we need to tread carefully here.

I do have a workaround for you though. Instead of using rewrite, you can do this:

uri path_regexp ^/ /i/

Basically this will replace the leading / of a URL with /i/. I confirmed that it doesn't double-encode.

Also FYI, your Caddyfile can be simplified to this (you can just match on / exactly for redir, and then you don't need any of the matchers)

frogg.ie {
	header Caddy LeapPad
	redir / https://l1v.in
	uri path_regexp ^/ /i/
	reverse_proxy localhost:6010
}
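
The double-encoding seen in the logs above can be reproduced with Go's `net/url` alone. This is an added example, not code from the thread, from Caddy, or from the fix in #4516; the function names are hypothetical, and it assumes the already-encoded path ends up stored in `URL.Path`, which holds decoded text.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// naiveRewrite treats the already-encoded path as if it were decoded text.
// Storing it in URL.Path makes net/url escape each '%' again as "%25".
func naiveRewrite(u *url.URL, prefix string) string {
	out := *u
	out.Path = prefix + u.EscapedPath() // bug: encoded string in the decoded field
	out.RawPath = ""
	return out.EscapedPath()
}

// safeRewrite edits the decoded path and keeps RawPath consistent with it,
// so the path is encoded exactly once on the way out.
func safeRewrite(u *url.URL, prefix string) string {
	out := *u
	out.Path = prefix + u.Path
	if u.RawPath != "" {
		out.RawPath = prefix + u.RawPath
	}
	return out.EscapedPath()
}

// doubleEncoded flags "%25" followed by two hex digits, i.e. an escaped escape.
var doubleEncoded = regexp.MustCompile(`(?i)%25[0-9a-f]{2}`)

// looksDoubleEncoded can be run over proxy or upstream log URIs.
func looksDoubleEncoded(uri string) bool { return doubleEncoded.MatchString(uri) }

func main() {
	// Constructed input: the file name from the issue, percent-encoded once.
	u, err := url.Parse("https://frogg.ie/%C2%B7%E2%88%B5%E2%80%A6%E2%80%A2%E2%8B%AE%E2%88%B5%C2%B7.png")
	if err != nil {
		panic(err)
	}
	for _, got := range []string{naiveRewrite(u, "/i"), safeRewrite(u, "/i")} {
		fmt.Printf("%-5v %s\n", looksDoubleEncoded(got), got)
	}
}
```

A legitimate literal `%25` followed by hex digits also matches the detector, so treat a hit as a prompt to compare the client-side and upstream-side URIs rather than as proof.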

@5HT2
Author

5HT2 commented Jan 10, 2022

I've confirmed that your workaround does indeed fix the issue, thank you :)

@5HT2 5HT2 changed the title from "rewrite + reverse_proxy doesn't work with unicode" to "rewrite double-encodes url" Jan 10, 2022
@francislavoie francislavoie added bug 🐞 Something isn't working and removed needs info 📭 Requires more information labels Jan 10, 2022
@francislavoie
Member

francislavoie commented Jan 10, 2022

I have a fix in #4516

@mholt
Member

mholt commented Jan 10, 2022

Geez, you all fast.
