Caddy2 support #72

Closed
guoxiangke opened this issue Mar 27, 2020 · 19 comments

@guoxiangke

guoxiangke commented Mar 27, 2020

Please support Caddy2
Why I need Caddy2 forwardproxy: https://medium.com/@mattholt/private-browsing-without-a-vpn-e91027552700

===updated at 30/7/2020===
I found a fork
https://github.com/klzgrad/forwardproxy

@josh-chan

please support caddy2 http3

@mholt
Member

mholt commented Apr 18, 2020

I actually already upgraded it for Caddy 2 locally, but I have no idea as to the security or privacy implications of my upgrade work... I'll try to polish it up more and push it to a branch, but it will not have any privacy guarantees whatsoever -- for now.

(It's basically a straight port of the existing code, but there are a lot of tricky nuances to get it just right.)

@mholt
Member

mholt commented Apr 20, 2020

@guoxiangke @ashfame @yjsslab Please see #74 which has my work-in-progress branch. You can try it out today, all the tests pass on my machine and it seems to work with a config like this:

{
  "apps": {
    "http": {
      "servers": {
        "fwdproxy": {
          "listen": [
            ":443"
          ],
          "logs": {},
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "forward_proxy"
                        },
                        {
                          "handler": "static_response",
                          "body": "This is the regular site."
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": ["localhost"]
      },
      "automation": {
        "policies": [
          {
            "issuer": {
              "module": "internal"
            }
          }
        ]
      }
    }
  }
}

Please let me know how it goes!

@chinadsfdsf

{"error":"loading config: loading new config: loading http app module: provision http: server fwdproxy: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'forward_proxy': unknown module: http.handlers.forward_proxy"}

I think there is NO forward_proxy module.... Am I missing something? I tried to replace it with "forwardproxy" but it still failed.
Does anybody know what happens?

@mholt
Member

mholt commented Jul 11, 2020

@chinadsfdsf Please follow the instructions in our docs and it will work just fine: https://caddyserver.com/docs/build#xcaddy (make sure to build from the PR branch)

@chinadsfdsf

1. ./xcaddy build --with github.com/caddyserver/forwardproxy
2. ./caddy list-modules | grep forward
   and get nothing...
3. So, I think the key problem is: what is the PR branch?

@mholt
Member

mholt commented Jul 12, 2020

@chinadsfdsf You didn't build from the PR branch, which is currently at commit 03a7df4. The docs I linked to show you how to build at a specific version.

@chinadsfdsf

Thank you.

@NightMachinery

@mholt I want to add a password-protected web proxy. I already have some directives in my caddyfile:

files.sth.com, http://:8080 {
  file_server browse
}

sg.sth.com {
  reverse_proxy localhost:7080
}

Now I want to add a web proxy that, e.g., proxies https://google.com when someone accesses https://proxy.sth.com/https://google.com. How do I add this without messing up my current config?

BTW, will the links also be changed to link to the proxied versions, or will they link at the original location?

@mholt
Member

mholt commented Aug 1, 2020

@NightMachinery I don't think that's how the proxy works; the URL stays the same, you have to configure your HTTP client to do the proxying.

> BTW, will the links also be changed to link to the proxied versions, or will they link at the original location?

The proxy doesn't change any of the contents as far as I know. There is a third-party caddy plugin that can filter responses and do replacements in the body, but it's not very efficient yet.

@aivaturi

> @guoxiangke @ashfame @yjsslab Please see #74 which has my work-in-progress branch. You can try it out today, all the tests pass on my machine and it seems to work with a config like this:
>
> {
>   "apps": {
>     "http": {
>       "servers": {
>         "fwdproxy": {
>           "listen": [
>             ":443"
>           ],
>           "logs": {},
>           "routes": [
>             {
>               "handle": [
>                 {
>                   "handler": "subroute",
>                   "routes": [
>                     {
>                       "handle": [
>                         {
>                           "handler": "forward_proxy"
>                         },
>                         {
>                           "handler": "static_response",
>                           "body": "This is the regular site."
>                         }
>                       ]
>                     }
>                   ]
>                 }
>               ],
>               "terminal": true
>             }
>           ]
>         }
>       }
>     },
>     "tls": {
>       "certificates": {
>         "automate": ["localhost"]
>       },
>       "automation": {
>         "policies": [
>           {
>             "issuer": {
>               "module": "internal"
>             }
>           }
>         ]
>       }
>     }
>   }
> }
>
> Please let me know how it goes!

I tried running that config, and I get this error:

run: adapting config using caddyfile: Caddyfile:51 - Error during parsing: Unexpected EOF

@mholt
Member

mholt commented Aug 17, 2020

@aivaturi That's not a Caddyfile, that's a JSON config. If you name it Caddyfile, Caddy will think it's a Caddyfile. Please see https://caddyserver.com/docs/getting-started

@mholt mholt closed this as completed Aug 17, 2020
@mholt mholt reopened this Aug 17, 2020
@andychongyz

andychongyz commented Nov 19, 2020

Hi @mholt, first of all, thanks for building Caddy, it is so simple compared to the other web servers!

I was trying to translate the Caddyfile below to the JSON format, but I need some help, as I can't find how to translate the forwardproxy specific config to the JSON format.

From

:443, proxy.example.com 
route {
  forward_proxy {
    basic_auth username123 password12345
    ports 80 443
    hide_ip
    hide_via
    dial_timeout 30
    acl {
      allow all
    }
  }
}

To

{
  "apps": {
    "http": {
      "servers": {
        "fwdproxy": {
          "listen": [
            ":443"
          ],
          "logs": {},
          "routes": [
            {
              "handle": [
                {
                  "handler": "subroute",
                  "routes": [
                    {
                      "handle": [
                        {
                          "handler": "authentication",
                          "providers": {
                            "accounts": [
                              {
                                "username": "username123",
                                "password": "password12345"
                              }
                            ]
                          }
                        },
                        {
                          "handler": "forward_proxy"
                        }
                      ]
                    }
                  ]
                }
              ],
              "terminal": true
            }
          ]
        }
      }
    },
    "tls": {
      "certificates": {
        "automate": ["proxy.example.com "]
      }
    }
  }
}

Pending configs

ports 80 443
hide_ip
hide_via
dial_timeout 30
acl {
  allow all
}

Besides, I got this error when I tried to load the JSON config. Not very sure why it is reporting http.authentication.providers.accounts as an unknown module. Do I need a plugin for it?

ERROR	admin.api	request error	{"error": "loading config: loading new config: loading http app module: provision http: server fwdproxy: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'accounts': unknown module: http.authentication.providers.accounts", "status_code": 400}
{"error":"loading config: loading new config: loading http app module: provision http: server fwdproxy: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'accounts': unknown module: http.authentication.providers.accounts"}

@francislavoie
Member

@andychongyz generally, use the caddy adapt command to get the underlying JSON for a Caddyfile config. That'll give you a good starting point.
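
The load error quoted above names `accounts` as a module because the `providers` object of the authentication handler is keyed by provider module name, so a key placed directly under it is looked up as `http.authentication.providers.<key>`. The check below is an added example, not code from this thread or from the Caddy project: it walks a JSON config, flags that mistake, and flags account passwords that are not bcrypt hashes. Assumptions: `http_basic` is the only provider in the build, the default bcrypt hash is in use, and `lint_auth`, `looks_hashed` and both sample documents are constructed for this example.

```python
import base64
import binascii
import json

# Assumption: http_basic is the only provider in this build; add plugin providers here.
KNOWN_PROVIDERS = {"http_basic"}
BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")

def looks_hashed(password):
    """True if the value is a bcrypt hash, either raw or base64-encoded."""
    if password.startswith(BCRYPT_PREFIXES):
        return True
    try:
        decoded = base64.b64decode(password, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return False
    return decoded.startswith(BCRYPT_PREFIXES)

def lint_auth(node, path="$"):
    """Walk a Caddy JSON config and report problems in authentication handlers."""
    findings = []
    if isinstance(node, dict):
        if node.get("handler") == "authentication":
            for name, provider in node.get("providers", {}).items():
                where = f"{path}.providers.{name}"
                if name not in KNOWN_PROVIDERS:
                    findings.append(f"{where}: '{name}' is looked up as module "
                                    f"http.authentication.providers.{name}")
                    continue
                for i, acct in enumerate(provider.get("accounts", [])):
                    if not looks_hashed(acct.get("password", "")):
                        findings.append(f"{where}.accounts[{i}]: password is not a bcrypt hash")
        for key, value in node.items():
            findings += lint_auth(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += lint_auth(value, f"{path}[{i}]")
    return findings

# Constructed samples: the handler as posted in the thread, and the same account
# nested under http_basic with a placeholder, bcrypt-shaped password value.
POSTED = json.loads('{"handle": [{"handler": "authentication", "providers": '
                    '{"accounts": [{"username": "username123", "password": "password12345"}]}}]}')
NESTED = json.loads('{"handle": [{"handler": "authentication", "providers": {"http_basic": '
                    '{"accounts": [{"username": "username123", "password": "$2a$14$PLACEHOLDER"}]}}}]}')

if __name__ == "__main__":
    for finding in lint_auth(POSTED) + lint_auth(NESTED):
        print(finding)
```

This only explains the authentication handler's load error; it does not translate the forward_proxy options listed as pending in the post.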

@samstride

samstride commented Jun 3, 2022

@mholt, @francislavoie any update on Caddy2 support?

@mholt
Member

mholt commented Jan 17, 2023

I suppose a lot of people are subscribed to this thread by now. Sorry for the lack of updates. I have been very busy with the core of Caddy. And as I'm not the original author of this plugin, this subject matter is not my forte/expertise, and the nature of it requires sensitive handling / careful programming.

The current status is that the caddy2 branch is functional as far as I know, but I do not think it carries as robust security or privacy guarantees as the original, since I haven't been able to verify the tests are correct, or test in a variety of scenarios. I also have not applied any adversarial testing to it.

I understand that @sergeyfrolov is very busy these days and has moved onto other things. So I suppose we can merge in that branch if someone would like to take up developing and maintaining this plugin. Preferably someone who can become familiar and comfortable with its code and who can thoroughly vet it for flaws, and who understands the subject matter of proxying and tunneling from experience.

If you'd like to volunteer, please let me know!

In the meantime, the PR is here: #74

@NightMachinery

> I suppose a lot of people are subscribed to this thread by now. Sorry for the lack of updates. I have been very busy with the core of Caddy. And as I'm not the original author of this plugin, this subject matter is not my forte/expertise, and the nature of it requires sensitive handling / careful programming.
>
> The current status is that the caddy2 branch is functional as far as I know, but I do not think it carries as robust security or privacy guarantees as the original, since I haven't been able to verify the tests are correct, or test in a variety of scenarios. I also have not applied any adversarial testing to it.
>
> I understand that @sergeyfrolov is very busy these days and has moved onto other things. So I suppose we can merge in that branch if someone would like to take up developing and maintaining this plugin. Preferably someone who can become familiar and comfortable with its code and who can thoroughly vet it for flaws, and who understands the subject matter of proxying and tunneling from experience.
>
> If you'd like to volunteer, please let me know!
>
> In the meantime, the PR is here: #74

Have you seen https://github.com/klzgrad/naiveproxy ?

@gaby
Collaborator

gaby commented Feb 12, 2024

Fixed via #74

@mholt mholt removed the help wanted label Feb 12, 2024
@mholt
Member

mholt commented Feb 12, 2024

Thanks very much for your help finishing that up!

@mholt mholt closed this as completed Feb 12, 2024