www/Caddy - Layer4 Proxy Causing Issues #4384
jkoch22 opened this issue Dec 4, 2024 · 3 comments
Labels
upstream Third party issue

Comments

@jkoch22

jkoch22 commented Dec 4, 2024

Describe the bug
Enabling Layer4 Proxy on Caddy breaks the ability to view OPNsense's firmware status.

To Reproduce
Steps to reproduce the behavior:

  1. Configure OPNsense web GUI port to something other than 80/443 and configure reverse proxy in Caddy to access the web GUI on that port.
  2. Enable Layer4 Proxy with no rules configured and access System>Firmware>Status in OPNsense web GUI.

Expected behavior
Status page loads data.

Screenshots
Console showing that connection was closed with Layer4 Proxy enabled:

Page loads without Layer4 Proxy enabled and no console errors:

Relevant log files
Caddy Error:

"debug","ts":"2024-12-04T17:18:20Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.254.254.1:10443","duration":2.971530084,"request":{"remote_ip":"10.254.253.2","remote_port":"6014","client_ip":"10.254.253.2","proto":"HTTP/2.0","method":"GET","host":"opnsense.jokosolutions.com","uri":"/api/core/firmware/info","headers":{"Sec-Fetch-Site":["same-origin"],"X-Requested-With":["XMLHttpRequest"],"Sec-Fetch-Mode":["cors"],"Accept-Language":["en-US,en;q=0.9,es;q=0.8"],"Priority":["u=1, i"],"X-Forwarded-Proto":["https"],"Cache-Control":["no-cache"],"Content-Type":["application/json"],"User-Agent":["Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36"],"Sec-Fetch-Dest":["empty"],"Sec-Ch-Ua":["\"Google Chrome\";v=\"131\", \"Chromium\";v=\"131\", \"Not_A Brand\";v=\"24\""],"Accept":["application/json, text/javascript, */*; q=0.01"],"Dnt":["1"],"X-Forwarded-Host":["opnsense.jokosolutions.com"],"Accept-Encoding":["gzip, deflate, br, zstd"],"X-Csrftoken":["fxOhJ71D6vwUohhe2uuq5A"],"X-Forwarded-For":["10.254.253.2"],"Pragma":["no-cache"],"Cookie":["REDACTED"],"Referer":["https://opnsense.jokosolutions.com/ui/core/firmware"],"Sec-Ch-Ua-Platform":["\"Windows\""],"Sec-Ch-Ua-Mobile":["?0"]},"tls":{"resumed":true,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"opnsense.jokosolutions.com"}},"error":"context canceled"}

Additional context
I admit, this could be an issue within my configuration. If you need any additional information or feel this isn't a bug let me know. Thank you!

Environment
OPNsense 24.7.10_2
Caddy Plugin 1.7.5
Google Chrome 131.0.6778.108

Mentioning: @Monviech since it appears you are the primary maintainer of this plugin. My apologies if this is considered bad etiquette.
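As an added example, not part of this thread or of the Caddy plugin: a small Python triage script over constructed Caddy JSON log lines in the same shape as the one quoted above. It pulls out reverse_proxy roundtrips that ended with "context canceled" (the request context ended on the client side before the upstream answered, which is not an upstream error) and counts canceled versus completed roundtrips per upstream and URI, so a path that fails only with the Layer4 wrapper enabled stands out from an occasional browser abort. The sample lines are constructed; only the host, upstream and URI are taken from the issue.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of Caddy's JSON logs quoted in the issue
# (logger http.handlers.reverse_proxy, msg "upstream roundtrip"). The first
# line mirrors the canceled request; the others are made-up filler.
SAMPLE_LOG = """\
{"level":"debug","ts":"2024-12-04T17:18:20Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.254.254.1:10443","duration":2.971530084,"request":{"method":"GET","host":"opnsense.jokosolutions.com","uri":"/api/core/firmware/info","proto":"HTTP/2.0"},"error":"context canceled"}
{"level":"debug","ts":"2024-12-04T17:18:21Z","logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"10.254.254.1:10443","duration":0.031,"request":{"method":"GET","host":"opnsense.jokosolutions.com","uri":"/ui/core/firmware","proto":"HTTP/2.0"},"headers":{}}
{"level":"info","ts":"2024-12-04T17:18:22Z","logger":"http.log.access","msg":"handled request","duration":0.01}
not json at all
"""


def parse_roundtrips(text):
    """Yield only reverse_proxy 'upstream roundtrip' records; skip other loggers and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line, as in a pasted log
        if rec.get("logger") == "http.handlers.reverse_proxy" and rec.get("msg") == "upstream roundtrip":
            yield rec


def canceled_roundtrips(text):
    """Return (upstream, host, uri, duration) for roundtrips the proxy gave up on."""
    out = []
    for rec in parse_roundtrips(text):
        if rec.get("error") != "context canceled":
            continue
        req = rec.get("request", {})
        out.append((rec.get("upstream"), req.get("host"), req.get("uri"), rec.get("duration")))
    return out


def summarize_by_uri(text):
    """Count canceled vs completed roundtrips per (upstream, uri) and track the longest duration."""
    stats = defaultdict(lambda: {"canceled": 0, "ok": 0, "max_duration": 0.0})
    for rec in parse_roundtrips(text):
        key = (rec.get("upstream"), rec.get("request", {}).get("uri"))
        bucket = "canceled" if rec.get("error") == "context canceled" else "ok"
        stats[key][bucket] += 1
        stats[key]["max_duration"] = max(stats[key]["max_duration"], float(rec.get("duration", 0)))
    return dict(stats)


if __name__ == "__main__":
    for entry in canceled_roundtrips(SAMPLE_LOG):
        print("canceled:", entry)
    for key, s in summarize_by_uri(SAMPLE_LOG).items():
        print(key, s)
```

Run it against the real Caddy log (piped from the unixgram socket consumer or a saved file) once with the Layer4 wrapper enabled and once without; the per-URI counts make the difference visible without reading raw JSON.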

@Monviech
Member

Monviech commented Dec 4, 2024

I need your caddyfile with l4 enabled and disabled. Ensure there is no sensitive data like API keys in it before sharing.

@Monviech Monviech added the support Community support label Dec 4, 2024
@jkoch22
Author

jkoch22 commented Dec 4, 2024

Before enabling Layer4

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2 h3
	}

	dynamic_dns {
		provider cloudflare [REDACTED]
		domains {
			jokosolutions.com *
		}
		ip_source interface igc0
		versions ipv4
	}

	email [REDACTED]
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Reverse Proxy Domain: "7d06b9a8-519a-4271-b807-886fe8008e6f"
*.jokosolutions.com {
	tls {
		issuer acme {
			dns cloudflare [REDACTED]
		}
	}

	@471f3433-4861-42f6-92a9-a3b3b3ac0168 {
		host pve.jokosolutions.com
	}
	handle @471f3433-4861-42f6-92a9-a3b3b3ac0168 {
		@0226a122-7a59-4ddc-ae11-70488eeba636_pvejokosolutionscom {
			not client_ip 10.0.0.0/8
		}
		handle @0226a122-7a59-4ddc-ae11-70488eeba636_pvejokosolutionscom {
			abort
		}

		handle {
			reverse_proxy https://10.10.100.10:8006 {
				transport http {
					tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/64ae19145c017.pem
					tls_server_name pve.jokosolutions.com
				}
			}
		}
	}
	@351410a5-1dad-4741-b0f1-082034531e10 {
		host opnsense.jokosolutions.com
	}
	handle @351410a5-1dad-4741-b0f1-082034531e10 {
		@0226a122-7a59-4ddc-ae11-70488eeba636_opnsensejokosolutionscom {
			not client_ip 10.0.0.0/8
		}
		handle @0226a122-7a59-4ddc-ae11-70488eeba636_opnsensejokosolutionscom {
			abort
		}

		handle {
			@0226a122-7a59-4ddc-ae11-70488eeba636 {
				not client_ip 10.0.0.0/8
			}
			handle @0226a122-7a59-4ddc-ae11-70488eeba636 {
				abort
			}

			reverse_proxy https://10.254.254.1:10443 {
				transport http {
					tls_insecure_skip_verify
					tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/64ae19145c017.pem
					tls_server_name opnsense.jokosolutions.com
				}
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

After enabling Layer4

# DO NOT EDIT THIS FILE -- OPNsense auto-generated file


# caddy_user=root

# Global Options
{
	log {
		output net unixgram//var/run/caddy/log.sock {
		}
		format json {
			time_format rfc3339
		}
	}

	servers {
		protocols h1 h2 h3
		listener_wrappers {
			layer4 {
				import /usr/local/etc/caddy/caddy.d/*.layer4listener
			}
			tls
		}
	}

	layer4 {
		import /usr/local/etc/caddy/caddy.d/*.layer4global
	}

	dynamic_dns {
		provider cloudflare [REDACTED]
		domains {
			jokosolutions.com *
		}
		ip_source interface igc0
		versions ipv4
	}

	email [REDACTED]
	grace_period 10s
	import /usr/local/etc/caddy/caddy.d/*.global
}

# Reverse Proxy Configuration


# Layer4 default HTTP port
:80 {
}
# Layer4 default HTTPS port
:443 {
}

# Reverse Proxy Domain: "7d06b9a8-519a-4271-b807-886fe8008e6f"
*.jokosolutions.com {
	tls {
		issuer acme {
			dns cloudflare [REDACTED]
		}
	}

	@471f3433-4861-42f6-92a9-a3b3b3ac0168 {
		host pve.jokosolutions.com
	}
	handle @471f3433-4861-42f6-92a9-a3b3b3ac0168 {
		@0226a122-7a59-4ddc-ae11-70488eeba636_pvejokosolutionscom {
			not client_ip 10.0.0.0/8
		}
		handle @0226a122-7a59-4ddc-ae11-70488eeba636_pvejokosolutionscom {
			abort
		}

		handle {
			reverse_proxy https://10.10.100.10:8006 {
				transport http {
					tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/64ae19145c017.pem
					tls_server_name pve.jokosolutions.com
				}
			}
		}
	}
	@351410a5-1dad-4741-b0f1-082034531e10 {
		host opnsense.jokosolutions.com
	}
	handle @351410a5-1dad-4741-b0f1-082034531e10 {
		@0226a122-7a59-4ddc-ae11-70488eeba636_opnsensejokosolutionscom {
			not client_ip 10.0.0.0/8
		}
		handle @0226a122-7a59-4ddc-ae11-70488eeba636_opnsensejokosolutionscom {
			abort
		}

		handle {
			@0226a122-7a59-4ddc-ae11-70488eeba636 {
				not client_ip 10.0.0.0/8
			}
			handle @0226a122-7a59-4ddc-ae11-70488eeba636 {
				abort
			}

			reverse_proxy https://10.254.254.1:10443 {
				transport http {
					tls_insecure_skip_verify
					tls_trust_pool file /var/db/caddy/data/caddy/certificates/temp/64ae19145c017.pem
					tls_server_name opnsense.jokosolutions.com
				}
			}
		}
	}
}

import /usr/local/etc/caddy/caddy.d/*.conf

@Monviech
Member

Monviech commented Dec 4, 2024

Thanks, I could reproduce it. Really weird. Might take some time to know what's going on.

This feels like upstream.


2 participants