
Allow use of wildcard outside of *. prefix #102

Open
mogul opened this issue May 4, 2023 · 5 comments

Comments

@mogul

mogul commented May 4, 2023

Problem

From the docs:

For hostname, you can specify *. as a prefix to match domain and subdomains. For example, *.caddyserver.com will match caddyserver.com, subdomain.caddyserver.com, but not fakecaddyserver.com.

Active word: prefix.

This implementation is constraining how well I can address a real-world example: New Relic says that their agent traffic is ingested via collector*.newrelic.com. If I try to specify that pattern, I get this from Caddy:

2023-05-04T18:10:04.94+0000 [APP/PROC/WEB/0] ERR run: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'forward_proxy': provision http.handlers.forward_proxy: *-api.newrelic.com could not be parsed as either IP, IP network, or domain: character * is not allowed

Since I can't specify collector*.newrelic.com for an acl directive I instead have to allow traffic to all of *.newrelic.com which is very overbroad for what I want!

Proposed solution

acl patterns like collector*.newrelic.com and *-api.newrelic.com should be supported.

@mholt
Member

mholt commented May 4, 2023

The restriction is defined by TLS certificate validation rules regarding wildcards. The Caddyfile conflates the TLS certificate name and the Host for routing HTTP requests. But you can probably do what you want with a regex matcher inside a site block. I'm mobile at the moment but you can probably find what you need in our docs.

@mholt
Member

mholt commented May 9, 2023

Oh, you know -- my bad. This is an ACL rule, duh. (See, I was mobile, I should just wait until I'm at my computer.)

I think the ACL rules don't currently support any wildcard characters. But they probably should. Want to submit a PR?

@mogul
Author

mogul commented May 10, 2023

Given my Go skills, I don't think you want me to do that. ;)

@mogul
Author

mogul commented May 10, 2023

I think the ACL rules don't currently support any wildcard characters.

I've tested that it works with things like *.newrelic.com and *.google.com; it's only when the * is in the middle of a subdomain that's not accepted.

@mholt
Member

mholt commented May 10, 2023

@mogul Only *. as a prefix works, not * in isolation.
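The two matching rules discussed in this thread, side by side, as an added example that is not forwardproxy's own code: the documented `*.` prefix rule from the opening post (domain plus subdomains, not lookalikes), and the proposed single-label glob such as `collector*.newrelic.com`, which is hypothetical and assumes the wildcard stays inside the leftmost label so it cannot widen an acl rule to sibling subdomains.

```go
package main

import (
	"fmt"
	"strings"
)

// aclHostMatch reports whether host is covered by an acl hostname pattern.
// A "*." prefix is the documented rule (domain plus all subdomains, never a
// lookalike such as fakecaddyserver.com). A single "*" in the leftmost label,
// e.g. "collector*.newrelic.com", is the issue's proposal, hypothetical here.
func aclHostMatch(pattern, host string) (bool, error) {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasPrefix(pattern, "*.") {
		base := pattern[2:]
		if strings.Contains(base, "*") {
			return false, fmt.Errorf("%s: character * is not allowed", pattern)
		}
		// Suffix must begin at a dot, so fakecaddyserver.com cannot match.
		return host == base || strings.HasSuffix(host, "."+base), nil
	}
	if !strings.Contains(pattern, "*") {
		return host == pattern, nil // plain names match exactly
	}
	// Proposed rule: exactly one "*", confined to the leftmost label, so the
	// glob can never widen to sibling subdomains or cross a dot.
	first, rest, _ := strings.Cut(pattern, ".")
	if rest == "" || strings.Contains(rest, "*") || strings.Count(first, "*") != 1 {
		return false, fmt.Errorf("%s: character * is not allowed", pattern)
	}
	hostFirst, hostRest, _ := strings.Cut(host, ".")
	if hostRest != rest {
		return false, nil
	}
	pre, suf, _ := strings.Cut(first, "*")
	return len(hostFirst) >= len(pre)+len(suf) &&
		strings.HasPrefix(hostFirst, pre) && strings.HasSuffix(hostFirst, suf), nil
}

func main() {
	for _, c := range [][2]string{
		{"*.caddyserver.com", "fakecaddyserver.com"},
		{"collector*.newrelic.com", "collector-001.newrelic.com"},
		{"*-api.newrelic.com", "api.newrelic.com"},
	} {
		ok, err := aclHostMatch(c[0], c[1])
		fmt.Printf("%-24s %-28s %v %v\n", c[0], c[1], ok, err)
	}
}
```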
