From 8e27be7a1c6df64865137ef0d7a3d66436762f99 Mon Sep 17 00:00:00 2001
From: George Oastler
Date: Wed, 30 Oct 2024 13:53:54 +0000
Subject: [PATCH] fix caddy headers (#1487)

---
 docker/local.Caddyfile | 95 ++++++++++++++++++++++++++++++++
 docker/provider.Caddyfile | 112 +++++++++++++++++++++++++++-----------
 2 files changed, 176 insertions(+), 31 deletions(-)
 create mode 100644 docker/local.Caddyfile

diff --git a/docker/local.Caddyfile b/docker/local.Caddyfile
new file mode 100644
index 000000000..cfe8c744a
--- /dev/null
+++ b/docker/local.Caddyfile
@@ -0,0 +1,95 @@
+# usage: `caddy run --config ./docker/provider.Caddyfile --envfile docker/env.development`
+{
+ http_port 4000
+ auto_https disable_redirects
+ admin :2020
+ servers {
+ timeouts {
+ read_body 10s
+ read_header 10s
+ write 10s
+ idle 2m
+ }
+
+ max_header_size 1MB
+ }
+}
+
+local.prosopo.io:4001 {
+ reverse_proxy localhost:9229 {
+
+ header_up x-tls-version "{tls_version}"
+ header_up x-tls-version "^{tls_version}$" ""
+
+ header_up x-tls-client-subject "{tls_client_subject}"
+ header_up x-tls-client-subject "^{tls_client_subject}$" ""
+
+ header_up x-tls-client-serial "{tls_client_serial}"
+ header_up x-tls-client-serial "^{tls_client_serial}$" ""
+
+ header_up x-tls-client-issuer "{tls_client_issuer}"
+ header_up x-tls-client-issuer "^{tls_client_issuer}$" ""
+
+ header_up x-tls-client-fingerprint "{tls_client_fingerprint}"
+ header_up x-tls-client-fingerprint "^{tls_client_fingerprint}$" ""
+
+ header_up x-tls-client-certificate-pem "{tls_client_certificate_pem}"
+ header_up x-tls-client-certificate-pem "^{tls_client_certificate_pem}$" ""
+
+ header_up x-tls-client-certificate-der-base64 "{tls_client_certificate_der_base64}"
+ header_up x-tls-client-certificate-der-base64 "^{tls_client_certificate_der_base64}$" ""
+
+ header_up x-tls-cipher "{tls_cipher}"
+ header_up x-tls-cipher "^{tls_cipher}$" ""
+
+ header_up x-remote-port "{remote_port}"
+ header_up x-remote-port "^{remote_port}$" ""
+
+ header_up x-remote-host "{remote_host}"
+ header_up x-remote-host "^{remote_host}$" ""
+
+ header_up x-method "{method}"
+ header_up x-method "^{method}$" ""
+
+ header_up x-client-ip "{client_ip}"
+ header_up x-client-ip "^{client_ip}$" ""
+
+ header_up x-duration-ms {http.request.duration}
+ header_up x-duration-ms "^{http.request.duration}$" ""
+
+ header_up x-tls-resumed "{http.request.tls.resumed}"
+ header_up x-tls-resumed "^{http.request.tls.resumed}$" ""
+
+ header_up x-tls-proto "{http.request.tls.proto}"
+ header_up x-tls-proto "^{http.request.tls.proto}$" ""
+
+ header_up x-tls-proto-mutual "{http.request.tls.proto_mutual}"
+ header_up x-tls-proto-mutual "^{http.request.tls.proto_mutual}$" ""
+
+ header_up x-tls-server-name "{http.request.tls.server_name}"
+ header_up x-tls-server-name "^{http.request.tls.server_name}$" ""
+
+ header_up x-tls-public-key "{http.request.tls.public_key}"
+ header_up x-tls-public-key "^{http.request.tls.public_key}$" ""
+
+ header_up x-tls-public-key-sha256 "{http.request.tls.public_key_sha256}"
+ header_up x-tls-public-key-sha256 "^{http.request.tls.public_key_sha256}$" ""
+
+ header_up x-tls-client-san-dns-names "{http.request.tls.client.san.dns_names}"
+ header_up x-tls-client-san-dns-names "^{http.request.tls.client.san.dns_names}$" ""
+
+ header_up x-tls-client-san-emails "{http.request.tls.client.san.emails}"
+ header_up x-tls-client-san-emails "^{http.request.tls.client.san.emails}$" ""
+
+ header_up x-tls-client-san-ips "{http.request.tls.client.san.ips}"
+ header_up x-tls-client-san-ips "^{http.request.tls.client.san.ips}$" ""
+
+ header_up x-tls-client-san-uris "{http.request.tls.client.san.uris}"
+ header_up x-tls-client-san-uris "^{http.request.tls.client.san.uris}$" ""
+ }
+
+ log {
+ format json
+ }
+
+}
diff --git a/docker/provider.Caddyfile b/docker/provider.Caddyfile
index 787183814..83a0702f3 100644
--- a/docker/provider.Caddyfile
+++ b/docker/provider.Caddyfile
@@ -3,6 +3,15 @@
 http_port {$CADDY_HTTP_PORT:80}
 auto_https {$CADDY_AUTO_HTTPS:disable_redirects}
 admin {$CADDY_ADMIN_API::2020} # set the admin api to run on localhost:2020 (default is 2019 which can conflict with caddy daemon)
+
+ servers {
+ timeouts {
+ read_body 15s
+ read_header 10s
+ write 15s
+ idle 5m
+ }
+ }
 }

 {$CADDY_DOMAIN} {
@@ -17,39 +26,80 @@
 # reverse proxy to the provider container
 reverse_proxy {$CADDY_PROVIDER_CONTAINER_NAME:provider}:{$CADDY_PROVIDER_PORT:9229} {
- header_up X-TLS-Version "{tls_version:-none}"
- header_up X-TLS-Cipher "{tls_cipher:-none}"
- header_up X-TLS-Client-SNI "{tls_client_sni:-none}"
- header_up X-TLS-Client-Verified "{tls_client_verified:-none}"
- header_up X-TLS-Client-Cert-Subject "{tls_client_subject:-none}"
- header_up X-TLS-Client-Cert-Issuer "{tls_client_issuer:-none}"
- header_up X-TLS-Client-Cert-Serial "{tls_client_serial:-none}"
- header_up X-TLS-Client-Cert-Fingerprint "{tls_client_fingerprint:-none}"
- header_up X-Request-Start-Time "{start_time:-none}"
- header_up X-Request-ID "{request_id:-none}"
- header_up X-Scheme "{scheme:-none}"
- header_up X-Remote-Address "{remote:-none}"
- header_up X-Remote-IP "{remote_host:-none}"
- header_up X-Remote-Port "{remote_port:-none}"
- header_up X-Server-IP "{server_ip:-none}"
- header_up X-Server-Port "{server_port:-none}"
- header_up X-Elapsed-Time "{elapsed:-none}"
- header_up X-Request-Protocol "{proto:-none}"
- header_up X-Client-IP "{client_ip:-none}"
- header_up X-Host "{host:-none}"
- header_up X-HostPort "{hostport:-none}"
- header_up X-tls_client_certificate_der_base64 "{tls_client_certificate_der_base64:-none}"
- header_up X-tls_client_certificate_pem "{tls_client_certificate_pem:-none}"
- header_up X-upstream_hostport "{upstream_hostport:-none}"
- header_up X-http.request.uuid "{http.request.uuid:-none}"
- header_up X-http.request.tls.resumed "{http.request.tls.resumed:-none}"
- header_up X-http.request.tls.proto_mutual "{http.request.tls.proto_mutual:-none}"
- header_up X-http.request.tls.client.fingerprint "{http.request.tls.client.fingerprint:-none}"
- header_up X-http.request.tls.client.public_key "{http.request.tls.client.public_key:-none}"
+ # https://caddyserver.com/docs/caddyfile/concepts#placeholders
+ # https://caddyserver.com/docs/json/apps/http/#docs
+
+ header_up x-tls-version "{tls_version}"
+ header_up x-tls-version "^{tls_version}$" ""
+
+ header_up x-tls-client-subject "{tls_client_subject}"
+ header_up x-tls-client-subject "^{tls_client_subject}$" ""
+
+ header_up x-tls-client-serial "{tls_client_serial}"
+ header_up x-tls-client-serial "^{tls_client_serial}$" ""
+
+ header_up x-tls-client-issuer "{tls_client_issuer}"
+ header_up x-tls-client-issuer "^{tls_client_issuer}$" ""
+
+ header_up x-tls-client-fingerprint "{tls_client_fingerprint}"
+ header_up x-tls-client-fingerprint "^{tls_client_fingerprint}$" ""
+
+ header_up x-tls-client-certificate-pem "{tls_client_certificate_pem}"
+ header_up x-tls-client-certificate-pem "^{tls_client_certificate_pem}$" ""
+
+ header_up x-tls-client-certificate-der-base64 "{tls_client_certificate_der_base64}"
+ header_up x-tls-client-certificate-der-base64 "^{tls_client_certificate_der_base64}$" ""
+
+ header_up x-tls-cipher "{tls_cipher}"
+ header_up x-tls-cipher "^{tls_cipher}$" ""
+
+ header_up x-remote-port "{remote_port}"
+ header_up x-remote-port "^{remote_port}$" ""
+
+ header_up x-remote-host "{remote_host}"
+ header_up x-remote-host "^{remote_host}$" ""
+
+ header_up x-method "{method}"
+ header_up x-method "^{method}$" ""
+
+ header_up x-client-ip "{client_ip}"
+ header_up x-client-ip "^{client_ip}$" ""
+
+ header_up x-duration-ms {http.request.duration}
+ header_up x-duration-ms "^{http.request.duration}$" ""
+
+ header_up x-tls-resumed "{http.request.tls.resumed}"
+ header_up x-tls-resumed "^{http.request.tls.resumed}$" ""
+
+ header_up x-tls-proto "{http.request.tls.proto}"
+ header_up x-tls-proto "^{http.request.tls.proto}$" ""
+
+ header_up x-tls-proto-mutual "{http.request.tls.proto_mutual}"
+ header_up x-tls-proto-mutual "^{http.request.tls.proto_mutual}$" ""
+
+ header_up x-tls-server-name "{http.request.tls.server_name}"
+ header_up x-tls-server-name "^{http.request.tls.server_name}$" ""
+
+ header_up x-tls-public-key "{http.request.tls.public_key}"
+ header_up x-tls-public-key "^{http.request.tls.public_key}$" ""
+
+ header_up x-tls-public-key-sha256 "{http.request.tls.public_key_sha256}"
+ header_up x-tls-public-key-sha256 "^{http.request.tls.public_key_sha256}$" ""
+
+ header_up x-tls-client-san-dns-names "{http.request.tls.client.san.dns_names}"
+ header_up x-tls-client-san-dns-names "^{http.request.tls.client.san.dns_names}$" ""
+
+ header_up x-tls-client-san-emails "{http.request.tls.client.san.emails}"
+ header_up x-tls-client-san-emails "^{http.request.tls.client.san.emails}$" ""
+
+ header_up x-tls-client-san-ips "{http.request.tls.client.san.ips}"
+ header_up x-tls-client-san-ips "^{http.request.tls.client.san.ips}$" ""
+
+ header_up x-tls-client-san-uris "{http.request.tls.client.san.uris}"
+ header_up x-tls-client-san-uris "^{http.request.tls.client.san.uris}$" ""
 }
- # logs. Note this is not limited, truncated or rotated whatsoever, so it grows over time!
 log {
- output file /var/log/caddy/{$CADDY_DOMAIN}.log
+ format json
 }
 }