
insecure schemes are only allowed to localhost upstreams #116

Open
noed0ps opened this issue Mar 5, 2024 · 5 comments · May be fixed by #142

Comments

@noed0ps

noed0ps commented Mar 5, 2024

1. Is bug reproducible with latest forwardproxy build?

yes

2. What are you trying to do?

3. What is your entire Caddyfile?

Caddyfile:

```
:8082
route {
	forward_proxy {
		hide_ip
		hide_via
		upstream http://xxx:xxx@xxx:22225
		acl {
			allow     all
		}
	}
	file_server
}
```

4. How is your client configured?

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

5. How did you run Caddy? (give the full command and describe the execution environment). If multiple servers are used (for example with upstream), describe those as well.

```
caddy run --config Caddyfile
```

6. Please paste any relevant HTTP request(s) here.

7. What did you expect to see?

8. What did you see instead (give full error messages and/or log)?

9. How can someone who is starting from scratch reproduce the bug as minimally as possible?

@smrzlina

smrzlina commented Mar 21, 2024

I think I'm faced with a similar problem. Tried to set up a proxy chain, both on a local net. First one is Caddy and the second is Squid. I wanted to upstream from Caddy to Squid.

Caddyfile:

```
:1234 {
	log {
		output stdout
	}

	route {
		forward_proxy {
			upstream http://ip_of_squid.local:8080
		}
	}
}
```

Error:

```
Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'forward_proxy': provision http.handlers.forward_proxy: insecure schemes are only allowed to localhost upstreams
```
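The policy behind that error, written out as an added Go example (this is illustrative code, not forwardproxy's own provisioning logic): a plaintext `http://` upstream is accepted only when its host is `localhost` or a loopback address, because proxy credentials in the upstream URL and every CONNECT target would otherwise leave the machine unencrypted. The scheme set (`http` insecure, `https` secure, anything else unsupported) and the function names are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLocalhost reports whether an upstream hostname points at the local
// machine: the literal name "localhost" or a loopback IP (127.0.0.0/8, ::1).
// Hypothetical helper written for this example.
func isLocalhost(hostname string) bool {
	if strings.EqualFold(hostname, "localhost") {
		return true
	}
	if ip := net.ParseIP(hostname); ip != nil {
		return ip.IsLoopback()
	}
	return false
}

// validateUpstream applies the "insecure schemes only to localhost" rule.
// Assumption for this example: "https" is the only scheme treated as secure,
// "http" is insecure, and any other scheme is rejected as unsupported.
func validateUpstream(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("parsing upstream %q: %w", raw, err)
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
		// Encrypted hop to the upstream proxy; any host is acceptable.
		return nil
	case "http":
		// Plaintext hop: credentials (user:pass@) and CONNECT targets would be
		// visible on the wire, so only allow it when it never leaves the box.
		if isLocalhost(u.Hostname()) {
			return nil
		}
		return errors.New("insecure schemes are only allowed to localhost upstreams")
	default:
		return fmt.Errorf("unsupported upstream scheme %q", u.Scheme)
	}
}

func main() {
	// Constructed sample upstreams, including the two shapes from this thread.
	for _, raw := range []string{
		"http://user:pass@127.0.0.1:22225", // accepted: loopback
		"http://ip_of_squid.local:8080",    // rejected: plaintext to a remote host
		"https://proxy.example.com:443",    // accepted: TLS to the upstream
	} {
		fmt.Printf("%-36s -> %v\n", raw, validateUpstream(raw))
	}
}
```

The check runs at provision time, before any client traffic is handled, which is why the configuration fails to load rather than individual requests failing later.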

@cachius

cachius commented Aug 13, 2024

Please allow the http:// scheme for arbitrary upstreams, not only localhost. If a downstream client connects via TLS, use the CONNECT method to establish a secure channel with the upstream HTTP proxy.

This way security is preserved and usability greatly improved. I was so hopeful to find caddy/forwardproxy after trying to use mitmproxy as a proxy redirect, but it will always intercept. Then I got `insecure schemes are only allowed to localhost upstreams` and was stuck again. In a place that, as I understand it, is not necessary. @mholt What do you think?

@Saiv46 Saiv46 linked a pull request Oct 12, 2024 that will close this issue
@zoulja

zoulja commented Nov 14, 2024

Dear forwardproxy author, please take a look at this issue

@mholt
Member

mholt commented Nov 14, 2024

FWIW the "forwardproxy author" is no longer active on this repo, and hasn't been for years; I only aided its development originally (about 10 years ago!) and attempted to upgrade it for v2, but I haven't done any of the actual threat modeling of this.

So I don't know if simply removing the insecure upstreams check is the right thing to do. Alas, I don't have the time to work on this as I have my attention being pulled in mainline Caddy development right now, but if a sufficiently-tiered sponsor needed this worked on, I could prioritize it. I would just have to spend a lot of time getting deeply familiar with the code.

In the meantime, anyone else is welcome to become qualified to decide whether the linked PR is a security risk or not.

@jerry-wolf

I don't think removing this restriction would be a big risk. There is no such restriction on reverse proxy upstreams unless you use a secure upstream and certificate verification fails (which can be turned off via configuration).
