Add support for Caddy 2

README.md

@@ -14,48 +14,53 @@ For a complete list of features and their usage, see Caddyfile syntax:
 
 ## Caddyfile Syntax (Server Configuration)
 
-The simplest way to enable the forward proxy without authentication just include the `forwardproxy` directive in your Caddyfile. However, this allows anyone to use your server as a proxy, which might not be desirable.
+The simplest way to enable the forward proxy without authentication just include the `forward_proxy` directive in your Caddyfile. However, this allows anyone to use your server as a proxy, which might not be desirable.
 
-Open a block for more control; here's an example of all properties in use (note that the syntax is subject to change):
+The `forward_proxy` directive has no default order and must be used within a `route` directive to explicitly specify its order of evaluation. In the Caddyfile the addresses must start with `:443` for the `forward_proxy` to work for proxy requests of all origins.
+
+Here's an example of all properties in use (note that the syntax is subject to change):
 
 ```
-forwardproxy {
-    basicauth user1 0NtCL2JPJBgPPMmlPcJ
-    basicauth user2 密码
+:443, example.com
+route {
+  forward_proxy {
+    basic_auth user1 0NtCL2JPJBgPPMmlPcJ
+    basic_auth user2 密码
     ports     80 443
     hide_ip
     hide_via
     probe_resistance secret-link-kWWL9Q.com # alternatively you can use a real domain, such as caddyserver.com
     serve_pac        /secret-proxy.pac
-    response_timeout 30
     dial_timeout     30
     upstream         https://user:[email protected]
     acl {
       allow     *.caddyserver.com
       deny      192.168.1.1/32 192.168.0.0/16 *.prohibitedsite.com *.localhost
       allow     ::1/128 8.8.8.8 github.com *.github.io
-      allowfile /path/to/whitelist.txt
-      denyfile  /path/to/blacklist.txt
+      allow_file /path/to/whitelist.txt
+      deny_file  /path/to/blacklist.txt
       allow     all
       deny      all # unreachable rule, remaining requests are matched by `allow all` above
     }
+  }
+  file_server
 }
 ```
 
 (The square brackets `[ ]` indicate values you should replace; do not actually include the brackets.)
 
 ##### Security
 
-- **basicauth [user] [password]**  
-Sets basic HTTP auth credentials. This property may be repeated multiple times. Note that this is different from Caddy's built-in `basicauth` directive. BE SURE TO CHECK THE NAME OF THE SITE THAT IS REQUESTING CREDENTIALS BEFORE YOU ENTER THEM.  
+- **basic_auth [user] [password]**  
+Sets basic HTTP auth credentials. This property may be repeated multiple times. Note that this is different from Caddy's built-in `basic_auth` directive. BE SURE TO CHECK THE NAME OF THE SITE THAT IS REQUESTING CREDENTIALS BEFORE YOU ENTER THEM.  
 _Default: no authentication required._
 
 - **probe_resistance [secretlink.tld]**  
 Attempts to hide the fact that the site is a forward proxy.
 Proxy will no longer respond with "407 Proxy Authentication Required" if credentials are incorrect or absent,
 and will attempt to mimic a generic Caddy web server as if the forward proxy is not enabled.  
-Probing resistance works (and makes sense) only if basicauth is set up.
-To use your proxy with probe resistance, supply your basicauth credentials to your client configuration.
+Probing resistance works (and makes sense) only if `basic_auth` is set up.
+To use your proxy with probe resistance, supply your `basic_auth` credentials to your client configuration.
 If your proxy client(browser, operating system, browser extension, etc)
 allows you to preconfigure credentials, and sends credentials preemptively, you do not need secret link.  
 If your proxy client does not preemptively send credentials, you will have to visit your secret link in your browser to trigger the authentication.
@@ -91,9 +96,9 @@ The hostname in each forwardproxy request will be resolved to an IP address,
 and caddy will check the IP address and hostname against the directives in order until a directive matches the request.
 acl_directive may be:
   - **allow [ip or subnet or hostname] [ip or subnet or hostname]...**
-  - **allowfile /path/to/whitelist.txt**
+  - **allow_file /path/to/whitelist.txt**
   - **deny [ip or subnet or hostname] [ip or subnet or hostname]...**
-  - **denyfile /path/to/blacklist.txt**
+  - **deny_file /path/to/blacklist.txt**
 
   If you don't want unmatched requests to be subject to the default policy, you could finish
   your acl rules with one of the following to specify action on unmatched requests:
@@ -105,7 +110,7 @@ acl_directive may be:
   Note that hostname rules, matched early in the chain, will override later IP rules,
   so it is advised to put IP rules first, unless domains are highly trusted and should override the
   IP rules. Also note that domain-based blacklists are easily circumventable by directly specifying the IP.  
-  For `allowfile`/`denyfile` directives, syntax is the same, and each entry must be separated by newline.  
+  For `allow_file`/`deny_file` directives, syntax is the same, and each entry must be separated by newline.  
   This policy applies to all requests except requests to the proxy's own domain and port.
   Whitelisting/blacklisting of ports on per-host/IP basis is not supported.  
 _Default policy:_  
@@ -117,10 +122,6 @@ _Default deny rules intend to prohibit access to localhost and local networks an
 
 ##### Timeouts
 
-- **response_timeout [integer]**  
-Sets timeout (in seconds) to get full response for HTTP requests made by proxy on behalf of users (does not affect `CONNECT`-method requests).  
-_Default: no timeout._
-
 - **dial_timeout [integer]**  
 Sets timeout (in seconds) for establishing TCP connection to target website. Affects all requests.  
 _Default: 20 seconds._

acl.go

@@ -6,6 +6,11 @@ import (
 	"strings"
 )
 
+type ACLRule struct {
+	Subjects []string `json:"subjects,omitempty"`
+	Allow    bool     `json:"allow,omitempty"`
+}
+
 type aclDecision uint8
 
 const (
@@ -65,7 +70,7 @@ func (a *aclAllRule) tryMatch(ip net.IP, domain string) aclDecision {
 	return aclDecisionDeny
 }
 
-func newAclRule(ruleSubject string, allow bool) (aclRule, error) {
+func newACLRule(ruleSubject string, allow bool) (aclRule, error) {
 	if ruleSubject == "all" {
 		return &aclAllRule{allow: allow}, nil
 	}
@@ -94,3 +99,25 @@ func newAclRule(ruleSubject string, allow bool) (aclRule, error) {
 	}
 	return &aclDomainRule{domain: ruleSubject, subdomainsAllowed: subdomainsAllowed, allow: allow}, nil
 }
+
+// isValidDomainLite shamelessly rejects non-LDH names. returns nil if domains seems valid
+func isValidDomainLite(domain string) error {
+	for i := 0; i < len(domain); i++ {
+		c := domain[i]
+		if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || c == '_' || '0' <= c && c <= '9' ||
+			c == '-' || c == '.' {
+			continue
+		}
+		return errors.New("character " + string(c) + " is not allowed")
+	}
+	sections := strings.Split(domain, ".")
+	for _, s := range sections {
+		if len(s) == 0 {
+			return errors.New("empty section between dots in domain name or trailing dot")
+		}
+		if len(s) > 63 {
+			return errors.New("domain name section is too long")
+		}
+	}
+	return nil
+}

acl_test.go

@@ -9,15 +9,14 @@ import (
 test port blocking working
 test blacklist allowed
 test blacklist refused with correct status
-
 */
 
 func TestWhitelistAllowing(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, true
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy(caddyTestTarget.addr, resource, caddyForwardProxyWhiteListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if err = responseExpected(response, caddyTestTarget.contents[resource]); err != nil {
@@ -28,11 +27,11 @@ func TestWhitelistAllowing(t *testing.T) {
 }
 
 func TestWhitelistBlocking(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, false
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy(caddyHTTPTestTarget.addr, resource, caddyForwardProxyWhiteListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -41,10 +40,10 @@ func TestWhitelistBlocking(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("google.com:6451", resource, caddyForwardProxyWhiteListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -55,11 +54,11 @@ func TestWhitelistBlocking(t *testing.T) {
 }
 
 func TestLocalhostDefaultForbidden(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, false
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("localhost:6451", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -68,10 +67,10 @@ func TestLocalhostDefaultForbidden(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("127.0.0.1:808", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -80,10 +79,10 @@ func TestLocalhostDefaultForbidden(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("[::1]:8080", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -94,11 +93,11 @@ func TestLocalhostDefaultForbidden(t *testing.T) {
 }
 
 func TestLocalNetworksDefaultForbidden(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, false
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("10.0.0.0:80", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -107,10 +106,10 @@ func TestLocalNetworksDefaultForbidden(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("127.222.34.1:443", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -119,10 +118,10 @@ func TestLocalNetworksDefaultForbidden(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("172.16.0.1:8080", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -131,10 +130,10 @@ func TestLocalNetworksDefaultForbidden(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("192.168.192.168:888", resource, caddyForwardProxyNoBlacklistOverride.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -145,11 +144,11 @@ func TestLocalNetworksDefaultForbidden(t *testing.T) {
 }
 
 func TestBlacklistBlocking(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, false
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy(blacklistedDomain, resource, caddyForwardProxyBlackListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -158,10 +157,10 @@ func TestBlacklistBlocking(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy(blacklistedIPv4, resource, caddyForwardProxyBlackListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -170,10 +169,10 @@ func TestBlacklistBlocking(t *testing.T) {
 		}
 	}
 
-	for _, httpProxyVer := range testHttpProxyVersions {
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy("["+blacklistedIPv6+"]:80", resource, caddyForwardProxyBlackListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if response.StatusCode != http.StatusForbidden {
@@ -184,11 +183,11 @@ func TestBlacklistBlocking(t *testing.T) {
 }
 
 func TestBlacklistAllowing(t *testing.T) {
-	useTls := true
-	for _, httpProxyVer := range testHttpProxyVersions {
+	const useTLS, dialLocal = true, true
+	for _, httpProxyVer := range testHTTPProxyVersions {
 		for _, resource := range testResources {
 			response, err := getViaProxy(caddyTestTarget.addr, resource, caddyForwardProxyBlackListing.addr, httpProxyVer,
-				"", useTls)
+				"", useTLS, dialLocal)
 			if err != nil {
 				t.Fatal(err)
 			} else if err = responseExpected(response, caddyTestTarget.contents[resource]); err != nil {