
insecure schemes are only allowed to localhost upstreams

Open noed0ps opened this issue 1 year ago • 2 comments

1. Is bug reproducible with latest forwardproxy build?

yes

2. What are you trying to do?

3. What is your entire Caddyfile?

Caddyfile

:8082
route {
	forward_proxy {
		hide_ip
		hide_via
		upstream http://xxx:xxx@xxx:22225
		acl {
			allow all
		}
	}
	file_server
}

4. How is your client configured?

v2.7.6 h1:w0NymbG2m9PcvKWsrXO6EEkY9Ru4FJK8uQbYcev1p3A=

5. How did you run Caddy? (give the full command and describe the execution environment). If multiple servers are used (for example with upstream), describe those as well.

caddy run --config Caddyfile

6. Please paste any relevant HTTP request(s) here.

7. What did you expect to see?

8. What did you see instead (give full error messages and/or log)?

9. How can someone who is starting from scratch reproduce the bug as minimally as possible?

noed0ps, Mar 05 '24 07:03

I think I'm faced with a similar problem. Tried to set up a proxy chain - both on a local net. First one is caddy and the second is squid. I wanted to upstream from caddy to squid.

Caddyfile:

:1234 {
	log {
		output stdout
	}

	route {
		forward_proxy {
			upstream http://ip_of_squid.local:8080
		}
	}
}

Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'forward_proxy': provision http.handlers.forward_proxy: insecure schemes are only allowed to localhost upstreams

smrzlina, Mar 21 '24 13:03

Please allow the http:// scheme for arbitrary upstreams, not only localhost. If a downstream client connects via TLS, use the CONNECT method to establish a secure channel with the upstream HTTP proxy.

This way security is preserved and usability greatly improved. I was so hopeful to find caddy/forwardproxy after trying to use mitmproxy as proxy redirect, but it will always intercept. Then I got "insecure schemes are only allowed to localhost upstreams" and was stuck again. In a place that, as I understand it, is not necessary. @mholt What do you think?

cachius, Aug 13 '24 08:08
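The rule behind the error smrzlina hit, and that cachius asks to relax, can be modelled in a few lines. The following is an added illustration written for this thread, not forwardproxy's own provisioning code: an http:// upstream is accepted only when its host resolves to the local machine, since everything sent to it (including any user:pass@ credentials embedded in the URL, as in the first Caddyfile) crosses the network in cleartext; only the http and https schemes mentioned in the thread are modelled, and the test URLs are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// isLoopbackHost reports whether an upstream host names the local machine:
// "localhost", a *.localhost name, or a loopback IP (127.0.0.0/8, ::1).
func isLoopbackHost(host string) bool {
	h := strings.ToLower(host)
	if h == "localhost" || strings.HasSuffix(h, ".localhost") {
		return true
	}
	if ip := net.ParseIP(h); ip != nil {
		return ip.IsLoopback()
	}
	return false
}

// checkUpstream accepts https:// upstreams unconditionally and http://
// upstreams only on loopback; credentials in an http:// URL to a remote
// host would otherwise travel unencrypted (illustrative check, not Caddy's).
func checkUpstream(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("upstream %q: %w", raw, err)
	}
	switch u.Scheme {
	case "https":
		return nil
	case "http":
		if isLoopbackHost(u.Hostname()) { // Hostname() strips port and IPv6 brackets
			return nil
		}
		return fmt.Errorf("insecure schemes are only allowed to localhost upstreams")
	default:
		return fmt.Errorf("unsupported upstream scheme %q", u.Scheme)
	}
}

func main() {
	// Constructed inputs: the squid URL from this thread, a loopback URL
	// carrying credentials, and a TLS upstream.
	for _, up := range []string{"http://ip_of_squid.local:8080", "http://user:pass@127.0.0.1:8080", "https://proxy.example:443"} {
		fmt.Printf("%-35s -> %v\n", up, checkUpstream(up))
	}
}
```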