Caddyfile support #217

Merged
merged 33 commits into from
Jul 23, 2024
33 commits
201370a
Caddyfile support (1/27): register layer4 global directive
vnxme Jul 16, 2024
c692689
Caddyfile support (2/27): unmarshal layer4.Server
vnxme Jul 16, 2024
dd1f5ae
Caddyfile support (3/27): unmarshal layer4.ListenerWrapper
vnxme Jul 6, 2024
383a2d6
Caddyfile support (4/27): unmarshal layer4.Match*
vnxme Jul 9, 2024
d519964
Caddyfile support (5/27): unmarshal l4echo.Handler
vnxme Jul 11, 2024
2ed0e1c
Caddyfile support (6/27): unmarshal l4http.MatchHTTP
vnxme Jul 9, 2024
a016ef5
Caddyfile support (7/27): unmarshal l4postgres.MatchPostgres
vnxme Jul 9, 2024
881b0cf
Caddyfile support (8/27): unmarshal l4proxy.HealthChecks
vnxme Jul 13, 2024
314a2b9
Caddyfile support (9/27): unmarshal l4proxy.LoadBalancing
vnxme Jul 11, 2024
8525c7b
Caddyfile support (10/27): unmarshal l4proxy.Upstream
vnxme Jul 16, 2024
398f55c
Caddyfile support (11/27): unmarshal l4proxy.Handler
vnxme Jul 13, 2024
df3dfc1
Caddyfile support (12/27): unmarshal l4proxyprotocol.MatchProxyProtocol
vnxme Jul 9, 2024
a0dac61
Caddyfile support (13/27): unmarshal l4proxyprotocol.Handler
vnxme Jul 11, 2024
19c8188
Caddyfile support (14/27): unmarshal l4socks.Socks4Matcher
vnxme Jul 9, 2024
f45b7ff
Caddyfile support (15/27): unmarshal l4socks.Socks5Matcher
vnxme Jul 9, 2024
f32383e
Caddyfile support (16/27): fix l4socks.Socks5Matcher unmarshalling:
vnxme Jul 9, 2024
a375ad4
Caddyfile support (17/27): unmarshal l4socks.Socks5Handler
vnxme Jul 11, 2024
c30b301
Caddyfile support (18/27): unmarshal l4ssh.MatchSSH
vnxme Jul 9, 2024
b0ccbe2
Caddyfile support (19/27): unmarshal l4subroute.Handler
vnxme Jul 11, 2024
931c28b
Caddyfile support (20/27): unmarshal l4tee.Handler
vnxme Jul 11, 2024
7649d9c
Caddyfile support (21/27): unmarshal l4throttle.Handler
vnxme Jul 11, 2024
5dbe0fc
Caddyfile support (22/27): unmarshal l4tls.MatchALPN
vnxme Jul 9, 2024
8f32ae6
Caddyfile support (23/27): unmarshal l4tls.MatchTLS
vnxme Jul 9, 2024
24a46a5
Caddyfile support (24/27): unmarshal l4tls.Handler
vnxme Jul 16, 2024
4e311d9
Caddyfile support (25/27): unmarshal l4xmpp.MatchXMPP
vnxme Jul 9, 2024
c667983
Caddyfile support (26/27): add missing matchers and handlers to README
vnxme Jul 13, 2024
735d11f
Caddyfile support (27/27): add caddyfile examples to README
vnxme Jul 13, 2024
24a15f8
Caddyfile support (build fix): update go.mod and go.sum
vnxme Jul 19, 2024
4b71b60
Caddyfile support (fix 11/27): flatten health and lb options
vnxme Jul 18, 2024
da16bb8
Caddyfile support (fix 10/27): flatten tls options
vnxme Jul 18, 2024
0da2649
Caddyfile support (fix 9/27): remove l4proxy.LoadBalancing unmarshaler
vnxme Jul 18, 2024
59ddd84
Caddyfile support (fix 8/27): remove l4proxy.HealthChecks unmarshaler
vnxme Jul 18, 2024
b7f2e98
Caddyfile support (integration): perform adapt tests
vnxme Jul 23, 2024
185 changes: 182 additions & 3 deletions README.md
Expand Up @@ -19,14 +19,14 @@ With it, you can listen on sockets/ports and express logic such as:

Because this is a caddy app, it can be used alongside other Caddy apps such as the [HTTP server](https://caddyserver.com/docs/modules/http) or [TLS certificate manager](https://caddyserver.com/docs/modules/tls).

Note that only JSON config is available at this time. More documentation will come soon. For now, please read the code, especially type definitions and their comments. It's actually a pretty simple code base, and the JSON config isn't that bad once you get used to it! See below for tips and examples writing config.
Note that both Caddyfile and JSON configs are available at this time. More documentation will come soon. For now, please read the code, especially type definitions and their comments. It's actually a pretty simple code base. See below for tips and examples writing config.

> [!NOTE]
> This is not an official repository of the [Caddy Web Server](https://github.com/caddyserver) organization.

## Introduction

This app works similarly to the `http` app. You define servers, and each server consists of routes. A route has a set of matchers and handlers; if a connection matches, the assoicated handlers are invoked.
This app works similarly to the `http` app. You define servers, and each server consists of routes. A route has a set of matchers and handlers; if a connection matches, the associated handlers are invoked.

Current matchers:

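Review bot: the rewritten intro paragraph says both Caddyfile and JSON configs are available but still sends readers to "read the code" with no pointer to where the Caddyfile syntax for each matcher and handler lives; since this PR also adds a Caddyfile examples section to this README (commit 27/27), link to it here ("see the Caddyfile examples below") and state whether every matcher and handler in the lists that follow can be configured from a Caddyfile, or name the ones that cannot, so a reader does not assume Caddyfile coverage is complete when a module lacks an unmarshaler.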
Expand All @@ -36,15 +36,18 @@ Current matchers:
- **layer4.matchers.postgres** - matches connections that look like Postgres connections.
- **layer4.matchers.remote_ip** - matches connections based on remote IP (or CIDR range).
- **layer4.matchers.local_ip** - matches connections based on local IP (or CIDR range).
- **layer4.matchers.not** - matches connections that aren't matched by inner matcher sets.
- **layer4.matchers.proxy_protocol** - matches connections that start with [HAPROXY proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
- **layer4.matchers.rdp** - matches connections that look like [RDP](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RDPBCGR/%5BMS-RDPBCGR%5D.pdf).
- **layer4.matchers.socks4** - matches connections that look like [SOCKSv4](https://www.openssh.com/txt/socks4.protocol).
- **layer4.matchers.socks5** - matches connections that look like [SOCKSv5](https://www.rfc-editor.org/rfc/rfc1928.html).
- **layer4.matchers.xmpp** - matches connections that look like [XMPP](https://xmpp.org/about/technology-overview/).

Current handlers:

- **layer4.handlers.echo** - An echo server.
- **layer4.handlers.proxy** - Powerful layer 4 proxy, capable of multiple upstreams (with load balancing and health checks) and establishing new TLS connections to backends. Optionally supports sending the [HAProxy proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt).
- **layer4.handlers.subroute** - Implements recursion logic, i.e. allows to match and handle already matched connections.
- **layer4.handlers.tee** - Branches the handling of a connection into a concurrent handler chain.
- **layer4.handlers.throttle** - Throttle connections to simulate slowness and latency.
- **layer4.handlers.tls** - TLS termination.
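Review bot: the `layer4.matchers.not` entry does not say how several inner matcher sets combine (must the connection fail all of them, or is failing any one enough?); one clause settling that is worth adding, because negation semantics decide which traffic falls through to a later route. A similar sentence would help for `remote_ip` and `local_ip`: whether they see the TCP peer address or the client address carried in a PROXY protocol header once a `proxy_protocol` handler has consumed it, since the two differ behind a load balancer and the answer changes what an IP-based allow rule actually enforces.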
Expand Down Expand Up @@ -79,6 +82,24 @@ See below for some examples to help you get started.

A simple echo server:

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
127.0.0.1:5000 {
route {
echo
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand All @@ -99,10 +120,30 @@ A simple echo server:
}
}
```
</details>


A simple echo server with TLS termination that uses a self-signed cert for `localhost`:

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
127.0.0.1:5000 {
route {
tls
echo
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -136,9 +177,41 @@ A simple echo server with TLS termination that uses a self-signed cert for `loca
}
}
```
</details>

A simple TCP reverse proxy that terminates TLS on 993, and sends the PROXY protocol header to 1143 through 143:

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
0.0.0.0:993 {
route {
tls
proxy {
proxy_protocol v1
upstream localhost:143
}
}
}
0.0.0.0:143 {
route {
proxy_protocol
proxy {
proxy_protocol v2
upstream localhost:1143
}
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -187,9 +260,33 @@ A simple TCP reverse proxy that terminates TLS on 993, and sends the PROXY proto
}
}
```
</details>

A multiplexer that proxies HTTP to one backend, and TLS to another (without terminating TLS):

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
127.0.0.1:5000 {
@insecure http
route @insecure {
proxy localhost:80
}
@secure tls
route @secure {
proxy localhost:443
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -235,9 +332,38 @@ A multiplexer that proxies HTTP to one backend, and TLS to another (without term
}
}
```
</details>

Same as previous, but only applies to HTTP requests with specific hosts:

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
127.0.0.1:5000 {
@example http host example.com
route @example {
subroute {
@insecure http
route @insecure {
proxy localhost:80
}
@secure tls
route @secure {
proxy localhost:443
}
}
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -299,9 +425,33 @@ Same as previous, but only applies to HTTP requests with specific hosts:
}
}
```
</details>

Same as previous, but filter by HTTP Host header and/or TLS ClientHello ServerName:

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
127.0.0.1:5000 {
@insecure http host example.com
route @insecure {
proxy localhost:80
}
@secure tls sni example.net
route @secure {
proxy localhost:443
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -351,11 +501,39 @@ Same as previous, but filter by HTTP Host header and/or TLS ClientHello ServerNa
}
}
```

</details>

Forwarding SOCKSv4 to a remote server and handling SOCKSv5 directly in caddy.
While only allowing connections from a specific network and requiring a username and password for SOCKSv5.

<details>
<summary>Caddyfile</summary>

```
{
layer4 {
0.0.0.0:1080 {
@s5 {
socks5
ip 10.0.0.0/24
}
route @s5 {
socks5 {
credentials bob qHoEtVpGRM
}
}
@s4 socks4
route @s4 {
proxy 10.64.0.1:1080
}
}
}
}
```
</details>
<details>
<summary>JSON</summary>

```json
{
"apps": {
Expand Down Expand Up @@ -402,3 +580,4 @@ While only allowing connections from a specific network and requiring a username
}
}
```
</details>