- npm install
- micro app.js
- caddy
curl http://localhost:4000/index.html -v
expected: serves the public/index.html file
failed: redirected to / instead
> curl http://localhost:4000/index.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /index.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: /
< Server: Caddy
< Date: Mon, 07 Aug 2017 15:49:56 GMT
< Content-Length: 36
< Content-Type: text/html; charset=utf-8
<
<a href="/">Moved Permanently</a>.
* Connection #0 to host localhost left intact
curl http://localhost:4000/notindex.html -v
expected: serves the public/notindex.html file
failed: redirected to /not (the trailing index.html was stripped from notindex.html)
> curl http://localhost:4000/notindex.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /notindex.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: /not
< Server: Caddy
< Date: Mon, 07 Aug 2017 15:53:57 GMT
< Content-Length: 39
< Content-Type: text/html; charset=utf-8
<
<a href="/not">Moved Permanently</a>.
* Connection #0 to host localhost left intact
curl http://localhost:4000/not.html -v
expected: serves the public/not.html file
passed: served the file
> curl http://localhost:4000/not.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /not.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 16
< Content-Type: text/html; charset=utf-8
< Etag: "oubo0fg"
< Last-Modified: Mon, 07 Aug 2017 15:50:39 GMT
< Server: Caddy
< Date: Mon, 07 Aug 2017 15:55:49 GMT
<
Public not.html
* Connection #0 to host localhost left intact
curl http://localhost:4000/secure/index.html -v
expected: the app server returns an X-Accel-Redirect header of /private/index.html and Caddy then serves public/private/index.html
failed: returns a redirect to http://localhost:3000/private/
The redirect contains the direct address of the app server, not the Caddy proxy.
If the app server is intentionally unreachable from outside, for example on an internal network, this exposes its internal IP and port.
> curl http://localhost:4000/secure/index.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /secure/index.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 07 Aug 2017 16:02:55 GMT
< Location: http://localhost:3000/private/
< Server: Caddy
< Content-Length: 65
< Content-Type: text/html; charset=utf-8
<
<a href="http://localhost:3000/private/">Moved Permanently</a>.
* Connection #0 to host localhost left intact
curl http://localhost:4000/secure/notindex.html -v
expected: the app server returns an X-Accel-Redirect header of /private/notindex.html and Caddy then serves public/private/notindex.html
failed: returns a redirect to http://localhost:3000/private/not
The redirect contains the direct address of the app server, not the Caddy proxy.
If the app server is intentionally unreachable from outside, for example on an internal network, this exposes its internal IP and port.
> curl http://localhost:4000/secure/notindex.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /secure/notindex.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Mon, 07 Aug 2017 16:05:41 GMT
< Location: http://localhost:3000/private/not
< Server: Caddy
< Content-Length: 68
< Content-Type: text/html; charset=utf-8
<
<a href="http://localhost:3000/private/not">Moved Permanently</a>.
* Connection #0 to host localhost left intact
curl http://localhost:4000/secure/not.html -v
expected: the app server returns an X-Accel-Redirect header of /private/not.html and Caddy then serves public/private/not.html
passed: Caddy serves the internal resource properly
> curl http://localhost:4000/secure/not.html -v
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 4000 (#0)
> GET /secure/not.html HTTP/1.1
> Host: localhost:4000
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 17
< Content-Type: text/html; charset=utf-8
< Date: Mon, 07 Aug 2017 16:07:55 GMT
< Etag: "oubo0wh"
< Last-Modified: Mon, 07 Aug 2017 15:50:56 GMT
< Server: Caddy
<
Private not.html
* Connection #0 to host localhost left intact
Workaround: set the index directive to a file name that will not exist, e.g.:
index abc.xyz
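The two failure modes in the log above (an index name matched as a bare suffix, and a Location header pointing at the upstream app server) can both be checked in the proxy before a redirect is emitted. The following is an added illustration, not Caddy's or this repo's code; the function names, the index list and the upstream host `localhost:3000` are assumptions taken from the log.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// indexRedirect reports whether a request path should be redirected to its
// directory form because it names a configured index file. The index name
// must occupy a whole path segment, so "/notindex.html" is not treated as
// "index.html" with a prefix (the behaviour that produced /not above).
func indexRedirect(path string, indexNames []string) (string, bool) {
	for _, name := range indexNames {
		if strings.HasSuffix(path, "/"+name) {
			// keep the directory part, including its trailing slash
			return strings.TrimSuffix(path, name), true
		}
	}
	return "", false
}

// relativeLocation rewrites a Location value that points at the upstream
// app server into a proxy-relative path, so the client is never handed the
// internal address. Other absolute URLs are left unchanged.
func relativeLocation(location, upstreamHost string) string {
	u, err := url.Parse(location)
	if err != nil || u.Host == "" || u.Host != upstreamHost {
		return location // relative, unparsable, or not the upstream
	}
	rel := u.Path
	if rel == "" {
		rel = "/"
	}
	if u.RawQuery != "" {
		rel += "?" + u.RawQuery
	}
	return rel
}

func main() {
	idx := []string{"index.html"}
	for _, p := range []string{"/index.html", "/notindex.html", "/private/index.html"} {
		loc, ok := indexRedirect(p, idx)
		fmt.Printf("%-22s redirect=%-5t location=%q\n", p, ok, loc)
	}
	// constructed Location value copied from the failing case in the log
	fmt.Println(relativeLocation("http://localhost:3000/private/not", "localhost:3000"))
}
```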