plugins: www/caddy: Not satisfying ACL returns 200
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- I have searched the existing issues, open and closed, and I’m convinced that mine is new.
- The title contains the plugin to which this issue belongs
Describe the bug
When ACL is enabled and a request is made from a non-allowed IP, the proxy is responding with a 200 rather than e.g. 401.
To Reproduce
Steps to reproduce the behavior:
- Create an ACL with an internal subnet, e.g. 192.168.0.0/24.
- Create a domain that uses that ACL.
- Request from an IP address that is satisfied by ACL (in the example below, I expect a 401 from upstream).
> curl -I https://example.com
HTTP/2 401
alt-svc: h3=":443"; ma=2592000
server: Caddy
server: Kestrel
- Request from an IP address not satisfied by ACL.
> curl -I https://example.com
HTTP/2 200
alt-svc: h3=":443"; ma=2592000
server: Caddy
Expected behavior
Response code of 401 (Unauthorized) or similar when a request is made that does not satisfy ACL.
Screenshots
N/A
Relevant log files
The access log did not include any relevant information to the issue.
Additional context
This might be a strange edge case in my setup, and this may be a faulty report. Kindly help me rule that out.
Environment
OPNsense 24.1.4-amd64 with os-caddy version 1.5.2.
About this issue
- State: closed
- Created 3 months ago
- Comments: 17 (8 by maintainers)
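A regression check for the behaviour reported above, as an added example that is not part of the original issue or of the os-caddy plugin: it classifies `curl -I` output so that a 2xx answered by the proxy alone is flagged instead of being read as a working ACL. The function names are hypothetical, and the check assumes the upstream sets its own Server header, as Kestrel does in the report.

```python
import re

# Header blocks copied from the two curl -I runs in the report.
ALLOWED_SAMPLE = '''HTTP/2 401
alt-svc: h3=":443"; ma=2592000
server: Caddy
server: Kestrel
'''
DENIED_SAMPLE = '''HTTP/2 200
alt-svc: h3=":443"; ma=2592000
server: Caddy
'''

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")


def parse_head(raw):
    """Return (status, {header: [values]}) from `curl -I` output."""
    lines = [ln.strip() for ln in raw.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty response")
    m = STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("no HTTP status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if sep:  # repeated headers (the two Server lines) are all kept
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers


def classify(raw, proxy_name="Caddy"):
    """Classify a response to a request sent from one source IP.

    Assumption: the upstream adds its own Server header (Kestrel in the report).
    """
    status, headers = parse_head(raw)
    servers = [s.lower() for s in headers.get("server", [])]
    reached_upstream = any(s != proxy_name.lower() for s in servers)
    if reached_upstream:
        return "forwarded"        # the ACL let the request through
    if 200 <= status < 300:
        return "acl-fallthrough"  # proxy alone answered success: the reported bug
    return "denied"               # proxy rejected with a non-2xx status
```

Run it against responses captured from one address inside and one outside the ACL subnet; only "forwarded" for the inside address and "denied" for the outside address indicate the ACL is enforced with a meaningful status.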
Thanks for the feedback, this looks like what I expected. Now there is maximum flexibility with this setup without it being too difficult to configure. So this is the version that stays in the new os-caddy version.
This here is the most I’m willing to do. It allows this to be set globally.
https://github.com/opnsense/plugins/commit/c41319247ad11134ce381e9f04339404f4228ef1