-
-
Notifications
You must be signed in to change notification settings - Fork 4.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reverseproxy: return validation error if upstream address has port range size of more than 1 #3695
Conversation
Hmm, yeah I think we should continue to support that, not reject it. It was a thing in Caddy v1 and was intended to work in v2. |
It didn't work before. It would've just failed at runtime rather than during validation. |
Understood - but we should actually fix it instead of rejecting it 🙂 |
Hmm okay, how should we handle them? Should we expand them into the upstream slice? This makes it simpler for the selection policy to work. The other approach is to treat network addresses whose port range size is greater than 1 as a single unit, but the selection policy might need to be applied recursively or at random. |
🤔 I think the Caddyfile adapter can expand it out. Probably the easiest way to deal with it. |
Oh so you're saying the JSON should reject upstream network addresses whose port range size is greater than 1, but the Caddyfile should accept it, right? I understood your earlier comment to apply to both JSON and Caddyfile. |
Either that, or we expand it out early at provisioning time so it's supported everywhere? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The tricky thing about expanding them out into multiple upstreams is the user might expect all of them to act as one upstream, because they were configured together. This has implications with regards to load balancing and health checks.
So to keep things simple, for now I disallowed port ranges. I remember initially thinking that expanding them out would be no problem (and thus didn't put in this check here), but when I got around to HC and LB it got complicated so I changed my mind.
Anyway, this is a good change I think. Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Excellent, look good! Thank you as always, Mohammed!
* reverseproxy: Fix dial placeholders, SRV, active health checks Supercedes #3776 Partially reverts or updates #3756, #3693, and #3695 * reverseproxy: add integration tests Co-authored-by: Mohammed Al Sahaf <[email protected]>
Currently the Provision-er of the reverse proxy handler accepts upstream network address with range size more than 1. This means the following Caddyfile is accepted and validates successfully:
This is despite the comment on the
Dial
field of theUpstream
struct saying only a single socket is accepted:caddy/modules/caddyhttp/reverseproxy/hosts.go
Lines 68 to 78 in e2f913b
The code doesn't validate that until request time, when the method
fillDialInfo
is called:caddy/modules/caddyhttp/reverseproxy/hosts.go
Lines 161 to 164 in e2f913b
This PR adds validation of the port range size of an upstream address to the
Provision
step. We can sugar the Caddyfile upstream to accept port range and convert it to the JSON array for the entire specified range.