Caddy and Header Security

I have been playing with Caddy add-on for Hassio by Koryl Prince and also looking at security reports etc.

The below actually works BUT with the Content-Security-Policy I can’t actually access the front end anymore. If I go to https://securityheaders.com/ and scan my domain with the below configuration it comes up A+. If I remove the Content-Security-Policy it’s only an A and I get a warning:

Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

Any ideas how I can edit the following to make this work without locking myself out of the frontend?

my-domain.duckdns.org {
    header / {
        Strict-Transport-Security "max-age=31536000; includeSubdomains"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
        Referrer-Policy "same-origin"
        Content-Security-Policy "default-src 'self' *://*.my-domain.duckdns.org:*;"
    }
    proxy / localhost:8123 {
        websocket
        transparent
    }
}

Bumping for the night shift…

Hi David. Did you manage to solve the issue. I have the same problem.

Nope. I just don’t use that policy.

Have you found a solution?

See above. I don’t use that policy.

I am using x-forwarded-for and trusted proxy so I don’t get locked out anymore.

I don’t have experience with this add-on, but when your browser blocks content based on the CSP headers it will leave a detailed entry in the console; usually it’s just a case of adding a specific rule for the blocked resource.
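To see in advance which loads the policy from the first post will let through and which ones the browser console will complain about, here is an added example (not code from this thread or from the Caddy add-on) that models CSP source matching for that exact policy string. It assumes the page origin is https://my-domain.duckdns.org, follows the CSP Level 3 rule for `'self'`, and, as an assumption, treats the `*://` scheme prefix as "any scheme", since the spec grammar expects a named scheme there and the real browser verdict is what the console shows.

```python
from urllib.parse import urlsplit

# Policy string copied from the first post's Caddyfile; the page origin is an assumption
POLICY = "default-src 'self' *://*.my-domain.duckdns.org:*;"
PAGE_ORIGIN = "https://my-domain.duckdns.org"

DEFAULT_PORTS = {"http": 80, "ws": 80, "https": 443, "wss": 443}


def parse_policy(policy):
    """Split "directive src src; directive ..." into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def origin_parts(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def self_matches(url, page_origin):
    # CSP Level 3 'self': same host and port, and either the same scheme or a
    # secure upgrade (https/wss from an https page; http/ws as well from an http page)
    scheme, host, port = origin_parts(url)
    p_scheme, p_host, p_port = origin_parts(page_origin)
    if (host, port) != (p_host, p_port):
        return False
    if scheme == p_scheme or scheme in ("https", "wss"):
        return True
    return p_scheme == "http" and scheme in ("http", "ws")


def host_source_matches(source, url):
    """Match a host-source such as *://*.example.org:* against a URL."""
    scheme, host, port = origin_parts(url)
    src_scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    rest = rest.split("/", 1)[0]                 # ignore any path part
    src_host, _, src_port = rest.partition(":")
    # Assumption: '*' before :// is accepted as "any scheme"; the spec grammar
    # wants a named scheme, so the browser console has the final word
    if src_scheme not in (None, "*") and src_scheme != scheme:
        return False
    if src_port and src_port != "*" and int(src_port) != port:
        return False
    if src_host.startswith("*."):
        # a wildcard host covers subdomains only, never the apex name itself
        return host.endswith(src_host[1:].lower())
    return host == src_host.lower()


def effective_sources(directives, directive):
    # script-src, connect-src, img-src ... fall back to default-src when absent
    return directives.get(directive, directives.get("default-src", []))


def url_allowed(policy, directive, url, page_origin=PAGE_ORIGIN):
    sources = effective_sources(parse_policy(policy), directive)
    if "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'":
            if self_matches(url, page_origin):
                return True
        elif not src.startswith("'") and host_source_matches(src, url):
            return True
    return False


def inline_allowed(policy, directive):
    """Inline <script>/<style> need 'unsafe-inline' (nonces and hashes are not modelled)."""
    return "'unsafe-inline'" in effective_sources(parse_policy(policy), directive)


if __name__ == "__main__":
    for directive, url in [
        ("script-src", "https://my-domain.duckdns.org/frontend_latest/app.js"),
        ("connect-src", "wss://my-domain.duckdns.org/api/websocket"),
        ("img-src", "https://cam.my-domain.duckdns.org/snapshot.jpg"),
        ("connect-src", "https://my-domain.duckdns.org:8123/api/"),
    ]:
        verdict = "allowed" if url_allowed(POLICY, directive, url) else "BLOCKED"
        print(directive, url, "->", verdict)
    print("inline scripts:", "allowed" if inline_allowed(POLICY, "script-src") else "BLOCKED")
```

Two things the policy line does not make obvious come out of the run: the wildcard source never matches the apex name, so the apex on any port other than 443 is only reachable through `'self'`, and nothing in the policy permits inline scripts or styles. If the console shows an inline block, adding `'unsafe-inline'` is the "specific rule" that makes it work, at the price of most of the XSS protection the header was added for.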

Hi there. I’m trying to get proper remote source IPs passed to HA from Caddy. Is there something specific I need to add to my Caddy config?

I have

use_x_forwarded_for: true

set in my configuration.yaml and the following in my Caddyfile (domain and IP redacted):

domain.com {
  proxy / x.x.x.x:8123 {
    websocket
    transparent
  }
}

If I test and enter a bad login I still get the IP of the Caddy instance and not the origin IP.

It appears from the Caddy documentation that using transparent should be forwarding the data. Anyone have any suggestions?

I think I found the issue. I didn’t have the specific proxy set up for the IP of my Caddy instance. Once I explicitly added this, it seems I’m getting the source IPs forwarded to HA.

Still need to read more about setting IP bans at the Caddy level. I’ve noticed the past couple of weeks Russia and France knocking on my door…

As well as x_forwarded_for you also need a trusted proxy to be set. I have 127.0.0.1 and then the real IPs should be parsed through.

I also use the custom component authenticated so I have a badge showing last authenticated and a persistent notification for any new authenticated IP address.

I do also use ip_bans in my configuration.yaml.

I don’t know who or what might be hitting my IP address… But I’m pretty well obfuscated as I only have port 443 open now since I worked out how to use DNS validation for Let’s Encrypt. I also only expose my IPv6 address so there is no IPv4 address that anyone can scan.

I’d be interested in seeing how you know about scans or connection attempts from Russia - is that just in your router logs? Also if you get fail2ban working with Caddy…

Here’s my config and you can see my Caddy config in the first post of the thread.

I also have 2FA enabled.

http:
  # ssl_certificate: /ssl/fullchain.pem
  # ssl_key: /ssl/privkey.pem
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1
  ip_ban_enabled: true
  login_attempts_threshold: 5
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: !secret base_http_url
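The combination in that config, `use_x_forwarded_for` plus `trusted_proxies`, is what turns the proxy's address back into the real client address. As an added example (not Home Assistant's or Caddy's own code), the function below does the same resolution step and shows what happens when either half is missing: with no trusted proxy every request is attributed to 127.0.0.1, and a direct hit on the port with a forged header is ignored. The trusted addresses mirror the YAML above; the peer and header values are constructed.

```python
import ipaddress

# Mirrors the configuration.yaml above: Caddy runs on the same host, so only
# loopback is trusted. Kept as strings so they read like the YAML list.
TRUSTED_PROXIES = ("127.0.0.1", "::1")


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr falls inside any trusted proxy address or network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(t, strict=False) for t in trusted)


def resolve_client_ip(peer_addr, headers, use_x_forwarded_for=True, trusted=TRUSTED_PROXIES):
    """Return the address that login attempts and ip_bans should be keyed on.

    peer_addr is the TCP peer (Caddy's own address when proxied) and headers is
    the request header dict. X-Forwarded-For is honoured only when the peer is a
    trusted proxy, because anyone who reaches the port directly can write any
    value into that header.
    """
    if not use_x_forwarded_for or not is_trusted(peer_addr, trusted):
        return peer_addr
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk from the hop nearest to us outward. The first address that is not one
    # of our own proxies is the client; anything further left was supplied by
    # that client (or by an upstream we do not control) and is not trusted.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop, trusted):
                return hop
        except ValueError:
            return peer_addr        # malformed entry: fall back to the socket peer
    return peer_addr                # header absent, or it named only our proxies


if __name__ == "__main__":
    # Constructed cases: (peer address, headers, trusted proxy list)
    cases = [
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}, TRUSTED_PROXIES),
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}, ()),           # trusted_proxies missing
        ("198.51.100.9", {"X-Forwarded-For": "10.0.0.1"}, TRUSTED_PROXIES),  # direct hit, forged header
        ("127.0.0.1", {"X-Forwarded-For": "203.0.113.7, 10.0.0.5"}, ("127.0.0.1", "10.0.0.0/8")),
    ]
    for peer, hdrs, trusted_list in cases:
        print(peer, hdrs, "->", resolve_client_ip(peer, hdrs, trusted=trusted_list))
```

The second case is the symptom from earlier in the thread: the header arrives, but without a trusted proxy it is not believed, so every failed login (and any resulting ban) lands on the proxy's own address.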

Regarding Russia and France… I looked at my Caddy logs and saw the remote IPs there. I then did an IP lookup to find the origin.

Where do you find the Caddy logs? I only see the log in the addon and it doesn’t show much

So I found out how to enable the log file with this addon.

I added to my caddyfile:

log /data/requests.log {
    rotate_size 50  # Rotate after 50 MB
    rotate_age  90  # Keep rotated files for 90 days
    rotate_keep 20  # Keep at most 20 log files
    rotate_compress # Compress rotated log files in gzip format
}

The data directory is located at:

 /usr/share/hassio/addons/data/fe41fc28_caddy

I can only access it from the host. You could get there from a console in Portainer as well, but I can’t find it in the homeassistant root folder (as it’s in the Caddy container).
The /data folder is one of 3 bind mounts in the container and it is the only one with rw access, unfortunately.
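Once that request log exists, the "look at the remote IPs and see who keeps knocking" step from earlier in the thread can be scripted instead of eyeballed. Here is an added example (not part of the add-on or of anyone's config in this thread) that parses Caddy v1's default Common Log Format and flags addresses with repeated failed authentication responses inside a time window, which is the same signal `login_attempts_threshold`/`ip_bans` and fail2ban act on. The log lines are constructed; treating 401/403 under `/auth/` as a failed login is an assumption for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Caddy v1's `log` directive writes Common Log Format by default:
# {remote} - {user} [{when}] "{method} {uri} {proto}" {status} {size}
CLF = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Assumptions for this example: these statuses on these paths are failed logins
FAILED_AUTH = {401, 403}
AUTH_PATH_PREFIX = "/auth/"

# Constructed sample of /data/requests.log (addresses are documentation ranges)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2019:20:41:03 +0000] "POST /auth/login_flow/b1c2 HTTP/2.0" 401 0
203.0.113.7 - - [10/Feb/2019:20:41:09 +0000] "POST /auth/login_flow/b1c2 HTTP/2.0" 401 0
203.0.113.7 - - [10/Feb/2019:20:41:15 +0000] "POST /auth/login_flow/b1c2 HTTP/2.0" 401 0
198.51.100.22 - - [10/Feb/2019:20:42:00 +0000] "GET / HTTP/2.0" 200 1832
198.51.100.22 - - [10/Feb/2019:20:42:01 +0000] "POST /auth/login_flow/9e8f HTTP/2.0" 401 0
198.51.100.22 - - [10/Feb/2019:20:42:30 +0000] "POST /auth/login_flow/9e8f HTTP/2.0" 200 215
203.0.113.7 - - [10/Feb/2019:20:41:20 +0000] "POST /auth/login_flow/b1c2 HTTP/2.0" 401 0
203.0.113.7 - - [10/Feb/2019:23:59:00 +0000] "POST /auth/login_flow/b1c2 HTTP/2.0" 401 0
this line is not in CLF and is skipped
""".splitlines()


def parse_line(line):
    """Return a dict for one CLF line, or None if the line does not parse."""
    m = CLF.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["when"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def failed_logins(lines):
    """Map each remote address to the timestamps of its failed auth responses."""
    out = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] in FAILED_AUTH and rec["uri"].startswith(AUTH_PATH_PREFIX):
            out[rec["ip"]].append(rec["when"])
    return out


def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Addresses with `threshold` or more failures inside any span of `window`."""
    flagged = {}
    for ip, times in failed_logins(lines).items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG, threshold=3).items():
        print(f"{ip}: {count} failed logins within 10 minutes - review or add to ip_bans")
```

Against the sample, 203.0.113.7 fails four times in seventeen seconds and again hours later; with a threshold of three the burst is flagged and the isolated late attempt is not counted towards it, while 198.51.100.22's single failure followed by a successful login stays quiet. Run it against the real file with the threshold set to match `login_attempts_threshold` and the output is the list of addresses worth an IP lookup.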
