Cors directive/plugin being ignored #13

Open
hydrosIII opened this issue Nov 16, 2017 · 5 comments
@hydrosIII

1. What version of Caddy are you using (caddy -version)?

Caddy 0.10.10

2. What are you trying to do?

Enable cors for a file in my site. Using the cors plugin

3. What is your entire Caddyfile?


mysite.org {
	tls [email protected]
	root /srv
	cors /config.json {
		origin *
		methods GET,POST,OPTIONS
		allowed_headers DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range
		exposed_headers DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range
	}
}

subsite.org {
tls myemail
proxy / 192.168.34.56
}

4. How did you run Caddy (give the full command and describe the execution environment)?

caddy --conf /root/.caddy/Caddyfile --log stdout

5. Please paste any relevant HTTP request(s) here.

curl -vvv https://mapa.rutasdelamemoria.org/config.json

6. What did you expect to see?

Using another site as reference, I expected something like:

* TCP_NODELAY set
* Connected to sandbox.uchaguzi.or.ke (23.253.46.148) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* NPN, negotiated HTTP1.1
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=sandbox.uchaguzi.or.ke
*  start date: Oct  5 17:19:23 2017 GMT
*  expire date: Jan  3 17:19:23 2018 GMT
*  subjectAltName: host "sandbox.uchaguzi.or.ke" matched cert's "sandbox.uchaguzi.or.ke"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET /config.json HTTP/1.1
> Host: sandbox.uchaguzi.or.ke
> User-Agent: curl/7.55.1
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.4.6 (Ubuntu)
< Date: Mon, 13 Nov 2017 15:06:26 GMT
< Content-Type: application/json
< Content-Length: 332
< Last-Modified: Tue, 31 Oct 2017 15:36:29 GMT
< Connection: keep-alive
< ETag: "59f8987d-14c"
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, POST, OPTIONS
< Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range
< Access-Control-Expose-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range
< Accept-Ranges: bytes
< 

7. What did you see instead (give full error messages and/or log)?

* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mapa.rutasdelamemoria.org
*  start date: Oct 26 00:27:46 2017 GMT
*  expire date: Jan 24 00:27:46 2018 GMT
*  subjectAltName: host "mapa.rutasdelamemoria.org" matched cert's "mapa.rutasdelamemoria.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55db30d1ac10)
> GET /config.json HTTP/2
> Host: mapa.rutasdelamemoria.org
> User-Agent: curl/7.55.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
< HTTP/2 200 
< accept-ranges: bytes
< content-type: text/plain; charset=utf-8
< etag: "ozcxw0cr"
< last-modified: Mon, 13 Nov 2017 13:09:36 GMT
< server: Caddy
< content-length: 459
< date: Mon, 13 Nov 2017 15:05:54 GMT
< 

No error logs generated by Caddy.

8. How can someone who is starting from scratch reproduce the bug as minimally as possible?

Run Caddy 0.10.10 with the cors directive and multiple sites in 1 conf file. Not sure if the problem is the multisite conf.

Using docker container for caddy : abiosoft/caddy:latest

@captncraig
Owner

CORS is usually not applied to GET requests. Do you experience the same thing for a POST or OPTIONS?

@hydrosIII
Author

hydrosIII commented Nov 19, 2017

Yes, tried the same thing with

curl -vvv -X POST --data "hi" https://myurl/config.json
or just
curl -vvv -X POST https://myurl/config.json
also
curl -vvv -X OPTIONS https://myurl.config.json

Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 45.32.171.245...
* TCP_NODELAY set
* Connected to mapa.rutasdelamemoria.org (45.32.171.245) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mapa.rutasdelamemoria.org
*  start date: Oct 26 00:27:46 2017 GMT
*  expire date: Jan 24 00:27:46 2018 GMT
*  subjectAltName: host "mapa.rutasdelamemoria.org" matched cert's "mapa.rutasdelamemoria.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x563bf36eac10)
> POST /config.json HTTP/2
> Host: mapa.rutasdelamemoria.org
> User-Agent: curl/7.55.1
> Accept: */*
> Content-Length: 2
> Content-Type: application/x-www-form-urlencoded
> 
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* We are completely uploaded and fine
< HTTP/2 200 
< accept-ranges: bytes
< content-type: text/plain; charset=utf-8
< etag: "ozcxw0cr"
< last-modified: Mon, 13 Nov 2017 13:09:36 GMT
< server: Caddy
< content-length: 459
< date: Sun, 19 Nov 2017 21:58:17 GMT
<

CORS directive just gets ignored

@git001

git001 commented Feb 20, 2018

I have exactly the same problem as @hydrosIII described. How can I help to debug it?
I use the latest caddy version go get github.com/mholt/caddy

@captncraig
Owner

None of the requests posted above have an Origin header from the client, so will not process the allowed-origin logic.

This is expected behaviour. Have you tried an actual cross-origin request from a browser?

@git001

git001 commented Feb 21, 2018

Okay, looks like the plugin works when I use the right curl command.

Request

curl -v -X OPTIONS \
  -d @/home/al/test-file.json \
  -H 'Content-Type: application/json' \
  -H 'Access-Control-Request-Headers: Origin, Accept, Content-Type' \
  -H "Origin: https://DOMAIN.netlify.com" \
  -H "Access-Control-Request-Method: POST" \
  https://DOMAIN.com/registration

Response

*   Trying IP-addr ...
* Connected to DOMAIN.com (IP-addr) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 599 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*        server certificate verification OK
*        server certificate status verification SKIPPED
*        common name: DOMAIN.com (matched)
*        server certificate expiration date OK
*        server certificate activation date OK
*        certificate public key: RSA
*        certificate version: #3
*        subject: CN=DOMAIN.com
*        start date: Mon, 05 Feb 2018 20:15:52 GMT
*        expire date: Sun, 06 May 2018 20:15:52 GMT
*        issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
*        compression: NULL
* ALPN, server accepted to use http/1.1
> OPTIONS /registration HTTP/1.1
> Host: DOMAIN.com
> User-Agent: curl/7.47.0
> Accept: */*
> Content-Type: application/json
> Access-Control-Request-Headers: Origin, Accept, Content-Type
> Origin: https://DOMAIN.netlify.com
> Access-Control-Request-Method: POST
> Content-Length: 263
>
* upload completely sent off: 263 out of 263 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Headers: Content-Type
< Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
< Access-Control-Allow-Origin: https://DOMAIN.netlify.com
< Server: Caddy
< Vary: Origin
< Date: Wed, 21 Feb 2018 21:00:56 GMT
< Content-Length: 0
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host DOMAIN.com left intact

caddy file

DOMAIN.com {

  #root /home/data/webroot

  cors /registration {
    origin https://DOMAIN.netlify.com
#    allow_credentials true
    allowed_headers Content-Type
  }
}
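
The behaviour discussed in this thread, where a request without an Origin header gets no CORS headers while a preflight carrying Origin does, can be checked offline. This is an added example, not code from the issue or from the cors plugin: `corsStandIn`, `probe` and `site` are hypothetical names, and the handler is a simplified stand-in that allows only the origin from the last Caddyfile.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Origin permitted by the Caddyfile above (the page's placeholder domain).
const allowed = "https://DOMAIN.netlify.com"

// corsStandIn is a simplified, hypothetical stand-in for a CORS middleware:
// it emits CORS headers only for requests whose Origin header matches.
func corsStandIn(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if origin != allowed { // also covers a missing Origin header
			next.ServeHTTP(w, r)
			return
		}
		w.Header().Set("Access-Control-Allow-Origin", origin)
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			return // preflight is answered here and never reaches the site
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one in-memory request and returns Access-Control-Allow-Origin ("" if absent).
func probe(h http.Handler, method, origin string, preflight bool) string {
	req := httptest.NewRequest(method, "https://DOMAIN.com/registration", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	if preflight {
		req.Header.Set("Access-Control-Request-Method", "POST")
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

// site wraps a constructed placeholder backend with the stand-in middleware.
var site = corsStandIn(http.NotFoundHandler())

func main() {
	fmt.Printf("POST, no Origin:   %q\n", probe(site, "POST", "", false))
	fmt.Printf("OPTIONS preflight: %q\n", probe(site, "OPTIONS", allowed, true))
}
```

An empty result for the first probe is the same outcome as the plain `curl -vvv` requests earlier in the thread; the second probe corresponds to the curl command with `Origin` and `Access-Control-Request-Method` set.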
