github.com/mholt/caddy-l4@v0.0.0-20241104153248-ec8fae209322/README.md (about) 1 Project Conncept: a TCP/UDP app for Caddy 2 ======================================= 3 4 **Project Conncept** is an experimental layer 4 app for Caddy. It facilitates composable handling of raw TCP/UDP connections based on properties of the connection or the beginning of the stream. 5 6 With it, you can listen on sockets/ports and express logic such as: 7 8 - "Echo all input back to the client." 9 - "Proxy all the raw bytes to 10.0.3.14:1592." 10 - "If connection is TLS, terminate TLS then proxy all bytes to :5000." 11 - "Terminate TLS; then if it is HTTP, proxy to localhost:80; otherwise echo." 12 - "If connection is TLS, proxy to :443 without terminating; if HTTP, proxy to :80; if SSH, proxy to :22." 13 - "If the HTTP Host is `example.com` or the TLS ServerName is `example.com`, then proxy to 192.168.0.4." 14 - "Block connections from these IP ranges: ..." 15 - "Throttle data flow to simulate slow connections." 16 - And much more! 17 18 **⚠️ This app is very capable and flexible, but is still in development. Please expect breaking changes.** 19 20 Because this is a caddy app, it can be used alongside other Caddy apps such as the [HTTP server](https://caddyserver.com/docs/modules/http) or [TLS certificate manager](https://caddyserver.com/docs/modules/tls). 21 22 Note that both Caddyfile and JSON configs are available at this time. More documentation will come soon. For now, please read the code, especially type definitions and their comments. It's actually a pretty simple code base. See below for tips and examples writing config. 23 24 > [!NOTE] 25 > This is not an official repository of the [Caddy Web Server](https://github.com/caddyserver) organization. 26 27 ## Introduction 28 29 This app works similarly to the `http` app. You define servers, and each server consists of routes. A route has a set of matchers and handlers; if a connection matches, the associated handlers are invoked. 30 31 Current matchers: 32 33 - **layer4.matchers.clock** - matches connections on the time they are wrapped/matched. 34 - **layer4.matchers.http** - matches connections that start with HTTP requests. In addition, any [`http.matchers` modules](https://caddyserver.com/docs/modules/) can be used for matching on HTTP-specific properties of requests, such as header or path. Note that only the first request of each connection can be used for matching. 35 - **layer4.matchers.local_ip** - matches connections based on local IP (or CIDR range). 36 - **layer4.matchers.not** - matches connections that aren't matched by inner matcher sets. 37 - **layer4.matchers.openvpn** - matches connections that look like [OpenVPN](https://openvpn.net/community-resources/openvpn-protocol/) connections. 38 - **layer4.matchers.postgres** - matches connections that look like Postgres connections. 39 - **layer4.matchers.proxy_protocol** - matches connections that start with [HAPROXY proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). 40 - **layer4.matchers.quic** - matches connections that look like [QUIC](https://quic.xargs.org/). In addition, any [`tls.handshake_match` modules](https://caddyserver.com/docs/modules/) can be used for matching on TLS-specific properties of the ClientHello, such as ServerName (SNI). 41 - **layer4.matchers.rdp** - matches connections that look like [RDP](https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-RDPBCGR/%5BMS-RDPBCGR%5D.pdf). 42 - **layer4.matchers.regexp** - matches connections that have the first packet bytes matching a regular expression. 43 - **layer4.matchers.remote_ip** - matches connections based on remote IP (or CIDR range). 44 - **layer4.matchers.socks4** - matches connections that look like [SOCKSv4](https://www.openssh.com/txt/socks4.protocol). 45 - **layer4.matchers.socks5** - matches connections that look like [SOCKSv5](https://www.rfc-editor.org/rfc/rfc1928.html). 46 - **layer4.matchers.ssh** - matches connections that look like SSH connections. 47 - **layer4.matchers.tls** - matches connections that start with TLS handshakes. In addition, any [`tls.handshake_match` modules](https://caddyserver.com/docs/modules/) can be used for matching on TLS-specific properties of the ClientHello, such as ServerName (SNI). 48 - **layer4.matchers.winbox** - matches connections that look like those initiated by [Winbox](https://help.mikrotik.com/docs/display/ROS/WinBox), a graphical tool for MikroTik hardware and software routers management. 49 - **layer4.matchers.wireguard** - matches connections the look like [WireGuard](https://www.wireguard.com/protocol/) connections. 50 - **layer4.matchers.xmpp** - matches connections that look like [XMPP](https://xmpp.org/about/technology-overview/). 51 52 Current handlers: 53 54 - **layer4.handlers.echo** - An echo server. 55 - **layer4.handlers.proxy** - Powerful layer 4 proxy, capable of multiple upstreams (with load balancing and health checks) and establishing new TLS connections to backends. Optionally supports sending the [HAProxy proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). 56 - **layer4.handlers.proxy_protocol** - Accepts the [HAPROXY proxy protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt) on the receiving side. 57 - **layer4.handlers.socks5** - Handles [SOCKSv5](https://www.rfc-editor.org/rfc/rfc1928.html) proxy protocol connections. 58 - **layer4.handlers.subroute** - Implements recursion logic, i.e. allows to match and handle already matched connections. 59 - **layer4.handlers.tee** - Branches the handling of a connection into a concurrent handler chain. 60 - **layer4.handlers.throttle** - Throttle connections to simulate slowness and latency. 61 - **layer4.handlers.tls** - TLS termination. 62 63 Like the `http` app, some handlers are "terminal" meaning that they don't call the next handler in the chain. For example: `echo` and `proxy` are terminal handlers because they consume the client's input. 64 65 66 ## Compiling 67 68 The recommended way is to use [xcaddy](https://github.com/caddyserver/xcaddy): 69 70 ``` 71 $ xcaddy build --with github.com/mholt/caddy-l4 72 ``` 73 74 Alternatively, to hack on the plugin code, you can clone it down, then build and run like so: 75 76 1. Download or clone this repo: `git clone https://github.com/mholt/caddy-l4.git` 77 2. In the project folder, run `xcaddy` just like you would run `caddy`. For example: `xcaddy list-modules --versions` (you should see the `layer4` modules). 78 79 80 ## Writing config 81 82 This app supports Caddyfile, but you may also use Caddy's native JSON format to configure it. I highly recommend [this caddy-json-schema plugin by @abiosoft](https://github.com/abiosoft/caddy-json-schema) which can give you auto-complete and documentation right in your editor as you write your config! 83 84 See below for some examples to help you get started. 85 86 87 ## Config examples 88 89 A simple echo server: 90 91 <details> 92 <summary>Caddyfile</summary> 93 94 ``` 95 { 96 layer4 { 97 127.0.0.1:5000 { 98 route { 99 echo 100 } 101 } 102 } 103 } 104 ``` 105 </details> 106 <details> 107 <summary>JSON</summary> 108 109 ```json 110 { 111 "apps": { 112 "layer4": { 113 "servers": { 114 "example": { 115 "listen": ["127.0.0.1:5000"], 116 "routes": [ 117 { 118 "handle": [ 119 {"handler": "echo"} 120 ] 121 } 122 ] 123 } 124 } 125 } 126 } 127 } 128 ``` 129 </details> 130 131 132 A simple echo server with TLS termination that uses a self-signed cert for `localhost`: 133 134 <details> 135 <summary>Caddyfile</summary> 136 137 ``` 138 { 139 layer4 { 140 127.0.0.1:5000 { 141 route { 142 tls 143 echo 144 } 145 } 146 } 147 } 148 ``` 149 </details> 150 <details> 151 <summary>JSON</summary> 152 153 ```json 154 { 155 "apps": { 156 "layer4": { 157 "servers": { 158 "example": { 159 "listen": ["127.0.0.1:5000"], 160 "routes": [ 161 { 162 "handle": [ 163 {"handler": "tls"}, 164 {"handler": "echo"} 165 ] 166 } 167 ] 168 } 169 } 170 }, 171 "tls": { 172 "certificates": { 173 "automate": ["localhost"] 174 }, 175 "automation": { 176 "policies": [ 177 { 178 "issuers": [{"module": "internal"}] 179 } 180 ] 181 } 182 } 183 } 184 } 185 ``` 186 </details> 187 188 A simple TCP reverse proxy that terminates TLS on 993, and sends the PROXY protocol header to 1143 through 143: 189 190 <details> 191 <summary>Caddyfile</summary> 192 193 ``` 194 { 195 layer4 { 196 0.0.0.0:993 { 197 route { 198 tls 199 proxy { 200 proxy_protocol v1 201 upstream localhost:143 202 } 203 } 204 } 205 0.0.0.0:143 { 206 route { 207 proxy_protocol 208 proxy { 209 proxy_protocol v2 210 upstream localhost:1143 211 } 212 } 213 } 214 } 215 } 216 ``` 217 </details> 218 <details> 219 <summary>JSON</summary> 220 221 ```json 222 { 223 "apps": { 224 "layer4": { 225 "servers": { 226 "secure-imap": { 227 "listen": ["0.0.0.0:993"], 228 "routes": [ 229 { 230 "handle": [ 231 { 232 "handler": "tls" 233 }, 234 { 235 "handler": "proxy", 236 "proxy_protocol": "v1", 237 "upstreams": [ 238 {"dial": ["localhost:143"]} 239 ] 240 } 241 ] 242 } 243 ] 244 }, 245 "normal-imap": { 246 "listen": ["0.0.0.0:143"], 247 "routes": [ 248 { 249 "handle": [ 250 { 251 "handler": "proxy_protocol" 252 }, 253 { 254 "handler": "proxy", 255 "proxy_protocol": "v2", 256 "upstreams": [ 257 {"dial": ["localhost:1143"]} 258 ] 259 } 260 ] 261 } 262 ] 263 } 264 } 265 } 266 } 267 } 268 ``` 269 </details> 270 271 A multiplexer that proxies HTTP to one backend, and TLS to another (without terminating TLS): 272 273 <details> 274 <summary>Caddyfile</summary> 275 276 ``` 277 { 278 layer4 { 279 127.0.0.1:5000 { 280 @insecure http 281 route @insecure { 282 proxy localhost:80 283 } 284 @secure tls 285 route @secure { 286 proxy localhost:443 287 } 288 } 289 } 290 } 291 ``` 292 </details> 293 <details> 294 <summary>JSON</summary> 295 296 ```json 297 { 298 "apps": { 299 "layer4": { 300 "servers": { 301 "example": { 302 "listen": ["127.0.0.1:5000"], 303 "routes": [ 304 { 305 "match": [ 306 { 307 "http": [] 308 } 309 ], 310 "handle": [ 311 { 312 "handler": "proxy", 313 "upstreams": [ 314 {"dial": ["localhost:80"]} 315 ] 316 } 317 ] 318 }, 319 { 320 "match": [ 321 { 322 "tls": {} 323 } 324 ], 325 "handle": [ 326 { 327 "handler": "proxy", 328 "upstreams": [ 329 {"dial": ["localhost:443"]} 330 ] 331 } 332 ] 333 } 334 ] 335 } 336 } 337 } 338 } 339 } 340 ``` 341 </details> 342 343 Same as previous, but only applies to HTTP requests with specific hosts: 344 345 <details> 346 <summary>Caddyfile</summary> 347 348 ``` 349 { 350 layer4 { 351 127.0.0.1:5000 { 352 @example http host example.com 353 route @example { 354 subroute { 355 @insecure http 356 route @insecure { 357 proxy localhost:80 358 } 359 @secure tls 360 route @secure { 361 proxy localhost:443 362 } 363 } 364 } 365 } 366 } 367 } 368 ``` 369 </details> 370 <details> 371 <summary>JSON</summary> 372 373 ```json 374 { 375 "apps": { 376 "layer4": { 377 "servers": { 378 "example": { 379 "listen": ["127.0.0.1:5000"], 380 "routes": [ 381 { 382 "match": [ 383 { 384 "http": [ 385 {"host": ["example.com"]} 386 ] 387 } 388 ], 389 "handle": [ 390 { 391 "handler": "subroute", 392 "routes": [ 393 { 394 "match": [ 395 { 396 "http": [] 397 } 398 ], 399 "handle": [ 400 { 401 "handler": "proxy", 402 "upstreams": [ 403 {"dial": ["localhost:80"]} 404 ] 405 } 406 ] 407 }, 408 { 409 "match": [ 410 { 411 "tls": {} 412 } 413 ], 414 "handle": [ 415 { 416 "handler": "proxy", 417 "upstreams": [ 418 {"dial": ["localhost:443"]} 419 ] 420 } 421 ] 422 } 423 ] 424 } 425 ] 426 } 427 ] 428 } 429 } 430 } 431 } 432 } 433 ``` 434 </details> 435 436 Same as previous, but filter by HTTP Host header and/or TLS ClientHello ServerName: 437 438 <details> 439 <summary>Caddyfile</summary> 440 441 ``` 442 { 443 layer4 { 444 127.0.0.1:5000 { 445 @insecure http host example.com 446 route @insecure { 447 proxy localhost:80 448 } 449 @secure tls sni example.net 450 route @secure { 451 proxy localhost:443 452 } 453 } 454 } 455 } 456 ``` 457 </details> 458 <details> 459 <summary>JSON</summary> 460 461 ```json 462 { 463 "apps": { 464 "layer4": { 465 "servers": { 466 "example": { 467 "listen": ["127.0.0.1:5000"], 468 "routes": [ 469 { 470 "match": [ 471 { 472 "http": [ 473 {"host": ["example.com"]} 474 ] 475 } 476 ], 477 "handle": [ 478 { 479 "handler": "proxy", 480 "upstreams": [ 481 {"dial": ["localhost:80"]} 482 ] 483 } 484 ] 485 }, 486 { 487 "match": [ 488 { 489 "tls": { 490 "sni": ["example.net"] 491 } 492 } 493 ], 494 "handle": [ 495 { 496 "handler": "proxy", 497 "upstreams": [ 498 {"dial": ["localhost:443"]} 499 ] 500 } 501 ] 502 } 503 ] 504 } 505 } 506 } 507 } 508 } 509 ``` 510 </details> 511 512 Forwarding SOCKSv4 to a remote server and handling SOCKSv5 directly in caddy. 513 While only allowing connections from a specific network and requiring a username and password for SOCKSv5. 514 515 <details> 516 <summary>Caddyfile</summary> 517 518 ``` 519 { 520 layer4 { 521 0.0.0.0:1080 { 522 @s5 { 523 socks5 524 ip 10.0.0.0/24 525 } 526 route @s5 { 527 socks5 { 528 credentials bob qHoEtVpGRM 529 } 530 } 531 @s4 socks4 532 route @s4 { 533 proxy 10.64.0.1:1080 534 } 535 } 536 } 537 } 538 ``` 539 </details> 540 <details> 541 <summary>JSON</summary> 542 543 ```json 544 { 545 "apps": { 546 "layer4": { 547 "servers": { 548 "socks": { 549 "listen": ["0.0.0.0:1080"], 550 "routes": [ 551 { 552 "match": [ 553 { 554 "socks5": {}, 555 "remote_ip": {"ranges": ["10.0.0.0/24"]} 556 } 557 ], 558 "handle": [ 559 { 560 "handler": "socks5", 561 "credentials": { 562 "bob": "qHoEtVpGRM" 563 } 564 } 565 ] 566 }, 567 { 568 "match": [ 569 { 570 "socks4": {} 571 } 572 ], 573 "handle": [ 574 { 575 "handler": "proxy", 576 "upstreams": [ 577 {"dial": ["10.64.0.1:1080"]} 578 ] 579 } 580 ] 581 } 582 ] 583 } 584 } 585 } 586 } 587 } 588 ``` 589 </details> 590 591 ## Placeholders support 592 593 Environment variables having `{$VAR}` syntax are supported in Caddyfile only. They are evaluated once at launch before Caddyfile is parsed. 594 595 Runtime placeholders having `{...}` syntax, including environment variables referenced as `{env.VAR}`, are supported in both Caddyfile and pure JSON, with some caveats described below. 596 - Options of *int*, *float*, *big.int*, *duration*, and other numeric types don't support runtime placeholders at all. 597 - Options of *string* type containing IPs or CIDRs (e.g. `remote_ip` matcher), regular expressions (e.g. `cookie_hash_regexp` of `rdp` matcher), or special values (e.g. `commands` and `credentials` of `socks5` handler) support runtime placeholders, but they are evaluated __once at provision__ due to the existing optimizations. A special case is `dial` in `upstream` of `proxy` handler: it is evaluated 2 times: at handler provision for all known placeholders (e.g. `{env.*}`) and at dial for all placeholders (e.g. `{l4.*}`). 598 - Other options of *string* type (e.g. `alpn` of `tls` matcher) generally support runtime placeholders, and they are evaluated __each time at match or handle__. However, there are some exceptions, e.g. `tls_*` options inside `upstream` of `proxy` handler, and all options inside `connection_policy` of `tls` handler, that don't support runtime placeholders at all. 599 600 Please note that runtime placeholders support depends on handler/matcher implementations. Given some matchers and handlers are outside of this repository, it's up to their developers to support or restrict usage of runtime placeholders.