anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(services): HTTP/2 + HTTP/3 support via Caddy reverse-proxy

Browse Source 
Swap Werkzeug for Caddy as the protocol layer for http and https decoy
services. Flask keeps owning app logic (fake_app, custom_body, headers,
syslog) on 127.0.0.1:8080; Caddy terminates h1/h2/h2c/h3 on the wire
with real-world TLS/QUIC fingerprints.

- Add `multi_enum` FieldType to ServiceConfigField + _coerce
- Add `http_versions` field to HTTPService (h1/h2c) and HTTPSService
  (h1/h2/h3); selecting h3 emits UDP/443 port mapping in compose
- Rewrite both Dockerfiles with multi-stage Caddy binary copy +
  setcap for port binding as the logrelay user
- Entrypoints parse HTTP_VERSIONS JSON, render a Caddyfile, start
  Flask in background, wait for it, then exec Caddy
- https/server.py drops direct TLS handling; Caddy owns the cert
- Add ProxyFix to both server.py so Flask sees real attacker IPs
- Frontend: multi_enum checkbox-group renderer in ServiceConfigFields;
  FormValue union extended to string[]; compactPayload skips []
- Fix stale test_smtp_relay_schema_matches_smtp: relay schema is a
  superset of smtp, not equal; update assertions accordingly
This commit is contained in:
anti
2026-05-10 00:04:37 -04:00
parent ec5b49144e
commit 0653e500b5
14 changed files with 435 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
decnet/services/https.py
View File

@@ -59,6 +59,14 @@ class HTTPSService(BaseService):
type="textarea",
secret=True,
),
ServiceConfigField(
key="http_versions",
label="Supported HTTP versions",
type="multi_enum",
enum=["http/1.1", "http/2", "http/3"],
default=["http/1.1"],
help="Protocol versions Caddy advertises. HTTP/3 uses QUIC over UDP/443.",
),
]
def compose_fragment(
@@ -103,6 +111,10 @@ class HTTPSService(BaseService):
fragment["environment"]["TLS_KEY"] = cfg["tls_key"]
if "tls_cn" in cfg:
fragment["environment"]["TLS_CN"] = cfg["tls_cn"]
if "http_versions" in cfg:
fragment["environment"]["HTTP_VERSIONS"] = json.dumps(cfg["http_versions"])
if "http/3" in cfg["http_versions"]:
fragment.setdefault("ports", []).append("443:443/udp")
return fragment