feat(services): HTTP/2 + HTTP/3 support via Caddy reverse-proxy

Swap Werkzeug for Caddy as the protocol layer for http and https decoy services. Flask keeps owning app logic (fake_app, custom_body, headers, syslog) on 127.0.0.1:8080; Caddy terminates h1/h2/h2c/h3 on the wire with real-world TLS/QUIC fingerprints. - Add `multi_enum` FieldType to ServiceConfigField + _coerce - Add `http_versions` field to HTTPService (h1/h2c) and HTTPSService (h1/h2/h3); selecting h3 emits UDP/443 port mapping in compose - Rewrite both Dockerfiles with multi-stage Caddy binary copy + setcap for port binding as the logrelay user - Entrypoints parse HTTP_VERSIONS JSON, render a Caddyfile, start Flask in background, wait for it, then exec Caddy - https/server.py drops direct TLS handling; Caddy owns the cert - Add ProxyFix to both server.py so Flask sees real attacker IPs - Frontend: multi_enum checkbox-group renderer in ServiceConfigFields; FormValue union extended to string[]; compactPayload skips [] - Fix stale test_smtp_relay_schema_matches_smtp: relay schema is a superset of smtp, not equal; update assertions accordingly
2026-05-10 00:04:37 -04:00
parent ec5b49144e
commit 0653e500b5
14 changed files with 435 additions and 31 deletions
--- a/decnet/templates/http/entrypoint.sh
+++ b/decnet/templates/http/entrypoint.sh
@@ -1,3 +1,43 @@
 #!/bin/bash
 set -e
-exec python3 /opt/server.py
+
+# Parse HTTP_VERSIONS JSON → Caddy protocol tokens (h1 / h2c)
+CADDY_PROTOCOLS=$(python3 -c "
+import json, os
+versions = json.loads(os.environ.get('HTTP_VERSIONS', '[\"http/1.1\"]'))
+tokens = []
+if 'http/1.1' in versions:
+    tokens.append('h1')
+if 'http/2' in versions:
+    tokens.append('h2c')
+print(' '.join(tokens) if tokens else 'h1')
+")
+
+cat > /etc/caddy/Caddyfile <<EOF
+{
+  admin off
+  servers :80 {
+    protocols ${CADDY_PROTOCOLS}
+  }
+}
+
+:80 {
+  reverse_proxy 127.0.0.1:8080
+}
+EOF
+
+python3 /opt/server.py &
+
+# Wait for Flask to be ready before handing off to Caddy
+python3 -c "
+import socket, time
+for _ in range(40):
+    try:
+        s = socket.create_connection(('127.0.0.1', 8080), timeout=0.25)
+        s.close()
+        break
+    except OSError:
+        time.sleep(0.1)
+"
+
+exec caddy run --config /etc/caddy/Caddyfile