anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(services): HTTP/2 + HTTP/3 support via Caddy reverse-proxy

Browse Source 
Swap Werkzeug for Caddy as the protocol layer for http and https decoy
services. Flask keeps owning app logic (fake_app, custom_body, headers,
syslog) on 127.0.0.1:8080; Caddy terminates h1/h2/h2c/h3 on the wire
with real-world TLS/QUIC fingerprints.

- Add `multi_enum` FieldType to ServiceConfigField + _coerce
- Add `http_versions` field to HTTPService (h1/h2c) and HTTPSService
  (h1/h2/h3); selecting h3 emits UDP/443 port mapping in compose
- Rewrite both Dockerfiles with multi-stage Caddy binary copy +
  setcap for port binding as the logrelay user
- Entrypoints parse HTTP_VERSIONS JSON, render a Caddyfile, start
  Flask in background, wait for it, then exec Caddy
- https/server.py drops direct TLS handling; Caddy owns the cert
- Add ProxyFix to both server.py so Flask sees real attacker IPs
- Frontend: multi_enum checkbox-group renderer in ServiceConfigFields;
  FormValue union extended to string[]; compactPayload skips []
- Fix stale test_smtp_relay_schema_matches_smtp: relay schema is a
  superset of smtp, not equal; update assertions accordingly
This commit is contained in:
anti
2026-05-10 00:04:37 -04:00
parent ec5b49144e
commit 0653e500b5
14 changed files with 435 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
decnet/templates/http/server.py
View File

@@ -11,6 +11,7 @@ import os
from pathlib import Path
from flask import Flask, request, send_from_directory
from werkzeug.middleware.proxy_fix import ProxyFix
from werkzeug.serving import make_server, WSGIRequestHandler
import instance_seed as _seed
@@ -27,7 +28,7 @@ logging.getLogger("werkzeug").setLevel(logging.ERROR)
NODE_NAME = os.environ.get("NODE_NAME", "webserver")
SERVICE_NAME = "http"
LOG_TARGET = os.environ.get("LOG_TARGET", "")
PORT = int(os.environ.get("PORT", "80"))
PORT = int(os.environ.get("PORT", "8080"))
# Per-instance Server header. Every decky running one identical Apache
# version string is a one-query fleet discovery for any scanner.
@@ -85,6 +86,7 @@ _FAKE_APP_BODIES: dict[str, str] = {
}
app = Flask(__name__)
app.wsgi_app = ProxyFix(app.wsgi_app, x_for=1, x_proto=1, x_host=1) # type: ignore[method-assign]
@app.after_request
def _fix_server_header(response):
@@ -161,5 +163,5 @@ class _SilentHandler(WSGIRequestHandler):
if __name__ == "__main__":
_log("startup", msg=f"HTTP server starting as {NODE_NAME}")
srv = make_server("0.0.0.0", PORT, app, request_handler=_SilentHandler) # nosec B104
srv = make_server("127.0.0.1", PORT, app, request_handler=_SilentHandler)
srv.serve_forever()