anti/DECNET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(services): HTTP/2 + HTTP/3 support via Caddy reverse-proxy

Browse Source 
Swap Werkzeug for Caddy as the protocol layer for http and https decoy
services. Flask keeps owning app logic (fake_app, custom_body, headers,
syslog) on 127.0.0.1:8080; Caddy terminates h1/h2/h2c/h3 on the wire
with real-world TLS/QUIC fingerprints.

- Add `multi_enum` FieldType to ServiceConfigField + _coerce
- Add `http_versions` field to HTTPService (h1/h2c) and HTTPSService
  (h1/h2/h3); selecting h3 emits UDP/443 port mapping in compose
- Rewrite both Dockerfiles with multi-stage Caddy binary copy +
  setcap for port binding as the logrelay user
- Entrypoints parse HTTP_VERSIONS JSON, render a Caddyfile, start
  Flask in background, wait for it, then exec Caddy
- https/server.py drops direct TLS handling; Caddy owns the cert
- Add ProxyFix to both server.py so Flask sees real attacker IPs
- Frontend: multi_enum checkbox-group renderer in ServiceConfigFields;
  FormValue union extended to string[]; compactPayload skips []
- Fix stale test_smtp_relay_schema_matches_smtp: relay schema is a
  superset of smtp, not equal; update assertions accordingly
This commit is contained in:
anti
2026-05-10 00:04:37 -04:00
parent ec5b49144e
commit 0653e500b5
14 changed files with 435 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
tests/services/test_config_schema.py
View File

@@ -236,11 +236,16 @@ def test_smtp_mta_enum_rejects_unknown():
SMTPService().validate_cfg({"mta": "qmail"})
def test_smtp_relay_schema_matches_smtp():
assert (
{f.key for f in SMTPRelayService.config_schema}
== {f.key for f in SMTPService.config_schema}
)
def test_smtp_relay_schema_is_superset_of_smtp():
base_keys = {f.key for f in SMTPService.config_schema}
relay_keys = {f.key for f in SMTPRelayService.config_schema}
assert base_keys <= relay_keys, f"Relay schema missing base keys: {base_keys - relay_keys}"
relay_only = relay_keys - base_keys
assert relay_only == {"upstream_host", "upstream_port", "upstream_user",
"upstream_pass", "upstream_sender", "probe_limit"}
def test_smtp_relay_compose_sets_open_relay_and_propagates_banner():
svc = SMTPRelayService()
frag = svc.compose_fragment(
"decky-test", service_cfg=svc.validate_cfg({"banner": "x", "mta": "postfix"})