Description
Issue Details
Per https://caddy.community/t/caddy-2-11-http-403-error-via-docker-exec-caddy-reload/33526, Caddy's origin host header checking on the Admin interface may be affecting how caddy reload functions in a container-based Caddy deployment.
We utilise caddy running as a docker image as an 'ingress service router' for our platform. As part of the update process, our CI/CD pipeline (GitLab CI/CD) connects to the docker host, refreshes the project and then will run ‘caddy reload’ to ensure up-to-date config is loaded.
This is done via:
```
docker exec -w /etc/caddy ingress-router-caddy-1 caddy reload
```
This has worked without issue on Caddy v2.10. After updating the image to Caddy v2.11.1 this morning, we now see the following problem:
```
$ docker exec -w /etc/caddy ingress-router-caddy-1 caddy reload
{"level":"info","ts":1772070489.923556,"msg":"using adjacent Caddyfile"}
{"level":"warn","ts":1772070489.945869,"msg":"The nested 'metrics' option inside `servers` is deprecated and will be removed in the next major version. Use the global 'metrics' option instead."}
{"level":"info","ts":1772070489.9707046,"msg":"adapted config to JSON","adapter":"caddyfile"}
Error: sending configuration to instance: caddy responded with error: HTTP 403: {"error":"client is not allowed to access from origin 'http://localhost:2019'"}
```
This occurs both manually and in the GitLab CI/CD pipeline.
Caddy version:
```
$ docker exec -w /etc/caddy ingress-router-caddy-1 caddy version
v2.11.1 h1:C7sQpsFOC5CH+31KqJc7EoOf8mXrOEkFyYd6GpIqm/s=
```