proxy: check ALLOWED_HOSTS only for client requests (#6328)

This feature is only intended to identify misdirected browser requests.
The other routes are called by services/tools which will not necessarily
set the 'Host' header and thus break.

Co-authored-by: Adrian Richter <adrian@intevation.de>

proxy/caddy_base.json

@@ -24,27 +24,6 @@
           "listen": [":8000"],
           "allow_h2c": true,
           "routes": [
-            {
-              "handle": [
-                {
-                  "body": "Misdirected Request",
-                  "close": true,
-                  "handler": "static_response",
-                  "status_code": 421
-                }
-              ],
-              "match": [
-                {
-                  "not": [
-                    {
-                      "header": {
-                        "Host": []
-                      }
-                    }
-                  ]
-                }
-              ]
-            },
             {
               "handle": [
                 {
@@ -149,6 +128,23 @@
                 }
               ]
             },
+            {
+              "handle": [
+                {
+                  "handler": "reverse_proxy",
+                  "upstreams": [
+                    {
+                      "dial": "$VOTE_HOST:$VOTE_PORT"
+                    }
+                  ]
+                }
+              ],
+              "match": [
+                {
+                  "path": ["/system/vote*"]
+                }
+              ]
+            },
             {
               "handle": [
                 {
@@ -176,17 +172,21 @@
             {
               "handle": [
                 {
-                  "handler": "reverse_proxy",
+                  "body": "Misdirected Request",
-                  "upstreams": [
+                  "close": true,
-                    {
+                  "handler": "static_response",
-                      "dial": "$VOTE_HOST:$VOTE_PORT"
+                  "status_code": 421
-                    }
-                  ]
                 }
               ],
               "match": [
                 {
-                  "path": ["/system/vote*"]
+                  "not": [
+                    {
+                      "header": {
+                        "Host": []
+                      }
+                    }
+                  ]
                 }
               ]
             },

proxy/entrypoint

@@ -57,10 +57,10 @@ fi
 ### ALLOWED HOSTS ###
 if [ -n "$ALLOWED_HOSTS" ]; then
   for host in $ALLOWED_HOSTS; do
-    jq_write ".apps.http.servers.srv0.routes[0].match[0].not[0].header.Host += [\"$host\"]"
+    jq_write ".apps.http.servers.srv0.routes[-2].match[0].not[0].header.Host += [\"$host\"]"
   done
 else
-  jq_write "del(.apps.http.servers.srv0.routes[0])"
+  jq_write "del(.apps.http.servers.srv0.routes[-2])"
 fi
 
 exec "$@"