fix(proxy): validate stored config matches proxy type (#9146)

2026-03-24 21:53:48 +01:00 · 2026-03-24 21:53:48 +01:00 · 5c460dd2a1
commit 5c460dd2a1
parent 4f1f8713e9 b8e52c6a45
3 changed files with 106 additions and 3 deletions
--- a/app/Actions/Proxy/GetProxyConfiguration.php
+++ b/app/Actions/Proxy/GetProxyConfiguration.php
@ -2,10 +2,12 @@

 namespace App\Actions\Proxy;

+use App\Enums\ProxyTypes;
 use App\Models\Server;
 use App\Services\ProxyDashboardCacheService;
 use Illuminate\Support\Facades\Log;
 use Lorisleiva\Actions\Concerns\AsAction;
+use Symfony\Component\Yaml\Yaml;

 class GetProxyConfiguration
 {
@ -24,6 +26,17 @@ public function handle(Server $server, bool $forceRegenerate = false): string
            // Primary source: database
            $proxy_configuration = $server->proxy->get('last_saved_proxy_configuration');

+            // Validate stored config matches current proxy type
+            if (! empty(trim($proxy_configuration ?? ''))) {
+                if (! $this->configMatchesProxyType($proxyType, $proxy_configuration)) {
+                    Log::warning('Stored proxy config does not match current proxy type, will regenerate', [
+                        'server_id' => $server->id,
+                        'proxy_type' => $proxyType,
+                    ]);
+                    $proxy_configuration = null;
+                }
+            }
+
            // Backfill: existing servers may not have DB config yet — read from disk once
            if (empty(trim($proxy_configuration ?? ''))) {
                $proxy_configuration = $this->backfillFromDisk($server);
@ -55,6 +68,29 @@ public function handle(Server $server, bool $forceRegenerate = false): string
        return $proxy_configuration;
    }

+    /**
+     * Check that the stored docker-compose YAML contains the expected service
+     * for the server's current proxy type. Returns false if the config belongs
+     * to a different proxy type (e.g. Traefik config on a CADDY server).
+     */
+    private function configMatchesProxyType(string $proxyType, string $configuration): bool
+    {
+        try {
+            $yaml = Yaml::parse($configuration);
+            $services = data_get($yaml, 'services', []);
+
+            return match ($proxyType) {
+                ProxyTypes::TRAEFIK->value => isset($services['traefik']),
+                ProxyTypes::CADDY->value => isset($services['caddy']),
+                ProxyTypes::NGINX->value => isset($services['nginx']),
+                default => true,
+            };
+        } catch (\Throwable $e) {
+            // If YAML is unparseable, don't block — let the existing flow handle it
+            return true;
+        }
+    }
+
    /**
     * Backfill: read config from disk for servers that predate DB storage.
     * Stores the result in the database so future reads skip SSH entirely.
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@ -1471,6 +1471,9 @@ public function changeProxy(string $proxyType, bool $async = true)
        if ($validProxyTypes->contains(str($proxyType)->lower())) {
            $this->proxy->set('type', str($proxyType)->upper());
            $this->proxy->set('status', 'exited');
+            $this->proxy->set('last_saved_proxy_configuration', null);
+            $this->proxy->set('last_saved_settings', null);
+            $this->proxy->set('last_applied_settings', null);
            $this->save();
            if ($this->proxySet()) {
                if ($async) {
--- a/tests/Unit/ProxyConfigRecoveryTest.php
+++ b/tests/Unit/ProxyConfigRecoveryTest.php
@ -10,20 +10,26 @@
    Cache::spy();
 });

-function mockServerWithDbConfig(?string $savedConfig): object
+function mockServerWithDbConfig(?string $savedConfig, string $proxyType = 'TRAEFIK'): object
 {
    $proxyAttributes = Mockery::mock(SchemalessAttributes::class);
    $proxyAttributes->shouldReceive('get')
        ->with('last_saved_proxy_configuration')
        ->andReturn($savedConfig);

+    $proxyPath = match ($proxyType) {
+        'CADDY' => '/data/coolify/proxy/caddy',
+        'NGINX' => '/data/coolify/proxy/nginx',
+        default => '/data/coolify/proxy/',
+    };
+
    $server = Mockery::mock('App\Models\Server');
    $server->shouldIgnoreMissing();
    $server->shouldReceive('getAttribute')->with('proxy')->andReturn($proxyAttributes);
    $server->shouldReceive('getAttribute')->with('id')->andReturn(1);
    $server->shouldReceive('getAttribute')->with('name')->andReturn('Test Server');
-    $server->shouldReceive('proxyType')->andReturn('TRAEFIK');
-    $server->shouldReceive('proxyPath')->andReturn('/data/coolify/proxy');
+    $server->shouldReceive('proxyType')->andReturn($proxyType);
+    $server->shouldReceive('proxyPath')->andReturn($proxyPath);

    return $server;
 }
@ -107,3 +113,61 @@ function mockServerWithDbConfig(?string $savedConfig): object

    expect($result)->toBe($savedConfig);
 });
+
+it('rejects stored Traefik config when proxy type is CADDY', function () {
+    Log::swap(new \Illuminate\Log\LogManager(app()));
+    Log::spy();
+
+    $traefikConfig = "services:\n  traefik:\n    image: traefik:v3.6\n";
+    $server = mockServerWithDbConfig($traefikConfig, 'CADDY');
+
+    // Config type mismatch should trigger regeneration, which will try
+    // backfillFromDisk (instant_remote_process) then generateDefault.
+    // Both will fail in test env, but the warning log proves mismatch was detected.
+    try {
+        GetProxyConfiguration::run($server);
+    } catch (\Throwable $e) {
+        // Expected — regeneration requires SSH/full server setup
+    }
+
+    Log::shouldHaveReceived('warning')
+        ->withArgs(fn ($message) => str_contains($message, 'does not match current proxy type'))
+        ->once();
+});
+
+it('rejects stored Caddy config when proxy type is TRAEFIK', function () {
+    Log::swap(new \Illuminate\Log\LogManager(app()));
+    Log::spy();
+
+    $caddyConfig = "services:\n  caddy:\n    image: lucaslorentz/caddy-docker-proxy:2.8-alpine\n";
+    $server = mockServerWithDbConfig($caddyConfig, 'TRAEFIK');
+
+    try {
+        GetProxyConfiguration::run($server);
+    } catch (\Throwable $e) {
+        // Expected — regeneration requires SSH/full server setup
+    }
+
+    Log::shouldHaveReceived('warning')
+        ->withArgs(fn ($message) => str_contains($message, 'does not match current proxy type'))
+        ->once();
+});
+
+it('accepts stored Caddy config when proxy type is CADDY', function () {
+    $caddyConfig = "services:\n  caddy:\n    image: lucaslorentz/caddy-docker-proxy:2.8-alpine\n";
+    $server = mockServerWithDbConfig($caddyConfig, 'CADDY');
+
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($caddyConfig);
+});
+
+it('accepts stored config when YAML parsing fails', function () {
+    $invalidYaml = "this: is: not: [valid yaml: {{{}}}";
+    $server = mockServerWithDbConfig($invalidYaml, 'TRAEFIK');
+
+    // Invalid YAML should not block — configMatchesProxyType returns true on parse failure
+    $result = GetProxyConfiguration::run($server);
+
+    expect($result)->toBe($invalidYaml);
+});