Upgrade caddy

[andreeleuterio]

This patches CVE-2021-42377 and CVE-2020-28928.

Checklist

• Sister deploy-sourcegraph change:
• All images have a valid tag and SHA256 sum

Test plan

• CI checks
• @kevinwojo: I created a GCP compute instance and installed SG with Caddy using HTTPS via LetsEncrypt. I then upgraded Caddy to this latest version. Aside from providing a notice to our customers regarding the new trusted_proxies setting, I think this is safe.

[kevinwojo]

We'll want to test this release a little more thoroughly.

From the CHANGELOG:

⚠️ Reverse proxy: Incoming X-Forwarded-* headers will no longer be automatically trusted, to prevent spoofing. Now, trusted_proxies must be configured to specify a list of downstream proxies which are trusted to have sent good values. You only need to configure trusted proxies if Caddy is not the first server being connected to. For example, if you have Cloudflare in front of Caddy, then you should configure this with Cloudflare's list of IP ranges.

We may have to provide some documentation guidance for our customers if they're in this position.

I think we could probably copy/paste this notice into the Docker Compose upgrade notes and let CE know about this inbound change.

[kevinwojo]

Accompanying release note: https://github.com/sourcegraph/sourcegraph/pull/37270

[kevinwojo]

Tested and added release note.

[kevinwojo]

Putting a soft block on this, we need to update a good chunk of docs before we can ship this.

I started typing up a courtesy message for CE and realized we have a lot to communicate.

[andreeleuterio]

@kevinwojo I updated the example docker-compose file and added a sample file for trusted_proxies config.

[kevinwojo]

This is on my list to test today. I am preparing a few internal examples to share with the team internally that we can use for validation of config syntax.

Admittedly the Caddyfile syntax is a little nebulous ... documentation is hard to grok.

[daxmc99]

Paired with @kevinwojo on this, determined that although we don't use the X-Forwarded-For header much we might lose some analytics

I suggest we modify these caddy files to be

# Routes all plain http requests to sourcegraph-frontend - suitable for local testing.
#
# Caddyfile documentation: https://caddyserver.com/docs/caddyfile

:80

# If the customer uses a reverse proxy in front of Caddy,
# add the reverse proxies IPs (or IP CIDR ranges) to the trusted_proxies list.
# More information in https://caddyserver.com/docs/caddyfile/directives/reverse_proxy
reverse_proxy {
to {$SRC_FRONTEND_ADDRESSES}
trusted_proxies 0.0.0.0/0
}

[daxmc99]

@sourcegraph/security for approval of this approach

[daxmc99]

Spoke with @andreeleuterio offline, and he approved this approach. I will commit and merge this.

[daxmc99]

CI is unfortunately borked here 😢
There are failures (seemingly related to the number of containers) but it works locally in my testing (also passes caddy validate)