Proxy cleanups

Remove things not supported, fix docs.

4 files changed, 57 insertions, 33 deletions

diff --git a/Corefile b/Corefile
index 35a7ad239..d30059783 100644
--- a/Corefile
+++ b/Corefile
@@ -1,4 +1,6 @@
 .:1053 {
     log stdout
-    proxy . 8.8.8.8:53
+    rewrite ANY HINFO
+#    proxy . 8.8.8.8:53
+    proxy miek.nl linode.atoom.net:53
 }
diff --git a/middleware.md b/middleware.md
index 323eb15f5..d6e82bcfd 100644
--- a/middleware.md
+++ b/middleware.md
@@ -17,6 +17,12 @@ From the Caddy docs:
 In the DNS status codes are called rcodes and it's slightly harder to return the correct
 answer in case of failure.
 
-So CoreDNS treats only SERVFAIL (dns.RcodeServerFailure) as special and will then assume
-nothing has written to the client. In all other cases it is assume something has been written
-to the client.
+So CoreDNS treats
+
+* SERVFAIL (dns.RcodeServerFailure)
+* REFUSED (dns.RecodeRefused)
+* FORMERR (dns.RcodeFormatError)
+* NOTIMP (dns.RcodeNotImplemented)
+
+as special and will then assume nothing has written to the client. In all other cases it is assume
+something has been written to the client.
diff --git a/middleware/proxy/proxy.md b/middleware/proxy/proxy.md
index 5f11bc1b6..794037901 100644
--- a/middleware/proxy/proxy.md
+++ b/middleware/proxy/proxy.md
@@ -23,59 +23,61 @@ proxy from to... {
 	fail_timeout duration
 	max_fails integer
 	health_check path [duration]
-	proxy_header name value
-	without prefix
-	except ignored_paths...
-	insecure_skip_verify
+	except ignored_names...
 	preset
 }
 ~~~
 
-* from is the base path to match for the request to be proxied.
-* to is the destination endpoint to proxy to. At least one is required, but multiple may be specified.
-* policy is the load balancing policy to use; applies only with multiple backends. May be one of random, least_conn, or round_robin. Default is random.
-* fail_timeout specifies how long to consider a backend as down after it has failed. While it is down, requests will not be routed to that backend. A backend is "down" if Caddy fails to communicate with it. The default value is 10 seconds ("10s").
-* max_fails is the number of failures within fail_timeout that are needed before considering a backend to be down. If 0, the backend will never be marked as down. Default is 1.
-* health_check will check path on each backend. If a backend returns a status code of 200-399, then that backend is healthy. If it doesn't, the backend is marked as unhealthy for duration and no requests are routed to it. If this option is not provided then health checks are disabled. The default duration is 10 seconds ("10s").
-* proxy_header sets headers to be passed to the backend. The field name is name and the value is value. This option can be specified multiple times for multiple headers, and dynamic values can also be inserted using request placeholders.
-* prefix is a URL prefix to trim before proxying the request upstream. A request to /api/foo without /api, for example, will result in a proxy request to /foo.
-* ignored_paths... is a space-separated list of paths to exclude from proxying. Requests that match any of these paths will be passed thru.
-* insecure_skip_verify overrides verification of the backend TLS certificate, essentially disabling security features over HTTPS.
+* `from` is the base path to match for the request to be proxied.
+* `to` is the destination endpoint to proxy to. At least one is required, but multiple may be specified.
+* `policy` is the load balancing policy to use; applies only with multiple backends. May be one of random, least_conn, or round_robin. Default is random.
+* `fail_timeout` specifies how long to consider a backend as down after it has failed. While it is down, requests will not be routed to that backend. A backend is "down" if Caddy fails to communicate with it. The default value is 10 seconds ("10s").
+* `max_fails` is the number of failures within fail_timeout that are needed before considering a backend to be down. If 0, the backend will never be marked as down. Default is 1.
+* `health_check` will check path on each backend. If a backend returns a status code of 200-399, then that backend is healthy. If it doesn't, the backend is marked as unhealthy for duration and no requests are routed to it. If this option is not provided then health checks are disabled. The default duration is 10 seconds ("10s").
+* `ignored_names...` is a space-separated list of paths to exclude from proxying. Requests that match any of these paths will be passed thru.
 
 ## Policies
 
 There are three load balancing policies available:
-* random (default) - Randomly select a backend
-* least_conn - Select backend with the fewest active connections
-* round_robin - Select backend in round-robin fashion
+* *random* (default) - Randomly select a backend
+* *least_conn* - Select backend with the fewest active connections
+* *round_robin* - Select backend in round-robin fashion
 
 ## Examples
 
-Proxy all requests within /api to a backend system:
-proxy /api localhost:9005
+Proxy all requests within example.org. to a backend system:
+
+~~~
+proxy example.org localhost:9005
+~~~
+
 Load-balance all requests between three backends (using random policy):
+
+~~~
 proxy / web1.local:80 web2.local:90 web3.local:100
+~~~
 
 Same as above, but round-robin style:
 
+~~~
 proxy / web1.local:80 web2.local:90 web3.local:100 {
 	policy round_robin
 }
+~~~
 
 With health checks and proxy headers to pass hostname, IP, and scheme upstream:
 
+~~~
 proxy / web1.local:80 web2.local:90 web3.local:100 {
 	policy round_robin
 	health_check /health
-	proxy_header Host {host}
-	proxy_header X-Real-IP {remote}
-	proxy_header X-Forwarded-Proto {scheme}
-}
-Proxy WebSocket connections:
-proxy / localhost:8080 {
-	websocket
 }
+~~~
+
 Proxy everything except requests to /static or /robots.txt:
+
+~~~
 proxy / backend:1234 {
 	except /static /robots.txt
 }
+~~~
diff --git a/server/server.go b/server/server.go
index 827812af7..66dfbeb1a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -260,7 +260,7 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		// In case the user doesn't enable error middleware, we still
 		// need to make sure that we stay alive up here
 		if rec := recover(); rec != nil {
-			DefaultErrorFunc(w, r, rcode)
+			DefaultErrorFunc(w, r, dns.RcodeServerFailure)
 		}
 	}()
 
@@ -286,7 +286,7 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 		if h, ok := s.zones[string(b[:l])]; ok {
 			if r.Question[0].Qtype != dns.TypeDS {
 				rcode, _ := h.stack.ServeDNS(ctx, w, r)
-				if rcode == dns.RcodeServerFailure {
+				if RcodeNoClientWrite(rcode) {
 					DefaultErrorFunc(w, r, rcode)
 				}
 				return
@@ -300,7 +300,7 @@ func (s *Server) ServeDNS(w dns.ResponseWriter, r *dns.Msg) {
 	// Wildcard match, if we have found nothing try the root zone as a last resort.
 	if h, ok := s.zones["."]; ok {
 		rcode, _ := h.stack.ServeDNS(ctx, w, r)
-		if rcode == dns.RcodeServerFailure {
+		if RcodeNoClientWrite(rcode) {
 			DefaultErrorFunc(w, r, rcode)
 		}
 		return
@@ -415,3 +415,17 @@ func ShutdownCallbacks(servers []*Server) []error {
 	}
 	return errs
 }
+
+func RcodeNoClientWrite(rcode int) bool {
+	switch rcode {
+	case dns.RcodeServerFailure:
+		fallthrough
+	case dns.RcodeRefused:
+		fallthrough
+	case dns.RcodeFormatError:
+		fallthrough
+	case dns.RcodeNotImplemented:
+		return true
+	}
+	return false
+}