Caddy: Basicauth and proxy not working

Created on 3 Jan 2017 · 5 Comments · Source: caddyserver/caddy

1. What version of Caddy are you running (caddy -version)?

Caddy 0.9.4 (on windows 10)

2. What are you trying to do?

Protect a reverse proxy via basicauth

3. What is your entire Caddyfile?

example.com:801 {
  errors errors.log
  log access.log
  tls off

  basicauth /admin "r" "r"
  proxy /admin/monitor 192.168.3.9:80
}

4. How did you run Caddy (give the full command and describe the execution environment)?

caddy.exe in the command prompt

5. What did you expect to see?

> curl -u r:r http://example.com:801/admin/monitor
<!doctype html>...
> curl -u hacker:r http://example.com:801/admin/monitor
401 Unauthorized

The first command should return the page from the proxy, while the second should return a 404 (the r is missing - meaning the auth was successful)

6. What did you see instead (give full error messages and/or log)?

> curl -u r:r http://example.com:801/admin/monitor
{"message":"Basic auth failed"}
> curl -u hacker:r http://example.com:801/admin/monitor
401 Unauthorized

The first command fails to authenticate!

If I request a page not behind the proxy, admin/test for instance, I get a 404 or 401 error as expected (depending on whether the auth was successful).

All 5 comments

Caddy doesn't write a JSON response when basic auth fails... it looks like Caddy's basic auth is succeeding but your backend is seeing it as failed and writing some sort of JSON response.

Thanks for your very quick reply!
Can I prevent caddy from forwarding the basic auth info to the backend?

Edit: I'm looking at header_upstream which should do this

Try this in your proxy directive:

header_upstream -Authorization

We changed proxy recently so that it _will_ forward the Authorization header, but in the cases where Caddy's basicauth successfully completes the authorization, perhaps that header should be removed.

In any case, what I showed you should work.

Great, it works!

Thank you very much for this quick and efficient support :1st_place_medal:

@oliverpool No problem, see #1325. This _should_ mean you won't need to manually unset that header. I don't think my change will break anyone but we'll see. (If it does break someone, I think they're doing something strange...)
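The behaviour discussed in this thread, reproduced as an added example (not Caddy's code and not part of the original discussion): an edge handler checks basic auth and proxies upstream, first with the `Authorization` header forwarded and then with it removed, as `header_upstream -Authorization` does. The names `backend` and `run` and the backend's behaviour are assumptions built to match the responses quoted in the issue.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Constructed upstream app: rejects any request carrying credentials it does not know.
var backend = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Authorization") != "" {
		http.Error(w, `{"message":"Basic auth failed"}`, http.StatusUnauthorized)
		return
	}
	io.WriteString(w, "<!doctype html>...")
})

// run sends GET /admin/monitor as user:pass through an edge that checks basic auth
// (r:r, as in the Caddyfile); strip=true mirrors header_upstream -Authorization.
func run(strip bool, user, pass string) (int, string) {
	up := httptest.NewServer(backend)
	defer up.Close()
	target, _ := url.Parse(up.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	edge := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); !ok || subtle.ConstantTimeCompare([]byte(u+":"+p), []byte("r:r")) != 1 {
			http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
			return
		}
		if strip {
			r.Header.Del("Authorization") // edge credentials stop at the edge
		}
		proxy.ServeHTTP(w, r)
	})
	req := httptest.NewRequest("GET", "/admin/monitor", nil)
	req.SetBasicAuth(user, pass)
	rec := httptest.NewRecorder()
	edge.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(run(false, "r", "r")) // header forwarded: the backend answers 401
	fmt.Println(run(true, "r", "r"))  // header stripped: the backend serves the page
}
```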
