Access controls for admin API

Hey guys. I found this discussion [1] and hate that it did not turn out well. I am struggling to get Caddy to work for my use case but am convinced it is the best solution and want to keep working at it and help make the platform better.

I need the Admin API available on a public URL but would like some simple API token security so that if anyone ever found the endpoint, they could only call it if they could also find the API key.

Is anyone interested in discussing this? I am happy to help and am very grateful to all the work going in to Caddy.

–harris

[1] v2: Access controls for admin API · Issue #2850 · caddyserver/caddy · GitHub

An approach some have used is to use the origin option as essentially an authentication mechanism. Set the allowed origins to only some secret hash value.

Enable enforce_origin and specify a secret origin (wrapped in an array).

I wonder if the simplest method wouldn’t be to just have the http app reverse proxy to the admin endpoint and implement auth handlers.

This creates a deadlock. When the admin endpoint applies changes, it waits for the proxied request to finish, but the proxied request doesn’t finish until the changes are applied. It times out after a few seconds and I think it still works, but the admin API client will get an error response because the proxied request was forcefully terminated. You won’t really know if your changes succeeded or not.

I have plans to make the admin endpoint more readily exposable to external networks, but nothing in the short-term dev tree. (Right now my focus is on the website.)

Matt - I am happy to sponsor some development work on this.

Every time I have tried to do anything on that Admin API on any URI other than localhost I lose all ability to connect to Admin.

To start, I’d much rather pay a one-time sponsor fee than have to get a monthly support contract from Ardan Labs. But I am kind of dead in the water now and wasting a lot of time with trial and error.

I really think over time I can help you with Caddy if I can use it to support custom domains on Webase. But right now I am merely “a friend in need”! :slight_smile:

I know your time is valuable. Let me know.

–harris


Hmm, Ardan should be able to do a one-time development service too. Did they say they’ll only do a monthly contract? Let me double check. Did you email Miguel (and/or use our contact form) with your request?

I am trying this enforce_origin approach and using the simplest test case I can in order to isolate the problem.

I loaded this caddy.json file:

```json
{
    "admin": {
        "listen": "0.0.0.0:2019",
        "origins": ["webase://pl2ks-9c94kkg-ss9g224"],
        "enforce_origin": true
    },

    "apps": {
        "http": {
            "servers": {
                "example": {
                    "listen": [":2015"],
                    "routes": [
                        {
                            "handle": [{
                                "handler": "static_response",
                                "body": "Hello, world!"
                            }]
                        }
                    ]
                }
            }
        }
    }
}
```

Then I ran the following commands:

```
Harriss-MacBook-Pro-4:~ harris$ curl localhost:2019/config/
{"error":"missing required Origin header"}
```

Nice… what I would have expected. So let’s add the Origin header.

```
Harriss-MacBook-Pro-4:~ harris$ curl localhost:2019/config/ -H "Origin: webase://pl2ks-9c94kkg-ss9g224"
{"error":"client is not allowed to access from origin pl2ks-9c94kkg-ss9g224"}
```

But it still does not work. :confused:

How exactly is this origin header technique supposed to work?

–harris

Try putting only the host in the origin; I don’t think we support schemes (because it’s all HTTP anyway).
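The thread settles on two ideas: a secret, host-only value in the admin `origins` list acts as a shared secret, and any proxy that adds real authentication should not be the same Caddy instance whose config is being reloaded. The following is an added example written for this page, not Caddy's own code and not code from any poster: a small stand-alone Go reverse proxy that requires a bearer token from the client, then forwards the request to the admin endpoint with the secret Origin stamped on by the proxy itself. It assumes Caddy's admin endpoint is bound to `127.0.0.1:2019` (localhost rather than the `0.0.0.0` listen used in the thread, so only the proxy can reach it) with `"origins": ["secret.webase.com"]` and `"enforce_origin": true`; the `ADMIN_TOKEN` environment variable, the public port 8443 and the token format are all assumptions of the example. Because it runs as a separate process, it is not part of the configuration Caddy swaps during a reload, which is the situation Matt describes as deadlocking when the http app proxies to the admin endpoint in-process.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
	"strings"
)

// adminProxy sits in front of a Caddy admin endpoint that is bound to
// localhost and configured with "enforce_origin": true. A client must
// present a bearer token; only then does the proxy forward the request,
// stamped with the secret Origin value that Caddy's "origins" list allows.
type adminProxy struct {
	token        string // shared API token (hypothetical, not a Caddy setting)
	secretOrigin string // must equal an entry in Caddy's admin "origins"
	proxy        *httputil.ReverseProxy
}

// newAdminProxy builds the handler. upstream is the admin endpoint,
// e.g. http://127.0.0.1:2019.
func newAdminProxy(upstream *url.URL, token, secretOrigin string) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		r.Host = upstream.Host // present the request as a local one
		// Never forward the client's credential, and never let the client
		// choose the Origin: the secret origin is set by the proxy alone,
		// since the Origin is host-only (no scheme) per the thread.
		r.Header.Del("Authorization")
		r.Header.Set("Origin", secretOrigin)
	}
	return &adminProxy{token: token, secretOrigin: secretOrigin, proxy: rp}
}

func (p *adminProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if !p.authorized(r) {
		w.Header().Set("WWW-Authenticate", `Bearer realm="caddy-admin"`)
		http.Error(w, `{"error":"missing or invalid bearer token"}`, http.StatusUnauthorized)
		return
	}
	p.proxy.ServeHTTP(w, r)
}

// authorized checks "Authorization: Bearer <token>" with a comparison that
// takes constant time for equal-length inputs, so a valid token cannot be
// recovered byte by byte from response timing.
func (p *adminProxy) authorized(r *http.Request) bool {
	const prefix = "Bearer "
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, prefix) {
		return false
	}
	got := strings.TrimSpace(strings.TrimPrefix(h, prefix))
	return subtle.ConstantTimeCompare([]byte(got), []byte(p.token)) == 1
}

func main() {
	token := os.Getenv("ADMIN_TOKEN") // assumption: token is supplied via the environment
	if len(token) < 32 {
		log.Fatal("ADMIN_TOKEN must be set to a random string of at least 32 characters")
	}
	upstream, err := url.Parse("http://127.0.0.1:2019")
	if err != nil {
		log.Fatal(err)
	}
	// "secret.webase.com" is the host-only value from the thread's working
	// config; listening on :8443 is an assumption of this example.
	h := newAdminProxy(upstream, token, "secret.webase.com")
	log.Fatal(http.ListenAndServe(":8443", h))
}
```

Run the proxy on the same host as Caddy and put TLS in front of it (or serve it through Caddy's own http app on a separate site, which is not the admin endpoint and so does not hit the reload deadlock), because the bearer token crosses the network in the clear otherwise. A request without the token is answered 401 and never reaches Caddy; a request with the token reaches Caddy carrying the secret Origin and no Authorization header, and a caller who supplies their own Origin has it overwritten.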

FYI, please use ``` on lines before and after your code for code formatting in forum comments. > is for block quotes. Code blocks preserve whitespace correctly and use a monospaced font.

Sweet. It works without a URI scheme. I had put the scheme in there based on the Origin documentation here: Origin - HTTP | MDN

FYI francislavoie … the ``` does not work well when you paste JSON into the forum topic editor. No one loves well-formatted messages more than me! :slight_smile: … BUT… this editor is not as robust as Slack and just doesn’t work a good bit of the time!

–harris

Just type ```, hit enter, paste your JSON, hit enter, type another 3 backticks. That’s all you need to do. Works perfectly fine for me.

This is a test. I am about to type three backticks and press enter and paste some JSON.

```json
{
    "admin": {
        "listen": "0.0.0.0:2019",
        "origins": ["secret.webase.com"],
        "enforce_origin": true
    },

    "apps": {
        "http": {
            "servers": {
                "example": {
                    "listen": [":2015"],
                    "routes": [
                        {
                            "handle": [{
                                "handler": "static_response",
                                "body": "Hello, world!"
                            }]
                        }
                    ]
                }
            }
        }
    }
}
```

This is so great. Ok… so you need newlines on the beginning and ending for the formatting to work.

Back to work everyone… nothing to see here! :slight_smile:

Yep, as per the markdown spec: Extended Syntax | Markdown Guide

Slack is very loose with their markdown support… it’s very much not conformant.

Slack’s editor is broken.
