Basic auth path exception?

pwFoo · June 6, 2016, 6:46pm

I have a special setup and need a exception from the basic auth configured just for one (sub-)path or source ip addresses.

Is it possible or could it be added as a new feature to the basic auth plugin?

matt · June 6, 2016, 6:47pm

Exceptions add complexity. How would you propose this work with the basicauth plugin?

pwFoo · June 6, 2016, 6:59pm

Hi @matt

if it would add to much complexity just forget my idea

I try to get direct access for some source ip addresses to the /api path, but all users should be authenticated by basic auth, client cert, … Just to secure the web admin interface

Any way / idea how to get something like that working? Another way could be a second reverse proxy and a rewrite from api subdomain to the /api path.

matt · June 6, 2016, 7:01pm

Okay How much or what kind of complexity is still unclear, and I don’t want to dismiss the idea before then.

So you want all users who access /api to have client cert? Or basic auth? (or both?) But not the rest of the site. Right?

pwFoo · June 6, 2016, 7:10pm

The API (/api) doen’t support additional pre-auth (like basic auth or cert auth), because the backend use token auth.

So I try to secure the web admin ("/"), but need an exception for the API path /api without any additional (reverse proxy) auth.

So basic auth required for all, but NO basic auth for path /api

A workaround could ba a additional revproxy / vhost with a subdomain mapped to the api

api.example.com → example.com/api as workaround if the is no “simple” solution to work with an exception.

jacob · June 7, 2016, 1:32pm

I would use the subdomain and then just rewrite:

api.example.com {
    rewrite / example.com/api
}

Very simple compared to adding exception rules to the basic auth plugin.

pwFoo · June 7, 2016, 2:12pm

I have created a new vhost with a different subdomain which proxies to the api backend server and access restriction by ipfilter.

Thanks!

jacob · June 7, 2016, 2:14pm

You’re welcome! I’m glad that will work for you

thechriswalker · August 9, 2016, 10:08am

I needed this functionality for a project of mine that has a Web App Manifest. I wanted the app to be behind basic auth but the manifest file must not be for it to be recognised.

I have simply amended the code and rebuilt from source, with the new (backwards compatible) syntax:

basicauth user pass {
    /
    not /manifest.json
}

Seems to work fine - the question is (@matt), should I go to the trouble of adding tests and submitting a pull request? I understand you not wanting to add complexity, so won’t bother if you don’t want this in mainline caddy. But I would be happy to if you did.

system · November 7, 2016, 10:08am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.