1. Caddy version (caddy version):
v2.4.6 h1:HGkGICFGvyrodcqOOclHKfvJC0qTU7vny/7FhYp9hNw=
2. How I run Caddy:
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
a. System environment:
systemd, not inside docker, ubuntu 18.04
b. Command:
caddy reload --config /etc/caddy/Caddyfile
c. Service/unit/compose file:
no
d. My complete Caddyfile or JSON config:
adomain.tld {
    root * /opt/www/html
    header / Strict-Transport-Security "max-age=15768000;"
    templates
    encode zstd gzip
    file_server
    log {
        output file /var/log/caddy/weblogs.log
    }
}
sub.adomain.tld {
    route /restricted/* {
        # import file_with_several_basicauth_entries like so:
        basicauth /restricted/item1.pdf {
            a JDJhJDE0.......
        }
        basicauth /restricted/item2.pdf {
            a JDJhJDE0.......
        }
        basicauth /restricted/item3.pdf {
            a JDJhJDE0.......
        }
        # this above is everything inside file_with_several_basicauth_entries there is nothing else there
        # reason it is separated, is because i could easily append / or delete from that file
        file_server /restricted/* {
            root /opt/www/sub/restricted/
            hide /opt
        }
    }
    file_server {
        root /opt/www/sub
        hide /opt
    }
    # handle /restricted/* { respond "please provide correct path" }
}
3. The problem I’m having:
First of all, I need to make a correction to the above. This is not directly my Caddyfile: my Caddyfile has two import lines, import one_file (only with the “top level domain”) and import “other_file”. I have “merged them” and pasted them here together in the same order. I hope this doesn’t change anything for you guys.
My intended usage:
- whenever a user navigates to sub.adomain.tld/restricted, they should be redirected to “please provide correct path”
- whenever a user navigates to sub.adomain.tld/restricted/no_such_file.pdf, they should be redirected to “please provide correct path”
- whenever a user navigates to sub.adomain.tld/restricted/correct_file.pdf, they should first be asked to do basic auth, then the file should be served
- whenever a user navigates to sub.adomain.tld, on paths other than /restricted, I would want to have file_server serving normal www2
- whenever a user navigates to adomain.tld, I would want to have Caddy serving normal www1
Optionally, I would also want to be able to have another reverse_proxy for one sub.adomain.tld/something path. But perhaps this is a separate issue and I don’t want to create confusion here.
4. Error messages and/or full log output:
There aren’t any errors. Caddy loads, but I don’t have any “handler” when a wrong URI is typed.
If I remove the second file_server from the route and replace it with handle /restricted/* { respond }, then I get the notification, but when I properly authenticate, I don’t get the files served. However, when a wrong /restricted/badfile is given, I just have a blank screen, as no 404 handler is set up.
5. What I already tried:
I have also tried to have
route /restricted/* {
    import file_with_several_basicauth_entries
    respond "please provide proper /restricted/ path" # or same with handle
}
But in this case, when I provided proper credentials, instead of PDF files I would get 0 bytes, or (on /restricted/bad.pdf) I would get a PDF with the contents “please provide …”
Now I have some (wrong) ideas about why that is so. Perhaps when I write them down here, this could be used to improve documentation for others?
- I have read in another thread [1] that basicauth is “propagated” down. So whenever this “worked”, it applies to everything that is further down in the Caddyfile.
- I probably should set up handle_errors, however I can’t have that for a custom matcher
- I think this is because when the route ends, it needs to have a file server. But in that case perhaps this should be a route inside a route?

I have also tried adding handle_errors inside the route:
route /restriced/* {
    import files_with_basic_auths
    file_server {
    }
    handle_errors {
        @4xx expression `{http.error.status_code} >= 400 && {http.error.status_code} < 500`
        respond @4xx "It's a 4xx error!"
        respond "It's not a 4xx error."
    }
However in this case Caddy fails to reload.
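
An added example, not part of the original post and not the Caddy project's own configuration: one Caddyfile layout for sub.adomain.tld that matches the intended usage listed above by giving each protected file its own handle block and answering every other /restricted path with the message. It assumes the PDFs sit in /opt/www/sub/restricted/ on disk; the hashes are the post's elided placeholders.

```caddyfile
sub.adomain.tld {
    # Assumption: item1.pdf etc. are stored in /opt/www/sub/restricted/
    root * /opt/www/sub

    # --- these handle blocks can live in file_with_several_basicauth_entries ---
    # One block per protected file: authenticate first, then serve that file.
    handle /restricted/item1.pdf {
        basicauth {
            a JDJhJDE0.......
        }
        file_server
    }
    handle /restricted/item2.pdf {
        basicauth {
            a JDJhJDE0.......
        }
        file_server
    }
    handle /restricted/item3.pdf {
        basicauth {
            a JDJhJDE0.......
        }
        file_server
    }
    # --- end of the importable part ---

    # Default deny: handle blocks are mutually exclusive and the more specific
    # paths above are tried first, so this block only sees /restricted itself
    # and any /restricted/... path that has no entry of its own.
    handle /restricted* {
        respond "please provide correct path" 404
    }

    # Everything outside /restricted is served as a normal static site.
    handle {
        file_server
    }
}
```

With this layout a file placed in the restricted directory without its own handle block is never passed to file_server, whereas in the route shown in the post the final file_server serves any existing file under /restricted/ whose path matches no basicauth entry, without asking for credentials.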