1. The problem I’m having:
I want Caddy to automatically log me in as a Zabbix user via HTTP authentication, which Zabbix supports. I do not want Zabbix to ask me for any credentials. My current configuration fails to fulfill this task.
2. Error messages and/or full log output:
$ curl -Lv https://zabbix.b3das.com/index_http.php
* Host zabbix.b3das.com:443 was resolved.
* IPv6: (none)
* IPv4: 144.91.93.145
* Trying 144.91.93.145:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / x25519 / id-ecPublicKey
* ALPN: server accepted h2
* Server certificate:
* subject: CN=zabbix.b3das.com
* start date: Nov 5 20:00:34 2024 GMT
* expire date: Feb 3 20:00:33 2025 GMT
* subjectAltName: host "zabbix.b3das.com" matched cert's "zabbix.b3das.com"
* issuer: C=US; O=Let's Encrypt; CN=E5
* SSL certificate verify ok.
* Certificate level 0: Public key type EC/prime256v1 (256/128 Bits/secBits), signed using ecdsa-with-SHA384
* Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using sha256WithRSAEncryption
* Certificate level 2: Public key type RSA (4096/152 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connected to zabbix.b3das.com (144.91.93.145) port 443
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://zabbix.b3das.com/index_http.php
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: zabbix.b3das.com]
* [HTTP/2] [1] [:path: /index_http.php]
* [HTTP/2] [1] [user-agent: curl/8.10.1]
* [HTTP/2] [1] [accept: */*]
> GET /index_http.php HTTP/2
> Host: zabbix.b3das.com
> User-Agent: curl/8.10.1
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< alt-svc: h3=":443"; ma=2592000
< authorization: Basic QWRtaW46emFiYml4
< content-type: text/html; charset=UTF-8
< date: Sat, 09 Nov 2024 11:22:12 GMT
< server: Caddy
< server: nginx
< x-powered-by: PHP/7.3.14
<
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge"/>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="Author" content="Zabbix SIA" />
<title>Warning [refreshed every 30 sec.]</title>
<link rel="icon" href="favicon.ico">
<link rel="apple-touch-icon-precomposed" sizes="76x76" href="assets/img/apple-touch-icon-76x76-precomposed.png">
<link rel="apple-touch-icon-precomposed" sizes="120x120" href="assets/img/apple-touch-icon-120x120-precomposed.png">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="assets/img/apple-touch-icon-152x152-precomposed.png">
<link rel="apple-touch-icon-precomposed" sizes="180x180" href="assets/img/apple-touch-icon-180x180-precomposed.png">
<link rel="icon" sizes="192x192" href="assets/img/touch-icon-192x192.png">
<meta name="csrf-token" content=""/>
<meta name="msapplication-TileImage" content="assets/img/ms-tile-144x144.png">
<meta name="msapplication-TileColor" content="#d40000">
<meta name="msapplication-config" content="none"/>
<link rel="stylesheet" type="text/css" href="assets/styles/blue-theme.css" />
</head>
<body lang="en"><main><output class="msg-bad msg-global">You are not logged in<div class="msg-details"><ul class="msg-details-border"><li>Login name or password is incorrect.</li></ul></div><div class="msg-buttons"><button type="button" id="login" name="login" onclick="document.location = "index.php?form=default";">Login</button></div></output></main><script type="text/javascript">
setTimeout('document.location.reload();', 30000);
* Connection #0 to host zabbix.b3das.com left intact
</script></body></html>
Caddy debug log:
{"level":"info","ts":1731152315.643794,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
{"level":"info","ts":1731152315.6455708,"msg":"adapted config to JSON","adapter":"caddyfile"}
{"level":"warn","ts":1731152315.6455946,"msg":"Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies","adapter":"caddyfile","file":"/etc/caddy/Caddyfile","line":2}
{"level":"info","ts":1731152315.6471949,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//127.0.0.1:2019","//localhost:2019","//[::1]:2019"]}
{"level":"info","ts":1731152315.6473749,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1731152315.6475017,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"info","ts":1731152315.6474576,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc00013f000"}
{"level":"debug","ts":1731152315.6475425,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"reverse_proxy","headers":{"request":{"replace":{"Authorization":[{"replace":"QWRtaW46emFiYml4","search_regexp":"Basic"}]}}},"upstreams":[{"dial":"localhost:8080"}]}]}]}],"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
{"level":"info","ts":1731152315.6481287,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1731152315.648219,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 7168 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Buffer-Sizes for details."}
{"level":"debug","ts":1731152315.648619,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1731152315.6486373,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1731152315.6486855,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1731152315.6486936,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1731152315.6486976,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["zabbix.b3das.com"]}
{"level":"debug","ts":1731152315.6493323,"logger":"tls.cache","msg":"added certificate to cache","subjects":["zabbix.b3das.com"],"expiration":1738612834,"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"c76f708dec8be7a11c189295ff160316bd5663c259aea34fdea05e6a3c18f6b8","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1731152315.6493952,"logger":"events","msg":"event","name":"cached_managed_cert","id":"f64fbfa3-92c0-4236-a570-921004b62261","origin":"tls","data":{"sans":["zabbix.b3das.com"]}}
{"level":"info","ts":1731152315.6505263,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/data/caddy","instance":"cbe60ac2-8745-40e1-b692-d3bd5d0bdf22","try_again":1731238715.6505232,"try_again_in":86399.999999298}
{"level":"info","ts":1731152315.6506495,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1731152315.6508505,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1731152315.6510017,"msg":"serving initial configuration"}
{"level":"debug","ts":1731152318.8298652,"logger":"events","msg":"event","name":"tls_get_certificate","id":"488155bf-8db5-4f37-9986-90944f5e7576","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4867,4865,49196,49200,159,52393,52392,52394,49195,49199,158,49188,49192,107,49187,49191,103,49162,49172,57,49161,49171,51,157,156,61,60,53,47],"ServerName":"zabbix.b3das.com","SupportedCurves":[29,23,30,25,24,256,257,258,259,260],"SupportedPoints":"AAEC","SignatureSchemes":[1027,1283,1539,2055,2056,2074,2075,2076,2057,2058,2059,2052,2053,2054,1025,1281,1537,771,769,770,1026,1282,1538],"SupportedProtos":["h2","http/1.1"],"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.2.100","Port":42022,"Zone":""},"LocalAddr":{"IP":"10.0.2.100","Port":443,"Zone":""}}}}
{"level":"debug","ts":1731152318.8299167,"logger":"tls.handshake","msg":"choosing certificate","identifier":"zabbix.b3das.com","num_choices":1}
{"level":"debug","ts":1731152318.8299363,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"zabbix.b3das.com","subjects":["zabbix.b3das.com"],"managed":true,"issuer_key":"acme-v02.api.letsencrypt.org-directory","hash":"c76f708dec8be7a11c189295ff160316bd5663c259aea34fdea05e6a3c18f6b8"}
{"level":"debug","ts":1731152318.829946,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.0.2.100","remote_port":"42022","subjects":["zabbix.b3das.com"],"managed":true,"expiration":1738612834,"hash":"c76f708dec8be7a11c189295ff160316bd5663c259aea34fdea05e6a3c18f6b8"}
{"level":"debug","ts":1731152318.8567958,"logger":"http.handlers.reverse_proxy","msg":"selected upstream","dial":"localhost:8080","total_upstreams":1}
{"level":"debug","ts":1731152318.9522004,"logger":"http.handlers.reverse_proxy","msg":"upstream roundtrip","upstream":"localhost:8080","duration":0.095265993,"request":{"remote_ip":"10.0.2.100","remote_port":"42022","client_ip":"10.0.2.100","proto":"HTTP/2.0","method":"GET","host":"zabbix.b3das.com","uri":"/index_http.php","headers":{"Accept":["*/*"],"X-Forwarded-For":["10.0.2.100"],"X-Forwarded-Proto":["https"],"X-Forwarded-Host":["zabbix.b3das.com"],"User-Agent":["curl/8.10.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"zabbix.b3das.com"}},"headers":{"Keep-Alive":["timeout=20"],"X-Powered-By":["PHP/7.3.14"],"Authorization":["REDACTED"],"Server":["nginx"],"Date":["Sat, 09 Nov 2024 11:38:38 GMT"],"Content-Type":["text/html; charset=UTF-8"],"Connection":["keep-alive"]},"status":200}
3. Caddy version:
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
4. How I installed and ran Caddy:
podman pod create --name mypod -p 80:80 -p 443:443
podman run -d --pod mypod --name caddytest -v caddy_data:/data -v $PWD/caddy:/etc/caddy docker.io/caddy:latest
podman run -d --pod mypod --name zabbix docker.io/zabbix/zabbix-appliance
a. System environment:
rootless podman version 3.4.4, x86_64, Ubuntu 22.04 jammy
b. Command:
podman pod create --name mypod -p 80:80 -p 443:443
cd /path/to/caddy
podman run -d --pod mypod --name caddytest -v caddy_data:/data -v $PWD/caddy:/etc/caddy docker.io/caddy:latest
d. My complete Caddy config:
{
	debug
}
zabbix.b3das.com {
	reverse_proxy http://localhost:8080 {
		header_up Authorization Basic QWRtaW46emFiYml4
	}
}
5. Links to relevant resources:
QWRtaW46emFiYml4 are the default Zabbix credentials (Admin:zabbix).
https://hub.docker.com/r/zabbix/zabbix-appliance/
NGINX within Zabbix was configured to run on port 8080 instead of the default 80.
The credentials seem to work when used within the Zabbix container:
$ podman exec -it zabbix /bin/bash
$ curl -sL http://localhost:8080/index_http.php | grep passw
<body lang="en"><main><output class="msg-bad msg-global">You are not logged in<div class="msg-details"><ul class="msg-details-border"><li>Login name or password is incorrect.</li></ul></div><div class="msg-buttons"><button type="button" id="login" name="login" onclick="document.location = "index.php?form=default";">Login</button></div></output></main><script type="text/javascript">
$ curl -sL http://localhost:8080/index_http.php -u Admin:zabbix | grep passw
bash-5.0#
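As an added illustration (not part of the original post): the adapted config in the Caddy debug log above contains `"search_regexp":"Basic","replace":"QWRtaW46emFiYml4"`, which means Caddy read the three-token `header_up` line as its `header_up <field> <regexp> <replacement>` form rather than as `header_up <field> <value>`, and a regexp replacement does nothing when the client request carries no Authorization header at all. The Python below models both forms on the request headers from the curl transcript (a constructed sample) and decodes the credential that the quoted form would forward; `header_up` and `decode_basic` are illustrative names, not Caddy code.

```python
import base64
import re

# Constructed sample: the request headers curl sent in the transcript above.
# Note that it carries no Authorization header.
CLIENT_REQUEST_HEADERS = {
    "Host": "zabbix.b3das.com",
    "User-Agent": "curl/8.10.1",
    "Accept": "*/*",
}


def header_up(headers, field, *args):
    """Simplified model of Caddy's reverse_proxy header_up directive:
       header_up <field> <value>                -> set the header
       header_up <field> <regexp> <replacement> -> regexp-replace inside an EXISTING header
    Returns a new dict; the input is left untouched."""
    out = dict(headers)
    if len(args) == 1:
        out[field] = args[0]
    elif len(args) == 2:
        pattern, replacement = args
        if field in out:  # a replacement can only act on a header that is already present
            out[field] = re.sub(pattern, replacement, out[field])
    else:
        raise ValueError("header_up takes one or two arguments after the field name")
    return out


def upstream_headers_unquoted():
    # The posted Caddyfile line: three tokens, so it is parsed as search/replace.
    return header_up(CLIENT_REQUEST_HEADERS, "Authorization", "Basic", "QWRtaW46emFiYml4")


def upstream_headers_quoted():
    # Quoting "Basic QWRtaW46emFiYml4" makes it one token, so the header is set.
    return header_up(CLIENT_REQUEST_HEADERS, "Authorization", "Basic QWRtaW46emFiYml4")


def decode_basic(header_value):
    """Decode a Basic credential into (user, password) to verify what identity is forwarded."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


if __name__ == "__main__":
    print("unquoted form ->", upstream_headers_unquoted().get("Authorization"))  # None
    print("quoted form   ->", upstream_headers_quoted().get("Authorization"))
    print("forwarded as  ->", decode_basic(upstream_headers_quoted()["Authorization"]))
```

The curl transcript above also shows `authorization: Basic QWRtaW46emFiYml4` arriving in the response, so the default credential is currently disclosed to any unauthenticated client regardless of how the upstream header is set.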