Caddy Basic Auth Password reset

1. Caddy version (caddy version):

v2.4.2

2. How I run Caddy:

Docker container (ubuntu:18.04) with supervisord

a. System environment:

Docker container (ubuntu:18.04) with supervisord

b. Command:

caddy run -config /etc/Caddyfile

c. Service/unit/compose file:

# get the caddy executable
FROM caddy AS caddy-build

FROM ubuntu:18.04 

# install geth, python, node, and smart contract development tooling
RUN apt update -y \
  && apt install -y software-properties-common gpg \
  && add-apt-repository -y ppa:deadsnakes/ppa \
  && add-apt-repository -y ppa:ethereum/ethereum \
  && apt update -y \
  && apt install -y \
    ethereum solc \
    supervisor \
    python3.8 python3-pip python3.8-dev \
    vim curl tmux git zip unzip speedometer net-tools \
  && python3.8 -m pip install web3 py-solc py-solc-x \
  && curl -fsSL https://deb.nodesource.com/setup_12.x | bash - \
  && apt install -y nodejs \
  && npm install -g solc \
  && curl https://rclone.org/install.sh | bash \
  && rm -rf /var/lib/apt/lists/*

# get the Caddy server executable
# copy the caddy server build into this container
COPY --from=caddy-build /usr/bin/caddy /usr/bin/caddy
COPY Caddyfile /etc/
RUN chmod a+rwx /etc/Caddyfile

ENV USERNAME "user"
ENV PASSWORD "admin"
RUN echo "basicauth /* {" > /tmp/hashpass.txt && \
    echo "    {env.USERNAME}" $(caddy hash-password -plaintext $(echo $PASSWORD)) >> /tmp/hashpass.txt && \
    echo "}" >> /tmp/hashpass.txt

ENTRYPOINT ["sh", "-c", "supervisord"]

d. My complete Caddyfile or JSON config:

:8888 {
    log
    root * /home/user1
    redir / /ui/
	
    handle_path /ui/* {
        reverse_proxy http://localhost:3000
        import /tmp/hashpass.txt
    }
}

3. The problem I’m having:

I’m using Caddy to serve a Theia-based IDE, and I’m protecting the UI with Caddy’s basic auth directive where I generate and store to disk the hashed password by running caddy hash-password --plaintext <mypassword>. This works great, but I need to allow for the scenario in which the user wishes to change their password.

I have a UI widget that asks the user to input their old password and I must then validate the password against their old password that has previously been hashed for safety. It’s kind of silly but I’m just not sure how to go about validating that the old password they provide is indeed the one previously stored after running the hash-password command.

4. Error messages and/or full log output:

5. What I already tried:

I thought I would be clever and put something like this into my Caddyfile:

    handle_path /ui/* {
        reverse_proxy http://localhost:3000
        respond /passwordcheck/ "OK"
        import /tmp/hashpass.txt
    }

so that my widget could hit the /ui/passwordcheck/ subroute with the password provided and if it returned OK, then I would know the password was correct. This works when the password is correct, however, the problem is that I was expecting an incorrect password to return an error code that I could easily catch, but instead it just prompts for the username and password again.

Hopefully my question makes sense. Thanks for any advice you may be able to offer.

6. Links to relevant resources:

Honestly, if you need anything more than simple managed-by-the-admin password support, you should look into using the caddy-auth-portal plugin instead. It’s properly equipped for managing accounts and passwords.

Also, I have to recommend against using supervisord to run multiple services in one Docker container. It kinda goes against the purpose of Docker. It’s better to have one container per service.


That’s a cool plugin, I’ll see what I can do with that. Thanks @francislavoie!
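
On the re-prompt described in the question: basicauth answers a wrong password with a 401 and a `WWW-Authenticate: Basic` challenge, and a browser reacts to that challenge by showing its login dialog. The sketch below is an added example, not code from the thread, that makes the same check from the IDE backend so the 401 arrives as a status code. It assumes the Caddyfile from the post (port 8888, the `/ui/passwordcheck/` route) and Node 18+; the function names are hypothetical.

```javascript
// Added example, not code from the thread. Assumes the Caddyfile above:
// Caddy on 127.0.0.1:8888, basicauth on /ui/*, and the /ui/passwordcheck/ route.
// Runs in the IDE backend (Node 18+ for global fetch), never in the browser,
// so a 401 comes back as a status code instead of a login dialog.

// Authorization header value for HTTP Basic auth (RFC 7617).
function basicAuthHeader(user, password) {
  // The first ':' separates user from password, so a user-id may not contain one.
  if (user.includes(':')) throw new Error('username must not contain ":"');
  return 'Basic ' + Buffer.from(`${user}:${password}`, 'utf8').toString('base64');
}

// Turn Caddy's answer into a verdict. Only a 401 carrying a Basic challenge
// means "wrong password"; anything else unexpected is an error, so an outage
// or a misrouted request is never mistaken for a failed (or passed) check.
function verdictFor(status, wwwAuthenticate) {
  if (status === 200) return 'ok';
  if (status === 401 && /^basic\b/i.test(wwwAuthenticate || '')) return 'wrong-password';
  return 'error';
}

// Ask Caddy to verify the old password against the stored hash.
async function checkOldPassword(user, password, base = 'http://127.0.0.1:8888') {
  const res = await fetch(new URL('/ui/passwordcheck/', base), {
    headers: { Authorization: basicAuthHeader(user, password) },
    redirect: 'manual',                 // a redirect is not a successful check
    signal: AbortSignal.timeout(3000),  // do not hang the password-change form
  });
  return verdictFor(res.status, res.headers.get('www-authenticate'));
}
```

Treat `error` as a failed change rather than a match, and throttle repeated `wrong-password` results per session, since the route answers yes or no to any password guess sent to it.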
