Caddy v2 basic auth and fail2ban failregex to catch incorrect login attempts

1. Caddy version (caddy version):

v2.3.0

2. How I run Caddy:

N/A

a. System environment:

UBUNTU 20.04 LTS

b. Command:

N/A

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

(authentication) {
  basicauth {
    user1=1234567890hash
  }
}

(logging) {
  log {
    format single_field common_log
    output file /var/log/caddy/{args.0}.access.log {
         roll_size 30
         roll_age 1,440
         roll_keep 20
    }
  }
}


example.com {
    handle {
        import authentication
        root * /var/www
    }
    encode gzip
    file_server

    import logging example.com
}

3. The problem I’m having:

Questions:

  1. Is there a way to make Caddy emit a log something like “authentication failed” (similar to nginx or Apache) when the user types incorrect login credentials?

  2. What would be the syntax to catch incorrect login attempts when a user enters wrong credentials when using basic auth?

Using this filter in fail2ban failregex = ^<HOST>.+\s(400|401)\s.+ is not a good idea as it bans users even without them trying to authenticate.

  3. What would be an alternative approach to count incorrect authentication attempts?

Thanks.

Unfortunately, not currently. See these issues on GitHub:

https://github.com/caddyserver/caddy/pull/3364

If you want to help champion this by re-implementing and testing this, it could make it in, but the people who were previously interested in this failed to help us bring it to completion.

Thanks very much, Francis. Yes, sure, I’d like to help. We are currently using Caddy for the staging environment and it would be a shame to switch back to the “classic” nginx, etc. due to the lack of this particular feature. Please tell me how I can help.

Please read the discussion in both links, then rebase or reapply the changes in the PR on the master branch, build and test, and show proof that the changes do what you were asking.
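Added example, not part of the thread and not Caddy or fail2ban code: it runs the failregex from the question over constructed access-log lines to show why it counts every first visit, then applies a count-within-a-window threshold instead. It assumes Common Log Format lines and that the log cannot tell a credential-less 401 from a wrong-password 401, as the thread describes; `naive_hosts` and `hosts_to_ban` are hypothetical names, and `max_retry` / `find_time` mirror fail2ban's `maxretry` / `findtime` settings with assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed Common Log Format: host ident authuser [time] "request" status size
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+$')
# The thread's failregex, with fail2ban's <HOST> tag replaced by a plain group.
THREAD_REGEX = re.compile(r'^(?P<host>\S+).+\s(400|401)\s.+')

def naive_hosts(lines):
    """Hosts the thread's regex would count a failure for (any 400/401 line)."""
    return sorted({m["host"] for line in lines if (m := THREAD_REGEX.match(line))})

def hosts_to_ban(lines, max_retry=4, find_time=timedelta(minutes=10)):
    """Hosts with at least max_retry 401s inside find_time (a heuristic)."""
    recent = defaultdict(deque)  # host -> timestamps of its recent 401s
    flagged = []
    for line in lines:
        m = CLF.match(line.strip())
        if not m or m["status"] != "401":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["host"]]
        window.append(ts)
        while ts - window[0] > find_time:  # drop 401s older than the window
            window.popleft()
        if len(window) >= max_retry and m["host"] not in flagged:
            flagged.append(m["host"])
    return flagged

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = (
    # Normal login: one credential-less 401 (the challenge), then success.
    ['198.51.100.7 - - [10/Oct/2021:13:00:00 +0000] "GET / HTTP/1.1" 401 0',
     '198.51.100.7 - - [10/Oct/2021:13:00:05 +0000] "GET / HTTP/1.1" 200 512']
    # Five 401s in under a minute: likely repeated wrong credentials.
    + [f'203.0.113.9 - - [10/Oct/2021:13:05:{s:02d} +0000] "GET / HTTP/1.1" 401 0'
       for s in range(0, 50, 10)]
    # Four 401s spread 20 minutes apart: never four inside one window.
    + [f'192.0.2.44 - - [10/Oct/2021:{t}:00 +0000] "GET / HTTP/1.1" 401 0'
       for t in ("14:00", "14:20", "14:40", "15:00")]
)

if __name__ == "__main__":
    print("thread regex counts:", naive_hosts(SAMPLE))
    print("threshold flags:   ", hosts_to_ban(SAMPLE))
```

The threshold only reduces false bans; it still cannot confirm that any single 401 was a wrong password.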
