Caddy2 php-fpm authorization

1. Caddy version (caddy version):

v2.2.0

2. How I run Caddy:

Installed via the CentOS tutorials and changing the /etc/caddy/Caddyfile

a. System environment:

OS: CentOS stream

b. Command:

systemctl reload caddy

c. Service/unit/compose file:

N/A

d. My complete Caddyfile or JSON config:

## Caddyfile
snipe-it {
   root * /var/www/snipe-it/public
   encode gzip zstd
   file_server
   php_fastcgi unix//run/php-fpm/www.sock {
      env HTTP_AUTHORIZATION {>Authorization}
   }
}

3. The problem I’m having:

I have tried to adapt the information from this post on php-fpm authorization header, but I could not get it to authorize. The errors I get are 401: Unauthorized from the webconsole from a request like:

https://snipe-it/api/v1/groups?search=&sort=name&order=asc&offset=0&limit=20&searchable%5B%5D=id&searchable%5B%5D=name&searchable%5B%5D=users_count&searchable%5B%5D=created_at

The provided .htaccess for snipe-it is:

## .htaccess
<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews
    </IfModule>

    RewriteEngine On

    # Uncomment these two lines to force SSL redirect in Apache
    # RewriteCond %{HTTPS} off
    # RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Security Headers
    # Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
    # Header set X-XSS-Protection "1; mode=block"
    # Header set X-Content-Type-Options nosniff
    # Header set X-Permitted-Cross-Domain-Policies "master-only"

</IfModule>
Options -Indexes

I would also like to confirm whether the first and second rules are already included in the default php_fastcgi. With the current Caddyfile it navigates without a problem, so I assume it is set automatically. The third rule, however, seems not to be working with the present file, and I don’t have the webdev expertise to understand what that rule should be set to in Caddy and how.

Any hints are appreciated. I have also tried to use Caddy as a reverse proxy to an Apache server; however, I have a problem with mixed http/https redirection (other webapps have the same problem for me), which I also don’t know how to properly solve, which is why I am trying to move completely to Caddy as a webserver.

4. Error messages and/or full log output:

https://snipe-it/api/v1/groups?search=&sort=name&order=asc&offset=0&limit=20&searchable%5B%5D=id&searchable%5B%5D=name&searchable%5B%5D=users_count&searchable%5B%5D=created_at
401: Unauthorized

5. What I already tried:

Using the Caddyfile above and redirecting to apache server.

6. Links to relevant resources:

Yep, php_fastcgi is a shortcut for this longer bit of config, which shows a bit more clearly that it does what those first 2 bits of .htaccess do:

Also Caddy’s reverse proxy (fastcgi is a proxy transport) passes through all headers, so that should work out of the box.

The post you linked to was for Caddy v1, which didn’t pass through everything transparently by default.

That said, how does snipe-it authenticate? Is it HTTP Basic auth? Do you get a browser prompt, or does it have a login page you’d go to?
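The expanded config the reply refers to is not reproduced in the thread. As an added example (not part of the original thread, and not Caddy's own text), the following is the php_fastcgi expansion as documented for Caddy v2, written out with the poster's root and the unix//run/php-fpm/www.sock socket from the Caddyfile above; the exact form has changed between releases, so check it against the documentation for the version you run before relying on it:

```caddyfile
snipe-it {
	root * /var/www/snipe-it/public
	encode gzip zstd

	# Expansion of: php_fastcgi unix//run/php-fpm/www.sock
	route {
		# Canonicalise directory requests with a 308 redirect: this is the
		# trailing-slash handling the first .htaccess block takes care of
		@canonicalPath {
			file {path}/index.php
			not path */
		}
		redir @canonicalPath {path}/ 308

		# If the requested path is not an existing file, rewrite to index.php:
		# the "Handle Front Controller" rewrite from the .htaccess
		@indexFiles file {
			try_files {path} {path}/index.php index.php
			split_path .php
		}
		rewrite @indexFiles {http.matchers.file.relative}

		# Only .php requests are proxied to PHP-FPM over FastCGI. Request
		# headers, Authorization included, are passed through unchanged, so
		# no equivalent of the third .htaccess rule (E=HTTP_AUTHORIZATION)
		# is needed here
		@phpFiles path *.php
		reverse_proxy @phpFiles unix//run/php-fpm/www.sock {
			transport fastcgi {
				split .php
			}
		}
	}

	file_server
}
```

The point for the question in this thread is the last comment: the FastCGI transport forwards the incoming Authorization header as HTTP_AUTHORIZATION without an explicit env line, so a 401 from the application with this config points at the application's token handling rather than at the header being dropped in transit.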

Thank you for the clarification.

As for the snipe-it authentication, as far as I can piece together:

  • I don’t think it’s HTTP Basic auth, there is a login page
  • It uses a MySQL database
  • The API uses Bearer authentication according to this reference
  • There is an option for LDAP, but I haven’t set it up yet

So far I suspect it is the Bearer API not being set up, judging from this screenshot:

That doesn’t sound like a Caddy issue, frankly. It’s probably just a Snipe-IT misconfiguration. I don’t know enough about the app to know what the issue might be, though.

It seems to be the case. I have tried directly accessing it with nginx and Apache and it still got the same error. But for the life of me, I can’t figure out why this happens.

I suggest reaching out to the Snipe-IT people or issue board for help. Also, feel free to mention that their docs could use a Caddy example! :sweat_smile: (They can reach out to me on Twitter or whatever if they want to chat about it)

Yes, I’ve left an issue on their GitHub, but they are not as fast as you guys for support :slight_smile:. Meanwhile I am trying to set up other apps, some of which have some niche breakage when using Caddy’s route, but I am making a separate issue for it.
