Caddyfile set password securely


(xoron) #1

I have only started to use Caddy and I am trying to figure out how to create an endpoint with a secure basicauth configured.

Given a configuration like this:

test.my-domain.com {
    basicauth / testuser testpassword
    proxy / http://192.168.1.1:5000
}

I want to know how I can make it so that the password is secured and not in plain text.

I have created a Docker secret called TEST_PASSWORD which is imported to a file at the location /run/secrets/TEST_PASSWORD. The content of this file is the password.

According to the documentation, the import directive will read the content of the file and replace the line. https://caddyserver.com/docs/caddyfile#import

test.my-domain.com {
    basicauth / testuser import /run/secrets/TEST_PASSWORD
    proxy / http://192.168.1.1:5000
}

But this does not work. I have also tried with the lines:

  • basicauth / testuser {import /run/secrets/TEST_PASSWORD}
  • basicauth / testuser {%import /run/secrets/TEST_PASSWORD%}

Does anyone know what I am doing wrong here?


(Matthew Fay) #2

While import is special in that it can be outside of a site definition block, it remains like all other directives in that it must be top-level (it can’t be part of another directive).

Here’s one idea for a workaround: while you can’t use import to read a file’s contents into an arbitrary directive value, you can read environmental variables in this way:

https://caddyserver.com/docs/caddyfile#env

You could try using on startup to export the contents of the file to some environmental variable and immediately read it back into your basicauth configuration.

https://caddyserver.com/docs/on


Alternately, you might consider http.login, which - among other sources - can optionally read from a htpasswd file.

https://caddyserver.com/docs/http.login
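
An added example of the environment-variable route (not part of either post): a container entrypoint that loads the Docker secret into `TEST_PASSWORD` before starting Caddy, so the variable is already in Caddy's environment when the Caddyfile is parsed. The helper name `load_secret`, the `RUN_CADDY` switch and the path `/etc/Caddyfile` are assumptions; the secret path and site block are the ones from the question.

```shell
#!/bin/sh
# Added example: entrypoint helper for the Caddy container (not from the thread).

# load_secret VAR FILE: export VAR with the contents of FILE.
# Returns non-zero instead of starting Caddy with a missing or empty password.
load_secret() {
    var=$1
    file=$2
    # Only accept a valid shell identifier before handing it to export.
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "bad variable name: $var" >&2
            return 2 ;;
    esac
    if [ ! -r "$file" ]; then
        echo "secret file not readable: $file" >&2
        return 1
    fi
    # Command substitution drops the trailing newline most editors add.
    value=$(cat "$file") || return 1
    if [ -z "$value" ]; then
        echo "secret file is empty: $file" >&2
        return 1
    fi
    export "$var=$value"
    unset value
}

# The Caddyfile then references the variable instead of a literal password:
#
#   test.my-domain.com {
#       basicauth / testuser {$TEST_PASSWORD}
#       proxy / http://192.168.1.1:5000
#   }

# RUN_CADDY=1 is a hypothetical switch so the file can also be sourced for testing.
if [ "${RUN_CADDY:-0}" = 1 ]; then
    load_secret TEST_PASSWORD /run/secrets/TEST_PASSWORD || exit 1
    # exec replaces the shell, so Caddy inherits the exported variable.
    exec caddy -conf /etc/Caddyfile
fi
```

The value still sits in plaintext in the Caddy process's environment, so this keeps the password out of the Caddyfile and the image, not out of the running container.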