Error on basicauth failure

1. The problem I’m having:

I have this on my Caddyfile:

site.example.com {
        import tlsheaders
        import encodings

        tls {
                protocols tls1.2
                curves secp384r1
        }

        reverse_proxy http://127.0.0.1:9999 {
                flush_interval -1
        }

        basicauth /admin* {
                john hashedpasswordhere
        }
}

It works fine (I get the authentication prompt, and can log in), but if I fail the authentication, or simply pick cancel, it tries to download an empty “admin” file. I would like it to spit out an error, or perhaps redirect to another page instead. How to accomplish this?

2. Caddy version:

Running Caddy v2.7.0-beta.2

a. System environment:

Ubuntu Linux.

There’s no such thing. The way basic auth is prompted is specifically by responding with a 401 with the Www-Authenticate header. See the protocol:

If you want an error page then you’ll need to use a different authentication mechanism that allows you to have a user interface. For example you could run Authelia and pair it with Caddy’s forward_auth directive.
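The exchange described above, as an added example that is not part of the original thread or of Caddy: both sides of an HTTP Basic round trip (RFC 7617). The server's only "prompt" is a 401 carrying `WWW-Authenticate`; the client retries with an `Authorization: Basic base64(user:password)` header; a bad credential just gets the same 401 again. The realm `restricted` and user `john` are taken from the thread; the password, the PBKDF2 hashing (a standard-library stand-in for the bcrypt hashes Caddy stores) and the optional HTML error body are assumptions.

```python
"""HTTP Basic authentication exchange, both sides (added example, not Caddy code).

Assumptions: realm "restricted" and user "john" (from the thread); PBKDF2-HMAC-SHA256
stands in for the bcrypt hashes Caddy stores; the 401 body is optional.
"""
import base64
import binascii
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

REALM = "restricted"          # realm seen in the thread's Www-Authenticate header
PBKDF2_ROUNDS = 100_000       # assumed cost parameter for the stand-in hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2$<hex salt>$<hex digest>' (random salt unless one is given)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest and compare it in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Hash of a random throwaway password, verified against when the user is unknown,
# so an unknown user costs the same time as a wrong password for a known one.
DUMMY_HASH = hash_password(secrets.token_hex(16))


def client_authorization(user: str, password: str) -> str:
    """What a browser or curl -u sends after seeing the challenge."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_authorization(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>'; None for anything malformed."""
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")   # password may itself contain ':'
    return user, password


def challenge(body: bytes = b"") -> Tuple[int, Dict[str, str], bytes]:
    """The server's only way to 'prompt': a 401 with WWW-Authenticate.
    With an empty body this matches the thread's curl output
    (401, www-authenticate, content-length: 0, no content-type)."""
    headers = {"WWW-Authenticate": 'Basic realm="%s"' % REALM,
               "Content-Length": str(len(body))}
    if body:
        headers["Content-Type"] = "text/html; charset=utf-8"
    return 401, headers, body


def handle_request(headers: Dict[str, str], users: Dict[str, str],
                   error_body: bytes = b"") -> Tuple[int, Dict[str, str], bytes]:
    """Server side: serve the protected resource or re-issue the challenge."""
    creds = parse_authorization(headers.get("Authorization"))
    if creds is not None:
        user, password = creds
        stored = users.get(user, DUMMY_HASH)
        if verify_password(password, stored) and user in users:
            return 200, {"Content-Type": "text/html; charset=utf-8"}, b"<p>admin area</p>"
    return challenge(error_body)


def exchange(users: Dict[str, str], user: str, password: str,
             error_body: bytes = b"") -> Tuple[int, int]:
    """Full round trip: unauthenticated GET, then the retry with credentials.
    Returns the two status codes."""
    first, _, _ = handle_request({}, users, error_body)
    second, _, _ = handle_request({"Authorization": client_authorization(user, password)},
                                  users, error_body)
    return first, second


if __name__ == "__main__":
    # Constructed user table: "john" with a constructed password.
    users = {"john": hash_password("correct horse")}
    print(exchange(users, "john", "correct horse"))   # (401, 200)
    print(exchange(users, "john", "wrong"))           # (401, 401)
```

The point to take from `exchange` is that a failed or cancelled login is not a distinct event on the wire: the browser simply ends up holding the same 401 it was first challenged with. Passing a non-empty `error_body` to `challenge` adds a `Content-Type` and a body to that 401, which is the only thing the server can vary; the prompt itself is the browser's reaction to the `WWW-Authenticate` header.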

I am lost. On Apache, or nginx, if I use basic authentication, and don’t pass it, I get a 401. That isn’t happening on Caddy, I am getting an empty download. Are you saying that’s normal operation for Caddy?

Show an example with curl -v. I’m pretty sure Caddy will respond with a 401.

It does. How can I make it show a 401 page instead of initiating an empty file download?

I’m asking for evidence that it initiates a download. I’ve never seen that behaviour. The key is in the response headers, which is why I’m asking for an example with curl -v to prove it.

You removed most of the help topic template, part of which specifically asks for this information including logs. Please do not delete any part of the help topic template; there’s a reason it’s there. It’s to save your time as well as ours.


Apologies for assuming the information I left out was irrelevant. These are the logs:

{"level":"error","ts":1694118272.9459097,"logger":"http.log.access.log3","msg":"handled request","request":{"remote_ip":"10.100.100.20","remote_port":"59649","client_ip":"10.100.100.20","proto":"HTTP/3.0","method":"GET","host":"site.example.com","uri":"/author","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Accept-Language":["en-GB,en;q=0.9"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Priority":["u=0, i"],"Sec-Fetch-Mode":["navigate"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"],"Sec-Fetch-Dest":["document"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"site.example.com"}},"bytes_read":0,"user_id":"","duration":0.00014953,"size":0,"status":401,"resp_headers":{"Www-Authenticate":["Basic realm=\"restricted\""],"Date":["Thu, 07 Sep 2023 20:24:32 GMT"],"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000"],"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"]}}
{"level":"error","ts":1694118272.9798982,"logger":"http.log.access.log3","msg":"handled request","request":{"remote_ip":"10.100.100.20","remote_port":"59649","client_ip":"10.100.100.20","proto":"HTTP/3.0","method":"GET","host":"site.example.com","uri":"/author","headers":{"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Priority":["u=0, i"],"Sec-Fetch-Mode":["navigate"],"Accept-Language":["en-GB,en;q=0.9"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Fetch-Site":["none"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"site.example.com"}},"bytes_read":0,"user_id":"","duration":0.000099731,"size":0,"status":401,"resp_headers":{"Date":["Thu, 07 Sep 2023 20:24:32 GMT"],"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000"],"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
{"level":"error","ts":1694118273.0411742,"logger":"http.log.access.log3","msg":"handled request","request":{"remote_ip":"10.100.100.20","remote_port":"59649","client_ip":"10.100.100.20","proto":"HTTP/3.0","method":"GET","host":"site.example.com","uri":"/author","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Priority":["u=0, i"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"],"Accept-Language":["en-GB,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"site.example.com"}},"bytes_read":0,"user_id":"","duration":0.00012497,"size":0,"status":401,"resp_headers":{"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Www-Authenticate":["Basic realm=\"restricted\""],"Date":["Thu, 07 Sep 2023 20:24:33 GMT"],"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000"]}}
{"level":"error","ts":1694118288.446701,"logger":"http.log.access.log3","msg":"handled request","request":{"remote_ip":"10.100.100.20","remote_port":"59649","client_ip":"10.100.100.20","proto":"HTTP/3.0","method":"GET","host":"site.example.com","uri":"/author","headers":{"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Fetch-Mode":["navigate"],"Sec-Fetch-Dest":["document"],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Site":["none"],"Priority":["u=0, i"],"User-Agent":["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"],"Accept-Language":["en-GB,en;q=0.9"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h3","server_name":"site.example.com"}},"bytes_read":0,"user_id":"","duration":0.000083178,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Strict-Transport-Security":["max-age=31536000"],"X-Xss-Protection":["1; mode=block"],"X-Content-Type-Options":["nosniff"],"X-Frame-Options":["DENY"],"Www-Authenticate":["Basic realm=\"restricted\""],"Date":["Thu, 07 Sep 2023 20:24:48 GMT"]}}

This is the output of curl:

* TCP_NODELAY set
* Connected to site.example.com (10.100.100.20) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=site.example.com
*  start date: Sep  6 18:43:33 2023 GMT
*  expire date: Dec  5 18:43:32 2023 GMT
*  subjectAltName: host "site.example.com" matched cert's "site.example.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Server auth using Basic with user 'john'
* Using Stream ID: 1 (easy handle 0x55e69f87a300)
> GET /author HTTP/2
> Host: site.example.com
> authorization: Basic aGLybWVzikZhbGtlxbjIwMDAh
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401
< alt-svc: h3=":443"; ma=2592000
< server: Caddy
< strict-transport-security: max-age=31536000
* Authentication problem. Ignoring this.
< www-authenticate: Basic realm="restricted"
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-xss-protection: 1; mode=block
< content-length: 0
< date: Thu, 07 Sep 2023 20:30:49 GMT
<
* Connection #0 to host site.example.com left intact

Okay, that looks fine to me.

Maybe you can try with another webserver to show what response headers you get, as a point of comparison?
