1. Output of `caddy version`:
```
./caddy-dav version
v2.6.2 h1:wKoFIxpmOJLGl3QXoo6PNbYvGW4xLEgo32GPBEjWL8o=
```
2. How I run Caddy:
I want to run Caddy as a WebDAV server. I’ve built with the DAV module, and am trying to set up authn/authz appropriately. I’d like one set of accounts to have access to all resources and grant some accounts access to subdirectories for the server.
For example, I’d like to have `rootuser` have access to everything under `/`, and `auser` under `/a`.
a. System environment:
Running on debian testing at the moment, but also seen the behavior on Arch.
b. Command:
```
./caddy-dav run --config Caddyfile
```
c. My complete Caddy config:
```
{
	auto_https off
}
(commonuser) {
	rootuser $2a$14$4hhw4M3lnbJsmAzZQ7ulWerfPVYweV9gx5Cfd2eBJZhQv/cOFb0fG
}
:7890 {
	log {
		output stderr
		format console
	}
	root * /tmp/caddydav/root
	route {
		handle /a/* {
			basicauth bcrypt "a" {
				import commonuser
				auser $2a$14$4hhw4M3lnbJsmAzZQ7ulWerfPVYweV9gx5Cfd2eBJZhQv/cOFb0fG
			}
		}
		handle /* {
			basicauth bcrypt "root" {
				import commonuser
			}
		}
		@get method GET
		file_server @get {
			browse
		}
		webdav
	}
}
```
Note that the password for both accounts is `testing123`.
3. The problem I’m having:
I expect that the user `auser` has access to only `/a/`, but `rootuser` has access to everything. `rootuser` works, but `auser` does not.
```
curl -u rootuser:testing123 -v http://localhost:7890/a/index.html
* Trying ::1:7890...
* Trying 127.0.0.1:7890...
* Connected to localhost (127.0.0.1) port 7890 (#0)
* Server auth using Basic with user 'rootuser'
> GET /a/index.html HTTP/1.1
> Host: localhost:7890
> Authorization: Basic cm9vdHVzZXI6dGVzdGluZzEyMw==
> User-Agent: curl/7.74.0
> Accept: */*
> Referer:
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Content-Length: 10
< Content-Type: text/html; charset=utf-8
< Etag: "rojke1a"
< Last-Modified: Sun, 15 Jan 2023 19:20:25 GMT
< Server: Caddy
< Date: Sun, 15 Jan 2023 21:00:29 GMT
<
this is a
```
```
curl -u auser:testing123 -v http://localhost:7890/a/index.html
* Trying ::1:7890...
* Trying 127.0.0.1:7890...
* Connected to localhost (127.0.0.1) port 7890 (#0)
* Server auth using Basic with user 'auser'
> GET /a/index.html HTTP/1.1
> Host: localhost:7890
> Authorization: Basic YXVzZXI6dGVzdGluZzEyMw==
> User-Agent: curl/7.74.0
> Accept: */*
> Referer:
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: Caddy
* Authentication problem. Ignoring this.
< Www-Authenticate: Basic realm="root"
< Date: Sun, 15 Jan 2023 21:12:55 GMT
< Content-Length: 0
<
```
Note that it requires realm `root`, but I understand that `handle` blocks should be mutually exclusive. Is there something I am not understanding about this?
4. Error messages and/or full log output:
```
2023/01/15 21:14:27.101 INFO using provided configuration {"config_file": "Caddyfile", "config_adapter": ""}
2023/01/15 21:14:27.103 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/01/15 21:14:27.103 WARN http automatic HTTPS is completely disabled for server {"server_name": "srv0"}
2023/01/15 21:14:27.103 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000960e00"}
2023/01/15 21:14:27.103 DEBUG http starting server loop {"address": "[::]:7890", "tls": false, "http3": false}
2023/01/15 21:14:27.103 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/01/15 21:14:27.103 INFO tls cleaning storage unit {"description": "FileStorage:/home/user/.local/share/caddy"}
2023/01/15 21:14:27.103 INFO tls finished cleaning storage units
2023/01/15 21:14:27.103 INFO autosaved config (load with --resume flag) {"file": "/home/user/.config/caddy/autosave.json"}
2023/01/15 21:14:27.103 INFO serving initial configuration
2023/01/15 21:14:39.123 DEBUG http.log.error.log0 not authenticated {"request": {"remote_ip": "127.0.0.1", "remote_port": "45252", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:7890", "uri": "/a/index.html", "headers": {"User-Agent": ["curl/7.74.0"], "Accept": ["*/*"], "Referer": [""], "Authorization": []}}, "duration": 1.594662275, "status": 401, "err_id": "885f5qwp8", "err_trace": "caddyauth.Authentication.ServeHTTP (caddyauth.go:88)"}
2023/01/15 21:14:39.123 ERROR http.log.access.log0 handled request {"request": {"remote_ip": "127.0.0.1", "remote_port": "45252", "proto": "HTTP/1.1", "method": "GET", "host": "localhost:7890", "uri": "/a/index.html", "headers": {"Referer": [""], "Authorization": [], "User-Agent": ["curl/7.74.0"], "Accept": ["*/*"]}}, "user_id": "auser", "duration": 1.594662275, "size": 0, "status": 401, "resp_headers": {"Server": ["Caddy"], "Www-Authenticate": ["Basic realm=\"root\""]}}
```
5. What I already tried:
- Read the docs on `handle` blocks repeatedly.
- Tried both `/*` and no path on the fall-through handle block.
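
The two curl runs in the post can be turned into a repeatable access check. The following is an added example, not part of the original post and not Caddy's own tooling: it parses trimmed `curl -v` transcripts, compares each result with the intended policy, and reports which realm issued the challenge. The `POLICY` table and the function names are assumptions made for the example.

```python
import re

# Intended policy from the post: which users may read which path prefixes.
POLICY = {"rootuser": ["/"], "auser": ["/a/"]}

# Trimmed `curl -v` transcripts from the post (only the lines the parser needs).
TRANSCRIPTS = [
    """* Server auth using Basic with user 'rootuser'
> GET /a/index.html HTTP/1.1
< HTTP/1.1 200 OK
""",
    """* Server auth using Basic with user 'auser'
> GET /a/index.html HTTP/1.1
< HTTP/1.1 401 Unauthorized
< Www-Authenticate: Basic realm="root"
""",
]

def parse(transcript):
    """Extract user, request path, status and challenge realm from curl -v output."""
    user = re.search(r"Basic with user '([^']*)'", transcript)
    req = re.search(r"^> \w+ (\S+) HTTP/", transcript, re.M)
    status = re.search(r"^< HTTP/\S+ (\d{3})", transcript, re.M)
    realm = re.search(r'^< www-authenticate:.*realm="([^"]*)"', transcript, re.M | re.I)
    if not (user and req and status):
        raise ValueError("not a curl -v transcript with Basic auth")
    return {"user": user.group(1), "path": req.group(1),
            "status": int(status.group(1)),
            "realm": realm.group(1) if realm else None}

def allowed(user, path):
    """True if POLICY grants `user` a prefix covering `path`."""
    return any(path.startswith(p) for p in POLICY.get(user, []))

def check(transcript):
    """Compare one observed response with the policy; return (ok, detail)."""
    r = parse(transcript)
    expect_ok = allowed(r["user"], r["path"])
    got_ok = r["status"] not in (401, 403)
    detail = f'{r["user"]} {r["path"]} -> {r["status"]}'
    if r["realm"] is not None:
        detail += f' (challenge realm "{r["realm"]}")'
    return expect_ok == got_ok, detail

if __name__ == "__main__":
    for t in TRANSCRIPTS:
        ok, detail = check(t)
        print("PASS" if ok else "FAIL", detail)
```

The realm in a failing line names the `basicauth` block that rejected the request, which is the detail the post points out for `auser`.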