How to exclude files from basic_auth?

1. The problem I’m having:

I am using Caddy as a reverse proxy which adds basic auth to a webapp. Browsers add the authorization header to almost every request. For manifest.json it is not added.

2. Error messages and/or full log output:

  • The browser returns a 401 for the manifest.json.

3. Caddy version:

Latest docker image.

4. How I installed and ran Caddy:

This is my current config. I need to exclude manifest.json files.

https://sub.domain.dev {
    tls /etc/certs/fullchain.pem /etc/certs/privkey.pem
    basic_auth {
        user $2y$10$1a/fjasklfdjasldkfjasdf
    }
    reverse_proxy glance:8080
}

a. System environment:

Pop!_OS and docker

You need to learn about matchers

Thanks for the recommendation.

I tried a matcher but this solution isn't working either:

https://sub.domain.dev {
    tls /etc/certs/fullchain.pem /etc/certs/privkey.pem

    # Matcher for requests that are NOT for manifest.json (as a file)
    @notManifest {
        not file manifest.json
    }

    # Apply basic auth only to requests that are NOT for manifest.json
    basic_auth @notManifest {
        user $2y$10$1a/fjasklfdjasldkfjasdf
    }

    # Reverse proxy all requests to glance:8080
    reverse_proxy glance:8080
}

Can you spot the issue?

The file matcher checks for the existence of the file, not the path of the file.

One of the many possible options:

Caddyfile:

{
	http_port 8080
}

:8080 {
	@manifest {
		path */manifest.json
	}
	handle @manifest {
		respond "Manifest"
	}
	respond "Not manifest"
}

caddy run --config Caddyfile

Test:

$ curl http://localhost:8080
Not manifest

$ curl http://localhost:8080/foo
Not manifest

$ curl http://localhost:8080/manifest.json
Manifest

$ curl http://localhost:8080/foo/manifest.json
Manifest

$ curl 'http://localhost:8080/foo/manifest.json?foo=bar'
Manifest

Adapting it to your use case:

Caddyfile:

{
	http_port 8080
}

:8080 {
	@notManifest {
		not path */manifest.json
	}
	basic_auth @notManifest {
		user $2y$10$1a/fjasklfdjasldkfjasdf
	}
	reverse_proxy glance:8080
}

Test:

$ curl -vs http://localhost:8080 2>&1 | grep '< HTTP'
< HTTP/1.1 401 Unauthorized

$ curl -vs http://localhost:8080/foo 2>&1 | grep '< HTTP'
< HTTP/1.1 401 Unauthorized

$ curl -vs http://localhost:8080/manifest.json 2>&1 | grep '< HTTP'
< HTTP/1.1 200 OK

$ curl -vs http://localhost:8080/foo/manifest.json 2>&1 | grep '< HTTP'
< HTTP/1.1 200 OK

$ curl -vs 'http://localhost:8080/foo/manifest.json?foo=bar' 2>&1 | grep '< HTTP'
< HTTP/1.1 200 OK

Sorry, one more comment - In general, I’d suggest replacing this:

reverse_proxy glance:8080

with this:

reverse_proxy glance:8080 {
	header_up -Authorization
}

This ensures you’re not passing the HTTP Basic Auth header to the back-end server.

In this particular case, it’s probably not a big deal since I assume glance is your own back-end, but if it weren’t, you’d be leaking credentials.

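Putting the two suggestions from the replies above together (the `not path */manifest.json` matcher and the `header_up -Authorization` on the proxy), this is what the complete site block looks like. It is an added example, not a config posted in the thread; the hostname, certificate paths, user name and bcrypt hash are the placeholders from the original post and must be replaced with your own (a hash can be generated with `caddy hash-password`).

```caddyfile
# Added example, not from the thread: both suggestions combined in one site block.
# sub.domain.dev, the cert paths, "user" and the hash are placeholders from the
# original post; substitute your own values.
https://sub.domain.dev {
	tls /etc/certs/fullchain.pem /etc/certs/privkey.pem

	# Match every request EXCEPT those whose path ends in /manifest.json.
	# "*" in a Caddy path matcher spans slashes, so /manifest.json and
	# /foo/manifest.json are both excluded, as the curl tests above show.
	@notManifest {
		not path */manifest.json
	}

	# Require credentials only for the matched (non-manifest) requests.
	# basic_auth sits before reverse_proxy in Caddy's default directive
	# order, so no explicit route block is needed.
	basic_auth @notManifest {
		user $2y$10$1a/fjasklfdjasldkfjasdf
	}

	# Strip the Authorization header before forwarding so the backend
	# never receives the basic-auth credentials.
	reverse_proxy glance:8080 {
		header_up -Authorization
	}
}
```

Two things to keep in mind when using this: the exclusion is purely path-based, so any request whose path ends in `/manifest.json` reaches the backend without credentials, and the backend must not serve anything sensitive at such a path; and the `curl -vs ... | grep '< HTTP'` checks from the replies above are the quickest way to confirm that `/manifest.json` and `/foo/manifest.json` return 200 while every other path still returns 401.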

That’s it! Thank you everybody!
