Multiple basicauth for 1 domain name

Erwyn · December 10, 2020, 2:11pm

1. Caddy version (`caddy version`):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

a. System environment:

Docker via docker-compose

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: '2.1'

services:
    caddy:
        container_name: caddy
        image: caddy
        ports:
            - "80:80"
            - "80:80/udp"
            - "443:443"
            - "443:443/udp"
        volumes:
            - ./caddy/Caddyfile:/etc/caddy/Caddyfile
            - caddy-data:/data
            - caddy-config:/config
            - data:/zbra
        environment:
            - ACME_AGREE=true

volumes:
    caddy-data:
    caddy-config:
    data:

d. My complete Caddyfile or JSON config:

https://trouille.mycompany.com {
    encode gzip
    root * /zbra
    file_server /* browse
    basicauth /* bcrypt {
        user1 redacted-password
    }
    basicauth /test.tar bcrypt {
        user2 redacted-password
    }
}

3. The problem I’m having:

I’m making some testing to migrate from Caddy v1 to Caddy v2. In Caddy v1 I had this kind of multiple basicauth directives, the idea was user1 has access to everything including test.tar with its own credentials while user2 can only access test.tar with their credentials.

Now what I experience is user1 has access to everything BUT test.tar and user2 access to nothing, because what happens is that if I try to reach https://trouille.mycompany.com/test.tar as user1 my credentials are asked again and whether I enter user1’s or user2’s credentials, it’s not working.

I checked that credentials were correct by regrouping the two basicauth directives in only one and trying to log with both accounts:

basicauth /* bcrypt {
    user1 redacted-password
    user2 redacted-password
}

4. Error messages and/or full log output:

When trying to access test.tar I only get this in Caddy logs:

caddy                 | 2020/12/10 13:12:55 [ERROR] Authenticating with http_basic: crypto/bcrypt: hashedSecret too short to be a bcrypted password
caddy                 | 2020/12/10 13:13:02 [ERROR] Authenticating with http_basic: crypto/bcrypt: hashedSecret too short to be a bcrypted password

5. What I already tried:

I already tried to change the matchers of the second basic auth to be wider (like /test.tar*). I checked that I hashed correctly the password by merging into one basicauth direct and trying both accounts.

I don’t know if it was working by “pure luck” on Caddy v1 or if I’m doing something wrong while translating to Caddy v2.

6. Links to relevant resources:

nothing

francislavoie · December 10, 2020, 4:08pm

The basicauth directive is not mutually exclusive by default. To solve this, use the handle directive to make them mutually exclusive:

# Only requests to /test.tar exactly
handle /test.tar {
	basicauth {
		user2 password
	}
}

# Any other requests
handle {
	basicauth {
		user1 password
	}
}

Also, I recommend removing the /* from your directives, because it’s making Caddy do an extra path comparison on every request (we’re talking nanoseconds here, so no big deal in terms of performance, but still) and it looks cleaner.

And Caddy v2 doesn’t need ACME_AGREE=true, because the act of using Caddy is enough to agree to the terms of service.

And finally as for the ERROR in your logs, you need to hash your passwords with the caddy hash-password command, as documented:

Erwyn · December 24, 2020, 6:17pm

Thank you very much @francislavoie working like a charm !

system · January 9, 2021, 2:11pm

This topic was automatically closed after 30 days. New replies are no longer allowed.