Multiple basicauth for 1 domain name

1. Caddy version (caddy version):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

a. System environment:

Docker via docker-compose

b. Command:

docker-compose up -d

c. Service/unit/compose file:

version: '2.1'

        container_name: caddy
        image: caddy
            - "80:80"
            - "80:80/udp"
            - "443:443"
            - "443:443/udp"
            - ./caddy/Caddyfile:/etc/caddy/Caddyfile
            - caddy-data:/data
            - caddy-config:/config
            - data:/zbra
            - ACME_AGREE=true


d. My complete Caddyfile or JSON config: {
    encode gzip
    root * /zbra
    file_server /* browse
    basicauth /* bcrypt {
        user1 redacted-password
    basicauth /test.tar bcrypt {
        user2 redacted-password

3. The problem I’m having:

I’m making some testing to migrate from Caddy v1 to Caddy v2. In Caddy v1 I had this kind of multiple basicauth directives, the idea was user1 has access to everything including test.tar with its own credentials while user2 can only access test.tar with their credentials.

Now what I experience is user1 has access to everything BUT test.tar and user2 access to nothing, because what happens is that if I try to reach as user1 my credentials are asked again and whether I enter user1’s or user2’s credentials, it’s not working.

I checked that credentials were correct by regrouping the two basicauth directives in only one and trying to log with both accounts:

basicauth /* bcrypt {
    user1 redacted-password
    user2 redacted-password

4. Error messages and/or full log output:

When trying to access test.tar I only get this in Caddy logs:

caddy                 | 2020/12/10 13:12:55 [ERROR] Authenticating with http_basic: crypto/bcrypt: hashedSecret too short to be a bcrypted password
caddy                 | 2020/12/10 13:13:02 [ERROR] Authenticating with http_basic: crypto/bcrypt: hashedSecret too short to be a bcrypted password

5. What I already tried:

I already tried to change the matchers of the second basic auth to be wider (like /test.tar*). I checked that I hashed correctly the password by merging into one basicauth direct and trying both accounts.

I don’t know if it was working by “pure luck” on Caddy v1 or if I’m doing something wrong while translating to Caddy v2.

6. Links to relevant resources:


The basicauth directive is not mutually exclusive by default. To solve this, use the handle directive to make them mutually exclusive:

# Only requests to /test.tar exactly
handle /test.tar {
	basicauth {
		user2 password

# Any other requests
handle {
	basicauth {
		user1 password

Also, I recommend removing the /* from your directives, because it’s making Caddy do an extra path comparison on every request (we’re talking nanoseconds here, so no big deal in terms of performance, but still) and it looks cleaner.

And Caddy v2 doesn’t need ACME_AGREE=true, because the act of using Caddy is enough to agree to the terms of service.

And finally as for the ERROR in your logs, you need to hash your passwords with the caddy hash-password command, as documented:

1 Like

Thank you very much @francislavoie working like a charm !

1 Like

This topic was automatically closed after 30 days. New replies are no longer allowed.