Dear all!
1. The problem I’m having:
The EU institution I work for uses Caddy already to run its Mastodon server. Thank you! Maybe Caddy can also help us with another problem:
The Nextcloud instance of our organisation comes with a WebDAV API that we would like to talk to from LibreOffice and from the Windows file explorer. We want to avoid dealing on user computers with API keys and rather use existing client certificates already installed on the computers.
It seems that changing the code on Nextcloud to enable WebDAV auth other than BasicAuth is hard.
The Apache docs have an interesting directive here with AuthBasicFake (more at the mod_auth_basic - Apache HTTP Server Version 2.4 page). That's how it can be used to translate a Client Cert Auth to BasicAuth upstream:

```apache
<Location "/secure">
AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "%{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}"
</Location>
```
I have found already that Caddy comes with variables `{http.request.tls.client....}` for data in the client cert, and specifically `{http.request.tls.client.san.emails.*}` may do the job here.
However, using the email also for the password would be unsafe obviously.
Question: How could Caddy compute a password dependent on the email address? In our case, a hard-coded lookup table would be best, but computing a SHA1 with some salt could work as well.
2. Error messages and/or full log output:
I have not tried to implement it yet.
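One way to get the AuthBasicFake behaviour in Caddy with the hard-coded lookup table mentioned above, as an added example that is not part of the original post or of Caddy's own documentation: the `map` directive turns the first e-mail SAN of the verified client cert into a precomputed `Basic` header value that `reverse_proxy` sends upstream, so the Nextcloud password never leaves the Caddy host. It assumes Nextcloud listens on localhost:8080, a client CA at /etc/caddy/client-ca.pem, the user alice@example.org with password s3cr3t-pass (all constructed values), and that the `.0` index selects the first e-mail SAN.

```caddyfile
nextcloud.example.org {
	tls {
		client_auth {
			# require_and_verify: a cert that does not chain to our CA is rejected
			# before any handler runs, so the SAN below can be trusted
			mode require_and_verify
			trusted_ca_cert_file /etc/caddy/client-ca.pem
		}
	}

	# Lookup table: e-mail SAN -> "Basic base64(user:password)".
	# base64("alice@example.org:s3cr3t-pass") = YWxpY2VAZXhhbXBsZS5vcmc6czNjcjN0LXBhc3M=
	# The password is a per-user secret generated on the server; it must not be
	# derivable from the e-mail alone (a plain sha1(email) would be), so keep this
	# file readable only by the Caddy user.
	map {http.request.tls.client.san.emails.0} {nc_auth} {
		alice@example.org "Basic YWxpY2VAZXhhbXBsZS5vcmc6czNjcjN0LXBhc3M="
		default ""
	}

	# A valid cert whose e-mail is not in the table gets no upstream credential
	@unmapped expression `{nc_auth} == ""`
	respond @unmapped 403

	# Replace whatever Authorization header the client sent with the mapped one.
	# Nextcloud must only be reachable through Caddy (e.g. bound to localhost),
	# otherwise anyone could send this header directly.
	reverse_proxy localhost:8080 {
		header_up Authorization "{nc_auth}"
	}
}
```

Nextcloud still authenticates the request as ordinary BasicAuth, so an app password created in Nextcloud for each user works as the table value; rotating it means updating the corresponding map line.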