Translate Client Cert Auth to Upstream BasicAuth

Dear all!

1. The problem I’m having:

The EU institution I work for uses Caddy already to run its Mastodon server. Thank you! Maybe Caddy can also help us with another problem:

The Nextcloud instance of our organisation comes with a WebDAV API that we would like to talk to from LibreOffice and from the Windows file explorer. We want to avoid dealing on user computers with API keys and rather use existing client certificates already installed on the computers.

It seems that changing the code on Nextcloud to enable WebDAV auth other than BasicAuth is hard.

The Apache docs have an interesting directive here, AuthBasicFake (more at mod_auth_basic - Apache HTTP Server Version 2.4). That’s how it can be used to translate a Client Cert Auth to BasicAuth upstream:

<Location "/secure">
    AuthBasicFake "%{SSL_CLIENT_S_DN_Email}" "%{sha1:passphrase-%{SSL_CLIENT_S_DN_Email}}"
</Location>

I have found already that Caddy comes with variables {http.request.tls.client....} for data in the client cert and specifically {http.request.tls.client.san.emails.*} may do the job here.

However, using the email also for the password would be unsafe obviously.

Question: How could Caddy compute a password dependent on the email address? In our case, a hard-coded lookup table would be best, but computing a SHA1 with some salt could work as well.

2. Error messages and/or full log output:

I have not tried to implement it yet.

5. Links to relevant resources:


I did some more research and found a discussion from 2013 on how to accomplish this with nginx:

In short, either use rewrite_by_lua or use map with hard-coded dictionary.

Then, I noticed that Caddy also has a map statement:

So I assume I could do this here:

map {http.request.tls.client.san.emails.0} {webdav_user} {webdav_token} {webdav_base64} {
    robert@my.host "robert" "15cb79c4-fcc18e33" "<BASE_64_OF: robert:15cb79c4-fcc18e33>"
}

reverse_proxy webdav:8080 {
    header_up Authorization "Basic {webdav_base64}"
}

Better would be even header_up Authorization "Basic {base64:{webdav_user}:{webdav_token}}", but I have not found such a function yet.

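An added example, not code from the post or from the Caddy project: a small Python generator that derives each user's upstream token with a keyed HMAC (instead of the unkeyed SHA1-with-salt mentioned in the question) and emits the map block with the base64 value precomputed, since the post found no base64 placeholder function in Caddy. The e-mail/user pairs and the placeholder names ({webdav_user} etc.) follow the post's own map; the HMAC secret, the token length and the `default` line are my assumptions.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed sample data: client-certificate e-mail -> Nextcloud (WebDAV) user name.
# The e-mail is what {http.request.tls.client.san.emails.0} yields at request time.
USERS = {
    "robert@my.host": "robert",
    "anna@my.host": "anna",
}


def derive_token(email: str, secret: bytes) -> str:
    """Per-user upstream password: HMAC-SHA256 of the e-mail under a server-side secret.

    A keyed MAC rather than sha1(salt + email): someone who knows an e-mail and the
    scheme still cannot compute the token without the secret. Truncated to 32 hex
    characters (128 bits), enough for a password that only Caddy ever presents.
    """
    return hmac.new(secret, email.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def basic_auth_value(user: str, token: str) -> str:
    """The value that follows 'Basic ' in the Authorization header: base64(user:token)."""
    return base64.b64encode(f"{user}:{token}".encode("utf-8")).decode("ascii")


def render_map(users: dict, secret: bytes) -> str:
    """Emit the Caddyfile map block, with the base64 precomputed for each user.

    'default' (assumed here) covers requests with no matching or no client certificate:
    the placeholders resolve to empty strings and the upstream rejects the request.
    """
    lines = ["map {http.request.tls.client.san.emails.0} "
             "{webdav_user} {webdav_token} {webdav_base64} {"]
    for email, user in sorted(users.items()):
        token = derive_token(email, secret)
        lines.append(f'    {email} "{user}" "{token}" "{basic_auth_value(user, token)}"')
    lines.append('    default "" "" ""')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Generate the secret once and reuse it so the tokens stay stable; keep it out
    # of the Caddyfile. The same tokens must be registered as app passwords upstream.
    secret = secrets.token_bytes(32)
    print(render_map(USERS, secret))
```

The tokens this prints have to be set upstream as the users' WebDAV app passwords, and the secret must be stored outside the Caddyfile.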
