Trying to combine basicauth with other directives for h5ai restricted access, and some SSL issues depending on the computers used to visit

1. Caddy version (caddy version):

v2.2.1 h1:Q62GWHMtztnvyRU+KPOpw6fNfeCD3SkwH7SfT1Tgt2c=

2. How I run Caddy:

I have a Caddy service (automatically created when installing Caddy on Debian Buster) and I reload my Caddyfile configuration using sudo caddy reload.

a. System environment:

Debian Buster, php7.3-fpm.

b. Command:

sudo systemctl start caddy
sudo caddy reload

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddyfile or JSON config:

mlaparie.fr, www.mlaparie.fr {
        tls ma@email.com
        root * /var/www/mlaparie.fr/wordpress
        # /work/
        handle /work/* {
        php_fastcgi unix//run/php/php7.3-fpm.sock
        file_server
        @no_index {
                not file {
                try_files {path}.html {path} {path}/index.html
                }
        }
        rewrite @no_index /work/_h5ai/public/index.php
        }
        handle /work/_h5ai/private/* {
                respond 404
        }
        # /misc/
        handle /misc/* {
                php_fastcgi unix//run/php/php7.3-fpm.sock
                file_server
                @no_index {
                        not file {
                                try_files {path}.html {path} {path}/index.html
                        }
                }
                rewrite @no_index /misc/_h5ai/public/index.php
        }
        handle /misc/_h5ai/private/* {
                respond 404
        }
        encode gzip
        php_fastcgi unix//run/php/php7.3-fpm.sock
        # Prevent malicious PHP uploads from running
        @uploads {
                path_regexp path /uploads\/(.*)\.php
        }
        rewrite @uploads /
        file_server
}

grav.mlaparie.fr, www.grav.mlaparie.fr {
        tls ma@email.com
        root * /var/www/mlaparie.fr/grav/base
        encode gzip
        php_fastcgi unix//run/php/php7.3-fpm.sock
        file_server
}

mattermost.mlaparie.fr, www.mattermost.mlaparie.fr {
        tls ma@email.com
        reverse_proxy 127.0.0.1:8065
}

syncthing.mlaparie.fr, www.syncthing.mlaparie.fr {
        tls ma@email.com
        reverse_proxy 127.0.0.1:8384 {
                header_up Host 127.0.0.1
        }
}

3. The problem I’m having:

  1. I would like the h5ai browsing mode to be restricted to authenticated users for /work, but I don’t know how to combine caddy’s basicauth with the somewhat complex syntax that currently works for h5ai public access. Failure to authenticate should either redirect to the homepage or throw an error.

  2. I would like the h5ai browsing mode to be restricted to authenticated users for /misc, while allowing access to direct file URLs to anyone, provided they got the URL correct. Situational example: if I post an image somewhere, I want all viewers to see it where it was posted, but I want to be the only one with browsing access in /misc to get the exact picture URL in the first place.

  3. Depending on computers (mine, plus reports from friends on their own) and browsers, I sometimes get SSL errors on some of the subdomains or the main domain. What is wrong with my configuration? Could it be some kind of cache or TTL issue that would solve itself if I just wait?

4. Error messages and/or full log output:

N/A

5. What I already tried:

I am new to Caddy (and loving it so far, it’s so much more straightforward than Nginx to me), but it is still difficult for me to really know what I am doing for those kinds of specific uses. I tried combining the different directives but obviously didn’t do it correctly because caddy reload would throw errors, so I just reverted my changes.

6. Links to relevant resources:

h5ai

You can use request matchers to decide when to require basicauth.

For your “if the file exists, serve it” thing, you can do it like this:

@fileNotExists not file
basicauth @fileNotExists {
	...
}

And you can put that inside your handle blocks.

You may need to use a route block to ensure that rewrites don’t happen before basicauth gets a chance to look at the request paths, due to the default directive order.

Also, I recommend using the caddy fmt command to clean up the indentation in your config. It’s a bit hard to read because the indentation isn’t right.

You can also make those @no_index matchers shorter, like this:

@no_index not file {path}.html {path} {path}/index.html

This uses the single-line named matcher syntax, plus the short file matcher syntax.

You have a lot of repetition in your example.com site, I think. Ultimately the only thing your handle blocks are doing is doing some rewrites, since you already have php_fastcgi and file_server at the end. Something like this might work the same:

example.com, www.example.com {
    tls ma@email.com

    root * /var/www/example.com/wordpress

    # Prevent malicious PHP uploads from running
    @uploads path_regexp path /uploads\/(.*)\.php
    rewrite @uploads /

    encode gzip

    handle /work/_h5ai/private/* {
        respond 404
    }
    handle /work/* {
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /work/_h5ai/public/index.php
    }
    handle /misc/_h5ai/private/* {
        respond 404
    }
    handle /misc/* {
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /misc/_h5ai/public/index.php
    }

    php_fastcgi unix//run/php/php7.3-fpm.sock   
    file_server
}

Thanks a lot for your detailed answer, much appreciated!

So if I understand correctly, you would recommend something like that?

    handle /misc/* {
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /misc/_h5ai/public/index.php
        @fileNotExists not file
        basicauth @fileNotExists {
            user base64pass
        }
    }

And same without @fileNotExists if I want restricted access even when the visitor has a full URL to an existing file? I am not sure how to use the route block you suggested.

Additional question: friends and I are having SSL issues with the domains or subdomains I serve with Caddy. The certificates exist and are valid, but I’m wondering if this is because the TTL duration is longer and makes new certificates issued when I caddy reload not be fetched. Is there a way to keep caddy reload from renewing certificates? Or is it another issue?

Regarding SSL errors, this might be the same issue detailed here: Intermittent SSL handshake errors - #2 by Tracy-P

Time will tell if this is actually a solution, but it seems restarting the Caddy service instead of using caddy reload might solve the problem with my websites too.

Yeah - maybe like this:

    route /misc/* {
        @fileNotExists not file
        basicauth @fileNotExists {
            user base64pass
        }
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /misc/_h5ai/public/index.php
    }

route makes sure that they run in that specific order (basicauth before rewrite). route blocks get ordered after handle blocks according to the directive order, but this should still do the right thing for you here.

That’s a bit vague. What are the symptoms?

Caddy only renews certificates when it actually needs to, i.e. when they’re close to being expired. Reloading does run the certificate maintenance routine, but that routine will do nothing if the certificates are still fresh enough.

Unfortunately I’m not prompted for authentication with this: h5ai browse mode is visible to all users. It seems basicauth is ignored. I added the block right after the following:

…
    handle /misc/_h5ai/private/* {
        respond 404
    }

I also tried the code I had posted before your answer, and there I was asked for a password, but it was giving me access for both /work/ and /misc/.

The SSL errors were handshake issues. They seem to happen very frequently and from several machines when using caddy reload in the folder where the Caddyfile is, but all those issues appear to go away when using systemctl restart caddy instead.

Any idea of what could be wrong with this basicauth block?

We should start over from the beginning here.

What’s your full Caddyfile? What’s in your logs? What do you get when you make the request with curl -v?

We need a full explanation of where you’re at now and exactly what the goal is, including which request paths you expect to be authenticated and which you don’t. Otherwise I’ll just be making guesses and that’s not helpful.


Sorry for the delay @francislavoie, I missed the notification of your answer here!

You’re right, let’s do it properly:

  • I want domain.tld/work/ to be restricted access.
  • I want domain.tld/misc/ to be restricted access for browsing (with h5ai as the browser) but would like full URLs to files within misc/ to work without authentication. In other words, I want to be the only one able to browse the content, but I want the file URLs I post somewhere to be visible/accessible to everyone.

Right now, this is my Caddyfile:

mlaparie.fr, www.mlaparie.fr {
    tls ma@email.com
    
    root * /var/www/mlaparie.fr/wordpress

    # Prevent malicious PHP uploads from running
    @uploads path_regexp path /uploads\/(.*)\.php
    rewrite @uploads /

    encode gzip

        # Restricted access to /work/ and /misc/
        # (except for direct url to files in /misc/)
    handle /work/_h5ai/private/* {
        respond 404
    }
    route /work/* {
        @fileNotExists not file
        basicauth @fileNotExists {
                user [base64pass]
        }
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /work/_h5ai/public/index.php
    }

    handle /misc/_h5ai/private/* {
        respond 404
    }
    route /misc/* {
        @fileNotExists not file
        basicauth @fileNotExists {
                user [base64pass]
        }
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /misc/_h5ai/public/index.php
    }

    php_fastcgi unix//run/php/php7.3-fpm.sock   
    file_server
}

verbose.mlaparie.fr, www.verbose.mlaparie.fr {
        tls ma@email.com

        root * /var/www/mlaparie.fr/grav/base

        encode gzip

        php_fastcgi unix//run/php/php7.3-fpm.sock
        file_server
}

mattermost.mlaparie.fr, www.mattermost.mlaparie.fr {
        tls ma@email.com

        reverse_proxy 127.0.0.1:8065
}

syncthing.mlaparie.fr, www.syncthing.mlaparie.fr {
        tls ma@email.com

        reverse_proxy 127.0.0.1:8384 {
                header_up Host 127.0.0.1
        }
}

When using curl -v on that, I get:

~ $ curl -v mlaparie.fr/misc/
*   Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /misc/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/misc/
< Server: Caddy
< Date: Wed, 16 Dec 2020 14:08:07 GMT
< Content-Length: 0
< 
* Closing connection 0
~ $ curl -v mlaparie.fr/work/
*   Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /work/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/work/
< Server: Caddy
< Date: Wed, 16 Dec 2020 14:08:09 GMT
< Content-Length: 0
< 
* Closing connection 0
~ $ curl -v https://mlaparie.fr/misc/800px/_DSC2891s.jpg
*   Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mlaparie.fr
*  start date: Nov 20 23:06:19 2020 GMT
*  expire date: Feb 18 23:06:19 2021 GMT
*  subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1301ad0)
> GET /misc/800px/_DSC2891s.jpg HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< accept-ranges: bytes
< content-type: image/jpeg
< etag: "ouadhq5et1"
< last-modified: Sun, 06 Aug 2017 23:05:50 GMT
< server: Caddy
< content-length: 252469
< date: Wed, 16 Dec 2020 14:08:11 GMT
< 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* stopped the pause stream!
* Connection #0 to host mlaparie.fr left intact

When starting a private browser with no cookies or saved passwords, I can still access domain.tld/work/ and domain.tld/misc/ without authentication. The real domain is listed above, you can try and will see that you have access to both too. Be sure to add the trailing / after work/ and /misc, or you’ll get a 404.

(By the way, I would prefer to redact the real domain in the messages here so that my forum nickname is not associated with my pro website; do you think this will be possible when this is all sorted out? I posted it because it’s specifically requested in the forum rules here, but thought maybe this can be edited afterwards when the problem is solved.)

When you request curl -v example.com/work/, you’re being served an HTTP->HTTPS redirect. That’s as expected. You can use curl -vL to follow the redirect (L for Location, the header used for redirects), or just use https:// in front in the first place.

Oh indeed, sorry:

~ $ curl -vL mlaparie.fr/work/
*   Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /work/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/work/
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:29 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/work/'
*   Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mlaparie.fr
*  start date: Nov 20 23:06:19 2020 GMT
*  expire date: Feb 18 23:06:19 2021 GMT
*  subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x1f3bad0)
> GET /work/ HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< cache-control: no-store, no-cache, must-revalidate
< content-type: text/html;charset=utf-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< pragma: no-cache
< server: Caddy
< set-cookie: PHPSESSID=njfvrsu86b70qq0j7peqhvkhvm; path=/
< content-length: 2110
< date: Thu, 17 Dec 2020 15:57:30 GMT
< 

~ $ curl -vL mlaparie.fr/misc/
*   Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /misc/ HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/misc/
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:36 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/misc/'
*   Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mlaparie.fr
*  start date: Nov 20 23:06:19 2020 GMT
*  expire date: Feb 18 23:06:19 2021 GMT
*  subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x21f4ad0)
> GET /misc/ HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< cache-control: no-store, no-cache, must-revalidate
< content-type: text/html;charset=utf-8
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< pragma: no-cache
< server: Caddy
< set-cookie: PHPSESSID=snl8e541vhuql4tvcn8pjpuuea; path=/
< date: Thu, 17 Dec 2020 15:57:36 GMT
< 

 ~ $ curl -vL mlaparie.fr/misc/800px/_DSC2891s.jpg
*   Trying 194.36.144.124:80...
* Connected to mlaparie.fr (194.36.144.124) port 80 (#0)
> GET /misc/800px/_DSC2891s.jpg HTTP/1.1
> Host: mlaparie.fr
> User-Agent: curl/7.73.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://mlaparie.fr/misc/800px/_DSC2891s.jpg
< Server: Caddy
< Date: Thu, 17 Dec 2020 15:57:57 GMT
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'https://mlaparie.fr/misc/800px/_DSC2891s.jpg'
*   Trying 194.36.144.124:443...
* Connected to mlaparie.fr (194.36.144.124) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: none
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=mlaparie.fr
*  start date: Nov 20 23:06:19 2020 GMT
*  expire date: Feb 18 23:06:19 2021 GMT
*  subjectAltName: host "mlaparie.fr" matched cert's "mlaparie.fr"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0xe5dad0)
> GET /misc/800px/_DSC2891s.jpg HTTP/2
> Host: mlaparie.fr
> user-agent: curl/7.73.0
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200 
< accept-ranges: bytes
< content-type: image/jpeg
< etag: "ouadhq5et1"
< last-modified: Sun, 06 Aug 2017 23:05:50 GMT
< server: Caddy
< content-length: 252469
< date: Thu, 17 Dec 2020 15:57:57 GMT
< 
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
* Failure writing output to destination
* stopped the pause stream!
* Connection #1 to host mlaparie.fr left intact

If I understand correctly, this shows that everything is served without authentication despite the basicauth block, correct?

Ah, I see. It’s because the file matcher still matches on requests to /work/ because that directory does exist. So the matcher would need to be a bit more sophisticated to include requests to directories as well. Maybe like…

@fileNotExists not {
	not path */
	file
}

I tried that locally and it seems to work. With this file tree:

.
└── work
    └── foo.txt

Requests:

  • /work/ has the header Www-Authenticate: Basic realm="restricted"
  • /work/index.html has the header Www-Authenticate: Basic realm="restricted"
  • /work/foo.txt returns the file as-is

This relies on the fact that not matchers are OR’ed, so basically this reads:

not [(a path that doesn't end in `/`) OR (a file that exists)]

So by De Morgan’s laws this means:

(a path that ends in /) AND (the file does not exist)

Awesome, it works. Thanks a lot for your help and patience!

For /work/, given that I don’t want files to be served without authentication, I tried:

    route /work/* {
        basicauth {
            user [base64pass]
        }
        @no_index not file {path}.html {path} {path}/index.html
        rewrite @no_index /work/_h5ai/public/index.php
    }

That seems to work from my tests. Can you confirm that this is the most parsimonious way to do it?


Yep, not specifying a matcher means “always” (within the current scope, i.e. /work/* cause it’s in a route)

Glad we got this resolved! :smiley:
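Putting the two answers together (the unconditional basicauth route for /work/ and the directory-aware matcher for /misc/), here is an added example of the complete site block; it is not from this thread, the credential lines are placeholders for a hash produced by caddy hash-password, and the extra basicauth on /misc/_h5ai/* is an assumption that h5ai's front-end fetches listings through its own index.php.

```caddyfile
example.com, www.example.com {
	tls ma@email.com
	root * /var/www/example.com/wordpress

	# Prevent malicious PHP uploads from running
	@uploads path_regexp path /uploads\/(.*)\.php
	rewrite @uploads /

	encode gzip

	# h5ai's private directory must never be served, in either tree
	handle /work/_h5ai/private/* {
		respond 404
	}
	handle /misc/_h5ai/private/* {
		respond 404
	}

	# /work/: browsing AND every file require credentials.
	# route keeps basicauth ahead of rewrite; with no matcher,
	# basicauth applies to every request that reaches this route.
	route /work/* {
		basicauth {
			# placeholder: paste the output of `caddy hash-password`
			user BCRYPT_HASH_PLACEHOLDER
		}
		@no_index not file {path}.html {path} {path}/index.html
		rewrite @no_index /work/_h5ai/public/index.php
	}

	# /misc/: only directory browsing requires credentials; a direct
	# URL to an existing file is served to anyone who has it.
	# Matchers inside `not { ... }` are OR'ed and then negated, so
	# not [(path does not end in /) OR (file exists)]
	# == (path ends in /) AND (no such file)  i.e. a listing request.
	route /misc/* {
		@listing not {
			not path */
			file
		}
		basicauth @listing {
			user BCRYPT_HASH_PLACEHOLDER
		}
		# Assumption: h5ai's JavaScript loads listings by calling
		# /misc/_h5ai/public/index.php, an existing file that @listing
		# would not cover, so guard the whole h5ai path as well.
		@h5ai path /misc/_h5ai/*
		basicauth @h5ai {
			user BCRYPT_HASH_PLACEHOLDER
		}
		@no_index not file {path}.html {path} {path}/index.html
		rewrite @no_index /misc/_h5ai/public/index.php
	}

	php_fastcgi unix//run/php/php7.3-fpm.sock
	file_server
}
```

Check each case with curl -I against https://example.com/misc/, /misc/somefile.jpg and /work/somefile.txt: the first and last should answer 401 with a WWW-Authenticate header, the middle one 200.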

Yup that’s great, I’m very grateful, thanks a lot for taking the time to help me!

FWIW anyone can click on the pencil in the top-right of any post to see edit history. So what’s done is done, even if edited out of the posts.

Oh, right, I didn’t notice that. It is not too big a deal; if someone really wants to look hard it’s okay, but avoiding having it indexed is good already. Thanks a lot!

[Edit] Oh, however I realize I can’t edit my old messages anymore, there must be a limited time frame for user edits, so problem solved.

