V2 basicauth bug?

1. My Caddy version (caddy -version):

v2.0.0-beta12 h1:LZnXOGDr1SbeJNyln8Xc/hXjWCa/a9qFpCbWt2iwJPw=

2. How I run Caddy:

a. System environment:

Testing on macOS 10.15.1 but will eventually migrate to Linux in Docker.

b. Command:

BASIC_AUTH_PASSWORD=$(echo "pass" | base64) ./caddy adapt --config caddy.conf --pretty

c. Service/unit/compose file:

?

d. My complete Caddyfile:

https://test.dev.net {
    import partials/caddy.conf
}

http://test-redirect.dev.net {
    redir http://test.dev.net{uri} 308
}

This is partials/caddy.conf:

matcher all {
    path /
}

matcher www {
    path *
}

matcher all-excluding-local-files {
    path /
    not {
        path /css /fonts /images /js /favicon.ico /robots.txt
    }
}

basicauth match:all {
    {env.BASIC_AUTH_USERNAME} {env.BASIC_AUTH_PASSWORD}
}

headers match:all {
    Content-Security-Policy "frame-ancestors 'none'"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    X-XSS-Protection "1; mode=block"
}

encode match:all {
    gzip
}

reverse_proxy match:all-excluding-local-files factory:4000 {
    header_up Host {host}
    header_up X-Real-IP {remote}
    header_up X-Forwarded-For {remote}
    header_up X-Forwarded-Port {server-port}
    header_up X-Forwarded-Proto {scheme}
}

file_server match:all {
    root /www
}

3. The problem I’m having:

I’m trying to use caddy adapt to see example JSON output.

4. Error messages and/or full log output:

adapt: parsing caddyfile tokens for ‘basicauth’: [redacted]/partials/caddy.conf:17 - Error during parsing: decoding password: illegal base64 data at input byte 0

5. What I already tried:

I’m trying to use a value from the environment as the password for the basicauth directive. It would seem as though it’s not using the value from the environment but rather the string itself {env.BASIC_AUTH_PASSWORD}? It doesn’t matter if the value in the environment variable is base64 encoded already or not (i.e. BASIC_AUTH_PASSWORD=$(echo "pass" | base64) ./caddy adapt --config caddy.conf --pretty).

I’ve tested to make sure Caddy does have access to the value and BASIC_AUTH_PASSWORD=$(echo "pass" | base64) ./caddy environ | grep APP_BASIC outputs BASIC_AUTH_PASSWORD=cGFzcwo= as you’d expect.

Using an environment variable for the password in the basicauth directive did work in v1. Although, I was using the alternative syntax {$BASIC_AUTH_PASSWORD}.

6. Links to relevant resources:

N/A

Oh, possibly because I haven’t added support for placeholders there. I can do that first thing tomorrow, it’s like 1 or 2 lines of code.

Ah, awesome 🙂 That’d be great, thanks.

Since Caddy 2 doesn’t believe in storing plaintext passwords, it expects a base64-encoded password hash, normally. The easiest thing to do would be to expect whatever is replaced to also be a base64-encoded hash.

You can easily craft this by doing:

BASIC_AUTH_PASSWORD=$(caddy hash-password --plaintext 'topsecret')

Anyway, just wanted to let you know that’s the reality. I’ll update here again when I’ve pushed the commit.

@smebberson Okay, fixed: basicauth: Accept placeholders; move base64 decoding to provision · caddyserver/caddy@78e98c4 · GitHub
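
An added example (not code from this thread or from Caddy's source) of the behaviour the commit title describes: base64-decoding the raw token `{env.BASIC_AUTH_PASSWORD}` fails at byte 0 because `{` is not in the base64 alphabet, while replacing the placeholder first and decoding afterwards succeeds. `expandEnv`, `decodeAtParse` and `decodeAtProvision` are hypothetical helpers, and the hash value is constructed.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// expandEnv is a hypothetical stand-in for a placeholder replacer: it
// substitutes {env.NAME} tokens from the supplied map and leaves anything
// it does not know untouched.
func expandEnv(s string, env map[string]string) string {
	for name, val := range env {
		s = strings.ReplaceAll(s, "{env."+name+"}", val)
	}
	return s
}

// decodeAtParse models the failing order of operations: the raw config token
// is base64-decoded before any placeholder has been replaced.
func decodeAtParse(token string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(token)
}

// decodeAtProvision models the order named in the commit title: replace
// placeholders first, then base64-decode the resulting value.
func decodeAtProvision(token string, env map[string]string) ([]byte, error) {
	return base64.StdEncoding.DecodeString(expandEnv(token, env))
}

func main() {
	// Constructed sample value: base64 of made-up bytes standing in for a
	// password hash. It is not real `caddy hash-password` output.
	env := map[string]string{
		"BASIC_AUTH_PASSWORD": base64.StdEncoding.EncodeToString([]byte("constructed-hash-bytes")),
	}
	token := "{env.BASIC_AUTH_PASSWORD}"

	_, err := decodeAtParse(token)
	fmt.Println("parse time:    ", err)

	hash, err := decodeAtProvision(token, env)
	fmt.Printf("provision time: %q, err=%v\n", hash, err)

	// An unset variable leaves the placeholder in place, so decoding still fails.
	_, err = decodeAtProvision(token, map[string]string{})
	fmt.Println("unset variable:", err)
}
```
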

@matt, awesome, that’s great. I’ll give it a run 🙂
