caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0

`basic_auth` does not work with environment variable substitution #6402

Closed notramo closed 2 weeks ago

notramo commented 2 weeks ago

Environment:

# the password is 'secret password'
CADDY_BASICAUTH='username $2a$14$rkcxRuGs92dNHinuDFm9zuhCqcRmZqBaXt1xE/4Jw5.cweUPhE5cy'

Caddyfile

http://localhost:80 {
  basic_auth {
    {$CADDY_BASICAUTH}
  }
  respond "Hello!"
}

It neither works if the env only contains the hashed password:

http://localhost:80 {
  basic_auth {
    username {$CADDY_PASSWORD_HASH}
  }
  respond "Hello!"
}

Checked autosave.json, and both the username and the hash are correct in the parsed JSON config.

francislavoie commented 2 weeks ago

Are you sure ' is valid syntax for your env vars? Most env var styles allow spaces, so you don't need quotes around the value, i.e. the text you have to the right of the = is the literal value, so you don't need quotes to escape any spaces.

notramo commented 2 weeks ago

I tried it with docker-compose, which doesn't allow spaces, but I tried all three versions: no quotes, single quotes and double quotes.

Also, as I mentioned, the autosave.json config contains the correct hash/username combination, so the env is probably correctly parsed.

mohammed90 commented 2 weeks ago

I'm not able to reproduce it. Here are the logs:

Caddy

~ $ cat Caddyfile
{
    debug
}
http://localhost:80 {
    log
    basic_auth {
        {$CADDY_BASICAUTH}
    }
    respond "Hello!"
}
~ $ CADDY_BASICAUTH='mohammed $2a$14$eVp4P1lnF1JBosShPkdIUexrh0NaV4S/d3kIqzHu7PSlhW4.aDinK' caddy run
2024/06/16 21:33:39.587 INFO    using adjacent Caddyfile
2024/06/16 21:33:39.588 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/06/16 21:33:39.590 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/06/16 21:33:39.590 WARN    http.auto_https server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server {"server_name": "srv0", "http_port": 80}
2024/06/16 21:33:39.590 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0xc000412f80"}
2024/06/16 21:33:39.590 DEBUG   http.auto_https adjusted config {"tls": {"automation":{"policies":[{}]}}, "http": {"servers":{"srv0":{"listen":[":80"],"routes":[{"handle":[{"handler":"subroute","routes":[{"handle":[{"handler":"authentication","providers":{"http_basic":{"accounts":[{"password":"$2a$14$eVp4P1lnF1JBosShPkdIUexrh0NaV4S/d3kIqzHu7PSlhW4.aDinK","username":"mohammed"}],"hash":{"algorithm":"bcrypt"},"hash_cache":{}}}},{"body":"Hello!","handler":"static_response"}]}]}],"terminal":true}],"automatic_https":{"disable":true},"logs":{"logger_names":{"localhost":[""]}}}}}}
2024/06/16 21:33:39.591 DEBUG   http    starting server loop    {"address": "[::]:80", "tls": false, "http3": false}
2024/06/16 21:33:39.591 INFO    http.log    server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/06/16 21:33:39.591 INFO    autosaved config (load with --resume flag)  {"file": "/Users/mohammed/Library/Application Support/Caddy/autosave.json"}
2024/06/16 21:33:39.591 INFO    serving initial configuration
2024/06/16 21:33:39.641 INFO    tls storage cleaning happened too recently; skipping for now    {"storage": "FileStorage:/Users/mohammed/Library/Application Support/Caddy", "instance": "5db98ed9-fbc1-43a9-a23e-d5886eb6cf2c", "try_again": "2024/06/17 21:33:39.641", "try_again_in": 86399.999999413}
2024/06/16 21:33:39.641 INFO    tls finished cleaning storage units
2024/06/16 21:33:50.832 DEBUG   http.log.error  not authenticated   {"request": {"remote_ip": "::1", "remote_port": "53295", "client_ip": "::1", "proto": "HTTP/1.1", "method": "GET", "host": "localhost", "uri": "/", "headers": {"User-Agent": ["curl/8.8.0"], "Accept": ["*/*"]}}, "duration": 0.00006838, "status": 401, "err_id": "2sz9uuk1j", "err_trace": "caddyauth.Authentication.ServeHTTP (caddyauth.go:89)"}
2024/06/16 21:33:50.833 INFO    http.log.access handled request {"request": {"remote_ip": "::1", "remote_port": "53295", "client_ip": "::1", "proto": "HTTP/1.1", "method": "GET", "host": "localhost", "uri": "/", "headers": {"User-Agent": ["curl/8.8.0"], "Accept": ["*/*"]}}, "bytes_read": 0, "user_id": "", "duration": 0.00006838, "size": 0, "status": 401, "resp_headers": {"Server": ["Caddy"], "Www-Authenticate": ["Basic realm=\"restricted\""]}}
2024/06/16 21:34:06.423 INFO    http.log.access handled request {"request": {"remote_ip": "::1", "remote_port": "53296", "client_ip": "::1", "proto": "HTTP/1.1", "method": "GET", "host": "localhost", "uri": "/", "headers": {"Authorization": ["REDACTED"], "User-Agent": ["curl/8.8.0"], "Accept": ["*/*"]}}, "bytes_read": 0, "user_id": "mohammed", "duration": 0.994081125, "size": 6, "status": 200, "resp_headers": {"Server": ["Caddy"], "Content-Type": ["text/plain; charset=utf-8"]}}
^C2024/06/16 21:34:14.456   INFO    shutting down   {"signal": "SIGINT"}
2024/06/16 21:34:14.456 WARN    exiting; byeee!! 👋  {"signal": "SIGINT"}
2024/06/16 21:34:14.456 INFO    http    servers shutting down with eternal grace period
2024/06/16 21:34:14.456 INFO    admin   stopped previous server {"address": "localhost:2019"}
2024/06/16 21:34:14.456 INFO    shutdown complete   {"signal": "SIGINT", "exit_code": 0}

curl:

~ $ curl -vvvv localhost
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
> GET / HTTP/1.1
> Host: localhost
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 401 Unauthorized
< Server: Caddy
< Www-Authenticate: Basic realm="restricted"
< Date: Sun, 16 Jun 2024 21:33:50 GMT
< Content-Length: 0
<
* Connection #0 to host localhost left intact

~ $ curl -vv -u mohammed:password localhost
* Host localhost:80 was resolved.
* IPv6: ::1
* IPv4: 127.0.0.1
*   Trying [::1]:80...
* Connected to localhost (::1) port 80
* Server auth using Basic with user 'mohammed'
> GET / HTTP/1.1
> Host: localhost
> Authorization: Basic bW9oYW1tZWQ6cGFzc3dvcmQ=
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/plain; charset=utf-8
< Server: Caddy
< Date: Sun, 16 Jun 2024 21:34:06 GMT
< Content-Length: 6
<
* Connection #0 to host localhost left intact
Hello!%

How are you running your system? How are you testing it? What do you see in the logs of both ends? Provide as much details as possible.

francislavoie commented 2 weeks ago

Ultimately this doesn't seem like a bug with Caddy, but rather a problem with however you're defining the env vars. As long as the env vars don't contain any quotes and are literally just <username> <password> with no extra syntactical elements, then it should work just fine, and the Caddyfile parser will split those into two tokens and recognize them as separate things.

I'll close this because I don't think there's anything actionable for us here (other than answering your questions - but we don't need the issue open to do that).
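
A quick diagnostic an operator can run in the shell before suspecting Caddy, as an added example that is not part of this thread and not Caddy's own tooling: it applies the same whitespace split that the Caddyfile applies to a substituted `{$VAR}` value (an assumption about the parser, stated in the comments) and rejects the mangled forms that typically come out of an env-file loader, i.e. quote characters that were passed through literally, a missing token, or a hash that is no longer a 60-character bcrypt string. The sample values below are constructed here around the hash from the issue.

```shell
#!/bin/sh
# Added diagnostic, not Caddy's code. Assumption: Caddy substitutes {$VAR} with
# the raw environment value and then tokenizes it on whitespace like any other
# Caddyfile text, so the value must read exactly "<username> <bcrypt-hash>".

# check_basicauth_value VALUE
# Returns 0 when VALUE is "<username> <bcrypt hash>"; otherwise prints the
# reason on stderr and returns a non-zero code identifying the problem.
check_basicauth_value() {
    value=$1

    # Quote characters inside the value mean the env-file syntax was taken
    # literally by the loader instead of being stripped.
    case $value in
        *\'*|*\"*)
            echo "value contains quote characters: $value" >&2
            return 1 ;;
    esac

    # Split on whitespace exactly as a tokenizer would. The bcrypt alphabet
    # (./A-Za-z0-9) contains no glob characters, so unquoted expansion is safe.
    set -- $value
    if [ "$#" -ne 2 ]; then
        echo "expected 2 tokens (username hash), got $#: $value" >&2
        return 2
    fi
    user=$1
    hash=$2

    # A bcrypt hash is "$2a$"/"$2b$"/"$2y$", a two-digit cost, "$", then
    # 53 characters of salt+digest: 60 characters in total. A loader that
    # interpolates "$2" or "$14" as variables leaves a shorter, broken string.
    case $hash in
        \$2[aby]\$[0-9][0-9]\$*) ;;
        *)
            echo "token '$hash' does not start like a bcrypt hash" >&2
            return 3 ;;
    esac
    if [ "${#hash}" -ne 60 ]; then
        echo "hash for '$user' has ${#hash} characters, expected 60 (mangled by interpolation?)" >&2
        return 4
    fi
    echo "ok: user=$user hash=$hash" >&2
    return 0
}

# demo: runs the check over constructed sample values (hash taken from the issue).
demo() {
    good='username $2a$14$rkcxRuGs92dNHinuDFm9zuhCqcRmZqBaXt1xE/4Jw5.cweUPhE5cy'
    quoted="'username \$2a\$14\$rkcxRuGs92dNHinuDFm9zuhCqcRmZqBaXt1xE/4Jw5.cweUPhE5cy'"
    short='username'
    mangled='username $2a$14$rkcxRuGs92dNHinuDFm9zuhCqcRmZqBaXt1xE/4Jw5'
    for v in "$good" "$quoted" "$short" "$mangled"; do
        if check_basicauth_value "$v"; then
            echo "PASS: $v"
        else
            echo "FAIL($?): $v"
        fi
    done
}

demo
```

Run it against the exact string your container sees (for example `docker compose exec caddy sh -c 'echo "$CADDY_BASICAUTH"'`) rather than against the value in the compose file; the two can differ precisely when quoting or `$` handling in the loader is the problem.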

notramo commented 1 week ago

It turns out the config was indeed wrong. Sorry for wasting your time.