caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0
58.09k stars 4.03k forks source link

ReverseProxy: Multiple BasicAuth queries in succession #6509

Open Gill-Bates opened 2 months ago

Gill-Bates commented 2 months ago

I am running Caddy v2.8.4 as a Reverse Proxy for some Docker Containers. I use Basic Auth to protect their GUIs:

example.com {
        reverse_proxy http://localhost:3007
        encode gzip

        header {
                Strict-Transport-Security max-age=31536000;
        }

        log {
                output file /var/log/caddy/access.log {
                        roll_size 10mb
                }
        }

        basic_auth /* {
                admin $2a$*******£
        }
}

Let‘s Encrypt will take care of the TLS-Stuff. ssllabs.com attest me A+ for correct implementation.

I now have the problem that I am repeatedly asked for the password when I access the website. The password is hashed correctly. Somehow it looks to me as if the Authorization header is not being passed on correctly to Docker.

"level":"info","ts":1723369504.0853302,"logger":"http.log.access.log6","msg":"handled request","request":{"remote_ip":"89.******","remote_port":"17014","client_ip":"89.******","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/socket.io/?EIO=4&transport=websocket&sid=-s92Aa5quf4tyBA6AAAE","headers":{"Pragma":["no-cache"],"Sec-Websocket-Version":["13"],"Cache-Control":["no-cache"],"Accept-Language":["de-DE,de;q=0.9"],"Upgrade":["websocket"],"Accept":["*/*"],"Origin":["https://example..com"],"Connection":["Upgrade"],"Accept-Encoding":["gzip, deflate"],"Sec-Fetch-Dest":["websocket"],"Sec-Websocket-Key":["sREJvB/BDDaprjbIIT0gkQ=="],"Sec-Fetch-Site":["same-origin"],"Sec-Websocket-Extensions":["permessage-deflate"],"Sec-Fetch-Mode":["websocket"],"User-Agent":["Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"example.com"}},"bytes_read":0,"user_id":"","duration":0.000064317,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Strict-Transport-Security":["max-age=31536000;"],"Www-Authenticate":["Basic realm=\"restricted\""]}}

francislavoie commented 2 months ago

We remove the Authorization header from access logs. See https://caddyserver.com/docs/caddyfile/options#log-credentials