freman / caddy-reauth

Auth your Caddyserver requests against another server
MIT License

First Question! Local PHP Auth #1

Closed goofballtech closed 7 years ago

goofballtech commented 7 years ago

I am trying to use your plugin to authenticate against Organizr. The linked example is NGINX but I have been using Caddy, so I posted on their community and was directed to your plugin.

So I have tried a few different ways so far.

I have tried reauth inside and outside of the proxy for /sonarr.

These are the segments of my Caddyfile regarding reauth:

proxy /auth-admin /Organizr/auth.php?admin

reauth {
    path /sonarr
    upstream url=https://my-domain.com/auth-admin
}

proxy /sonarr 127.0.0.1:8989 {          # https://sonarr.tv/
    transparent
}

I have tried to do the url a few different ways, as well as tried to just give reauth a relative path directly to the relevant PHP file. If I could just point to path=/Organizr/auth.php?admin instead of url= I might be able to get it going, but I don't know if that's a thing.

What I'm getting now is an HTTP auth pop-up, but since I have not set a simple= statement there is no valid user=pass that will work.

Any recommendations on how to get the plugin to point to the correct place and get the expected returns?

freman commented 7 years ago

Hi,

Thanks for being my first question!

Does /Organizr/auth.php?admin do http-basic auth or does it display a form/expect a cookie?

goofballtech commented 7 years ago

auth.php returns either 200 or 401 depending on the current user's sign-in status, as far as I'm aware.

Here is a block from inside the file where the return is happening.

if (isset($_GET['admin'])) :
    // 200 only for an authenticated admin who is not on the ban list
    if($USER->authenticated && $USER->role == "admin" && !in_array(strtoupper($USER->username), getBannedUsers($ban))) :
        exit(http_response_code(200));
    else :
        exit(http_response_code(401));
    endif;
endif;

freman commented 7 years ago

Looks like that relies on a cookie, I'm not passing any of those back

This was kind of more targeted to making http:basic auth requests.

I can patch in passing the cookie back as an option - anyone without the cookie or with an invalid cookie (or who isn't admin) would get a login box which won't do anything for them.

goofballtech commented 7 years ago

In order to maintain the functionality, would it be possible to do admin, user, and none? Then Organizr users on Caddy could have full functionality of that process using your plugin.

Thanks very much for your help.

freman commented 7 years ago

Should work like that, just from the cookie being passed through - the role seems to be specified via url.

I'll add options to configure the pop-up of a login box (http basic), or redirect to a login page, or outright deny too, so you can choose.

goofballtech commented 7 years ago

Sounds like a plan! Thanks very much for your help.

freman commented 7 years ago

How does this look

https://github.com/freman/caddy-reauth#supported-failure-handlers

In theory you should end up with something like

proxy /auth-admin /Organizr/auth.php?admin

reauth {
    path /sonarr
    failure redirect=https://my-domain.com/login
    upstream url=https://my-domain.com/auth-admin,cookies=true
}

proxy /sonarr 127.0.0.1:8989 {          # https://sonarr.tv/
    transparent
}
goofballtech commented 7 years ago

Changed my common.conf as shown, re-downloaded Caddy with your plugin.

For some reason I still get a basic popup whether logged in as user or admin, and end up at a 401. Never got redirected to the defined url for failure either.

I'm sure it's something I am doing, or not doing, though.

Will keep messing with it and maybe try to get the Organizr dev in here since he knows his side of this best.

Edit - I think there is something up with the failure portion of the code. If I put it as you have above and just redirect to google.com it will usually open Caddy fine, but on occasion (only during a restart of Caddy) it will give me "unknown backend for failure". If I attempt to put it in as you have in the above linked page with a target= command then I get

2017/07/10 11:00:50 wrong number of arguments for failure: [redirect target=http://google.com] (common.conf:48)

Line 48 is the line that contains my failure code.

causefx commented 7 years ago

@goofballtech what shows in the logs when you try opening the url?

freman commented 7 years ago

I haven't tagged this for caddy yet, was just looking for your opinion of that config before I did. Sort of lighting my brain against your expectations.

I'll tag it shortly then you can get a caddyserver.

In fact, might make a feature request of caddy, an experimental build option where one can tag a plugin version as experimental - so as to not break the build but let you test away with a full build / select beta testers. (I mean, it works for me, but as you can see I already had to push one commit because it didn't quite work as expected - despite tests)

You should be able to do a caddy build now with 1.0.2 of this plugin.

goofballtech commented 7 years ago

@freman Apologies for my misunderstanding of your earlier message. The syntax looked fine to me but I saw your commits and didn't realize that submitting on git and on Caddy specifically were different. Just downloaded again. Now the redirect works fine. my-domain.com/sonarr sends me right to google. Within Organizr though I am just getting a white screen. No basic pop-up and the page didn't load.

    proxy /auth-admin /Organizr/auth.php?admin
    proxy /auth-user /Organizr/auth.php?user

    reauth {
        path /sonarr
        failure redirect target=http://google.com
        upstream url=https://my-domain.com/auth-admin,cookies=true
    }

@causefx I'm just getting this basic auth from Plex in the log. No apparent errors are appearing when I attempt to refresh the Sonarr page for testing.

2017-07-10 16:17:04|success|goofballtech authenticated by plex
2017-07-10 16:17:04|success|goofballtech has logged in
2017-07-10 16:18:24|success|goofballtech authenticated by plex
2017-07-10 16:18:24|success|goofballtech has logged in
causefx commented 7 years ago

Sorry, I meant the Caddy logs.

goofballtech commented 7 years ago

Downloadable or below quote contain the same text.


25/Jun/2017:14:20:56 -0500 [ERROR 0 /organizr/homepage.php] PHP Warning:  simplexml_load_string(): Entity: line 35: parser error : Opening and ending tag mismatch: link line 34 and head in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): </head> in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():        ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : error parsing attribute name in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): bpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : attributes construct error in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): bpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : Couldn't find end of Start Tag t.length line 44 in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): bpackJsonp;window.webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : xmlParseEntityRef: no name in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): .webpackJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]& in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : EntityRef: expecting ';' in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): kJsonp=function(t,c,u){for(var i,a,f,l=0,s=[];l<t.length;l++)a=t[l],o[a]&&s.push in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): Entity: line 44: parser error : xmlParseEntityRef: no name in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string(): a]&&s.push(o[a][0]),o[a]=0;for(i in c)Object.prototype.hasOwnProperty.call(c,i)& in C:\Caddy\www\Organizr\functions.php on line 861
PHP Warning:  simplexml_load_string():                                                                                ^ in C:\Caddy\www\Organizr\functions.php on line 861
goofballtech commented 7 years ago

Got something. Had to do a slight mod. I started looking at other proxy commands and realized there is no base within the proxy for it to know the base path of /Organizr...... so I put a full domain path there and it seems to be working for Sonarr.

I can access /Sonarr in Organizr as well as access Sonarr directly, as long as I am still logged into Organizr. Once I log out of Organizr I end up getting redirected to the main Organizr page as expected. Excellent!

    proxy /auth-admin https://my-domain.com/Organizr/auth.php?admin
    proxy /auth-user https://my-domain.com/Organizr/auth.php?user

    reauth {
        path /sonarr
        failure redirect target=https://my-domain.com/organizr
        upstream url=https://my-domain.com/auth-admin,cookies=true
    }

So now, a basic use question for full implementation.

    reauth {
        path /sonarr
        path /radarr
        path /sabnzbd
        .......
    }

Can I do this with a single instance of reauth for multiple pages that would all be under the same auth.php?admin command?

For a subdomain, do I need a separate instance protecting "path /" within that subdomain's settings?

I am assuming this is the case, just looking to verify.

Thanks so much for your help! Both of you.

freman commented 7 years ago

The plugin only works with one path at a time.

Not sure why I stuck with that limitation - might have something to do with the excludes (which can be multiple paths)

If you want to protect "all the things" then you probably want to

reauth {
    path /
}

Otherwise it's one block per path unless you really want the ability to list more than one path per block.

goofballtech commented 7 years ago

I was just looking to make it efficient. Once I have it all working for me I am going to add this to the Caddy page on Organizr's wiki as another option for auth. Short and sweet is the way to be... it's not a daily use thing so more blocks won't hurt, except for that first time getting it all set up with copy/paste.

Most of the subdomains I have are not really able to turn off authentication anyway as they are external devices (router, power controller, etc.) but using your fail redirect would be nice so the wrong users won't even be able to make it to the login screen. One more layer of security in my mind.

Once again, thanks very much for adding this in to accommodate a (seemingly) very small subset of users. This will make my setup much more efficient for the few folks that check it out on the regular.

freman commented 7 years ago

Making it possible to change the failure handling was always on my radar, thanks for giving me the excuse to do something with it (even if it is a bit of a rush job)

I've patched it now to support multiple paths in one block, just be aware of strange except interactions :D

goofballtech commented 7 years ago

Well dang, I just finished my copy/paste operation. :)

I'll go back and test the multipath. Will be easier to keep track of User vs Admin auth that way since they will be better grouped in visible lists.

causefx commented 7 years ago

good stuff guys!

goofballtech commented 7 years ago

I've patched it now to support multiple paths in one block, just be aware of strange except interactions :D

Just repacked and updated to try the below and I am able to navigate to all the paths without issue, so they are not being protected. No rush as I already have the working copy/paste version but wanted to give you the feedback.

    reauth {
        path /sonarr
        path /radarr
        path /sabnzbd
        path /deluge
        path /jackett
        path /plexpy
        failure redirect target=https://my-domain.com/organizr
        upstream url=https://my-domain.com/auth-admin,cookies=true
    }

Is this incorrect structure for multiples?

freman commented 7 years ago

Oops.

That was an epic, and tragically insecure brainfart. And worse, none of the tests detected it :(

Will have to write new tests tonight, uploading 1.0.4 now

1.0.4 is out now
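
To make the multi-path regression above concrete, here is an added Go sketch (not caddy-reauth's own code) of what `upstream url=...,cookies=true` with `failure redirect target=...` has to do for every `path` entry: replay the request's cookies to the upstream and redirect on anything but 200. `fakeAuthPHP`, the cookie name `organizr_session` and the session values are constructed assumptions standing in for auth.php, and `probe` is the kind of per-path check a test for this plugin would assert.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for /Organizr/auth.php?admin (not Organizr's code): 401 unless the cookie names an admin.
func fakeAuthPHP(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("organizr_session"); err != nil || c.Value != "admin-session" {
		w.WriteHeader(http.StatusUnauthorized)
	}
}
// reauth mimics "upstream url=...,cookies=true" plus "failure redirect target=...": a request under
// any listed prefix is replayed to authURL with the client's Cookie header; non-200 means redirect.
func reauth(authURL, target string, prefixes []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, p := range prefixes {
			if !strings.HasPrefix(r.URL.Path, p) {
				continue
			}
			req, _ := http.NewRequest(http.MethodGet, authURL, nil)
			req.Header["Cookie"] = r.Header["Cookie"] // cookies=true: pass the session through
			resp, err := http.DefaultClient.Do(req)
			if err == nil {
				resp.Body.Close()
			}
			if err != nil || resp.StatusCode != http.StatusOK {
				http.Redirect(w, r, target, http.StatusFound)
				return
			}
			break // upstream said 200 for this prefix
		}
		next.ServeHTTP(w, r)
	})
}

// In-process wiring: fake upstream, three protected paths, an app that just answers 200.
var guarded = reauth(httptest.NewServer(http.HandlerFunc(fakeAuthPHP)).URL,
	"https://my-domain.com/organizr", []string{"/sonarr", "/radarr", "/sabnzbd"},
	http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
// probe returns the status a client whose session cookie holds v ("" = no valid session) gets for path.
func probe(path, v string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.AddCookie(&http.Cookie{Name: "organizr_session", Value: v})
	rec := httptest.NewRecorder()
	guarded.ServeHTTP(rec, req)
	return rec.Code
}
```

A 302 from `probe` means the failure handler fired; the check worth keeping is that this holds for every listed path, not just the first one.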

goofballtech commented 7 years ago

Damn it man, you are freakin' awesome!!

Going to try again.

SUCCESS!

freman commented 7 years ago

No friend, if I was awesome, I'd have a test to catch that level of dumb

goofballtech commented 7 years ago

Will have to write new tests tonight

Sounds to me like you plan to be awesome tomorrow then. It's good to have goals.