greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0

question: Help transitioning from caddy-auth-portal to caddy-security #49

Closed samcro1967 closed 2 years ago

samcro1967 commented 2 years ago

Working to get converted from caddy-auth-portal to caddy-security. I have a new docker image and Caddyfile. I am able to go to http://192.168.1.106 and am returned "Client sent an HTTP request to an HTTPS server". Good sign caddy is listening on port 80. When I go to https://192.168.1.106/auth or https://192.168.1.106/portainer I get "This site can’t provide a secure connection". I am not seeing any errors in the logs. Not sure what I am missing.

Version

docker exec -it caddy /bin/sh -c "caddy list-modules -versions | grep security"
security v1.0.13

Caddyfile

{
    debug
    https_port  80
    http_port           443
    local_certs

    security {
        credentials smtp.contoso.com {
            username foo
            password bar
            domain contoso.com
        }

        authentication portal myportal {
            cookie lifetime 86400
            crypto default token lifetime 3600
            crypto key sign-verify <redacted>
            backend local /config/caddy/users.json local
            ui {
                links {
                    "Portainer" "/portainer" icon "las la-star"
                    "My Identity" "/auth/whoami" icon "las la-user"
                }
            }
            transform user {
                match origin local
                action add role authp/user
                ui link "Portal Settings" /auth/settings icon "las la-cog"
            }
        }

        authorization policy mypolicy {
            set auth url /auth/
            crypto key verify <redacted>
            allow roles authp/admin authp/user
        }
    }
}

192.168.1.106, 127.0.0.1, localhost {
    route /version* {
        respond * "1.0.0" 200
    }

    route /auth* {
        authenticate * with myportal
    }

    route /xauth* {
        authenticate * with myportal
    }

    route /portainer/* {
        authorize with mypolicy
        reverse_proxy 192.168.1.106:9000
    }

    route {
        redir https://{hostport}/auth 302
    }
}

Dockerfile

ARG CADDY_VERSION=2.4.6

FROM caddy:${CADDY_VERSION}-builder AS builder

RUN xcaddy build \
    --with github.com/lucaslorentz/caddy-docker-proxy/plugin/v2 \
    --with github.com/greenpau/caddy-security \
    --with github.com/greenpau/caddy-trace \
    --with github.com/porech/caddy-maxmind-geolocation \
    --with github.com/caddy-dns/cloudflare \
    --with github.com/kirsch33/realip

FROM caddy:${CADDY_VERSION}-alpine

# Timezone
ENV TIMEZONE America/Chicago

# Install timezone data and setup timezone
RUN apk --update add --no-cache --virtual .tz-deps tzdata \
    && cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime \
    && echo ${TIMEZONE} > /etc/timezone \
    && apk del .tz-deps

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

CMD ["caddy", "docker-proxy"]

Caddy Logs

{"level":"info","ts":1644499353.9904323,"logger":"http.handlers.authenticator","msg":"validated authenticator","portal_name":"myportal","portal_id":"f375cf79-c7e6-42e6-a02a-a33d07113777","path":"*","id":"e9adc199-52b5-4649-a0b6-14837dd8bd85"}
{"level":"info","ts":1644499353.998644,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"debug","ts":1644499353.9987516,"logger":"security","msg":"starting app instance","app":"security"}
{"level":"debug","ts":1644499353.998758,"logger":"security","msg":"started app instance","app":"security"}
{"level":"debug","ts":1644499353.9988534,"logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":true}
{"level":"debug","ts":1644499353.9989147,"logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":false}
{"level":"info","ts":1644499353.998918,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.1.106","127.0.0.1","localhost"]}
{"level":"info","ts":1644499353.9989662,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/data/caddy"}
{"level":"info","ts":1644499353.9995062,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"warn","ts":1644499353.999512,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [192.168.1.106]: no OCSP server specified in certificate"}
{"level":"debug","ts":1644499353.9995527,"logger":"tls.cache","msg":"added certificate to cache","subjects":["192.168.1.106"],"expiration":1644541671,"managed":true,"issuer_key":"local","hash":"a616768686a916945332dfc420f5fc7149ea6d967e4ff05979cca3af67dbb1d0","cache_size":1,"cache_capacity":10000}
{"level":"warn","ts":1644499353.999942,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [127.0.0.1]: no OCSP server specified in certificate"}
{"level":"debug","ts":1644499353.9999826,"logger":"tls.cache","msg":"added certificate to cache","subjects":["127.0.0.1"],"expiration":1644541564,"managed":true,"issuer_key":"local","hash":"f6d0146c2e8582b7398d38326853364c47a137adb6a56716ececbc478e31117c","cache_size":2,"cache_capacity":10000}
{"level":"warn","ts":1644499354.000346,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [localhost]: no OCSP server specified in certificate"}
{"level":"debug","ts":1644499354.0003831,"logger":"tls.cache","msg":"added certificate to cache","subjects":["localhost"],"expiration":1644541564,"managed":true,"issuer_key":"local","hash":"d36df32c8163a53370c558c82aa9e7876da1e5b3faa3c1ebf85888810093e3c2","cache_size":3,"cache_capacity":10000}
{"level":"info","ts":1644499354.000548,"msg":"autosaved config (load with --resume flag)","file":"/config/caddy/autosave.json"}
{"level":"info","ts":1644499354.0006375,"logger":"admin.api","msg":"load complete"}
{"level":"info","ts":1644499354.000823,"logger":"docker-proxy","msg":"Successfully configured","server":"localhost"}
{"level":"info","ts":1644499354.0030348,"logger":"admin","msg":"stopped previous server","address":"tcp/localhost:2019"}
{"level":"info","ts":1644499354.0676877,"logger":"docker-proxy","msg":"Skipping swarm config caddyfiles because swarm is not available"}
{"level":"info","ts":1644499354.0692687,"logger":"docker-proxy","msg":"Skipping swarm services because swarm is not available"}
{"level":"info","ts":1644499384.0679076,"logger":"docker-proxy","msg":"Skipping swarm config caddyfiles because swarm is not available"}
greenpau commented 2 years ago

@samcro1967, "http_port" should be 80 ;-) You can remove the http/s port directives if you are using the default ports.

samcro1967 commented 2 years ago

Ah geez. Sometimes it just takes someone else to find your dumb mistake. Been looking at that Caddyfile for an hour lol. Obviously that got me a little further.

{"level":"debug","ts":1644501041.6167905,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"172.18.0.2"}
{"level":"debug","ts":1644501041.6168334,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"192.168.1.103:52164","identifier":"172.18.0.2","cipher_suites":[47802,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1644501041.6169038,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.1.103:52164: no certificate available for '172.18.0.2'"}
{"level":"debug","ts":1644501041.6179514,"logger":"tls.handshake","msg":"no matching certificates and no custom selection logic","identifier":"172.18.0.2"}
{"level":"debug","ts":1644501041.6180127,"logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"192.168.1.103:52165","identifier":"172.18.0.2","cipher_suites":[2570,4865,4866,4867,49195,49199,49196,49200,52393,52392,49171,49172,156,157,47,53],"cert_cache_fill":0.0003,"load_if_necessary":true,"obtain_if_necessary":true,"on_demand":false}
{"level":"debug","ts":1644501041.618122,"logger":"http.stdlib","msg":"http: TLS handshake error from 192.168.1.103:52165: no certificate available for '172.18.0.2'"}
greenpau commented 2 years ago

@samcro1967, the above set of errors is saying you don't have a cert for the 192.168 address. This is not caddy-security.
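
Both problems in this thread are visible in Caddy's JSON logs before any request is debugged: a server loop on port 80 with `"tls":true` (the swapped `http_port`/`https_port`), and a handshake with an empty `server_name` (a browser connecting to an IP literal sends no SNI) where the fallback `identifier` is the container-side address, which is not among the managed subjects. The following checker is an added example, not code from the caddy-security project; it assumes only the log fields shown in the posts above, and the sample lines are abridged copies of those posts.

```python
"""Flag the two misconfigurations from this thread by scanning Caddy JSON logs."""
import json
from typing import Iterable, List

# Abridged log lines taken from the thread above; timestamps and unused fields dropped.
SAMPLE_LOG = """
{"level":"debug","logger":"http","msg":"starting server loop","address":"[::]:80","http3":false,"tls":true}
{"level":"debug","logger":"http","msg":"starting server loop","address":"[::]:443","http3":false,"tls":false}
{"level":"info","logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.1.106","127.0.0.1","localhost"]}
{"level":"debug","logger":"tls.handshake","msg":"no certificate matching TLS ClientHello","server_name":"","remote":"192.168.1.103:52164","identifier":"172.18.0.2"}
"""


def diagnose(lines: Iterable[str]) -> List[str]:
    """Return human-readable findings for port/TLS mismatches and unserveable handshakes."""
    findings: List[str] = []
    managed = set()  # subjects Caddy manages certificates for, collected as we go
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip fused or truncated lines rather than abort the scan
        msg = rec.get("msg", "")
        if msg == "starting server loop":
            port = rec.get("address", "").rsplit(":", 1)[-1]
            if port == "80" and rec.get("tls"):
                findings.append("port 80 is serving TLS: http_port/https_port look swapped")
            elif port == "443" and not rec.get("tls"):
                findings.append("port 443 is plaintext: http_port/https_port look swapped")
        elif msg == "enabling automatic TLS certificate management":
            managed.update(rec.get("domains", []))
        elif msg == "no certificate matching TLS ClientHello":
            ident = rec.get("identifier", "")
            if not rec.get("server_name"):
                # No SNI: the client used an IP literal, so Caddy fell back to the
                # connection's local address (here the Docker-internal one).
                findings.append(
                    f"handshake from {rec.get('remote')} carried no SNI; "
                    f"Caddy selected certificates by local address {ident}"
                )
            if ident not in managed:
                findings.append(
                    f"no managed certificate for {ident}; managed subjects: {sorted(managed)}"
                )
    return findings
```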

samcro1967 commented 2 years ago

Ok. I thought caddy was able to generate and manage internal certs, but I am not finding anything in a quick search. Not sure I want to mess with generating and managing internal certs for testing purposes. Will probably move testing back to production now that I am further along. Appreciate your help.

greenpau commented 2 years ago

Ok. I thought caddy was able to generate and manage internal certs

@samcro1967 , I maintain my own root and intermediate cert authorities and issue certificates myself.