
ReverseProxy: Multiple BasicAuth queries in succession #6509

Open
Gill-Bates opened this issue Aug 11, 2024 · 1 comment

Comments


Gill-Bates commented Aug 11, 2024

I am running Caddy v2.8.4 as a Reverse Proxy for some Docker Containers. I use Basic Auth to protect their GUIs:

example.com {
        reverse_proxy http://localhost:3007
        encode gzip

        header {
                Strict-Transport-Security max-age=31536000;
        }

        log {
                output file /var/log/caddy/access.log {
                        roll_size 10mb
                }
        }

        basic_auth /* {
                admin $2a$*******£
        }
}

Let's Encrypt takes care of the TLS stuff. ssllabs.com attests an A+ for a correct implementation.

I now have the problem that I am repeatedly asked for the password when I access the website. The password is hashed correctly. Somehow it looks to me as if the Authorization header is not being passed on correctly to Docker.

{"level":"info","ts":1723369504.0853302,"logger":"http.log.access.log6","msg":"handled request","request":{"remote_ip":"89.******","remote_port":"17014","client_ip":"89.******","proto":"HTTP/1.1","method":"GET","host":"example.com","uri":"/socket.io/?EIO=4&transport=websocket&sid=-s92Aa5quf4tyBA6AAAE","headers":{"Pragma":["no-cache"],"Sec-Websocket-Version":["13"],"Cache-Control":["no-cache"],"Accept-Language":["de-DE,de;q=0.9"],"Upgrade":["websocket"],"Accept":["*/*"],"Origin":["https://example..com"],"Connection":["Upgrade"],"Accept-Encoding":["gzip, deflate"],"Sec-Fetch-Dest":["websocket"],"Sec-Websocket-Key":["sREJvB/BDDaprjbIIT0gkQ=="],"Sec-Fetch-Site":["same-origin"],"Sec-Websocket-Extensions":["permessage-deflate"],"Sec-Fetch-Mode":["websocket"],"User-Agent":["Mozilla/5.0 (iPhone; CPU iPhone OS 17_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Mobile/15E148 Safari/604.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"http/1.1","server_name":"example.com"}},"bytes_read":0,"user_id":"","duration":0.000064317,"size":0,"status":401,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"],"Strict-Transport-Security":["max-age=31536000;"],"Www-Authenticate":["Basic realm=\"restricted\""]}}
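To check a symptom like this from the access log rather than by hand, the following added example (not part of the issue, not Caddy's own code) parses lines in the JSON schema shown above and counts, per path, how often the proxy answered with a 401 challenge versus a request that carried an authenticated user_id. It relies on status, user_id and Www-Authenticate because the Authorization header itself is not present in the log; the sample lines are constructed.

```python
"""Summarise basic_auth challenges in Caddy JSON access logs (added example)."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Caddy's JSON access-log format, abridged to the
# fields this script reads: request.uri, request.headers, status, user_id,
# resp_headers. Two websocket upgrade requests are challenged repeatedly.
SAMPLE_LOG = r"""
{"level":"info","msg":"handled request","request":{"method":"GET","host":"example.com","uri":"/","headers":{}},"user_id":"admin","status":200,"resp_headers":{"Server":["Caddy"]}}
{"level":"info","msg":"handled request","request":{"method":"GET","host":"example.com","uri":"/socket.io/?EIO=4&transport=websocket","headers":{"Upgrade":["websocket"]}},"user_id":"","status":401,"resp_headers":{"Www-Authenticate":["Basic realm=\"restricted\""]}}
{"level":"info","msg":"handled request","request":{"method":"GET","host":"example.com","uri":"/socket.io/?EIO=4&transport=websocket","headers":{"Upgrade":["websocket"]}},"user_id":"","status":401,"resp_headers":{"Www-Authenticate":["Basic realm=\"restricted\""]}}
{"level":"info","msg":"handled request","request":{"method":"GET","host":"example.com","uri":"/api/status","headers":{}},"user_id":"admin","status":200,"resp_headers":{}}
"""


def summarize_auth(log_text):
    """Return {path: {"challenged": n, "authenticated": n, "upgrade": bool}}."""
    summary = defaultdict(lambda: {"challenged": 0, "authenticated": 0, "upgrade": False})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("msg") != "handled request":
            continue  # skip non-access entries (TLS, admin, etc.)
        req = entry["request"]
        path = urlsplit(req.get("uri", "")).path or "/"  # drop the query string
        row = summary[path]
        # A 401 carrying Www-Authenticate is the proxy asking for credentials.
        # The Authorization request header is stripped from the log, so the
        # only evidence of a successful login is a non-empty user_id.
        challenged = entry.get("status") == 401 and "Www-Authenticate" in entry.get("resp_headers", {})
        if challenged:
            row["challenged"] += 1
        elif entry.get("user_id"):
            row["authenticated"] += 1
        if "Upgrade" in req.get("headers", {}):
            row["upgrade"] = True  # websocket handshakes are challenged like any other request
    return dict(summary)


def repeated_challenges(summary):
    """Paths that were challenged more than once and never served an authenticated user."""
    return sorted(p for p, r in summary.items() if r["challenged"] > 1 and r["authenticated"] == 0)


if __name__ == "__main__":
    for path, row in summarize_auth(SAMPLE_LOG).items():
        print(f"{path:20} challenged={row['challenged']} authenticated={row['authenticated']} upgrade={row['upgrade']}")
    print("repeatedly challenged:", repeated_challenges(summarize_auth(SAMPLE_LOG)))
```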

@francislavoie
Member

We remove the Authorization header from access logs. See https://caddyserver.com/docs/caddyfile/options#log-credentials
