
reauth

Another authentication plugin for CaddyServer (v1)

For CaddyServer v2, please see caddy2-reauth.

Abstract

Provides a common basis for various and multiple authentication systems. This came to be as we wanted to dynamically authenticate our docker registry against gitlab-ci and avoid storing credentials in gitlab while still permitting users to log in with their own credentials.

Supported backends

The following backends are supported (each is described in its own section below).

  • Simple
  • Upstream
  • Refresh
  • GitlabCI
  • LDAP

With more to come...

Supported failure handlers

The following failure handlers are supported (each is described in its own section below).

  • HTTPBasic
  • Redirect
  • Status

Configuration

The core of the plugin supports the following arguments:

Parameter-Name Description
path the path to protect, may be repeated but be aware of strange interactions with except (required)
except sub path to permit unrestricted access to (optional, can be repeated)
failure what to do on failure (see failure handlers, default is HTTPBasic)

Example:

	reauth {
		path /
		except /public
		except /not_so_secret
	}

Along with these core arguments you are required to specify at least one backend.

Spaces in configuration

Through experimentation by @mh720 (Mike Holloway) it has been discovered that, if you need spaces in your configuration, the best bet is to use unicode escaping.

For example:

OU=GROUP\u0020NAME

I imagine this would allow you to escape any character you need this way including quotes.

Backends

Simple

This is the simplest plugin, taking just a list of username=password[,username=password].

Example:

	simple user1=password1,user2=password2

Upstream

Authentication against an upstream HTTP server by performing an HTTP basic-authenticated request and checking the response for an HTTP 200 OK status code. Any status code other than 200 OK results in a failure to authenticate.

Parameters for this backend:

Parameter-Name Description
url http/https url to call
skipverify true to ignore TLS errors (optional, false by default)
timeout request timeout (optional 1m by default, go duration syntax is supported)
follow follow redirects (disabled by default as redirecting to a login page might cause a 200)
cookies true to pass cookies to the upstream server
match used with follow; the string is matched against the redirect URL, and if it is found the user is treated as not logged in

Examples

	upstream url=https://google.com,skipverify=true,timeout=5s
	upstream url=https://google.com,skipverify=true,timeout=5s,follow=true,match=login
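To make the follow/match semantics concrete, here is an added Go example (written for this page, not the plugin's own code) of an upstream check: one basic-auth request, 200 OK means success, redirects are not followed by default, and with follow=true a redirect whose target contains the match string ends the check as "not logged in". The UpstreamConfig type and the demo server are constructed for this example; the demo server's /login page deliberately answers 200 to show why follow defaults to off.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// UpstreamConfig mirrors the upstream backend parameters documented above
// (hypothetical type written for this example, not the plugin's own code).
type UpstreamConfig struct {
	URL        string
	SkipVerify bool
	Timeout    time.Duration
	Follow     bool
	Match      string
}

// NewUpstream builds a config with the 5s timeout used in the README examples.
func NewUpstream(url string, follow bool, match string) UpstreamConfig {
	return UpstreamConfig{URL: url, Timeout: 5 * time.Second, Follow: follow, Match: match}
}

// Authenticate sends one HTTP basic-auth request to the upstream and reports
// whether it answered 200 OK; any other status or a transport error is a failure.
func (c UpstreamConfig) Authenticate(username, password string) (bool, error) {
	client := &http.Client{Timeout: c.Timeout, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: c.SkipVerify}, // skipverify=true
	}}
	switch {
	case !c.Follow:
		// follow=false (the default): stop at the first response, so a 302 to a
		// login page is judged as a 302, not as the login page's own 200.
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		}
	case c.Match != "":
		// follow=true with match: as soon as a redirect target contains the
		// match string, keep the redirect response itself (so it is not 200).
		client.CheckRedirect = func(req *http.Request, via []*http.Request) error {
			if strings.Contains(req.URL.String(), c.Match) {
				return http.ErrUseLastResponse
			}
			return nil
		}
	}
	req, err := http.NewRequest(http.MethodGet, c.URL, nil)
	if err != nil {
		return false, err
	}
	req.SetBasicAuth(username, password)
	resp, err := client.Do(req)
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

// newDemoServer is a constructed stand-in for the upstream: valid basic-auth
// credentials get 200, anything else is redirected to /login, and /login itself
// renders with 200 (exactly the situation follow=false guards against).
func newDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "please log in")
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if u, p, ok := r.BasicAuth(); ok && u == "alice" && p == "s3cret" {
			fmt.Fprintln(w, "welcome")
			return
		}
		http.Redirect(w, r, "/login", http.StatusFound)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := newDemoServer()
	defer srv.Close()
	cases := []struct {
		name, user, pass string
		follow           bool
		match            string
	}{
		{"good creds, follow=false", "alice", "s3cret", false, ""},
		{"bad creds, follow=false", "alice", "nope", false, ""},
		{"bad creds, follow=true, match=login", "alice", "nope", true, "login"},
		{"bad creds, follow=true, no match (pitfall)", "alice", "nope", true, ""},
	}
	for _, tc := range cases {
		ok, err := NewUpstream(srv.URL+"/", tc.follow, tc.match).Authenticate(tc.user, tc.pass)
		fmt.Printf("%-45s authenticated=%v err=%v\n", tc.name, ok, err)
	}
}
```

The last case is the pitfall the README warns about: with follow=true and no match, the client follows the 302 to the login page, which answers 200, and bad credentials are reported as authenticated.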

Refresh

Authentication with a refresh token against configurable endpoints, with response caching and cache entry expiration times. If the failure conditions in the configuration file are met a 401 is returned; otherwise the result is successful. This module is designed to be used with the caddy-secrets plugin: a YAML file with a reauth object containing an endpoints array holds the configuration for the endpoints and for how they work together as an auth service.

Parameters for this backend:

Parameter-Name Description
url http/https url to call
skipverify true to ignore TLS errors (optional, false by default)
timeout request timeout (optional 1m by default, go duration syntax is supported)
follow follow redirects (disabled by default as redirecting to a login page might cause a 200)
cookies true to pass cookies to the upstream server
limit int to set response size limit for endpoint requests (default 1000)
lifetime time interval that a file cached by this module will remain valid (default 3 hours)
cleaninterval time interval to clean cache of expired entries (default 1 second)

Examples

  • Caddyfile
	refresh url=https://example.com,skipverify=true,timeout=5s,lifetime=3h,cleaninterval=1s,limit=1000
  • Secrets file
reauth:
  client_authorization: 1                             # authorization flag (required) - 0/1 whether to check for Authorization header, 2 will throw 500 if missing
                                                      # Authorization access token stored in 'ResultsMap' under 'client_token' key
  endpoints:                                          # endpoints array (required)
    - name: refresh                                   # endpoint of name 'refresh' (required)
      url: null
      path: "/access_token"
      method: POST                                    # auth request method (required) - at the moment only POST and GET are handled (value must be in caps)
      data:                                           # data array (required)
        - key: grant_type
          value: refresh_token
        - key: refresh_token                          # object with 'refresh_token' key (required)
          value: <refresh token to get access token>  # value (required) - holds actual refresh token to request access token with
      cachekey: refresh_token
      headers:
        - key: Content-Type
          value: "application/x-www-form-urlencoded"
      skipverify: true
      cookies: true
      responsekey: jwt_token
      failures:
        - validation: equality                        # there are 3 types of validation; 'equality' will have auth fail if the
          key: message                                # response body value under the failure object key equals the failure object value
          value: Forbidden
          valuemessage: false
          message: "Refresh access token failed"
                                                      # access token is stored in 'ResultsMap' under 'refresh' key

    - name: security_context                          # endpoint responses get stored in 'ResultsMap' under the name of the endpoint
      url: https://different.example.com              # url value should be set if endpoint uses different url than one in Caddyfile
      path: "/security_context"                       # path is concatenated after url for request
      method: GET                                     # request method, GET will put data params in query, POST will encode form
      data:                                           # data needed for request
        - key: access_token
          value: "{client_token}"                     # surrounding keys with {}'s will have them replaced by values in 'ResultsMap'
      cachekey: client_token                          # cache entry key
      headers:                                        # keys and values to set on endpoint request headers
        - key: Authorization
          value: "Bearer {refresh}"                   # surrounding keys with {}'s will have them replaced by values in 'ResultsMap'
      skipverify: true                                # whether endpoint request should use Caddyfile skipverify configuration
      cookies: true                                   # whether endpoint request should use Caddyfile cookies configuration
      responsekey: null                               # if set, the key will be used to pull value from endpoint response
      failures:
        - validation: presence                        # 'presence' validation will have auth fail if response body has failure object key
          key: error
          value: ~
          valuemessage: true                          # if valuemessage bool is true, response object value under failure object key
          message: "Security context error: "         # is concatenated to failure message
        - validation: status                          # 'status' validation will have auth fail if endpoint response status
          key: ~                                      # matches failure object value
          value: 401
          valuemessage: false
          message: "Security context unauthorized"
  resultkey: security_context                         # last endpoint response stored in 'ResultsMap' is passed down caddy filter chain
                                                      # in a query param with the key named after 'resultkey' value
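The {key} substitution from 'ResultsMap' and the three failure validations (equality, presence, status, with valuemessage) described in the secrets file above, as an added Go example; the Failure type, the function names and the endpoint responses are constructed for this example and are not the plugin's implementation.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Failure mirrors one entry of an endpoint's "failures" list in the secrets
// file above (hypothetical type, not the plugin's own code).
type Failure struct {
	Validation   string      // "equality", "presence" or "status"
	Key          string      // response body key the rule looks at
	Value        interface{} // comparison value (string for equality, int for status)
	ValueMessage bool        // append the body value under Key to Message
	Message      string
}

// Expand replaces every {name} in s with results[name], the substitution the
// README applies to data values and headers such as "Bearer {refresh}".
func Expand(s string, results map[string]string) string {
	for name, val := range results {
		s = strings.ReplaceAll(s, "{"+name+"}", val)
	}
	return s
}

// Evaluate applies the failure rules to an endpoint response. It returns
// ok=false and the failure message for the first rule that matches, or
// ok=true when none does (the README's "otherwise result will be successful").
func Evaluate(status int, body []byte, failures []Failure) (msg string, ok bool) {
	var fields map[string]interface{}
	// A body that is not a JSON object simply has no keys to match on.
	_ = json.Unmarshal(body, &fields)
	for _, f := range failures {
		got, present := fields[f.Key]
		var failed bool
		switch f.Validation {
		case "equality": // fail if body[key] equals the configured value
			failed = present && fmt.Sprint(got) == fmt.Sprint(f.Value)
		case "presence": // fail if the key exists at all, whatever its value
			failed = present
		case "status": // fail if the HTTP status equals the configured value
			failed = fmt.Sprint(status) == fmt.Sprint(f.Value)
		}
		if failed {
			m := f.Message
			if f.ValueMessage && present {
				m += fmt.Sprint(got) // valuemessage: true
			}
			return m, false
		}
	}
	return "", true
}

// securityContextFailures are the two rules of the security_context endpoint
// in the secrets file above.
var securityContextFailures = []Failure{
	{Validation: "presence", Key: "error", ValueMessage: true, Message: "Security context error: "},
	{Validation: "status", Value: 401, Message: "Security context unauthorized"},
}

func main() {
	// Constructed ResultsMap contents: the client token and the refresh step's result.
	results := map[string]string{"client_token": "ct-123", "refresh": "at-456"}
	fmt.Println(Expand("Bearer {refresh}", results))
	fmt.Println(Expand("{client_token}", results))

	// Constructed security_context responses for the three possible outcomes.
	for _, c := range []struct {
		status int
		body   string
	}{
		{200, `{"error":"token expired"}`},
		{401, `{"message":"nope"}`},
		{200, `{"user":"alice","roles":["admin"]}`},
	} {
		msg, ok := Evaluate(c.status, []byte(c.body), securityContextFailures)
		fmt.Printf("status=%d body=%s -> ok=%v msg=%q\n", c.status, c.body, ok, msg)
	}
}
```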

GitlabCI

Authenticate against Gitlab as the gitlab-ci-user for the purposes of letting gitlab-ci access otherwise protected resources without storing credentials in gitlab or gitlab-ci.yml. Works basically like the Upstream backend, except that the username you provide is the project path.

Parameters for this backend:

Parameter-Name Description
url http/https url to call
skipverify true to ignore TLS errors (optional, false by default)
timeout request timeout (optional 1m by default, go duration syntax is supported)

Example

	gitlabci url=https://gitlab.example.com,skipverify=true,timeout=5s

Example of logging in via gitlab-ci.yml

	docker login docker.example.com -u "$CI_PROJECT_PATH" -p "$CI_BUILD_TOKEN"

LDAP

Authenticate against a specified LDAP server - for example a Microsoft AD server.

Parameters for this backend:

Parameter-Name Description
url url, required - e.g. ldap://ldap.example.com:389
tls should StartTLS be used? (default false)
username (read-only) bind username - e.g. ldap-auth
password the password for the bind username
insecure true to ignore TLS errors (optional, false by default)
timeout request timeout (optional 1m by default, go duration syntax is supported)
base Search base, for example "OU=Users,OU=Company,DC=example,DC=com"
filter Filter the users, eg "(&(memberOf=CN=group,OU=Users,OU=Company,DC=example,DC=com)(objectClass=user)(sAMAccountName=%s))"
principal_suffix suffix to append to usernames (eg: @example.com)
pool_size size of the connection pool, default is 10

Example

	ldap url=ldap://ldap.example.com:389,timeout=5s,base="OU=Users,OU=Company,DC=example,DC=com",filter="(&(memberOf=CN=group,OU=Users,OU=Company,DC=example,DC=com)(objectClass=user)(sAMAccountName=%s))"
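The LDAP backend line above packs quoted, comma-containing values such as base and filter into one argument string, the "Spaces in configuration" section relies on \u0020 escapes, and the filter receives the login name through %s. As an added Go example (not the plugin's parser or LDAP code), this parses such an argument string, decodes the \uXXXX escapes, and escapes the username per RFC 4515 before substituting it into the filter so that characters like * or ) in a login name cannot change the filter's structure. ParseArgs, UnescapeUnicode, EscapeFilterValue and BuildFilter are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// ParseArgs splits a backend argument string such as
//   url=ldap://host:389,timeout=5s,base="OU=Users,DC=example,DC=com"
// into key/value pairs. Commas inside double quotes belong to the value and
// the quotes are stripped (hypothetical parser, not the plugin's own code).
func ParseArgs(s string) (map[string]string, error) {
	out := map[string]string{}
	var key, val strings.Builder
	inKey, quoted := true, false
	flush := func() error {
		if key.Len() == 0 {
			return fmt.Errorf("missing key in %q", s)
		}
		out[key.String()] = val.String()
		key.Reset()
		val.Reset()
		inKey = true
		return nil
	}
	for _, r := range s {
		switch {
		case inKey && r == '=':
			inKey = false
		case inKey:
			key.WriteRune(r)
		case r == '"':
			quoted = !quoted // quotes delimit a value; they are not part of it
		case r == ',' && !quoted:
			if err := flush(); err != nil {
				return nil, err
			}
		default:
			val.WriteRune(r)
		}
	}
	if quoted {
		return nil, fmt.Errorf("unterminated quote in %q", s)
	}
	if err := flush(); err != nil {
		return nil, err
	}
	return out, nil
}

var unicodeEscape = regexp.MustCompile(`\\u([0-9a-fA-F]{4})`)

// UnescapeUnicode decodes \uXXXX sequences, the workaround the README gives
// for spaces: "OU=GROUP\u0020NAME" becomes "OU=GROUP NAME".
func UnescapeUnicode(s string) string {
	return unicodeEscape.ReplaceAllStringFunc(s, func(m string) string {
		code, _ := strconv.ParseUint(m[2:], 16, 32)
		return string(rune(code))
	})
}

// EscapeFilterValue applies RFC 4515 escaping so a username substituted into
// the configured filter is matched literally and cannot alter the filter.
func EscapeFilterValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, `\%02x`, c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// BuildFilter fills the %s in the configured filter with the escaped username.
func BuildFilter(filter, username string) string {
	return strings.ReplaceAll(filter, "%s", EscapeFilterValue(username))
}

func main() {
	// The README's LDAP example, with the group name carrying a \u0020 space (constructed).
	args, err := ParseArgs(`url=ldap://ldap.example.com:389,timeout=5s,base="OU=Users,OU=Company,DC=example,DC=com",filter="(&(memberOf=CN=GROUP\u0020NAME,OU=Users,OU=Company,DC=example,DC=com)(objectClass=user)(sAMAccountName=%s))"`)
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"url", "timeout", "base", "filter"} {
		fmt.Printf("%-8s %s\n", k, UnescapeUnicode(args[k]))
	}
	for _, user := range []string{"jdoe", "ad*min", "j)doe"} {
		fmt.Println(BuildFilter(UnescapeUnicode(args["filter"]), user))
	}
}
```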

Failure handlers

HTTPBasic

This is the default failure handler and is by default configured to send the requested host as the realm.

Parameters for this handler:

Parameter-Name Description
realm name of the realm to authenticate against - defaults to host

Example

	failure basicauth realm=example.org

Redirect

Redirect the user, perhaps to a login page?

Parameters for this handler:

Parameter-Name Description
target target url for the redirection, supports {uri} for redirection (required)
code the http status code to use, defaults to 302

Example

	failure redirect target=example.org,code=303

Example with uri

	failure redirect target=/auth?redir={uri},code=303

Status

Simplest possible failure handler, return http status $code

Parameters for this handler:

Parameter-Name Description
code the http status code to use, defaults to 401

Example

	failure status code=418

Todo

Modularise the failure handlers...

Other notes


caddy-reauth's Issues

Build error (bigcache)

Hi

It seems that I cannot build caddy-reauth anymore due to the following error:

freman/caddy-reauth/backends/refresh/auth.go:393:23: undefined: bigcache.EntryNotFoundError

Did some dependency change?

Greetings,
Valen

wrong number of arguments for ldap

I am attempting LDAP configuration.

My config looks similar to this one.

reauth {
    path /
    ldap {"host":"ldap.jumpcloud.com","port":636,"ldaps":true,"tls":false,"timeout":"5s","bindUsername":"xxx","bindPassword":"xxx","base":"ou=Users,o=xxx,dc=jumpcloud,dc=com","filter":"(&(objectClass=inetOrgPerson)(uid=%s))"}
}

When validating the config, I get:

# caddy -validate -conf /etc/caddy/Caddyfile
2019/11/11 09:47:56 wrong number of arguments for ldap:   [{"host":"ldap.jumpcloud.com" ...

LDAP authentication crash

Using the LDAP backend on one proof-of-concept HTTP request works, but as soon as I protect a real-world web application with multiple resources accessed at the same time, there is crash:

04/Jul/2018:16:37:09 +0000 [ERROR 500 /lib/jquery-2.2.4.min.js] bind with "uid=jbq,ou=Users,o=xxx,dc=jumpcloud,dc=com": unable to read LDAP response packet: unexpected EOF
172.18.0.2 - - [04/Jul/2018:16:37:09 +0000] "GET /lib/jquery-2.2.4.min.js HTTP/1.1" 500 26
04/Jul/2018:16:37:09 +0000 [PANIC /css/bootstrap-toggle-2.2.2.min.css] /go/src/gopkg.in/ldap.v2/conn.go:172 - runtime error: invalid memory address or nil pointer dereference
172.18.0.2 - - [04/Jul/2018:16:37:09 +0000] "GET /css/bootstrap-toggle-2.2.2.min.css HTTP/1.1" 500 26

Looks like the LDAP backend is not able to handle multiple requests at the same time.

Allow local clients to ignore upstream parameter and continue as normal

I like using my domain for shorthand within my network (plex.[domain].com) rather than type out IPs when configuring clients that interconnect so that changes in address structure don't break configurations.

Is there a way to allow a client to access the proxy even if the upstream check fails?

sonarr.domain.com:443 {
        reauth {
                path /
                ignore localclients #or something
                failure redirect target=https://organizr.domain.com/
                upstream url=https://organizr.domain.com/auth.php?user,cookies=true
        }
        proxy / 10.0.0.110 { transparent websocket }
}

Using reauth with proxy

I'm trying to serve an application via proxy (in this case Kibana, but a similar use case is Django, Flask, or Rails). I'm relatively new to Caddy, so I could have some basic misunderstanding of the config as well.

I have static files stored under /srv/app/static that I would like protected by a reauth upstream authorization. To the user, it would appear that all the pages are protected by the application's login screen. Since it's all hosted on the same host endpoint, auth cookies will be passed, etc.

Here's my current config (I'm running this in docker):

0.0.0.0 {
    proxy / kibana:5601 {
        except /app/static
    }

    reauth {
        path /app/static
        upstream url=http://kibana:5601/app/kibana,cookies=true
        failure redirect target=/login?next={uri}
    }

    root /srv
    log stdout
    errors stdout
}

When I browse to localhost:2015, Kibana correctly picks up the request via the proxy block above. When I am not authenticated, I get redirected to the Kibana login page (/login?next=%2F). However, when I browse to localhost:2015/app/static, I get a status 500. I can see in the logs that Kibana is in fact receiving the auth request from Caddy.

proxy_1          | 22/May/2019:14:39:47 +0000 [ERROR 500 /app/static/] Get /login?next=%2Fapp%2Fkibana: follow redirects disabled
proxy_1          | 172.22.0.1 - - [22/May/2019:14:39:47 +0000] "GET /app/static/ HTTP/1.1" 500 26
kibana_1         | {"type":"response","@timestamp":"2019-05-22T14:39:47Z","tags":[],"pid":1,"method":"get","statusCode":302,"req":{"url":"/app/kibana","method":"get","headers":{"host":"kibana:5601","user-agent":"Go-http-client/1.1","accept-encoding":"gzip"},"remoteAddress":"172.22.0.2","userAgent":"172.22.0.2"},"res":{"statusCode":302,"responseTime":5,"contentLength":9},"message":"GET /app/kibana 302 5ms - 9.0B"}

However, if I am already authenticated to Kibana, it places a cookie called sid (by default).

I saw the error follow redirects disabled in the unauthenticated example, and so I thought maybe I need to apply redirects to the upstream backend. The problem here is that Kibana provides a redirect 302, and the login page /login sends a 200.

What am I doing wrong and/or how can I get more info?

Side note, my first attempt to do this was the following. I kept getting the 500 and was getting frustrated thinking I was doing something wrong. After doing the analysis above, I think the logic is effectively the same. The config below is nicer since I don't have to create an arbitrary dir structure in the root to support the URI subpath.

0.0.0.0 {
    proxy / kibana:5601 {
        except /app/static
    }
   log stdout
   errors stdout
}
0.0.0.0/app/static {
    reauth {
        path /app/static
        upstream url=http://kibana:5601/app/kibana,cookies=true
        failure redirect target=/login?next={uri}
    }

    root /srv
    log stdout
    errors stdout
}

Invalid Credentials - ldap username with CN

I am setting the value of username in LDAP configuration as user's CN. There are a number of systems (e.g. Grafana, Apache Airflow) requiring a CN, as opposed to samAccountName

username="CN=WebAdmin,OU=Management\u0020Accounts,,DC=CONTOSO,DC=COM"

In the error log, I see the username being truncated:

bind with "username=\"CN=WebAdmin": LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580

Is it a feature request?

cookie based auth on subdomain

It's me again from #1

I have been using your plugin successfully for sub directories as we discussed. Now I would like to try to apply it to a subdomain and the syntax is kicking my butt.

This is what I have currently. I have tried it a few different ways but the below is the longest form of what was attempted, so everything is there. I know it's just going to be a syntax error, I just don't know what it might be.

sonarr.domain.com {

	proxy / 127.0.0.1:8989 {
		transparent
	}
	
	proxy /auth-admin https://domain.com/Organizr/auth.php?admin
	proxy /auth-user https://domain.com/Organizr/auth.php?user
	reauth {
		path /
		failure redirect target=https://domain.com/organizr
		upstream url=https://domain.com/organizr/auth-admin,cookies=true
	}
}

edit* when i click on the link it always redirects no matter what. If i pull the reauth block though it loads as expected.

Failing to Build

This plugin is failing to build on the v1.0.4 download page: https://caddyserver.com/v1/download Can you take a look and see why?

I tried to build manually, I use Windows so I downloaded Go for Windows 64bit. Perhaps I didn't get the go file right... It downloads the package, but doesn't spit out a useful error message. This output is after successfully building caddy without reauth. I just added the "github.com/freman/caddy-reauth" to the import directive and ran go install again.

C:\Users\xxxxx\go\src\caddy>go install
go: finding github.com/freman/caddy-reauth latest
go: extracting github.com/freman/caddy-reauth v0.0.0-20191025011741-deaa60e56872
# caddy
.\caddy.go:5:2: imported and not used: "github.com/freman/caddy-reauth" as reauth

Contents of caddy.go

package main

import (
	"github.com/caddyserver/caddy/caddy/caddymain"
	"github.com/freman/caddy-reauth"
	
	// plug in plugins here, for example:
	// _ "import/path/here"
)

func main() {
	// optional: disable telemetry
	// caddymain.EnableTelemetry = false
	caddymain.Run()
}

[ldap] Trying to log in without password yields error 500

Maybe related to #19

The browser now correctly asks for a new password if it is wrong or the user does not exist.

The only times it now yields an 500 (without change to rectify the situation) is when you enter a user that exists and enter no password.

Greetings,
Valen

Caddy's import path has changed

Caddy's import path (and Go module name) has changed from

github.com/mholt/caddy

to

github.com/caddyserver/caddy

Unfortunately, Go modules are not yet mature enough to handle a change like this (see https://golang.org/issue/26904 - "haven't implemented that part yet" but high on priority list for Go 1.14) which caught me off-guard. Using Go module's replace feature didn't act the way I expected, either. Caddy now fails to build with plugins until they update their import paths.

I've hacked a fix into the build server, so downloading Caddy with your plugin from our website should continue working without any changes on your part, for now. However, please take a moment and update your import paths, and do a new deploy on the website, because the workaround involves ignoring module checksums and performing a delicate recursive search-and-replace.

I'm terribly sorry about this. I did a number of tests and dry-runs to ensure the change would be smooth, but apparently some unknown combination of GOPATH, Go modules' lack of maturity, and other hidden variables in the system or environment must have covered up something I missed.

This bash script should make it easy (run it from your project's top-level directory):

find . -name '*.go' | while read -r f; do
	sed -i.bak 's/\/mholt\/caddy/\/caddyserver\/caddy/g' $f && rm $f.bak
done

We use this script in the build server as part of the temporary workaround.

Let me know if you have any questions! Sorry again for the inconvenience.

LDAP?

Would it maybe be possible to authenticate against an LDAP source?

First Question! Local PHP Auth

I am trying to use your plugin to authenticate against Organizr. The linked example is NGINX but i have been using Caddy so i posted on their community and was directed to your plug in.

So I have tried a few different ways so far.

I have tried reauth inside and outside of the proxy for /sonarr.

This is the segments of my caddy file regarding reauth

proxy /auth-admin /Organizr/auth.php?admin

reauth {
	path /sonarr
	upstream url=https://my-domain.com/auth-admin
}

proxy /sonarr 127.0.0.1:8989 {          # https://sonarr.tv/
	transparent
}

i have tried to do the url a few different ways as well as tried to just give reauth a relative path directly to the relevant php file. If i could just point to path=/Organizr/auth.php?admin instead of url= i might be able to get it going but don't know if that's a thing.

What i'm getting now is an http auth pop up but since i have not set a simple= statement there is no valid user=pass that will work.

any recommendations on how to get the plugin to point to the correct place and get the expected returns?

Error specifying LDAP timeout

Hi, I try to setup reauth with LDAP backend following the example at: https://github.com/freman/caddy-reauth#ldap

I can't figure out how to specify the LDAP timeout, the example mentions "timeout":"5s" but this value is not recognized.

Here is my Caddyfile:

0.0.0.0

browse

log stdout

errors stdout

reauth {
    path /
    ldap {"host":"ldap.jumpcloud.com","port":636,"ldaps":true,"tls":false,"timeout":"5s","bindUsername":"xxx","bindPassword":"xxx","base":"ou=Users,o=xxx,dc=jumpcloud,dc=com","filter":"(&(objectClass=inetOrgPerson)(uid=%s))"}
}

Here is the caddy error log:

2018/07/04 12:24:23 json: cannot unmarshal string into Go struct field LDAP.timeout of type time.Duration for ldap (/etc/Caddyfile:11)

Support placeholders in failure redirect

Hey there,

I'm using reauth with a custom LDAP authenticator.

I would like to redirect the user to the URL they originally tried to access after the authentication.
The method I tried is to add the request URI to the redirect using a placeholder, which unfortunately doesn't seem to be supported by reauth.

This is what I'm trying to do:

reauth {
  path /
  except /auth
  failure redirect target=/auth/?redir={uri}
  upstream url=https://example.org/caddy.php,cookies=true
}

Unfortunately, {uri} is not replaced by the value behind it but left as-is.
I'm open to alternative solutions of course :)

For clarification: The authenticator starts a PHP session, sets a server-side variable marking the session as authenticated and sets a cookie with the session ID. The upstream URL verifies the session and returns 200 when authenticated, 401 if not.

This works great, but a user accessing http://example.org/somefolder/ is redirected to /auth/, which doesn't know where the user originally tried to go.

Thanks for this really useful plugin!

Best,
kenny

unable to connect to Ldap

I am trying to enable reauth on my existing application.

Error: 06/Nov/2019:13:13:53 +0000 [ERROR 500 /login] Get http://localhost:5650: net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x01\x00\x02\x02"

my Caddyfile

kibana-test.xxx.io:5000 {
tls /root/config/star_tajawal_io.crt /root/config/XXXX-io-sub-domain-private-key.pem
#basicauth / kibana-test kibana-test
jwt {
path /
redirect /login
}
reauth {
path /
upstream url=http://localhost:5650
ldap url=ldap://prod-devops-freeipa-ldap-public-xxxx.eu-west-1.elb.amazonaws.com:389,timeout=5s,username=qa.xxx,password=xxxx,base="OU=Users,OU=tajawal,DC=tajawal,DC=io"
}
log stdout
errors visible
}

I am running it in a container.

Logs from Caddy:

$ sudo docker-compose up
Starting caddy_kibana_test ... done
Attaching to caddy_kibana_test
caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Successfully loaded TLS assets from /root/config/star_tajawal_io.crt and /root/config/xxxx-io-sub-domain-private-key.pem
caddy_kibana_test | Activating privacy features... done.
caddy_kibana_test | JWT middleware is initiated
caddy_kibana_test |
caddy_kibana_test | Serving HTTPS on port 5000
caddy_kibana_test | https://kibana-test.XXXX.io:5000
caddy_kibana_test |
caddy_kibana_test | 2019/11/06 13:13:47 [INFO] Serving https://kibana-test.xxxx.io:5000
caddy_kibana_test | 2019/11/06 13:13:47 [INFO][cache:0xc000186f00] Started certificate maintenance routine
caddy_kibana_test | 2019/11/06 13:13:47 [NOTICE] Sending telemetry: we were too early; waiting 19h27m31.015992392s before trying again
caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /login HTTP/2.0" 500 172
caddy_kibana_test | 5.195.224.30 - - [06/Nov/2019:13:13:49 +0000] "GET /favicon.ico HTTP/2.0" 500 178
caddy_kibana_test | 5.19

Please advise @freman

Not functioning as expected with Organizr

I'm sure that I just have something setup wrong, but can't figure out what that may be. I am using this to allow access to subdirectories through organizr but it seems to just be opening another instance of organizr instead of proxying to the correct subdirectory. If I disable the path for the subdirectory it loads as expected.

Everything is running in Docker.

This is what I'm experiencing
organizr

here's my Caddyfile

####################################################################################
# Snippets
####################################################################################
 
####### Snippet 1 #######
 
(mycommon) {
  ext .html .htm .php
  root /srv           # Change path syntax for your OS or your preferred location!
  gzip
 
  header / {
    X-Content-Type-Options nosniff
    X-XSS-Protection "1; mode=block"
    Strict-Transport-Security "max-age=31536000;"
  }
}

####### Snippet 2 #######
 
(mylocations) {

   # This code allows your browser/server to look at Organizr and verify if the currently logged in user's status is 
   # admin, user, or neither. This is based on assigned group in Organizer's "Manage users" tab
   # Admin allows users to see Admin, User, and guest pages
   # User allows a user to see User and Guest pages. 
   # Guest pages should not be assigned to either of these options.
   # each page should only be present in ONE of the blocks if auth is required.

	proxy /auth-admin https://domain.com/organizr/auth.php?admin
	proxy /auth-user https://domain.com/organizr/auth.php?user
	
   # this is where the protection happens. there is one call for users and one for admins
	
  reauth {
	path /sonarr
	path /radarr
	path /lidarr
	path /mylar
	path /lazy
	path /nzbget
	path /hydra2
	path /pihole
	
    # if someone is not authorized for a page, send them here instead of allowing them through to the intended page
	
	failure redirect target=https://domain.com/organizr/
	
	# The above listed directories with be pretected from anyone not listed in Organizr as an Admin  
	
	upstream url=https://domain.com/organizr/auth-admin,cookies=true  
	}
	
    # This bracket does the same as the above annotated bracket but the minimum required group is User
  
  reauth {
	path /tautulli
	
	failure redirect target=https://domain.com/organizr/
	
	upstream url=https://domain.com/organizr/auth-user,cookies=true
	}


	
  proxy /organizr 172.10.0.12:80 {			#https://organizr.us/
	without /organizr
	transparent
	}

  proxy /radarr 172.10.0.4:7878 {            # https://radarr.video/
    transparent
    }
   
  proxy /sonarr 172.10.0.5:8989 {          # https://sonarr.tv/
    transparent
    }

  proxy /lidarr 172.10.0.6:8686 {			# https://github.com/lidarr/Lidarr
    transparent
    }

  proxy /mylar 172.10.0.8:8090 {		# https://github.com/evilhero/mylar
    without /mylar
	transparent
	}
 
  proxy /lazy 172.10.0.7:5299 {            # https://github.com/DobyTang/LazyLibrarian
    transparent
    }
  
  proxy /nzbget 172.10.0.3:6789 {          # http://nzbget.net/
    without /nzbget
	transparent
    }
 
  proxy /hydra2 172.10.0.2:5076 {        # https://github.com/theotherp/nzbhydra2
    transparent
    }

  #rewrite /ombi /ombi/
	
  proxy /ombi 172.10.0.10:3579 {            # https://github.com/tidusjar/Ombi
	transparent
    }
  
  proxy /tautulli 172.10.0.14:8181 {          # http://tautulli.com/ PARTIALLY WORKING
    without /tautulli
	transparent
    }
	
  proxy /pihole 172.10.0.11:80 {        # https://pi-hole.net/
    without /pihole
	transparent
	header_downstream X-Frame-Options "SAMEORIGIN"
    }
  
  proxy /portainer 172.10.0.20:9000 {            # https://portainer.io/
    without /portainer
	transparent
    }	
	
  # The code below will proxy PHP requests
	
  fastcgi / 127.0.0.1:9000 php # php variant only
  
}
  
####################################################################################
# web domain server block
####################################################################################

domain.com {
 
  tls [email protected]
	
  log /srv/logs/access.log {
	rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
	}
	
  errors /srv/logs/errors.log {
	rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
	}	
  
  on startup php-fpm7 # php variant only

  redir 301 {
    if {path} is /              # Only redirect if the request is for the webroot
    / https://domain.com/organizr/   # Replace with wherever you like
  }
  
  import mycommon          # Import code snippet 1 defined above
  import mylocations       # Import code snippet 2 defined above	
 
}
 
####################################################################################
# localhost or Machine server block
####################################################################################
 
http://localhost http://192.168.29.1 {
 
  import mycommon          # Import code snippet 1 defined above
  import mylocations       # Import code snippet 2 defined above
 
}
 
####################################################################################
# subdomains
####################################################################################
 
plex.domain.com {

  tls [email protected]
	
  gzip
  timeouts none
 
  # Separate log file for Plex server
 
  log /srv/logs/plexaccess.log {
    rotate_size 1          # Rotate after 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }
 
  errors /srv/logs/plexerror.log {
    rotate_size 1          # Set max size 1 MB
    rotate_age  7          # Keep log files for 7 days
    rotate_keep 2          # Keep at most 2 log files
  }
 
  proxy / 192.168.29.10:32400 {
    transparent
    }
 
}
 
qnap.domain.com {

  tls [email protected]
	
  gzip
 
  proxy / 192.168.29.2:8080 {
    transparent
    }
 
}

git.apache.org has gone away

The go.sum file still requires a module from git.apache.org, and I can't figure out which dependency it came from.
How can I fix this?

[ldap] Trying to log in with unknown user yields error 500

Hi!

I configured reauth to use ldap with a group filter. As failure mechanism I use Basic Auth.

When I try to log in with a user that is not in the group, or a non-existing user, caddy now yields an error 500.

Due to the browser mechanics it stays that way until I clear all caches.

I think it should yield a 401 so the user can try again.

Greetings!
Valen

Document use of spaces in LDAP parameters

Recently needed to filter using an LDAP OU= with a space in it. After some trial-and-error, it looks like c/c++/java escaping works here: OU=GROUP\u0020NAME

Please consider adding to the README if this is expected and/or supported.

Request placeholder in upstream

Hi, first of all, thanks for making this awesome plugins.

I would like to know if it is possible to include a request placeholder in the upstream url.

I would like to use it to protect my private docker registry using my private gitea. Currently, I am able to permit only users of my gitea to access the private registry. But I would like to add additional access control, that is to make sure the users of the private registry are also the user or a member of an organization in gitea, e.g. /v2/someuser/* in the registry can only be accessed by user someuser or a member of someuser (if someuser is an organization).

So I am thinking of passing the request path to the upstream URI, e.g. upstream url=https://my.gitea.host/v1/api{path}

cannot filter with memberof.

It works when I set it like this. I can log in.

ldap url=ldap://192.168.3.200:389,timeout=5s,base="OU=XXXXXXXXXXX,OU=SGR_NJ,OU=XXX,DC=xxx,DC=com",username="CN=Administrator,CN=Users,DC=xxx,DC=com",password="XXXXXXXXX",filter="(&(objectClass=user)(sAMAccountName=%s))"

But when I filter by group:

ldap url=ldap://192.168.3.200:389,timeout=5s,base="OU=XXX,DC=xxx,DC=com",username="CN=Administrator,CN=Users,DC=xxx,DC=com",password="XXXXXXXXX",filter="(&(memberOf=CN=Bioinfo,OU=NAS,OU=Service,OU=XXX,DC=xxx,DC=com)(objectClass=user)(sAMAccountName=%s))"

I cannot log in anymore.
