caddy-docker-proxy
Unable to set a `basic_auth` password via an environment variable
Password below is `hiccup` if anyone wants to attempt to reproduce this. I've generated it using `caddy hash-password`, using the default algorithm (bcrypt), and it produces this:
```
$2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
```
compose.yaml
Three dummy users to test different scenarios. Escaping (doubling) the dollars as it's needed for this syntax.
```yaml
deploy:
  labels:
    caddy: mydomain.com
    caddy.basic_auth.jeto: "{$$PASSWORD_JETO}"
    caddy.basic_auth.jeto2: "{env.PASSWORD_JETO}"
    caddy.basic_auth.jeto3: "$$2a$$14$$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG"
```
.caddyenv
This is linked via CADDY_DOCKER_ENVFILE.
```
PASSWORD_JETO=$$2a$$14$$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
```
Note: I've doubled the dollar signs because if I don't, I get the following error when running Caddy:
```
{"level":"error","ts":1736596342.9541228,"logger":"docker-proxy","msg":"Error response from server","server":"localhost","status code":400,"body":"{"error":"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 1: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: base64-decoding password: illegal base64 data at input byte 52"}\n"}
```
Resulting Caddyfile
```
mydomain.com {
	basic_auth {
		jeto {$BOT_DASHBOARD_PASSWORD_JETO}
		jeto2 {env.BOT_DASHBOARD_PASSWORD_JETO}
		jeto3 $2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG
	}
}
```
Looks correct to me.
Outcome
I can log in with jeto3 but with neither jeto nor jeto2, which both generate the following error:
```
crypto/bcrypt: hashedSecret too short to be a bcrypted password
```
I believe the double dollar should not need to be present in the env file. Actually, if I test it locally with just caddy, it works. The problem is if I don't double them using caddy-docker-proxy, I get the "illegal base64 data" error quoted within the ".caddyenv" section above.
I've also tried surrounding the value with double quotes (both with and without double dollars), but still cannot log in.
I feel like I've tried everything possible. Is this a bug, or am I missing something?
Thanks!
Well... I found a solution, kinda randomly, after wasting hours on this.
Turns out, the env variable needed to satisfy both these conditions:
- have normal dollars (they shouldn't be doubled)
- be surrounded by single quotes (not double quotes, and not nothing either)
So this is the only way to make it work... somehow:
```
PASSWORD_JETO='$2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG'
```
I'll leave this issue open just in case for now (feel free to close it though). It's probably a caddy issue but I'm not sure, since it works out of the box for me with a local installation of its latest standalone version. Maybe they've fixed something along the way?
This is just a compat issue with Docker's env var loader. Not a Caddy problem.
> This is just a compat issue with Docker's env var loader. Not a Caddy problem.
Ah OK, didn't think it'd be Docker-related as I assumed that env variable was just working like --envfile by referencing a file to Caddy, which in turn retrieved the environment variables from it.
Maybe a small paragraph in the README (e.g. "It is recommended to surround complex values with single quotes to avoid character parsing issues.") could help people running into the same thing in the future?
In any case, again, feel free to close this issue.
I'm having this problem too, with dokku adding docker labels.
Using command:
```
dokku docker-options:add wiseverge-hello-landing-pages deploy "--label caddy.basicauth.teste='$2a$12$J2GpBU5bJTCefCjfTxZKdexLm5mhAsj7mfDH08t/Eb71cHIdnd7ka'"
```
Tried adding the double $$, also escaping them, but no luck.
Escaping error:
```
{"error":"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: base64-decoding password: illegal base64 data at input byte 0"}\n"}
```
Double $$:
```
{"level":"error","ts":1741082601.882515,"logger":"docker-proxy","msg":"Error response from server","server":"localhost","status code":400,"body":"{\"error\":\"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: base64-decoding password: illegal base64 data at input byte 46\"}\n"}
```
I was able to add basic auth using the following labels:
```yaml
labels:
  caddy: my.sample.site
  caddy.basic_auth: /admin* bcrypt "Test Admin"
  caddy.basic_auth.admin: "$$2a$$10$$BCRYPT_PASSWORD_REDACTED"
```
@JoseCWise I believe in that case you want to have double quotes and double dollars, like in my jeto3 example (as well as @jum's).
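
A check for the failure mode discussed in this thread, as an added example (not code from caddy-docker-proxy, Caddy, or any commenter): it classifies the value a process actually received for a variable that should hold a bcrypt hash, and returns only a label so the hash is never printed. The function names and result labels are hypothetical, and the "expanded" sample assumes a loader that replaces `$NAME` segments with an empty string.

```python
import os
import re

# bcrypt modular crypt format: "$2a"/"$2b"/"$2y", a two-digit cost, then
# 22 salt + 31 digest characters from the bcrypt alphabet (60 chars total).
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")


def diagnose_bcrypt_value(value):
    """Classify a string that is expected to hold a bcrypt hash.

    Returns a short label only, so the hash itself never ends up in logs.
    """
    if not value:
        return "empty"
    if BCRYPT_RE.fullmatch(value):
        return "ok"
    inner = value
    # Quote characters that the env-file loader kept as part of the value.
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        inner = value[1:-1]
        if BCRYPT_RE.fullmatch(inner):
            return "literal-quotes"
    # Compose-style "$$" escapes that nothing un-escaped on the way in.
    if BCRYPT_RE.fullmatch(inner.replace("$$", "$")):
        return "doubled-dollars"
    # A real hash starts with "$2"; if that prefix is gone, some layer
    # consumed "$..." segments as variable references.
    if not inner.startswith("$2"):
        return "dollar-expanded"
    return "malformed"


def check_env(name, environ=os.environ):
    """Diagnose the value the current process received for `name`."""
    value = environ.get(name)
    return "unset" if value is None else diagnose_bcrypt_value(value)


if __name__ == "__main__":
    # Hash from the thread (password "hiccup"); mangled forms are constructed.
    good = "$2a$14$Zkx19XLiW6VYouLHR5NmfOFU0z2GTNmpkT/5qqR7hx4IjWJPDhjvG"
    samples = {
        "as generated": good,
        "doubled dollars": good.replace("$", "$$"),
        "quotes kept": "'" + good + "'",
        "expanded": re.sub(r"\$\w*", "", good),  # assumed loader behaviour
    }
    for label, value in samples.items():
        print(f"{label:16} len={len(value):3} -> {diagnose_bcrypt_value(value)}")
```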