forwardproxy icon indicating copy to clipboard operation
forwardproxy copied to clipboard
verified publisher icon caddyserver

Support multiple basic_auth statements in caddy2

Open klzgrad opened this issue 5 years ago • 8 comments

https://github.com/caddyserver/forwardproxy/blob/8d6f47b4c4f3bdbecba34d9f65c8c5629ca0a5b3/forwardproxy.go#L729-L732

Multiple basic_auth statements are not supported because it was not clear what json structure you wanted for doing it @mholt.

Some users are complaining https://github.com/klzgrad/naiveproxy/issues/137.

klzgrad avatar Oct 13 '20 11:10 klzgrad

Sure, that's something that can be added I'm pretty sure.

mholt avatar Oct 13 '20 16:10 mholt

I can add it but what json structure you want for doing this?

klzgrad avatar Oct 13 '20 23:10 klzgrad

Hi @mholt, can you choose one json format for multiple basicauths from below so I can start making a PR?

"basicauths": [
  {"user": "me", "password": "hunter"}
]

"users": ["me"],
"passwords": ["hunter"],

"basicauths": [
  ["me", "hunter"]
]

klzgrad avatar Oct 14 '20 16:10 klzgrad

Maybe one more choice for your reference:

In traefik, users can configure multiple basicauths in a list. Below is an example of toml format used in traefik.

# Declaring the user list
[http.middlewares]
  [http.middlewares.test-auth.basicAuth]
    users = [
      "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", 
      "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
    ]

I don't know implementation details but would be nice to use hashed passwords in conf, which is safe to expose in a plain text.

Thanks.

wiserain avatar Oct 14 '20 16:10 wiserain

Thanks for helping with this!

Before we go too far on this, I am quickly skimming the code and realizing that I only brought over the basicauth functionality to get the tests to pass temporarily. Caddy 2 already has a very flexible and capable authentication module that supports basicauth: https://caddyserver.com/docs/modules/http.authentication.providers.http_basic

Ideally we wouldn't have any authentication logic in this proxy module at all, since it exists in that module. However, if it's necessary for probe resistance, then at least we should look into simply embedding that module into this one, rather than re-implementing it.

For an example of this, Caddy's reverse_proxy module embeds the headers module which manipulates request/response headers: https://github.com/caddyserver/caddy/blob/385adf5d878939c381c7f73c771771d34523a1a7/modules/caddyhttp/reverseproxy/reverseproxy.go#L91

What do you think about that? Should be easier and faster right?

mholt avatar Oct 14 '20 18:10 mholt

Forward proxy in Caddy1 implements its own basicauth to try to avoid side channel attacks with this https://github.com/caddyserver/forwardproxy/blob/247c0bafaabd39e17ecf82c2c957c46957c2efcc/forwardproxy.go#L177-L182

I'll have to remove this constant time compare if I'm to do it with the authentication module. ~~This mitigation is only theoretical but there are real people waiting to use this feature.~~

Edit: Ok, the purpose of this constant time compare is to hide the existence of the auth check so to realize probe resistance, i.e. arbitrary auth input regardless of success or not should take the same amount of time. A real test case is that if I craft a Proxy-Authorization header with a very long password, and if it takes more time to process than a short password, this reveals the existence of an auth checking proxy.

I don't think Caddy 2's auth module is capable of constant time authentication. Even hashed password as requested by wiserain above is suspect without audited constant time hashing algorithm.

klzgrad avatar Oct 15 '20 11:10 klzgrad

Any update for this?

ha-ku avatar May 03 '21 17:05 ha-ku

Any update on this?

Bryan2333 avatar Oct 09 '22 06:10 Bryan2333

Fixed after https://github.com/caddyserver/forwardproxy/pull/74

klzgrad avatar Feb 18 '24 11:02 klzgrad