caddy-security
Settings Page Returns Page Not Found
When clicking on the Settings link, a "Page Not Found" page appears instead of the expected settings page.
Configuration
{
email [email protected]
order authenticate before respond
order authorize before basicauth
security {
credentials myuname-icloud {
username myuname
password {env.icloudpass}
}
messaging email provider icloud-smtp-server {
address smtp.mail.me.com:587
protocol smtp
credentials myusername-icloud
sender myusernameicloud.com "Example Portal"
bcc [email protected]
}
local identity store localdb {
realm local
path /etc/caddy/users.json
}
authentication portal myportal {
crypto default token lifetime 86400
crypto key sign-verify {env.JWT_SHARED_KEY}
enable identity store localdb
cookie domain mydomain.url
cookie lifetime 86400
ui {
"My Identity" "/whoami" icon "las la-user"
}
}
transform user {
match origin local
require mfa
}
transform user {
match email [email protected]
ui link "My Portal Settings" /settings icon "las la-cog"
}
transform user {
match email [email protected]
ui link "Portal Settings" /settings icon "las la-cog"
}
}
authorization policy mypolicy {
set auth url https://auth.example.com
crypto key verify {env.JWT_SHARED_KEY}
allow roles authp/admin authp/user
validate bearer header
inject headers with claims
}
}
}
(myHost) {
tls {
dns myhost {
api_key {env.MYHOST_API_KEY}
api_secret_key {env.MYHOST_API_PASSWORD}
}
}
}
www.mywebsite.com {
redir https://mywebsite.com{uri}
import myHost
}
mywebsite.com {
encode gzip zstd
root * /data/exampleuser/ExampleDrive/MyWebsite
file_server {
hide .git
}
import myHost
log {
output file /var/log/access.log
}
}
*.mywebsite.com {
encode gzip zstd
import myHost
log {
output file /var/log/access.log
}
@test host test.mywebsite.com
handle @test {
authorize with mypolicy
reverse_proxy 192.168.0.160:8000 {
header_up Host {http.reverse_proxy.upstream.hostport}
}
}
#Authorize
@theauth host auth.mywebsite.com
handle @theauth {
authenticate with myportal
}
#Fallback for unhandled domains
handle {
abort
}
}
Version Information
Provide output of caddy list-modules --versions | grep -E "(auth|security)"
below:
http.authentication.hashes.bcrypt v2.7.6
http.authentication.hashes.scrypt v2.7.6
http.authentication.providers.http_basic v2.7.6
http.handlers.authentication v2.7.6
tls.client_auth.leaf v2.7.6
http.authentication.providers.authorizer v1.1.29
http.handlers.authenticator v1.1.29
security v1.1.29
Expected behavior
The settings page would appear and be functional.
@WalterSchirmacher , please serve the portal from the "/auth/*" path. The settings are available via "/auth/profile"
@WalterSchirmacher , serve it from "auth.mywebsite.com/auth/"
I tried changing it to "auth/settings" (so "https://auth.mywebsite.com/auth/settings" instead of "https://auth.mywebsite.com/settings") and it didn't work.
For reference, the "whoami" works and is located at "https://auth.mywebsite.com/whoami".
Caddy is hosted on Ubuntu 22.04 (LTS) and the system is only about 2 months old. This is a fresh Caddy install.
I had a previous instance on a different box for a few months (an old Mac) but didn't reuse the Caddy file directly (though I did copy/paste some bits to avoid retyping). The Caddy Security users.json is newly set up to avoid any permission issues. I can provide the whoami info later tonight if that is helpful. Caddy is set up with its own user, and I double-checked to ensure it has the appropriate RWX access for where everything is stored.
Thank you,
Walter B. Schirmacher @.***
On Sun, May 5, 2024 at 12:41 AM Paul Greenberg @.***> wrote:
@WalterSchirmacher https://github.com/WalterSchirmacher , serve it from "auth.mywebsite.com/auth/"
@WalterSchirmacher , there are no more "settings". It is "/auth/profile".
I tried /auth/profile and still get page not found. I also tried /profile with the same result.
@WalterSchirmacher , please share the snippet how you are serving "authenticate with" directive.
Here are the relevant parts:
{
authentication portal myportal {
crypto default token lifetime 86400
crypto key sign-verify {env.JWT_SHARED_KEY}
enable identity store localdb
cookie domain mydomain.url
cookie lifetime 86400
ui {
"My Identity" "/whoami" icon "las la-user"
}
}
transform user {
match origin local
require mfa
}
transform user {
match email [email protected]
ui link "My Portal Settings" /settings icon "las la-cog"
ui link "My Portal Settings" /profile icon "las la-cog"
ui link "My Portal Settings" /auth/profile icon "las la-cog"
ui link "My Portal Settings" /auth/settings icon "las la-cog"
}
transform user {
match email [email protected]
ui link "Portal Settings" /settings icon "las la-cog"
ui link "My Portal Settings" /profile icon "las la-cog"
ui link "My Portal Settings" /auth/profile icon "las la-cog"
ui link "My Portal Settings" /auth/settings icon "las la-cog"
}
}
authorization policy mypolicy {
set auth url https://auth.example.com
crypto key verify {env.JWT_SHARED_KEY}
allow roles authp/admin authp/user
validate bearer header
inject headers with claims
}
}
*.mywebsite.com {
encode gzip zstd
import myHost
log {
output file /var/log/access.log
}
@test host test.mywebsite.com
handle @test {
authorize with mypolicy
reverse_proxy 192.168.0.160:8000 {
header_up Host {http.reverse_proxy.upstream.hostport}
}
}
#Authorize
@theauth host auth.mywebsite.com
handle @theauth {
authenticate with myportal
}
#Fallback for unhandled domains
handle {
abort
}
}
@WalterSchirmacher , the issue is here
@theauth host auth.mywebsite.com
handle @theauth {
authenticate with myportal
}
you are serving it from "/", you need to have a redirect from "/" to "/auth/" and handle the path "/auth*"
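The routing described in the comment above, applied to the `*.mywebsite.com` site block from the report, as an added example that is not part of the original thread or the project's documentation. It assumes the portal pages live under `/auth` as stated above and reuses the names from the reported config; `redir` and nested `handle` are standard Caddy directives.

```caddyfile
*.mywebsite.com {
	encode gzip zstd
	import myHost

	@theauth host auth.mywebsite.com
	handle @theauth {
		# Send the bare host to the portal's base path
		# (exact match on "/" only).
		redir / /auth/ 302

		# Hand only /auth* to the portal instead of
		# serving it from "/".
		handle /auth* {
			authenticate with myportal
		}
	}

	# Fallback for unhandled domains
	handle {
		abort
	}
}
```

Later replies in this thread report that the profile page answered only at `/auth/profile/`, with the trailing slash.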
I am getting the same error; the following routes are not accessible:
- /auth/settings
- /auth/profile
This is my Caddyfile:
{
debug
https_port 443
order authenticate before respond
order authorize before basicauth
security {
local identity store localdb {
realm local
path /etc/caddy/users.json
}
authentication portal myportal {
crypto default token lifetime 2592000
enable identity store localdb
transform user {
match origin local
action add role authp/user
ui link "Portal Settings 1" /auth/profile icon "las la-cog"
ui link "Portal Settings 2" /auth/settings icon "las la-cog"
}
}
authorization policy mypolicy {
with api key auth portal myportal realm local
acl default allow
}
}
}
(internal_config) {
handle /auth* {
authenticate with myportal
}
}
:80 {
# import internal_config
redir https://caddy_edge{uri}
}
https://localhost:443, {$HOST_DOMAIN_ADDRESS} {
import internal_config
}
@WalterSchirmacher , the issue is here
@theauth host auth.mywebsite.com
handle @theauth {
authenticate with myportal
}
you are serving it from "/", you need to have a redirect from "/" to "/auth/" and handle the path "/auth*"
I tried to do this, however with no success.
I might be forgetting something.
I was also facing the same issue with a very similar configuration, and what worked for me was putting the '/' at the end of the URL, like:
mydomain.com/auth/profile/
For some reason, mydomain.com/auth/profile would give me a 404 not found.
Thanks @ooiuri. That was it!
Solved for my side.
Thank you @ooiuri - that was it for me as well.
Combining @greenpau's change to /auth/profile (instead of settings) and adding the final / was the solution.
mydomain.com/auth/profile/ works.
@WalterSchirmacher , please share your final config.
transform user {
match origin local
action add role authp/user
- ui link "My Portal Settings" /settings icon "las la-cog"
+ ui link "User Dashboard" /auth/profile/ icon "las la-cog"
}
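Review bot: the new target `/auth/profile/` on the `+` line only resolves if the site block routes that path to the portal, and this hunk does not show that part; the config posted earlier ran `authenticate with myportal` from `/` under `handle @theauth`. Please post the matching `handle /auth*` block and the redirect from `/` to `/auth/` alongside this change, and add a comment on the link line that the trailing slash is required, since `/auth/profile` without it returned 404 in this thread.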