databasetime-seriesbasic-authenticationcaddyquestdb

How to add Basic Auth to a Caddy config with TLS and auto renewal to Serve QuestDB via Docker

Since QuestDB OSS does not have basic auth and TLS, I want to use caddy to proxy it, and it will also auto renew my TLS certificates.

So far I had success on properly serving QuestDB with TLS, but I am stuck at basic auth. I copied an example from the docs and it works fine, but when I try to use env variables basic Auth is not working for me. This is what I have so far:

docker-compose.yaml for Caddy proxy (direct copy/paste from the docs)

version: "3.7"
services:
  caddy:
    image: lucaslorentz/caddy-docker-proxy:ci-alpine
    ports:
      - 80:80
      - 443:443
    environment:
      - CADDY_INGRESS_NETWORKS=caddy
    networks:
      - caddy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./caddy_data:/data
    restart: unless-stopped

networks:
  caddy:
    external: true

volumes:
  caddy_data: {}

I already created the caddy network and I have this docker-compose.yml for QuestDB

version: '3.7'
services:
  questdb:
    image: questdb/questdb:7.3.10
    environment:
      QDB_PG_USER: ${QDB_PG_USER:-admin}
      QDB_PG_PASSWORD: ${QDB_PG_PASSWORD:-password}
      QDB_PG_READONLY_USER_ENABLED: "true"
      QDB_PG_READONLY_USER: ${QDB_PG_READONLY_USER:-readonly}
      QDB_PG_READONLY_PASSWORD: ${QDB_PG_READONLY_PASSWORD:-quest}
    networks:
      - caddy
    labels:
      caddy: localhost
      caddy.reverse_proxy: "{{upstreams 9000}}"      
      #caddy.basicauth: "/"
      #caddy.basicauth./: "${BASIC_AUTH_USER:-readonly} ${BASIC_AUTH_HASHED_PASSWORD:-quest}"

networks:
  caddy:
    external: true

When I start this configuration with basic auth commented out, it all works fine and I can go to https://localhost (http will get properly redirected). I intend to change my domain name when I deploy this. But the moment I uncomment my basic auth config, the questdb container seems to be starting just fine, but I cannot access from localhost. Any ideas?

Solution

  • It turns out I couldn't see any issues because I was starting caddy as a docker compose daemon and didn't see the logs. When I check the logs I can actually see this:

    {\"error\":\"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: base64-decoding salt: illegal base64 data at input byte 4\"}\n"}

    Since I was providing a clear password as the default value, it couldn't start. Once I create a hashed password using, for example, htpasswd -nbB username 'password', I can pass it as an env variable and things just work fine.