Since QuestDB OSS does not have basic auth and TLS, I want to use caddy to proxy it, and it will also auto renew my TLS certificates.
So far I had success on properly serving QuestDB with TLS, but I am stuck at basic auth. I copied an example from the docs and it works fine, but when I try to use env variables basic Auth is not working for me. This is what I have so far:
docker-compose.yaml for Caddy proxy (direct copy/paste from the docs)
version: "3.7"
services:
caddy:
image: lucaslorentz/caddy-docker-proxy:ci-alpine
ports:
- 80:80
- 443:443
environment:
- CADDY_INGRESS_NETWORKS=caddy
networks:
- caddy
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- ./caddy_data:/data
restart: unless-stopped
networks:
caddy:
external: true
volumes:
caddy_data: {}
I already created the caddy network and I have this docker-compose.yml for QuestDB
version: '3.7'
services:
questdb:
image: questdb/questdb:7.3.10
environment:
QDB_PG_USER: ${QDB_PG_USER:-admin}
QDB_PG_PASSWORD: ${QDB_PG_PASSWORD:-password}
QDB_PG_READONLY_USER_ENABLED: "true"
QDB_PG_READONLY_USER: ${QDB_PG_READONLY_USER:-readonly}
QDB_PG_READONLY_PASSWORD: ${QDB_PG_READONLY_PASSWORD:-quest}
networks:
- caddy
labels:
caddy: localhost
caddy.reverse_proxy: "{{upstreams 9000}}"
#caddy.basicauth: "/"
#caddy.basicauth./: "${BASIC_AUTH_USER:-readonly} ${BASIC_AUTH_HASHED_PASSWORD:-quest}"
networks:
caddy:
external: true
When I start this configuration with basic auth commented out, it all works fine and I can go to https://localhost
(http
will get properly redirected). I intend to change my domain name when I deploy this. But the moment I uncomment my basic auth config, the questdb container seems to be starting just fine, but I cannot access from localhost. Any ideas?
It turns out I couldn't see any issues because I was starting caddy as a docker compose daemon and didn't see the logs. When I check the logs I can actually see this:
{\"error\":\"loading config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 0: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 0: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'http_basic': provision http.authentication.providers.http_basic: base64-decoding salt: illegal base64 data at input byte 4\"}\n"}
Since I was providing a clear password as the default value, it couldn't start. Once I create a hashed password using, for example, htpasswd -nbB username 'password'
, I can pass it as an env variable and things just work fine.