Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pass sign_key as environment variable #36

Closed
djohn156 opened this issue Mar 14, 2023 · 6 comments
Closed

Pass sign_key as environment variable #36

djohn156 opened this issue Mar 14, 2023 · 6 comments

Comments

@djohn156
Copy link

djohn156 commented Mar 14, 2023

Hi, this plugin works in principle great and reliable. However, is there any means of passing the sign key as an environment variable? Currently, in our pipelines, we're replacing the sign_key in our caddyfile via sed, but his does not seem like a clean approach. However, we did not succeed in directly passing the sign_key as an environment variable directly to Caddy similar to the approach explained in the docs.

Are we missing something here (if so, any guidance is appreciated and we would love to read something about it in the docs) or would this be an additional feature? In both cases, this would surely help #1

@ggicci
Copy link
Owner

ggicci commented Mar 16, 2023

Hi @djohn156 , I tried the environment variable substitutions {$VAR_NAME}, as well as the runtime env var placeholder {env.VAR_NAME}. Both didn't work. While this should work as expected by you and me and possibly others. I will dig futher cuz I'm not sure at this time should this problem be handled by Caddy or community modules themselves.

@ggicci ggicci added bug Something isn't working enhancement New feature or request and removed bug Something isn't working labels Mar 16, 2023
@ggicci
Copy link
Owner

ggicci commented Mar 16, 2023

Hello, I made a mistake when starting the caddy server in BASH script. I tested it out again and it worked as intended. Could you verify it for me?

caddy-jwt on  main [!] via 🐹 v1.20 took 18s
❯ cat /tmp/Caddyfile
{
  order jwtauth before basicauth
}

localhost {
  jwtauth {
    sign_key {$CADDY_JWTAUTH_SIGN_KEY}
    sign_alg HS256
  }

  root * /var/www/localhost
  file_server
}

caddy-jwt on  main [!] via 🐹 v1.20
❯ cat /tmp/start_caddy.sh
#!/usr/bin/env bash

CADDY_JWTAUTH_SIGN_KEY='TkZMNSowQmMjOVU2RUB0bm1DJkU3U1VONkd3SGZMbVk=' ./caddy run --config /tmp/Caddyfile

caddy-jwt on  main [!] via 🐹 v1.20
❯ sudo bash /tmp/start_caddy.sh
2023/03/16 19:16:29.928 INFO    using provided configuration    {"config_file": "/tmp/Caddyfile", "config_adapter": ""}
2023/03/16 19:16:29.929 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "/tmp/Caddyfile", "line": 2}
2023/03/16 19:16:29.929 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/03/16 19:16:29.929 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/03/16 19:16:29.929 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/03/16 19:16:29.929 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc000450ee0"}
2023/03/16 19:16:29.971 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2023/03/16 19:16:29.971 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2023/03/16 19:16:29.971 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/16 19:16:29.971 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/16 19:16:29.971 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/16 19:16:29.971 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2023/03/16 19:16:29.971 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2023/03/16 19:16:29.971 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/03/16 19:16:29.972 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/03/16 19:16:29.972 INFO    serving initial configuration
2023/03/16 19:16:29.972 INFO    tls     finished cleaning storage units

@ggicci ggicci removed the enhancement New feature or request label Mar 16, 2023
@ggicci
Copy link
Owner

ggicci commented Mar 16, 2023

I will close this issue and if you have any problems. Please free free to open it again :)

@ggicci ggicci closed this as completed Mar 16, 2023
@djohn156
Copy link
Author

Hi @ggicci , thanks for the quick response. However, I've not managed to get this working with a RSA256 key. Yet, that does not seem like a bug in the plugin to me - so not reopening the issue. But if you have a working example with an RSA key, I'd appreciate any hint :)

@ggicci
Copy link
Owner

ggicci commented Mar 17, 2023

Hi @djohn156 , you can try this command:

CADDY_JWTAUTH_SIGN_KEY="\"$( cat /tmp/test-key.pub.pem )\"" ./caddy run --config /tmp/Caddyfile

It worth noting that you have to quote the content of the public key when assigning to the environment variable. Using multi-line content in directives should be quoted by refering to Caddy's doc.

full output:

❯ cat /tmp/test-key.pub.pem
-----BEGIN PUBLIC KEY-----
MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAlhCew/srwoBziytNAJCm
H0oZ50I+iDh5Nh7GfXHjTDmaa0tbUu+seI4ibHZ9C5m9E8yVSthjAiWua9u9T70E
8Rv78Fg0Lwy66LDI5MwhZt+N6h4iJcrQw1RHL200a19mdnOOrdJd6bNcjTqSkzri
eW0Okp4K/95MHnbgec+JjAnpKNGslkCE3qHu9KyLSDr08A4v/12or6Ye2qFLeXeL
bclulJfFNL7WJNisW2rvz+jB8f658zo2IzCMeX5VinW+NN6GMgPkj8wdru8ALk0Z
IXP4QAdApBtDvC6OQVGaZ/WEPMZhd9GX35AN7m3IPUlnSEu8pkpjztFqH4GjuVLP
5IHYo7fjvgyx4kQo88OQFjKCJoQS/HWR4kXl1GKE0/XZs6PQy3qLIXLUSMgMwsJQ
4FPlY2NW9W6UyOJ7wFhnydBFzN1Q32Rr3e+uxKYW4UURe0/+PeX0MxABJwQ2NEok
s2zW70bUht5QhokDWqw5tBmBXh7OC2cEI4z9fwSJvQHfAgMBAAE=
-----END PUBLIC KEY-----

caddy-jwt on  main [!] via 🐹 v1.20 took 1m42s
❯ cat /tmp/Caddyfile
{
  order jwtauth before basicauth
}

localhost {
  jwtauth {
    sign_key {$CADDY_JWTAUTH_SIGN_KEY}
  }

  root * /var/www/localhost
  file_server
}

caddy-jwt on  main [!] via 🐹 v1.20
❯ cat /tmp/start_caddy.sh
#!/usr/bin/env bash

CADDY_JWTAUTH_SIGN_KEY="\"$( cat /tmp/test-key.pub.pem )\"" ./caddy run --config /tmp/Caddyfile

caddy-jwt on  main [!] via 🐹 v1.20
❯ sudo bash /tmp/start_caddy.sh
2023/03/17 21:37:52.609 INFO    using provided configuration    {"config_file": "/tmp/Caddyfile", "config_adapter": ""}
2023/03/17 21:37:52.610 WARN    Caddyfile input is not formatted; run the 'caddy fmt' command to fix inconsistencies    {"adapter": "caddyfile", "file": "/tmp/Caddyfile", "line": 2}
2023/03/17 21:37:52.611 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2023/03/17 21:37:52.612 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2023/03/17 21:37:52.612 INFO    http    enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2023/03/17 21:37:52.612 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0004b1420"}
2023/03/17 21:37:52.613 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2023/03/17 21:37:52.613 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2023/03/17 21:37:52.613 INFO    failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details.
2023/03/17 21:37:52.613 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2023/03/17 21:37:52.613 INFO    http    enabling automatic TLS certificate management   {"domains": ["localhost"]}
2023/03/17 21:37:52.613 WARN    tls     stapling OCSP   {"error": "no OCSP stapling for [localhost]: no OCSP server specified in certificate", "identifiers": ["localhost"]}
2023/03/17 21:37:52.613 INFO    tls     cleaning storage unit   {"description": "FileStorage:/root/.local/share/caddy"}
2023/03/17 21:37:52.613 INFO    tls     finished cleaning storage units
2023/03/17 21:37:52.651 INFO    pki.ca.local    root certificate is already trusted by system   {"path": "storage:pki/authorities/local/root.crt"}
2023/03/17 21:37:52.652 INFO    autosaved config (load with --resume flag)      {"file": "/root/.config/caddy/autosave.json"}
2023/03/17 21:37:52.652 INFO    serving initial configuration

@djohn156
Copy link
Author

Hi @ggicci for anyone else stumbling upon this issue:

  1. The solution presented above works, BUT it seems like working with multiline Keys is not well supported across tools and different workarounds may apply. However,
  2. I stumbled upon this thread Using multi line environment variable in stack.yml results in an error openfaas/faas-cli#857 (comment) - and using the base64-encoded value works well and you don't need to struggle with how multiple lines are represented

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants