Description
Describe the issue
When user registration is enabled, caddy fails to start; the error appears to come from loading an empty registrations.json file (I think).
Error: loading initial config: loading new config: loading security app module: provision security: server initialization failed: failed initializing user registry: user registration configuration for "localdbregistry" instance failed: failed initializing database at "/etc/caddy/registrations.json": unexpected end of JSON input
Configuration
# Global options block. The reported startup failure appears when the
# commented-out "user registration" block inside "security" is enabled.
{
    order authenticate before respond
    order authorize before basicauth
    security {
        # SMTP login used by the "proton-smtp" provider below. The password is
        # stored in clear text in the Caddyfile; "password123" is presumably a
        # placeholder — confirm the real secret was not pasted into this report.
        credentials [email protected] {
            username [email protected]
            password password123
        }
        messaging email provider proton-smtp {
            address smtp.protonmail.ch:587
            protocol smtp
            sender [email protected] "Auth Portal"
            credentials [email protected]
        }
        local identity store localdb {
            realm local
            path /etc/caddy/users.json
        }
        # Commented out in this report: enabling this block produces the
        # "failed initializing database at /etc/caddy/registrations.json" error.
        # user registration localdbregistry {
        # dropbox /etc/caddy/registrations.json
        # title "User Registration"
        # code "swordfish"
        # require domain mx
        # admin email [email protected]
        # email provider proton-smtp
        # identity store localdb
        # }
        authentication portal portal_green {
            crypto default token lifetime 86400
            # Token signing key is taken from the environment, not stored in the file.
            crypto key sign-verify {env.JWT_SHARED_KEY}
            cookie domain green.com
            enable identity store localdb
            ui {
                links {
                    "files" https://files.green.com icon "las la-file-alt"
                    "whoami" "/whoami" icon "las la-user"
                    "immich" https://immich.green.com icon "las la-file-image"
                    "transmission" https://sus.green.com icon "las la-broadcast-tower"
                    "unifi" https://unifi.green.com icon "las la-server"
                }
            }
            # Every local-origin user is granted authp/user on login.
            transform user {
                match origin local
                action add role authp/user
                ui link "settings" "/auth/profile/" icon "las la-cog"
            }
        }
        # Admin-only policy: explicit allow for authp/admin, everything else denied.
        authorization policy policy_green_admins {
            set auth url https://auth.green.com:443
            allow roles authp/admin
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                match role authp/admin
                allow stop log info
            }
            acl rule {
                match any
                deny log warn
            }
        }
        # User policy: authp/admin and authp/user allowed, everything else denied.
        authorization policy policy_green_users {
            set auth url https://auth.green.com:443
            allow roles authp/admin authp/user
            crypto key verify {env.JWT_SHARED_KEY}
            acl rule {
                match role authp/admin
                allow stop log info
            }
            acl rule {
                match role authp/user
                allow stop log info
            }
            acl rule {
                match any
                deny log warn
            }
        }
    }
}
# Reusable security-header snippet. NOTE(review): none of the site blocks
# shown in this Caddyfile import it ("import shared-security-headers" does not
# appear), so as written these headers are not sent by any host.
(shared-security-headers) {
    header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
        # Scripts are restricted to 'self'; styles additionally allow 'unsafe-inline'.
        Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
        Permissions-Policy "geolocation=(), microphone=()"
    }
}
# Plain-HTTP listener on the LAN address with directory listing enabled and no
# "authorize" directive: anything that can reach 172.16.0.8:80 can browse and
# download everything under /srv/http. The same tree is served behind
# policy_green_users at files.green.com below — confirm this open path is intended.
http://172.16.0.8:80 {
    root * /srv/http
    file_server browse
}
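# Redirect the plain-HTTP vhosts to HTTPS.
# The original target was "https://{host}{uri}:443": {host} carries no port and
# {uri} is the path plus query string, so ":443" was appended after the request
# URI (e.g. "https://green.com/path?q=1:443") instead of acting as a port.
# 443 is the default HTTPS port, so it is simply omitted.
http://auth.green.com:80,
http://immich.green.com:80,
http://green.com:80,
http://immich.red.com:80,
http://files.green.com:80 {
    redir https://{host}{uri} 301
}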
# Auth portal host; all requests are handled by portal_green. The
# shared-security-headers snippet is not imported here.
auth.green.com {
    route {
        authenticate with portal_green
    }
}
# Immich is proxied without an "authorize" directive, so the security app does
# not gate these hosts; access control is whatever the upstream itself enforces.
immich.green.com,
immich.red.com {
    reverse_proxy http://localhost:2283
}
# Authenticated file share: the same /srv/http tree as the 172.16.0.8 listener,
# here gated by policy_green_users.
files.green.com {
    authorize with policy_green_users
    uri strip_prefix /files
    root * /srv/http
    file_server browse
}
# UniFi controller behind policy_green_users.
unifi.green.com {
    authorize with policy_green_users
    uri strip_prefix /unifi
    reverse_proxy https://localhost:8443 {
        transport http {
            # Skips certificate verification for the localhost:8443 upstream:
            # the hop is still TLS, but the upstream's identity is not checked.
            # Trusting the controller's own certificate instead would be stricter.
            tls_insecure_skip_verify
        }
    }
}
# Transmission UI, restricted to admins via policy_green_admins.
sus.green.com {
    authorize with policy_green_admins
    reverse_proxy http://127.0.0.1:9091
}
Version Information
root@theserver:/etc/caddy# caddy list-modules --versions | grep -E "(auth|security)"
http.authentication.hashes.bcrypt v2.10.2
http.authentication.providers.http_basic v2.10.2
http.handlers.authentication v2.10.2
tls.client_auth.verifier.leaf v2.10.2
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31
Expected behavior
Caddy does not crash on startup.
Additional context
With the registration section commented out as above, caddy runs correctly.
When registrations.json is deleted, a different error occurs instead.
Error: loading initial config: loading new config: loading http app module: provision http: server srv0: setting up route handlers: route 1: loading handler modules: position 0: loading module 'subroute': provision http.handlers.subroute: setting up subroutes: route 0: loading handler modules: position 2: loading module 'authentication': provision http.handlers.authentication: loading authentication providers: module name 'authorizer': provision http.authentication.providers.authorizer: loading security app module: provision security: server initialization failed: failed initializing user registry: user registration configuration for "localdbregistry" instance failed: failed initializing database at "/etc/caddy/registrations.json": failed database commit to "/etc/caddy/registrations.json": open /etc/caddy/registrations.json: read-only file system
The file system is definitely not read-only: the same directory is writable from the shell, as the listing below shows.
root@theserver:/etc/caddy# rm registrations.json
root@theserver:/etc/caddy# sudo -u caddy touch ./registrations.json
root@theserver:/etc/caddy# ls -al
total 32
drwxrwxrwx 2 caddy caddy 4096 Nov 28 16:27 .
drwxr-xr-x 162 root root 12288 Nov 28 06:28 ..
-rwx------ 1 caddy caddy 3249 Nov 28 16:25 Caddyfile
-rwx------ 1 caddy caddy 878 Nov 28 11:48 Caddyfile.bak
-rw-rw-r-- 1 caddy caddy 0 Nov 28 16:27 registrations.json
-rwx------ 1 caddy caddy 1508 Nov 28 15:08 users.json
-rwx------ 1 caddy caddy 194 Nov 28 12:46 users.json.bak