breakfix: Implementing an acl default allow policy at the web server root #446

@feature-not-a-bug

Description

Describe the issue

Can't complete LetsEncrypt challenge once I set a security policy.

Configuration

Paste full Caddyfile below:

{
        debug
        acme_ca https://acme-staging-v02.api.letsencrypt.org/directory # For testing
        acme_dns cloudflare {env.CLOUDFLARE_KEY}

        order authorize before basicauth

        security {
                authorization policy publicpolicy {
                        acl default allow
                }

                authorization policy securepolicy {
                        set token sources cookie

                        set auth url https://auth.example.com/realms/qa/protocol/openid-connect/auth
                        allow roles user admin log debug
                        crypto key verify {env.JWKS_SK}
                }
        }
}

example.com {
        redir https://www.example.com{uri}
}

www.example.com {
        authorize with publicpolicy

        route /site/* {
                authorize with securepolicy
                reverse_proxy localhost:3000
        }
}

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

http.authentication.hashes.bcrypt v2.10.2
http.authentication.providers.http_basic v2.10.2
http.handlers.authentication v2.10.2
tls.client_auth.verifier.leaf v2.10.2
http.authentication.providers.authorizer v1.1.31
http.handlers.authenticator v1.1.31
security v1.1.31

Expected behavior

I was trying to get the public policy to apply to anything that's not explicitly listed with a separate policy, e.g. things like the favicon, CSS assets for error pages, as well as LetsEncrypt challenges.

https://docs.authcrunch.com/docs/authorize/bypass would let me explicitly whitelist specific endpoints, but wouldn't work for LE.

Essentially, I want everything world-readable unless there's an overriding policy in a specific route.

Additional context

N/A
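The following is an added example and is not code from the issue or from the caddy-security project. It models the layout the reporter is asking for (default allow at the site root, the nested `route /site/*` block overriding it with the secure policy) and pairs that model with a small probe that checks a running Caddy instance the same way: public paths such as an ACME challenge path or the favicon must not bounce to the IdP, while anything under `/site/` must. The route table, the longest-prefix resolution, the sample paths and the cookie handling are assumptions made for illustration, not a description of how the plugin actually evaluates policies; the auth URL is the one from the Caddyfile above.

```python
"""Offline model of the intended authorization layout plus a live probe.
Added example, not code from the issue or the caddy-security project.
Everything here is an assumption about intended behaviour (default allow at
the site root, redirect to the IdP for anonymous requests under /site/*),
not a statement of how the plugin resolves policies."""
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Auth URL taken from the Caddyfile in the issue.
AUTH_URL = "https://auth.example.com/realms/qa/protocol/openid-connect/auth"

# Route table mirroring the Caddyfile: the site root uses publicpolicy and
# the nested `route /site/*` block overrides it with securepolicy.
# Longest matching prefix wins (constructed model, not the plugin's logic).
ROUTES = [
    ("/", "publicpolicy"),
    ("/site/", "securepolicy"),
]


def policy_for(path: str) -> str:
    """Return the policy that applies to `path` (longest prefix match)."""
    matching = [r for r in ROUTES if path.startswith(r[0])]
    return max(matching, key=lambda r: len(r[0]))[1]


def decide(path: str, has_valid_token: bool) -> Tuple[int, Optional[str]]:
    """Model the intended response as (status, redirect location)."""
    if policy_for(path) == "publicpolicy":
        return 200, None          # acl default allow: everyone gets through
    if has_valid_token:
        return 200, None          # securepolicy with a valid cookie token
    return 302, AUTH_URL          # securepolicy without a token: go to the IdP


def classify(status: int, location: Optional[str]) -> str:
    """Label a response 'protected' when it redirects to the IdP host,
    otherwise 'public' (any other status, 404 included, counts as public)."""
    if status in (301, 302, 303, 307, 308) and location:
        if urlparse(location).netloc == urlparse(AUTH_URL).netloc:
            return "protected"
    return "public"


# What the reporter wants: challenge paths and static assets reachable by
# anyone, the application under /site/ gated. Constructed sample paths.
EXPECTED: Dict[str, str] = {
    "/.well-known/acme-challenge/sometoken": "public",
    "/favicon.ico": "public",
    "/site/": "protected",
    "/site/dashboard": "protected",
}


def verify_model() -> Dict[str, bool]:
    """Check the offline model against EXPECTED for anonymous requests."""
    return {
        path: classify(*decide(path, has_valid_token=False)) == want
        for path, want in EXPECTED.items()
    }


class _NoRedirect(HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url: str, path: str, timeout: float = 5.0) -> str:
    """Fetch base_url + path anonymously and classify the real response.
    Run this against a live Caddy after changing the policy."""
    opener = build_opener(_NoRedirect())
    req = Request(base_url.rstrip("/") + path,
                  headers={"User-Agent": "policy-probe"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers.get("Location"))
    except HTTPError as err:
        return classify(err.code, err.headers.get("Location"))


def verify_live(base_url: str) -> Dict[str, bool]:
    """Probe every path in EXPECTED on a running instance."""
    return {path: probe(base_url, path) == want
            for path, want in EXPECTED.items()}


if __name__ == "__main__":
    for path, ok in verify_model().items():
        print(f"{'ok ' if ok else 'BAD'} {path}")
```

`verify_model()` only exercises the assumed model and runs offline; `verify_live("https://www.example.com")` is the check that matters after editing the Caddyfile, since it reports which of the sample paths still redirect to the IdP host and which are reachable anonymously.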
