allow disabling auth again even with list of users (delegating authentication) #174

Closed
Cyrix126 opened this issue Aug 1, 2024 · 5 comments · Fixed by #175

Cyrix126 commented Aug 1, 2024

From the 5.0.0 release note:

> auth option no longer exists and it will be inferred from the users.

My setup was using nginx to authenticate users with an LDAP server and forwarding the header X-Forwarded-For so that webdav recognizes the user and gives him the right directory. I was using `auth: false` in the config of webdav.

With the latest version, I can't do this anymore since authentication is mandatory.
Please allow disabling authentication again so we can transfer the authentication to another service if we need to.

Collaborator

mohammed90 commented Aug 1, 2024

The README says:

> The list of users. If users is empty, then there will be no authentication.

Have you tried that?

Author

Cyrix126 commented Aug 1, 2024

> The README says:
>
> > The list of users. If users is empty, then there will be no authentication.
>
> Have you tried that?

I need the list to give them access to custom path based on their username.

Owner

hacdias commented Aug 1, 2024

> My setup was using nginx to authenticate users with an LDAP server and forwarding the header X-Forwarded-For so that webdav recognizes the user and gives him the right directory. I was using `auth: false` in the config of webdav.

This is a very interesting use case. It seems you were relying on something we had built in in version 4.2.0 and older that was designed to work out with the old plugin for Caddy (see code here). I had this code removed from version 4.3.0 since it was never meant to be used for other purposes.

However, I think you have a valid point and I will see how we can best do this. I assume you're proxying the basic auth user. I see three options:

  1. Re-adding the auth option and enabling/disabling it by default according to the users list (preserving compatibility with v5.0.0), but allowing you to override it with false, and then outputting a warning.
  2. Adding a noPassword configuration option, which disables the password check, indicating this should only be used when delegating the authentication. Print warning.
  3. You just set the same password for every user and proxy this static password anyway. That should also work. At least as a temporary workaround.

Since this "feature" was never intended to be used this way I'm a bit torn. I'm more inclined for option 2.

Author

Cyrix126 commented Aug 1, 2024

> It seems you were relying on something we had built in in version 4.2.0 and older

Correct. I wanted to update it since I had trouble with missing files/directories (possibly unrelated to this webdav server) and saw the breaking changes.

> I assume you're proxying the basic auth user.

Here's my setup:
I'm using lldap and protecting requests in nginx with nginx-ldap-auth-service and the nginx module ngx_http_auth_request_module.

I did this configuration a while ago and I'm not sure if everything is required. I intend to switch to kanidm, but the principle is the same: check the method of auth (it can be other than basic) and, if valid, transfer the request to the backend service, adding a header with the username.

```nginx
auth_ldap "Forbidden";
# webdav here is the name of the ldap config included in nginx to check if the basic auth username is in the group and the password is valid.
auth_ldap_servers webdav;

location / {
    proxy_pass http://127.0.0.1:xxxx; # port used by webdav service
    proxy_redirect        off;
    proxy_set_header      Host $http_host;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto $scheme;
    proxy_set_header      X-Forwarded-Ssl on;
    proxy_set_header      Connection "";
    proxy_pass_header     Date;
    proxy_pass_header     Server;
}
```

> I see two options:

(you mean three).

Option 2 is indeed the best; option 3 is impossible since passwords in the authorizing service are unknown (hashed).

Owner

hacdias commented Aug 1, 2024

@Cyrix126 I indeed meant three, I updated the comment quite a few times. I will take a better look at #175 and release it soon.
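
A sketch of option 2 from the thread (no password check, authentication delegated to the reverse proxy), added here as an example and not the webdav project's code: the backend accepts the proxied basic auth username only when the connection comes from the proxy, then maps it to that user's directory. `Config`, `Resolve`, the sample user and port 8080 are assumptions made for the example.

```go
package main

import (
	"log"
	"net"
	"net/http"
)

type Config struct { // hypothetical shape for this sketch, not the webdav project's types
	TrustedProxies []string          // peers allowed to assert a username
	Users          map[string]string // username -> directory scope
}

func (c Config) trusted(host string) bool {
	ip := net.ParseIP(host)
	for _, p := range c.TrustedProxies {
		if ip != nil && ip.Equal(net.ParseIP(p)) {
			return true
		}
	}
	return false
}

// Resolve returns the HTTP status and, on success, the user's directory; no password is checked.
func (c Config) Resolve(remoteAddr, username string) (int, string) {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil || !c.trusted(host) {
		return http.StatusForbidden, "" // not the proxy: the username is unverified
	}
	if dir, ok := c.Users[username]; ok {
		return http.StatusOK, dir
	}
	return http.StatusUnauthorized, ""
}

func main() {
	cfg := Config{TrustedProxies: []string{"127.0.0.1"}, Users: map[string]string{"alice": "/srv/dav/alice"}} // constructed
	log.Print("warning: password check disabled; the proxy must authenticate every request")
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name, _, _ := r.BasicAuth() // password deliberately ignored
		status, dir := cfg.Resolve(r.RemoteAddr, name)
		if status != http.StatusOK {
			http.Error(w, http.StatusText(status), status)
			return
		}
		http.FileServer(http.Dir(dir)).ServeHTTP(w, r) // stand-in for a WebDAV handler
	})
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", h)) // loopback only
}
```

A peer-address check cannot tell nginx apart from any other local process on 127.0.0.1; on a shared host, a Unix socket with restricted permissions gives a tighter boundary.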
