{"id":4918,"date":"2026-02-18T05:41:01","date_gmt":"2026-02-18T05:41:01","guid":{"rendered":"https:\/\/softcolontechnologies.com\/blogs\/?p=4918"},"modified":"2026-02-18T05:42:11","modified_gmt":"2026-02-18T05:42:11","slug":"how-to-set-up-basic-authentication-on-your-vps","status":"publish","type":"post","link":"https:\/\/www.softcolon.com\/blogs\/how-to-set-up-basic-authentication-on-your-vps\/","title":{"rendered":"How to Set Up Basic Authentication on Your VPS"},"content":{"rendered":"<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Introduction: What is Basic Authentication and Why You Need It<\/h2>\n<p class=\" text-lg my-6\">When you deploy a web application, not all content should be publicly accessible. You might have:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">An <strong>admin dashboard<\/strong> that only your team should access<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">A <strong>staging environment<\/strong> for testing before production<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Internal tools<\/strong> (logs, metrics, deployment systems)<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Temporary access<\/strong> for contractors or partners during a specific project<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\">Without access control, anyone on the internet who finds these URLs can access them. Basic Authentication is the simplest way to protect these routes.<\/p>\n<p class=\" text-lg my-6\"><strong>Basic Authentication<\/strong> (often called &#8220;Basic Auth&#8221;) works by requiring visitors to enter a username and password before accessing protected content. 
It&#8217;s the simplest form of password protection on the web.<\/p>\n<p class=\" text-lg my-6\">Think of it like:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>No authentication:<\/strong> Unlocked front door, anyone can walk in<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Basic authentication:<\/strong> Locked front door, need a key (username\/password) to enter<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>OAuth\/JWT:<\/strong> Complex security system with multiple layers<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\">Caddy makes Basic Authentication trivially simple\u2014just a few lines of configuration. No plugins, no external dependencies, no complex setup.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">How Basic Authentication Works<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">The Request Flow<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">User visits https<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-comment\">\/\/example.com\/admin<\/span>\n    \u2193\nserver checks<span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"Is \/admin protected?\"<\/span>\n    \u2193\nYES \u2192 Server asks for username\/password\n    \u2193\nBrowser shows login popup<span class=\"hljs-punctuation\">:<\/span>\n    Username<span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-punctuation\">[<\/span>________<span class=\"hljs-punctuation\">]<\/span>\n    Password<span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-punctuation\">[<\/span>________<span class=\"hljs-punctuation\">]<\/span>\n    \u2193\nUser enters credentials\n    \u2193\nBrowser sends username + password in HTTP header\n    \u2193\nServer 
verifies<span class=\"hljs-punctuation\">:<\/span> Is the password correct?\n    \u2193\nYES \u2192 Allow access to \/admin\nNO \u2192 Show <span class=\"hljs-string\">\"Unauthorized\"<\/span> error\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">What Gets Sent to the Server<\/h3>\n<p class=\" text-lg my-6\">When you enter credentials in the Basic Auth popup, the browser automatically converts them to a format that&#8217;s sent to the server.<\/p>\n<p class=\" text-lg my-6\"><strong>Plain text version (what you see):<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">username<span class=\"hljs-punctuation\">:<\/span> admin\npassword<span class=\"hljs-punctuation\">:<\/span> MySecurePassword123!\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>What gets sent over the network (Base64 encoded):<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">Authorization<span class=\"hljs-punctuation\">:<\/span> Basic YWRtaW46TXlTZWN1cmVQYXNzd29yZDEyMyE=\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" 
title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">The browser Base64-encodes (not encrypts) the credentials. This is why <strong>Basic Auth always requires HTTPS<\/strong>\u2014without encryption, anyone on the network can decode the Base64 and see your password.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Understanding Password Hashing<\/h2>\n<p class=\" text-lg my-6\">Caddy requires passwords to be stored as <strong>bcrypt hashes<\/strong>, not plain text. This is a critical security feature.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Plain Text vs. Hashed Passwords<\/h3>\n<p class=\" text-lg my-6\"><strong>\u274c Storing plain text (DANGEROUS):<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">admin<span class=\"hljs-punctuation\">:<\/span>MyPassword123\nmanager<span class=\"hljs-punctuation\">:<\/span>BossPassword456\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Problems:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">If someone accesses your Caddyfile, they get all passwords<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">If your server is breached, all passwords are compromised<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">You can see (and misuse) employee passwords<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\"><strong>\u2705 Storing bcrypt hashes (SECURE):<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 
p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">admin<span class=\"hljs-punctuation\">:<\/span>$<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\nmanager<span class=\"hljs-punctuation\">:<\/span>$<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$N3jZy8R2pLmXqWzYk9vP2.x7S8yH9Q3wKmL4T5rN6sU8vC1dE9g8q\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Benefits:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Passwords are mathematically irreversible<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Even if someone accesses the Caddyfile, they can&#8217;t use the hashes<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">You can&#8217;t recover or misuse passwords<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">If your server is breached, attackers get only useless hashes<\/p>\n<\/li>\n<\/ul>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">How Bcrypt Works<\/h3>\n<p class=\" text-lg my-6\">Bcrypt is a one-way password-hashing algorithm:<\/p>\n<ol class=\"list-decimal ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Hashing:<\/strong> Password \u2192 Hash (one-way process, can&#8217;t reverse)<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-string\">\"MyPassword123\"<\/span> \u2192 $<span class=\"hljs-number\">2<\/span>a$<span 
class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Verification:<\/strong> The submitted password is hashed again, using the salt embedded in the stored hash, and compared to the stored hash<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">User enters<span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"MyPassword123\"<\/span>\nCaddy hashes it<span class=\"hljs-punctuation\">:<\/span> $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\nCaddy compares<span class=\"hljs-punctuation\">:<\/span> Does it match the stored hash?\nYES \u2192 Access granted\nNO \u2192 Access denied\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<\/li>\n<\/ol>\n<p class=\" text-lg my-6\"><strong>Key point:<\/strong> The actual password is never stored on the server, although the browser still sends it with every request (hence the HTTPS requirement). 
Only the hash is stored.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Generating Secure Password Hashes<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Using Caddy&#8217;s Built-in Command<\/h3>\n<p class=\" text-lg my-6\">Caddy provides a convenient tool to generate bcrypt hashes:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\">caddy hash-password\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Interactive process:<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\">$ caddy hash-password\n\nEnter password:\n*** (your password is hidden as you <span class=\"hljs-built_in\">type<\/span>)\n\nConfirm password:\n*** (confirm by typing again)\n\nOutput:\n$2a$12<span class=\"hljs-variable\">$riW1ZFwQ6qxUoRpC6kGUo<\/span>\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Copy this hash and paste it into your Caddyfile.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Generating Multiple Password Hashes<\/h3>\n<p class=\" text-lg my-6\">For multiple users:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash 
whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># For admin user<\/span>\n$ caddy hash-password\nEnter password: admin123\nOutput: $2a$12<span class=\"hljs-variable\">$abc123<\/span>...\n\n<span class=\"hljs-comment\"># For manager user<\/span>\n$ caddy hash-password\nEnter password: manager456\nOutput: $2a$12<span class=\"hljs-variable\">$def456<\/span>...\n\n<span class=\"hljs-comment\"># For viewer user<\/span>\n$ caddy hash-password\nEnter password: viewer789\nOutput: $2a$12<span class=\"hljs-variable\">$ghi789<\/span>...\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Then use them in your Caddyfile:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">basicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n    viewer $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Changing a Password<\/h3>\n<p class=\" text-lg my-6\">If someone leaves the team or a password is compromised:<\/p>\n<ol class=\"list-decimal ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg 
my-6\">Generate a new hash: <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">caddy hash-password<\/code><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Update the Caddyfile with the new hash<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Reload Caddy: <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">caddy reload<\/code><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">The old password no longer works<\/p>\n<\/li>\n<\/ol>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Use Cases and Real-World Scenarios<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Use Case 1: Admin Dashboard<\/h3>\n<p class=\" text-lg my-6\">Your Node.js app has an admin panel at <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/admin<\/code> that only your team should access:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # handle (unlike handle_path) keeps the \/admin prefix for the app;\n    # \/admin* also matches \/admin itself, not only \/admin\/...\n    handle \/admin* {\n        basicauth {\n            admin $2a$12$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>What this does:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/admin\/*<\/code> routes require 
username: <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">admin<\/code> + password<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">All other routes are publicly accessible<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">No code changes needed in your Node.js app<\/p>\n<\/li>\n<\/ul>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Use Case 2: Staging Environment<\/h3>\n<p class=\" text-lg my-6\">Test your app before going to production without exposing it to the internet:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">staging.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        dev $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n        qa $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3001<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Your whole staging site is protected. 
Anyone needing access gets a username\/password.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Use Case 3: Internal Tools<\/h3>\n<p class=\" text-lg my-6\">Keep your monitoring dashboard, logs, or deployment tools private:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">monitoring.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        monitor $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$xyz789...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">9090<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Only people with the password can see your monitoring system.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Use Case 4: Temporary Contractor Access<\/h3>\n<p class=\" text-lg my-6\">Give a contractor access for 3 months:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # handle keeps the \/contractor prefix when proxying to the app\n    handle \/contractor* {\n        basicauth {\n            contractor $2a$12$temp123...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md 
bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">When the contract ends, remove the contractor user from the Caddyfile and reload.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Pattern 1: Basic Auth for Entire Domain<\/h2>\n<p class=\" text-lg my-6\">Protect all routes on a domain. Useful for staging environments or internal sites.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Simple Single-User Setup<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>What this requires:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Username: <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">admin<\/code><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Password: (whatever you hashed to get that long string)<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\"><strong>Testing:<\/strong><\/p>\n<div class=\"relative 
group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># No credentials supplied<\/span>\n$ curl https:\/\/example.com\n<span class=\"hljs-comment\"># Response: Unauthorized<\/span>\n\n<span class=\"hljs-comment\"># Correct password<\/span>\n$ curl -u admin:MyPassword123 https:\/\/example.com\n<span class=\"hljs-comment\"># Response: Your app's content<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Multiple Users with Different Access Levels<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">internal.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n        manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n        viewer $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">All 
three users can access the site, but only with their own passwords. At this level, they all get the same access (Caddy doesn&#8217;t differentiate). For role-based access (admin vs. viewer permissions), you&#8217;d handle that in your application code.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Development Team Access<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">dev.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        dev1 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n        dev2 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n        dev3 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...\n        qa $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$jkl012...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Each team member gets their own username\/password. They can still access the same content, but you can track who logged in (from logs).<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Pattern 2: Route-Specific Basic Auth<\/h2>\n<p class=\" text-lg my-6\">Only protect certain paths. 
Most routes are public, but sensitive ones require authentication.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Protect Admin Panel Only<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # handle keeps the \/admin prefix; \/admin* also matches \/admin itself\n    handle \/admin* {\n        basicauth {\n            admin $2a$12$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Access behavior:<\/strong><\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">Public user visits<span class=\"hljs-punctuation\">:<\/span>\n  \/products \u2192 \u2705 Allowed (no auth)\n  \/about \u2192 \u2705 Allowed (no auth)\n  \/admin \u2192 \u274c Blocked<span class=\"hljs-punctuation\">,<\/span> asks for password\n  \/admin\/users \u2192 \u274c Blocked<span class=\"hljs-punctuation\">,<\/span> asks for password\n\nAuthenticated user visits (enters password)<span class=\"hljs-punctuation\">:<\/span>\n  \/admin \u2192 \u2705 Allowed\n  \/admin\/settings \u2192 \u2705 Allowed\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 
class=\"text-2xl mt-10 mb-4 font-bold \">Protect Multiple Paths<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Admin panel protected (handle keeps the path prefix for the app)\n    handle \/admin* {\n        basicauth {\n            admin $2a$12$abc123...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # API for internal use protected\n    handle \/api\/internal\/* {\n        basicauth {\n            api $2a$12$def456...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Health check endpoint protected\n    handle \/health {\n        basicauth {\n            monitor $2a$12$ghi789...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Everything else public\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Access patterns:<\/strong><\/p>\n<table>\n<thead>\n<tr>\n<th>Route<\/th>\n<th>Public?<\/th>\n<th>Auth Required<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/products<\/code><\/td>\n<td>\u2705 Yes<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td><code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/about<\/code><\/td>\n<td>\u2705 Yes<\/td>\n<td>No<\/td>\n<\/tr>\n<tr>\n<td><code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/admin\/*<\/code><\/td>\n<td>\u274c No<\/td>\n<td>Yes (admin user)<\/td>\n<\/tr>\n<tr>\n<td><code class=\"break-words rounded bg-[#24292E] px-2 py-1 
text-[#EEEEEE]\">\/api\/internal\/*<\/code><\/td>\n<td>\u274c No<\/td>\n<td>Yes (api user)<\/td>\n<\/tr>\n<tr>\n<td><code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/health<\/code><\/td>\n<td>\u274c No<\/td>\n<td>Yes (monitor user)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Protect Specific Files<\/h3>\n<p class=\" text-lg my-6\">Protect individual routes within your app:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Protect specific endpoints (handle keeps the request path unchanged)\n    handle \/logs <span class=\"hljs-punctuation\">{<\/span>\n        basicauth <span class=\"hljs-punctuation\">{<\/span>\n            admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n        <span class=\"hljs-punctuation\">}<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    handle \/metrics <span class=\"hljs-punctuation\">{<\/span>\n        basicauth <span class=\"hljs-punctuation\">{<\/span>\n            monitor $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n        <span class=\"hljs-punctuation\">}<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    # Public routes\n    handle <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 
cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Pattern 3: Environment-Based Auth<\/h2>\n<p class=\" text-lg my-6\">Different authentication for different deployments.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Development with No Auth, Production with Auth<\/h3>\n<p class=\" text-lg my-6\">Don&#8217;t protect dev (faster testing), but protect production:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># Development - no authentication\ndev.example.com <span class=\"hljs-punctuation\">{<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Staging - light authentication\nstaging.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        dev $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3001<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Production - strong authentication\napi.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n        manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span 
class=\"hljs-number\">3002<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Different Credentials per Environment<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># Dev environment - simple password, still stored as a hash\ndev-api.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        dev $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Production environment - strong password\napi.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$StrongHashHereVeryLongString...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Real-World Scenarios<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Scenario 1: E-Commerce with Public Shop and Admin Panel<\/h3>\n<div class=\"relative group\">\n<pre
class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">shop.example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Public shop - no authentication\n    handle_path \/products* <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    handle_path \/checkout* <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    handle_path \/account* <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    # Admin panel - protected\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        basicauth {\n            admin $2a$12$abc123...\n            manager $2a$12$def456...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Analytics - protected\n    handle_path \/analytics {\n        basicauth {\n            analyst $2a$12$ghi789...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Everything else public\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Scenario 2: SaaS with Multi-Level Access<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs 
language-json whitespace-pre-wrap break-words text-gray-300\">app.example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Public landing page\n    handle_path \/ <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    # User app - users authenticate via app login\n    handle_path \/dashboard* <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    # Admin panel - HTTP Basic Auth\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        basicauth {\n            admin $2a$12$abc123...\n            support $2a$12$def456...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Monitoring - HTTP Basic Auth\n    handle_path \/monitoring\/* {\n        basicauth {\n            ops $2a$12$ghi789...\n        }\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Scenario 3: API with Public and Private Endpoints<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">api.example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Public API endpoints (no auth)\n    handle_path \/api\/v1\/public<span class=\"hljs-comment\">\/* {\n        reverse_proxy localhost:3001\n    }\n\n    # Private API endpoints (Basic Auth)\n    handle_path \/api\/v1\/private\/* {\n        basicauth {\n            
partner1 $2a$12$abc123...\n            partner2 $2a$12$def456...\n            internal $2a$12$ghi789...\n        }\n        reverse_proxy localhost:3001\n    }\n\n    # Admin API (strict auth)\n    handle_path \/api\/admin\/* {\n        basicauth {\n            admin $2a$12$jkl012...\n        }\n        reverse_proxy localhost:3001\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Common Mistakes to Avoid<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 1: Using Plain Text Passwords<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - Never do this!\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin MyPassword123\n    manager BossPassword456\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Why it&#8217;s dangerous:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Anyone with Caddyfile access gets all passwords<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">If the file is leaked, all passwords are compromised<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">You can see (and misuse) employee passwords<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">No security benefit<\/p>\n<\/li>\n<\/ul>\n<p 
class=\" text-lg my-6\"><strong>Solution:<\/strong> Always use hashed passwords:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u2705 CORRECT\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n    manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$N3jZy8R2pLmXqWzYk9vP2.x7S8yH9Q3wKmL4T5rN6sU8vC1dE9g8q\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 2: Forgetting HTTPS<\/h3>\n<p class=\" text-lg my-6\">Basic Auth sends credentials in Base64 encoding (easily reversible, not encrypted). 
Without HTTPS, anyone on the network can intercept and decode your password.<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - HTTP only (insecure)\nhttp:\/\/example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">An attacker on the same WiFi can see:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">Authorization<span class=\"hljs-punctuation\">:<\/span> Basic YWRtaW46TXlQYXNzd29yZA==\n# Decodes to<span class=\"hljs-punctuation\">:<\/span> admin<span class=\"hljs-punctuation\">:<\/span>MyPassword\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Solution:<\/strong> Always use HTTPS:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap
break-words text-gray-300\"># \u2705 CORRECT - HTTPS (secure)\nexample.com <span class=\"hljs-punctuation\">{<\/span>\n    # Caddy auto-enables HTTPS and gets certificates\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    <span class=\"hljs-punctuation\">}<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Caddy automatically enables HTTPS for all domains.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 3: Protecting Too Much<\/h3>\n<p class=\" text-lg my-6\">Don&#8217;t require authentication for routes that should be public:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - Protects everything\nexample.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        user $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    handle <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 
group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Now users can&#8217;t visit your site without a password, which:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Hurts SEO (search engines can&#8217;t crawl)<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Frustrates users<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Makes sharing links impossible<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\"><strong>Solution:<\/strong> Only protect what needs protection:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u2705 CORRECT - Only protect admin\nexample.com <span class=\"hljs-punctuation\">{<\/span>\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        basicauth {\n            admin $2a$12$abc123...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 4: Same Password for Everyone<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - Can't tell who logged in\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    user1 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    user2 $<span class=\"hljs-number\">2<\/span>a$<span 
class=\"hljs-number\">12<\/span>$abc123...  # Same hash!\n    user3 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...  # Same hash!\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Problems:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Can&#8217;t track who accessed what<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">If one person&#8217;s credentials are shared, can&#8217;t revoke just theirs<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Audit trail is useless<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\"><strong>Solution:<\/strong> Unique passwords for each user:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u2705 CORRECT\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...    # Only for admin\n    manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...  # Only for manager\n    viewer $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...   
# Only for viewer\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Each user changes their password independently.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 5: Leaving Old Passwords Active<\/h3>\n<p class=\" text-lg my-6\">After someone leaves the company, leaving their account active:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - Ex-employee still has access\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    alice $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...      # Left company <span class=\"hljs-number\">6<\/span> months ago\n    bob $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...        # Currently employed\n    charlie $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...    
# Left yesterday\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Solution:<\/strong> Remove accounts when people leave:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u2705 CORRECT\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    bob $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...        # Currently employed only\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Or if they might need temporary access, immediately invalidate their password by:<\/p>\n<ol class=\"list-decimal ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Removing the user from Caddyfile<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Running <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">caddy reload<\/code><\/p>\n<\/li>\n<\/ol>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mistake 6: Not Testing Auth Before Deploying<\/h3>\n<p class=\" text-lg my-6\">Deploy auth rules without testing, and you might lock yourself out:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WRONG - You don't know what 
username\/password works!\nhandle_path \/admin<span class=\"hljs-comment\">\/* {\n    basicauth {\n        admin $2a$12$abc123...\n    }\n    reverse_proxy localhost:3000\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Solution:<\/strong> Test before deploying:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># Generate a password you know<\/span>\n$ caddy hash-password\nEnter password: test123\nOutput: $2a$12<span class=\"hljs-variable\">$xyz789<\/span>...\n\n<span class=\"hljs-comment\"># Test locally<\/span>\ncurl -u admin:test123 http:\/\/localhost\/admin\n<span class=\"hljs-comment\"># Should work!<\/span>\n\n<span class=\"hljs-comment\"># Then use in production<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Viewing Access Logs<\/h2>\n<p class=\" text-lg my-6\">See who&#8217;s accessing your protected routes:<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Enable Logging in Caddy<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    log <span class=\"hljs-punctuation\">{<\/span>\n        output stdout\n        format json\n    <span 
class=\"hljs-punctuation\">}<\/span>\n\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        basicauth {\n            admin $2a$12$abc123...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">View Logs<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># If running as service<\/span>\n<span class=\"hljs-built_in\">sudo<\/span> journalctl -u caddy -f\n\n<span class=\"hljs-comment\"># If running in Docker<\/span>\ndocker logs -f caddy-container-name\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Look for lines like:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-punctuation\">{<\/span>\n  <span class=\"hljs-attr\">\"request\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-punctuation\">{<\/span>\n    <span class=\"hljs-attr\">\"remote_ip\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"203.0.113.10\"<\/span><span class=\"hljs-punctuation\">,<\/span>\n    <span class=\"hljs-attr\">\"method\"<\/span><span 
class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"GET\"<\/span><span class=\"hljs-punctuation\">,<\/span>\n    <span class=\"hljs-attr\">\"uri\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"\/admin\/users\"<\/span><span class=\"hljs-punctuation\">,<\/span>\n    <span class=\"hljs-attr\">\"proto\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-string\">\"HTTP\/2.0\"<\/span>\n  <span class=\"hljs-punctuation\">}<\/span><span class=\"hljs-punctuation\">,<\/span>\n  <span class=\"hljs-attr\">\"resp_headers\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-punctuation\">{<\/span>\n    <span class=\"hljs-attr\">\"Authorization\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-punctuation\">[<\/span><span class=\"hljs-string\">\"Basic ...\"<\/span><span class=\"hljs-punctuation\">]<\/span>\n  <span class=\"hljs-punctuation\">}<\/span><span class=\"hljs-punctuation\">,<\/span>\n  <span class=\"hljs-attr\">\"status\"<\/span><span class=\"hljs-punctuation\">:<\/span> <span class=\"hljs-number\">200<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">This shows who accessed <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">\/admin\/users<\/code> and when.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Changing Passwords<\/h2>\n<p class=\" text-lg my-6\">When a password is compromised or someone leaves:<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Step 1: Generate a New Hash<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash 
whitespace-pre-wrap break-words text-gray-300\">$ caddy hash-password\nEnter password: new_secure_password_123\nOutput: $2a$12<span class=\"hljs-variable\">$newHashHere<\/span>...\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Step 2: Update Caddyfile<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">basicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$newHashHere...  # Updated\n    manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...     # Unchanged\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Step 3: Reload Caddy<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\">caddy reload\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Zero downtime:<\/strong> Current users stay connected, new users use the new password.<\/p>\n<h3 class=\"text-2xl mt-10 
mb-4 font-bold \">Revoking a User&#8217;s Access<\/h3>\n<p class=\" text-lg my-6\">Simply remove their entry:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c BEFORE - Alice still has access\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    alice $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    bob $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n<span class=\"hljs-punctuation\">}<\/span>\n\n# \u2705 AFTER - Alice removed\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    bob $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Then reload:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\">caddy reload\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Alice&#8217;s old password no longer works.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Combining Basic Auth with Other Security<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Basic Auth + IP Filtering<\/h3>\n<p class=\" text-lg my-6\">Protect sensitive routes with both password and 
IP restrictions:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        # Only from internal network\n        @internal {\n            remote_ip 10.0.0.0\/8\n        }\n\n        handle @internal {\n            # Also requires password\n            basicauth {\n                admin $2a$12$abc123...\n            }\n            reverse_proxy localhost:3000\n        }\n\n        respond \"Access denied\" 403\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Combined security:<\/strong><\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Must be on internal network (IP filter)<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">AND must know the password (Basic Auth)<\/p>\n<\/li>\n<\/ul>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Basic Auth + Rate Limiting<\/h3>\n<p class=\" text-lg my-6\">Protect login routes with both password and rate limiting. The <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">rate_limit<\/code> directive is not part of a stock Caddy build, so this configuration only loads on a build that includes a rate-limiting plugin:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Public login form\n    handle_path \/login <span class=\"hljs-punctuation\">{<\/span>\n        rate_limit <span class=\"hljs-punctuation\">{<\/span>\n            zone login <span
class=\"hljs-punctuation\">{<\/span>\n                key <span class=\"hljs-punctuation\">{<\/span>remote_host<span class=\"hljs-punctuation\">}<\/span>\n                events <span class=\"hljs-number\">10<\/span>\n                window <span class=\"hljs-number\">1<\/span>m\n            <span class=\"hljs-punctuation\">}<\/span>\n        <span class=\"hljs-punctuation\">}<\/span>\n        # rate_limit (above) comes from a third-party plugin, not stock Caddy; the build must include it\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    # Admin panel with password\n    handle_path \/admin<span class=\"hljs-comment\">\/* {\n        basicauth {\n            admin $2a$12$abc123...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Complete Production-Ready Examples<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Full Setup with Multiple Domains<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># Production website - public\nshop.example.com <span class=\"hljs-punctuation\">{<\/span>\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Admin panel - password protected\nadmin.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        admin $<span class=\"hljs-number\">2<\/span>a$<span 
class=\"hljs-number\">12<\/span>$riW1ZFwQ6qxUoRpC6kGUo\/Q7yMZeErZvm3Wv0bYl\/fSfl.kkVGCzC\n        manager $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$N3jZy8R2pLmXqWzYk9vP2.x7S8yH9Q3wKmL4T5rN6sU8vC1dE9g8q\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    log <span class=\"hljs-punctuation\">{<\/span>\n        output stdout\n        format json\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3001<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Staging environment - team access\nstaging.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        dev $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n        qa $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n        product $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$ghi789...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3002<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n\n# Monitoring - ops team only\nmonitoring.example.com <span class=\"hljs-punctuation\">{<\/span>\n    basicauth <span class=\"hljs-punctuation\">{<\/span>\n        ops $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$jkl012...\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    log <span class=\"hljs-punctuation\">{<\/span>\n        output stdout\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">9090<\/span>\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 
opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Mixed Authentication Setup<\/h3>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">example.com <span class=\"hljs-punctuation\">{<\/span>\n    # Public routes - no auth\n    handle_path \/products* <span class=\"hljs-punctuation\">{<\/span>\n        reverse_proxy localhost<span class=\"hljs-punctuation\">:<\/span><span class=\"hljs-number\">3000<\/span>\n    <span class=\"hljs-punctuation\">}<\/span>\n\n    handle_path \/api\/public<span class=\"hljs-comment\">\/* {\n        reverse_proxy localhost:3000\n    }\n\n    # Customer dashboard - app handles login\n    handle_path \/dashboard* {\n        reverse_proxy localhost:3000\n    }\n\n    # Partner API - Basic Auth\n    handle_path \/api\/partners\/* {\n        basicauth {\n            partner1 $2a$12$abc123...\n            partner2 $2a$12$def456...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Internal admin - Basic Auth + IP filtering\n    handle_path \/admin\/* {\n        @internal {\n            remote_ip 10.0.0.0\/8 203.45.67.0\/24\n        }\n\n        handle @internal {\n            basicauth {\n                admin $2a$12$ghi789...\n            }\n            reverse_proxy localhost:3000\n        }\n\n        respond \"Admin access restricted\" 403\n    }\n\n    # Monitoring - Basic Auth only\n    handle_path \/metrics {\n        basicauth {\n            monitor $2a$12$jkl012...\n        }\n        reverse_proxy localhost:3000\n    }\n\n    # Everything else public\n    handle {\n        reverse_proxy localhost:3000\n    }\n}\n<\/span><\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 
opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Security Best Practices<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">1. Use Strong Passwords<\/h3>\n<p class=\" text-lg my-6\">When generating password hashes, use strong passwords:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># \u274c WEAK - Easy to guess<\/span>\n$ caddy hash-password\nEnter password: admin123\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Result:<\/strong> Attackers can guess this in seconds.<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># \u2705 STRONG - Hard to guess<\/span>\n$ caddy hash-password\nEnter password: Y8@kL#mN9pQ<span class=\"hljs-variable\">$xZ4<\/span>&amp;bC2!vW6*rT1%sF3\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\"><strong>Result:<\/strong> Takes billions of years to guess.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">2. 
Use Unique Usernames<\/h3>\n<p class=\" text-lg my-6\">Don&#8217;t use generic names like &#8220;admin&#8221;:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\"># \u274c WEAK - Standard username everyone tries\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    admin $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n<span class=\"hljs-punctuation\">}<\/span>\n\n# \u2705 STRONG - Unique username\nbasicauth <span class=\"hljs-punctuation\">{<\/span>\n    alice $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$abc123...\n    bob $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$def456...\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Usernames are sent in the clear during authentication, so pick names that don&#8217;t reveal which system sits behind the login (don&#8217;t use &#8220;wordpress&#8221; for WordPress, &#8220;django&#8221; for Django, etc.).<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">3. Store Passwords Securely<\/h3>\n<p class=\" text-lg my-6\">Your Caddyfile contains password hashes. 
Protect it:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># Restrict Caddyfile permissions<\/span>\n<span class=\"hljs-built_in\">sudo<\/span> <span class=\"hljs-built_in\">chmod<\/span> 600 \/etc\/caddy\/Caddyfile\n\n<span class=\"hljs-comment\"># Only root and caddy user can read it<\/span>\n<span class=\"hljs-built_in\">ls<\/span> -l \/etc\/caddy\/Caddyfile\n<span class=\"hljs-comment\"># -rw------- 1 caddy caddy 2048 Jan 15 12:00 \/etc\/caddy\/Caddyfile<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">4. Rotate Passwords Regularly<\/h3>\n<p class=\" text-lg my-6\">Change passwords monthly or quarterly:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># Generate new password<\/span>\n$ caddy hash-password\nEnter password: new_password_2025_01\n\n<span class=\"hljs-comment\"># Update Caddyfile<\/span>\n<span class=\"hljs-comment\"># Reload Caddy<\/span>\ncaddy reload\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">5. 
Audit Access Logs<\/h3>\n<p class=\" text-lg my-6\">Regularly check who&#8217;s accessing protected routes:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\"><span class=\"hljs-comment\"># Check logs for \/admin access<\/span>\n<span class=\"hljs-built_in\">sudo<\/span> journalctl -u caddy | grep <span class=\"hljs-string\">\"\/admin\"<\/span>\n\n<span class=\"hljs-comment\"># Check for failed authentication attempts<\/span>\n<span class=\"hljs-built_in\">sudo<\/span> journalctl -u caddy | grep <span class=\"hljs-string\">\"401\\|Unauthorized\"<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Key Takeaways<\/h2>\n<ol class=\"list-decimal ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Basic Auth is simple:<\/strong> Caddy makes it trivial to add password protection without any plugins.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Always use hashed passwords:<\/strong> Use <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">caddy hash-password<\/code> to generate bcrypt hashes, never plain text.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>HTTPS is essential:<\/strong> Basic Auth only works safely with HTTPS encryption.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Protect selectively:<\/strong> Only require auth for sensitive routes, keep public routes accessible.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>One password per user:<\/strong> Give each 
person their own username\/password for tracking and revocation.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Test before deploying:<\/strong> Verify auth works before pushing to production.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Track access:<\/strong> Enable logging to audit who accesses protected routes.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Change passwords regularly:<\/strong> Update passwords when people leave or periodically rotate them.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Use strong passwords:<\/strong> Make passwords long and random, not easy to guess.<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><strong>Combine with other security:<\/strong> Layer Basic Auth with IP filtering and rate limiting for maximum protection.<\/p>\n<\/li>\n<\/ol>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Common Questions<\/h2>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Q: Is Basic Auth secure enough for production?<\/h3>\n<p class=\" text-lg my-6\"><strong>A:<\/strong> Basic Auth is secure <em>when used with HTTPS<\/em>. However, it&#8217;s best for:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Internal tools<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Staging environments<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Temporary access<\/p>\n<\/li>\n<\/ul>\n<p class=\" text-lg my-6\">For public-facing apps, use OAuth 2.0 or session-based authentication in your application.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Q: Can I use Basic Auth with a database of users?<\/h3>\n<p class=\" text-lg my-6\"><strong>A:<\/strong> Not directly with Caddy&#8217;s <code class=\"break-words rounded bg-[#24292E] px-2 py-1 text-[#EEEEEE]\">basicauth<\/code> directive. 
For dynamic user management:<\/p>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Use your application&#8217;s built-in authentication<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Or use OAuth 2.0 providers (Google, GitHub, etc.)<\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\">Or add a reverse proxy with an authentication module<\/p>\n<\/li>\n<\/ul>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Q: How many users can I add?<\/h3>\n<p class=\" text-lg my-6\"><strong>A:<\/strong> Thousands, but it becomes unwieldy. Each user needs an entry in your Caddyfile:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-json whitespace-pre-wrap break-words text-gray-300\">basicauth <span class=\"hljs-punctuation\">{<\/span>\n    user1 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$...\n    user2 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$...\n    user3 $<span class=\"hljs-number\">2<\/span>a$<span class=\"hljs-number\">12<\/span>$...\n    ...\n<span class=\"hljs-punctuation\">}<\/span>\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">For many users, use your application&#8217;s authentication instead.<\/p>\n<h3 class=\"text-2xl mt-10 mb-4 font-bold \">Q: What if I forget a password?<\/h3>\n<p class=\" text-lg my-6\"><strong>A:<\/strong> Users can&#8217;t recover their password from the hash. 
Generate a new one:<\/p>\n<div class=\"relative group\">\n<pre class=\"relative bg-[#1a1a1a] border border-gray-700 rounded-lg overflow-x-auto my-8 p-6\"><code class=\"hljs language-bash whitespace-pre-wrap break-words text-gray-300\">$ caddy hash-password\nEnter password: new_password\nOutput: $2a$12<span class=\"hljs-variable\">$newHashHere<\/span>...\n<\/code><\/pre>\n<p><button class=\"absolute top-4 cursor-pointer right-4 p-2 rounded-md bg-[#24292e] hover:bg-gray-700 border border-gray-600 opacity-0 group-hover:opacity-100 transition-opacity duration-200\" title=\"Copy code\"><\/button><\/div>\n<p class=\" text-lg my-6\">Update the Caddyfile and reload.<\/p>\n<hr \/>\n<h2 class=\"text-3xl font-semibold mt-14 mb-8 \">Further Reading<\/h2>\n<ul class=\"list-disc ml-6 my-6\">\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><a class=\"! !underline\" href=\"https:\/\/caddyserver.com\/docs\/caddyfile\/directives\/basicauth\" target=\"_blank\" rel=\"noopener noreferrer\">Caddy Documentation &#8211; Basic Authentication<\/a><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><a class=\"! !underline\" href=\"https:\/\/auth0.com\/blog\/hashing-in-action-understanding-bcrypt\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bcrypt Explained<\/a><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><a class=\"! !underline\" href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Authentication\" target=\"_blank\" rel=\"noopener noreferrer\">HTTP Basic Auth Security<\/a><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><a class=\"! !underline\" href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Authentication_Cheat_Sheet.html\" target=\"_blank\" rel=\"noopener noreferrer\">OWASP Authentication Cheat Sheet<\/a><\/p>\n<\/li>\n<li class=\" text-lg my-2\">\n<p class=\" text-lg my-6\"><a class=\"! 
!underline\" href=\"https:\/\/cheatsheetseries.owasp.org\/cheatsheets\/Authentication_Cheat_Sheet.html#password-strength-controls\" target=\"_blank\" rel=\"noopener noreferrer\">Password Strength Requirements<\/a><\/p>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Introduction: What is Basic Authentication and Why You Need It When you deploy a web application, not all content should be publicly accessible. You might have: An admin dashboard that only your team should access A staging environment for testing before production Internal tools (logs, metrics, deployment systems) Temporary access for contractors or partners during&#8230;<\/p>\n","protected":false},"author":1,"featured_media":4919,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[212,236],"tags":[220],"class_list":["post-4918","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops-infrastructure","category-digital-transformation","tag-web","th-blog blog-single 
has-post-thumbnail"],"_links":{"self":[{"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/posts\/4918","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/comments?post=4918"}],"version-history":[{"count":2,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/posts\/4918\/revisions"}],"predecessor-version":[{"id":4922,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/posts\/4918\/revisions\/4922"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/media\/4919"}],"wp:attachment":[{"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/media?parent=4918"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/categories?post=4918"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.softcolon.com\/blogs\/wp-json\/wp\/v2\/tags?post=4918"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}