1. Caddy version (caddy version):
2.4.5
2. How I run Caddy:
a. System environment:
Arch Linux, systemd, Linode default Arch Container
caddy was installed via pacman -S caddy
b. Command:
sudo systemctl start caddy.service
c. Service/unit/compose file:
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=14400
StartLimitBurst=10
[Service]
User=caddy
Group=caddy
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket
# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal
# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Hardening options
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
meaningpoetry.com {
	handle_path /hoc/* {
		root * /home/thero/mp/mpcom
		php_fastcgi unix//run/php-fpm/www.sock
		file_server * browse
	}
	reverse_proxy localhost:3000 {
		header_down Strict-Transport-Security max-age=31536000;
	}
}

a.meaningpoetry.com {
	reverse_proxy localhost:1337 {
		header_down Strict-Transport-Security max-age=31536000;
	}
}

roundcube.meaningpoetry.com {
	root * /usr/share/webapps/roundcubemail/
	encode gzip
	file_server
	php_fastcgi unix//run/roundcubemail/roundcubemail.sock {
		split .php
		index index.php
	}
}

mad.meaningpoetry.com {
	root * /usr/share/webapps/postfixadmin/public/
	encode gzip
	file_server
	php_fastcgi unix//run/postfixadmin/postfixadmin.sock {
		split .php
		index index.php
	}
}
3. The problem I’m having:
I am having a problem with systemctl: starting Caddy manually serves the static files, but running it through systemctl gives 403 Forbidden errors for all static files, aside from the PHP ones.
The problem is as described HERE
However, I’m not sure what else to do as I don’t have, or at least I didn’t install and configure, SELinux, and as far as I’m aware, Linode’s Arch Image is Vanilla, plain old K.I.S.S. DIY Arch.
4. Error messages and/or full log output:
5. What I already tried:
I tried manually executing as mentioned above in the thread I linked in relation
I would be happy to move my files, if I knew where to how to what with why.
Judging from the two linked threads below, I need to put it somewhere where user:group caddy:caddy has permission to +x
thero@meaningpoetry ~/mp/mpfe sudo /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
6. Links to relevant resources:
The problem is as described HERE
And HERE. However, I haven’t tried moving it to /var/www, as I do not have these directories.
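The unit file in the post sets ProtectHome=true (and ProtectSystem=strict), so a site root under /home/thero is invisible to the caddy process regardless of its mode bits, and every directory on the way down to the root needs search (x) permission for caddy:caddy. The script below is an added example, not part of the post or of Caddy's own tooling; it checks both conditions for a given account and path (GNU stat on Linux assumed, paths without spaces).

```shell
#!/bin/sh
# Added example (not from the post or from Caddy): can a service account reach
# a site root? Two things decide it: systemd's ProtectHome, and the search/read
# bits on every directory down to the root. GNU stat assumed (Linux).

# mode_grants MODE OWNER GROUP USER "USERGROUPS" r|x -> prints yes or no
# MODE is octal as printed by `stat -c %a` (750, 2755, ...). Root is not
# special-cased on purpose: the unit runs as User=caddy, without CAP_DAC_OVERRIDE.
mode_grants() {
    bits=$(( 0$1 ))
    case $6 in r) mask=4 ;; x) mask=1 ;; *) echo no; return 1 ;; esac
    if [ "$4" = "$2" ]; then off=6                                # owner bits
    else case " $5 " in *" $3 "*) off=3 ;; *) off=0 ;; esac; fi   # group / other
    if [ $(( (bits >> off) & mask )) -ne 0 ]; then echo yes; else echo no; fi
}

# protect_home_hides VALUE PATH -> yes if ProtectHome=VALUE makes PATH vanish.
# true and tmpfs present /home, /root and /run/user as empty; read-only does not.
protect_home_hides() {
    case $1 in true|tmpfs) ;; *) echo no; return ;; esac
    case $2 in
        /home|/home/*|/root|/root/*|/run/user|/run/user/*) echo yes ;;
        *) echo no ;;
    esac
}

# check_site_root USER "USERGROUPS" PROTECT_HOME ROOT -> OK (0) or first BLOCKED (1)
# Each ancestor needs x for USER; ROOT itself needs r and x. Paths without spaces.
check_site_root() {
    user=$1; ugroups=$2; ph=$3; root=${4%/}
    if [ "$(protect_home_hides "$ph" "$root")" = yes ]; then
        echo "BLOCKED: ProtectHome=$ph hides $root from the service"; return 1
    fi
    p=""
    for comp in $(printf '%s' "$root" | tr / ' '); do
        p="$p/$comp"
        st=$(stat -c '%a %U %G' "$p") || { echo "BLOCKED: cannot stat $p"; return 1; }
        set -- $st                                    # $1=mode $2=owner $3=group
        for want in x r; do
            [ "$want" = r ] && [ "$p" != "$root" ] && continue
            [ "$(mode_grants "$1" "$2" "$3" "$user" "$ugroups" "$want")" = yes ] ||
                { echo "BLOCKED: $p is $1 $2:$3, $user lacks $want"; return 1; }
        done
    done
    echo "OK: $user can read $root"
}

# The post's own values: site root under /home, unit with ProtectHome=true.
check_site_root caddy caddy true /home/thero/mp/mpcom || true
```

Run it as root (or any user allowed to stat the path) with the account the unit uses, e.g. `check_site_root caddy "$(id -Gn caddy)" true /var/www/mpcom`; a BLOCKED line names the first directory that needs chmod/chgrp, or the unit setting that hides the path.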