But here begins my problem: I have different users on a system. All of these users can log in using ssh and, even if I limit the caddy port using the firewall, edit the caddy config using the API.
This is, of course, something I want to prevent.
What would be the best way to:
1. allow the usage of systemctl reload caddy
2. limit the usage of the API in order to forbid users other than root or the caddy user from modifying the config
3. Caddy version:
caddy version
v2.8.4 h1:q3pe0wpBj1OcHFZ3n/1nl4V4bxBrYoSoab7rL9BMYNk=
You can configure the admin endpoint to listen on a unix socket, which allows you to control which users can access it via the file system ACL. This is mentioned in the admin section on the Caddyfile Global options page, which I've linked to directly below.
Okay. /run is owned by root and caddy is using a separate user, so I guess caddy cannot create that socket. So I changed it to:
{
	admin unix//etc/caddy/socket/caddy-admin.sock
}
which is writable for that user:
drwxr-xr-x 2 caddy caddy 4.0K Oct 1 05:03 socket
But still it's having its troubles:
Oct 01 05:03:31 server1 caddy[54982]: Error: loading initial config: loading new config: starting caddy administration endpoint: unable to set permissions (--w-------) on /etc/caddy/socket/caddy-admin.sock: chmod /etc/caddy/socket/caddy-admin.sock: no such file or directory
The standard systemd unit file shipped with Caddy uses ProtectSystem=full, which makes most directories inaccessible except for a select few. The systemd documentation elaborates more on this setting.
caddy 2.9.0 (yet to be released) will have support for socket activation.
It looks like the admin API socket can be configured with socket activation too.
I verified that it is possible to set ownership of the socket file in the socket unit.
For example, the file /etc/systemd/system/caddy.socket could contain
In this example, the unix socket can be used for the admin API by adding
{
auto_https disable_redirects
admin fd/4
}
to a Caddyfile.
The number 4 is used because the Unix socket is the second socket in the unit file. For details about the counting, see SD_LISTEN_FDS_START in the sd_listen_fds man page.
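As an added example (not from this thread, and not the Caddy project's own files), the following POSIX shell script ties the two answers together: it writes a constructed caddy.socket unit in which a TCP listener comes first and the admin API's unix socket second, owned by an assumed caddy user and group with mode 0660 so that the file-system permissions from the earlier answer decide who can reach the API, and then derives the fd/N index each Listen* directive receives by the SD_LISTEN_FDS_START=3 counting from sd_listen_fds(3). The paths, port, user and group names are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Added example: a constructed caddy.socket unit plus a helper that maps each
# Listen* directive to the fd/N address Caddy 2.9+ would use for it.
# Per sd_listen_fds(3), the first passed socket is fd 3 (SD_LISTEN_FDS_START)
# and the others follow in the order the Listen* directives appear.
SD_LISTEN_FDS_START=3

# Write the constructed unit to the path given as $1.
# The address, user, group and mode below are assumptions for illustration.
write_example_socket_unit() {
  cat > "$1" <<'EOF'
[Unit]
Description=Caddy sockets (constructed example)

[Socket]
# First socket (fd/3): plain HTTP listener.
ListenStream=0.0.0.0:80
# Second socket (fd/4): admin API on a unix socket. systemd creates the
# file, so Caddy never needs write access to the directory itself.
ListenStream=/run/caddy/admin.sock
# Only root and members of the caddy group can connect to the admin API.
SocketUser=caddy
SocketGroup=caddy
SocketMode=0660
Service=caddy.service

[Install]
WantedBy=sockets.target
EOF
}

# Print "fd/N <address>" for every Listen* directive in a socket unit file,
# numbering from SD_LISTEN_FDS_START in file order (comments are skipped).
listen_fd_map() {
  awk -v start="$SD_LISTEN_FDS_START" '
    /^[ \t]*Listen(Stream|Datagram|SequentialPacket|FIFO|Special|Netlink|MessageQueue|USBFunction)=/ {
      sub(/^[ \t]*Listen[A-Za-z]*=/, "")
      printf "fd/%d %s\n", start + n++, $0
    }' "$1"
}

# Print the Caddyfile global option for the directive whose address is $2,
# e.g. "admin fd/4". Exits non-zero when the address is not in the unit.
admin_option_for() {
  listen_fd_map "$1" | awk -v addr="$2" '
    $2 == addr { print "admin " $1; found = 1 }
    END { exit !found }'
}

# Stand-alone demo: write the unit to a temp file and show the mapping.
demo_unit=$(mktemp)
write_example_socket_unit "$demo_unit"
listen_fd_map "$demo_unit"
admin_option_for "$demo_unit" /run/caddy/admin.sock
rm -f "$demo_unit"
```

With the unit installed and caddy.service started through it, a user outside the caddy group connecting to /run/caddy/admin.sock (for example with curl --unix-socket) is refused by the kernel at connect time because of the 0660 mode, before any request reaches Caddy; a member of the group, or root, can use the API normally. Keep the Listen* order in the unit and the fd/N in the Caddyfile in step: inserting a new ListenStream above the admin socket shifts its number.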