Caddy doesn't serve symlinks

1. The problem I’m having:

Caddy doesn’t serve symlinks, neither from Firefox, curl, nor wget, despite log entries showing an HTTP code of ‘200’ for these requests. If a regular ip-blocs.json file is placed in the directory instead of a symlink, it downloads normally. Permissions on the symlink:

-rw-r--r-- 1 jeanluc jeanluc 64478830 Dec 26 08:19 global.json
lrwxrwxrwx 1 jeanluc jeanluc       16 Dec 27 15:27 ip-blocs.json -> /tmp/global.json

2. Error messages and/or full log output:

{
  "level": "info",
  "ts": 1703689466.547738,
  "logger": "http.log.access.log0",
  "msg": "handled request",
  "request": {
    "remote_addr": "109.88.69.141:50774",
    "proto": "HTTP/2.0",
    "method": "GET",
    "host": "lacroix.it",
    "uri": "/ip-blocs/ip-blocs.json",
    "headers": {
      "Accept": [
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8"
      ],
      "Cookie": [
        "PHPSESSID=s8ggoofh4khlkogd3bh6j10rjb; FileRunSID=3i257cei7556hhljhkc2qahd12"
      ],
      "Sec-Fetch-Dest": [
        "document"
      ],
      "Sec-Fetch-Mode": [
        "navigate"
      ],
      "Sec-Fetch-Site": [
        "none"
      ],
      "User-Agent": [
        "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
      ],
      "Accept-Language": [
        "en-GB,en;q=0.5"
      ],
      "Accept-Encoding": [
        "gzip, deflate, br"
      ],
      "Upgrade-Insecure-Requests": [
        "1"
      ],
      "Sec-Fetch-User": [
        "?1"
      ],
      "Te": [
        "trailers"
      ]
    },
    "tls": {
      "resumed": true,
      "version": 772,
      "cipher_suite": 4865,
      "proto": "h2",
      "proto_mutual": true,
      "server_name": "lacroix.it"
    }
  },
  "common_log": "109.88.69.141 - - [27/Dec/2023:16:04:26 +0100] \"GET /ip-blocs/ip-blocs.json HTTP/2.0\" 200 694",
  "user_id": "",
  "duration": 0.001354002,
  "size": 694,
  "status": 200,
  "resp_headers": {
    "Server": [
      "Caddy"
    ],
    "Content-Type": [
      "text/html; charset=UTF-8"
    ],
    "Content-Encoding": [
      "gzip"
    ],
    "Vary": [
      "Accept-Encoding"
    ]
  }
}

2.1 Curl verbose output on client side

> GET /ip-blocs/ip-blocs.json HTTP/2
> Host: lacroix.it
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 200 
< content-type: text/html; charset=UTF-8
< server: Caddy
< content-length: 1143
< date: Wed, 27 Dec 2023 15:26:46 GMT
< 

3. Caddy version:

v2.4.6

4. How I installed and ran Caddy:

jeanluc@vps321764:/etc/caddy$ sudo systemctl status caddy
● caddy.service
     Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2023-12-27 15:33:06 CET; 2s ago
   Main PID: 804694 (caddy)
      Tasks: 12 (limit: 2261)
     Memory: 25.3M
        CPU: 870ms
     CGroup: /system.slice/caddy.service
             ├─804694 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
             ├─804706 sudo -- tee /usr/local/share/ca-certificates/Caddy_Local_Authority_-_2022_ECC_Root_2439666126240306232711>
             └─804707 sendmail -t

a. System environment:

Linux - systemd

d. My complete Caddy config:

lacroix.it {
	root * /var/www
	file_server
	import common.conf

	log {
		output file /var/log/caddy/lacroix.it.log
	}

}

common.conf

# php hook
php_fastcgi unix//var/run/php/php7.4-fpm.sock 

# compress response
encode gzip

# clean url
try_files {path}/index.html {path}.php {path}
try_files {path} /login.php

Caddy can serve symlinks just fine. The issue is not with the symlinks. The standard systemd unit file we ship sets PrivateTmp=true, for which systemd maps a completely separate /tmp for the process, so Caddy can’t actually find /tmp/global.json.

https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateTmp=

Our intent is to ship secure defaults. You can override those configuration parameters for your own use, and we have a guide for it.
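
A check for the condition described in the answer above, as an added example that is not part of the original thread or Caddy's own tooling: it lists symlinks under a document root whose targets resolve into /tmp or /var/tmp when the given unit file enables PrivateTmp=. The function names and the constructed sample paths are assumptions for illustration, and only the single unit file passed in is read (drop-in overrides are ignored).

```shell
#!/bin/sh
# Succeeds when the unit file's [Service] section enables PrivateTmp=
# (the last assignment wins; systemd accepts 1/yes/true/on as true).
private_tmp_enabled() {
    value=$(awk '
        /^\[/ { in_service = ($0 == "[Service]") }
        in_service && /^PrivateTmp[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); v = $0
        }
        END { print tolower(v) }' "$1")
    case $value in
        1|yes|true|on) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds when the symlink resolves into /tmp or /var/tmp, the two
# directories PrivateTmp= replaces with private mounts for the service.
points_into_tmp() {
    resolved=$(readlink -f -- "$1" 2>/dev/null) || resolved=$(readlink -- "$1")
    case $resolved in
        /tmp/*|/var/tmp/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints every symlink under DOCROOT that the service cannot follow;
# prints nothing when PrivateTmp= is off.  Usage: hidden_symlinks DOCROOT UNIT
hidden_symlinks() {
    private_tmp_enabled "$2" || return 0
    find "$1" -type l | while IFS= read -r link; do
        if points_into_tmp "$link"; then
            printf '%s -> %s\n' "$link" "$(readlink -- "$link")"
        fi
    done
}

# Constructed sample: a docroot holding the thread's symlink plus one that
# points outside /tmp, and a minimal unit file (not Caddy's shipped unit).
demo=$(mktemp -d)
mkdir "$demo/www"
ln -s /tmp/global.json "$demo/www/ip-blocs.json"
ln -s /usr/share/global.json "$demo/www/other.json"
printf '[Service]\nPrivateTmp=true\n' > "$demo/caddy.service"
hidden_symlinks "$demo/www" "$demo/caddy.service"
```

On a live host, pass the real document root and the unit file path shown on the `Loaded:` line of `systemctl status caddy`.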


That was it. Works like a charm now. Thanks for your post.
