I am currently in the process of testing out if I can transfer over my sites towards Caddy.
My current setup on my current server is as follows:
Every website has it’s own user and group
Every website has it’s own PHP-FPM pool, which runs with the website’s specific user
The website folder is owned by the user and Nginx has group access to the folder.
This way I try to seperate everything as much as possible.
I’ve tried to adapt this approach to Caddy and kept leaping into some problems - is this a way of working that can work with Caddy, or is it a bad idea?
What is the suggested approach with Caddy, and does my seperation even make sense with Caddy?
I’m curious to see what your point of view here is.
I’ve never tried to run PHP-FPM this way, how does this look exactly? Do you have per-site unix sockets or TCP ports? How does nginx do that?
This should be fine, if Caddy has access, then it should work.
What problems exactly? We could try to help more if you describe specifically what you ran into.
I will say that Caddy is probably not well suited to shared hosting environments where you run untrusted code on your machine (i.e. you don’t control what code others put on your server).
Be aware that by default Caddy’s admin API listens on localhost:2019, so any of those PHP sites could run curl commands to access the Caddy’s configuration API and potentially do plenty of damage.
It’s possible to run the admin API via a unix socket instead which should let you lock that down. I think there’s some unreleased changes to with that, hopefully coming in the next release.
