Permissions of Caddyfile

Hi all,

I’m trying to test Caddy as a replacement for nginx on a Debian 9 (stretch) system. I’ve followed the instructions at https://github.com/caddyserver/caddy/tree/master/dist/init/linux-systemd to the letter: /etc/caddy/Caddyfile is -rw-r--r-- 1 root root, and Caddy runs as user www-data (well, it should run, but that should be no problem, because nginx runs successfully as www-data).

Despite all this, starting the service fails with the error message:

loading Caddyfile via flag: open /etc/caddy/Caddyfile: permission denied

Ironically, running caddy from the command line works fine. I’ve tried to chown the Caddyfile to user www-data, and even setting it to 666, but it’s always the same.

What could I try to change for letting the caddy.service work?

Best
Joachim

Hi @jotteerr, welcome to the Caddy community!

If it’s working on the command line with the right permissions, but systemd has decided that it doesn’t like it… Well. I’ve personally done as much as I can to avoid using systemd.

I figure it probably has something to do with this section:

It seems to be focused on restricting access. You could try commenting out ProtectSystem, maybe.

Outside of that, and assuming we don’t have any systemd gurus pop in on this thread, you might have better luck on a systemd-specific forum somewhere.


@Whitestrake, thanks for your answer and the welcome!

I’m not insisting on systemd. I followed the description on GitHub because I thought this would be the ‘official’ way to get Caddy up and running. I saw that the nginx on my server doesn’t use systemd, but has a simple (OK, not so simple … :wink:) start/stop script in /etc/init.d/. Do you (or someone else) have a working script you could show me? I assume you’re not really starting Caddy from the command line manually …

I commented out all the “Private” and “Protect” related lines and skipped the “log” and “root” arguments from the start line, but to no avail.

I run all my stuff in Docker. Here’s what my Compose file looks like for Caddy, specifically.

  caddy:
    build:
      context: github.com/abiosoft/caddy-docker.git
      args:
        - plugins=git,cloudflare,jwt,login,filter
        - version=1.0.1
    command: ["-log", "stdout", "-agree", "-quiet",
      "-email", "letsencrypt@whitestrake.net",
      "-conf", "/etc/caddyfile"]
    ports:
      - 80:80/tcp
      - 443:443/tcp
    environment:
      CLOUDFLARE_EMAIL:  [snip]
      CLOUDFLARE_API_KEY: [snip]
    volumes:
      - ./conf/caddy/certs:/root/.caddy
      - ./conf/caddy/caddyfile:/etc/caddyfile
      - ./conf/caddy/.htpasswd:/etc/.htpasswd
      - ./conf/caddy/sites:/srv
    restart: unless-stopped

Standard disclaimer: don’t run restart: unless-stopped unless you’ve thoroughly tested your setup.

OK, now I’ve found that there is a SysVinit file at https://github.com/caddyserver/caddy/tree/master/dist/init/linux-sysvinit (it looks very similar to my working nginx script). I downloaded it, but now it’s getting more complicated: when I do service caddy start, the script seemingly runs successfully, and I get the syslog message

systemd[1]: Starting LSB: starts the caddy web server...
caddy[6262]: Starting caddy

but the server is not running anyway. service caddy status yields exited. Again, on the command line, Caddy starts flawlessly.

It turned out that the problem was a simple misconfiguration of the directory /etc/caddy. I don’t know why, but it was drwx------ 2 root www-data, not drwxr-xr-x 2 root root like all the other directories in /etc.

Now I don’t know why this has to be so, but with those permissions Caddy runs perfectly with systemd and the caddy.service file on GitHub. Many thanks to @aspeteRakete, who apparently set up the instructions there. I propose adding sudo chmod 755 /etc/caddy after sudo chown -R root:root /etc/caddy.

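The resolution above is the standard Unix rule that opening a file requires search (x) permission on every directory on the path, not just read permission on the file itself, which is why chowning the Caddyfile to www-data or making it mode 666 changed nothing while the directory stayed drwx------. The following is an added example, not code from the thread or from Caddy: a small model of that path check run over a constructed tree that mirrors the poster's layout (uid/gid 33 for www-data is the conventional Debian value and is an assumption here). It also shows that 0750 root:www-data on /etc/caddy would have worked and is tighter than 0755. On a real host the equivalent checks are `namei -l /etc/caddy/Caddyfile` (util-linux) and `sudo -u www-data cat /etc/caddy/Caddyfile`.

```python
"""Model of the POSIX path-permission check that explains the thread's
'permission denied'. Added example with a constructed file tree; not code
from Caddy or from the forum post."""
from dataclasses import dataclass

R, W, X = 4, 2, 1          # permission bits within one class (rwx)
WWW_DATA = 33              # assumption: Debian's conventional www-data uid/gid


@dataclass
class Entry:
    uid: int
    gid: int
    mode: int              # permission bits only, e.g. 0o755
    is_dir: bool


def _allowed(e: Entry, uid: int, gids: set, want: int) -> bool:
    """True if principal (uid, gids) has all bits in `want` on entry e.

    Exactly one class applies: owner if uid matches, else group if any of the
    caller's groups matches, else other. That is why an owner with 0o077
    bits is locked out even though everyone else gets in. Root bypasses
    read/write and always has search on directories."""
    if uid == 0:
        if want & X and not e.is_dir:
            return bool(e.mode & 0o111)   # root still needs some x bit to exec a file
        return True
    if uid == e.uid:
        bits = (e.mode >> 6) & 7
    elif e.gid in gids:
        bits = (e.mode >> 3) & 7
    else:
        bits = e.mode & 7
    return (bits & want) == want


def open_check(tree: dict, path: str, uid: int, gids: set, want: int = R):
    """Walk every directory component (each needs X/search), then check
    `want` on the leaf. Returns (ok, denied_at) where denied_at is the
    first path component that blocks access, or None."""
    parts = [p for p in path.split("/") if p]
    prefixes = ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts) - 1)]
    for d in prefixes:
        e = tree[d]
        if not e.is_dir or not _allowed(e, uid, gids, X):
            return False, d
    leaf = "/" + "/".join(parts)
    if not _allowed(tree[leaf], uid, gids, want):
        return False, leaf
    return True, None


def thread_tree(caddy_dir_mode=0o700, caddy_dir_gid=WWW_DATA,
                file_uid=0, file_mode=0o644) -> dict:
    """Constructed tree matching the thread: /etc/caddy as found was
    drwx------ root:www-data, the Caddyfile -rw-r--r-- root:root."""
    return {
        "/": Entry(0, 0, 0o755, True),
        "/etc": Entry(0, 0, 0o755, True),
        "/etc/caddy": Entry(0, caddy_dir_gid, caddy_dir_mode, True),
        "/etc/caddy/Caddyfile": Entry(file_uid, 0, file_mode, False),
    }


CADDYFILE = "/etc/caddy/Caddyfile"


def scenarios() -> dict:
    """Each thing the poster tried, plus the two fixes, as www-data (and root)."""
    www = (WWW_DATA, {WWW_DATA})
    return {
        "as found (dir 0700 root:www-data)": open_check(thread_tree(), CADDYFILE, *www),
        "chown Caddyfile to www-data":        open_check(thread_tree(file_uid=WWW_DATA), CADDYFILE, *www),
        "chmod 666 Caddyfile":                open_check(thread_tree(file_mode=0o666), CADDYFILE, *www),
        "chmod 755 /etc/caddy":               open_check(thread_tree(caddy_dir_mode=0o755), CADDYFILE, *www),
        "chmod 750 /etc/caddy (group www-data)": open_check(thread_tree(caddy_dir_mode=0o750), CADDYFILE, *www),
        "root from the command line":         open_check(thread_tree(), CADDYFILE, 0, {0}),
    }


if __name__ == "__main__":
    for name, (ok, where) in scenarios().items():
        print(f"{name:40s} {'ok' if ok else 'denied at ' + where}")
```

Running it as root from the shell succeeds in every variant, which matches the poster's observation that the command line worked while the service, running as www-data, did not; only changing the directory's mode (0755, or 0750 with the www-data group the directory already had) unblocks the service.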