Web hosting with caddy for multiple users

Hi,

thanks for writing caddy, I like it very much. At the moment I’m trying to replace an older Apache installation with caddy to host several sites for multiple different users (mostly WordPress blogs). They’ve configured passwords and rewrite rules via Apache .htaccess files. I could port those to the caddy configuration, but users complained that they won’t be able to update rewrite rules themselves. I’ve seen that caddy (at least for the moment) can be configured to read HTTP basic auth passwords from a file (which the users can then administer themselves).

Is there a way to make rewrite rules and basic auth user-configurable without giving them write access to the Caddyfile? The latter would be a bad idea as there are several ways to get caddy to execute commands…

I’m looking forward to your responses!

You could use the import directive.
But please keep in mind that users can put anything in that Caddyfile part, so they could start doing weird things. But maybe import directive with some self-written preprocessing can do the trick.

Hm, but wouldn’t that exactly give the users the option to execute commands as the webserver? e.g. by using the shutdown or startup? I dislike giving the users of the server this ability…

Yes, that’s why I mentioned the part about:

But please keep in mind that users can put anything in that Caddyfile part, so they could start doing weird things. But maybe import directive with some self-written preprocessing can do the trick.

So if you’ll need some checks on the Caddyfile parts they write…
Not only for security, but also because if they make a syntax error in the Caddyfile, all other sites will be down as well…


@fd0 Thanks for your question! I’ll think on a good way to implement this while I work on 0.9. No guarantees, but if there’s a simple way to do it you might get lucky.

Caddy won’t break if there’s an error starting the new Caddyfile; it just rolls back and keeps on serving.

Elaborate please… So you’re telling me I don’t need to restart Caddy if I want to update my Caddyfile? :)

You do, but if the restart fails because the new Caddyfile is invalid, the restart rolls back and nothing breaks.

Ok, thanks. So Caddy somewhere makes a backup of the config file?

It’s in memory. ;)

I only thought about it a little bit so far, but I think this is something best implemented outside of Caddy core. Your need seems to involve the concept of users and privileges which is out of the scope for Caddy. But I could see a fairly simple wrapper program in Go that adds user+permissions functionality on top of Caddy.

Using Caddy in a Go program is really easy (caddy.Start(caddyFile), or for the whole thing, caddymain.Run()), so it should be simple enough with Caddy 0.9 to implement this. Thanks to @captncraig for the idea of putting the whole main() function in a separate package. :)

Here’s how it could work: This program takes as inputs users and their permissions (such as a list of directives that are allowed) and their Caddyfiles. It then can parse the Caddyfile using Caddy’s caddyfile package (coming in 0.9) and inspect the contents to make sure all the directives are allowed, etc. If everything looks good, it can simply concatenate the Caddyfiles into one and start Caddy with that Caddyfile.

Haven’t thought through all the details, obviously, but this makes sense to me…

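The allowlist check proposed in the last post, sketched as an added example (not code from the thread or from Caddy). It assumes a simplified line-based reading of a user fragment meant for inside one site block, rather than Caddy's own caddyfile package; `CheckSnippet` and the allowed set are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// CheckSnippet inspects a user-written fragment and returns one message
// per problem found; an empty result means the fragment was accepted.
func CheckSnippet(src string, allowed map[string]bool) (problems []string) {
	depth := 0
	for n, line := range strings.Split(src, "\n") {
		fields := strings.Fields(line)
		for i, f := range fields {
			if strings.HasPrefix(f, "#") { // rest of the line is a comment
				fields = fields[:i]
				break
			}
		}
		if len(fields) == 0 {
			continue
		}
		// Only the first token of a top-level line is a directive name.
		if depth == 0 && fields[0] != "}" && !allowed[fields[0]] {
			problems = append(problems, fmt.Sprintf("line %d: directive %q not allowed", n+1, fields[0]))
		}
		for i, f := range fields {
			switch {
			case f == "{" && i == len(fields)-1:
				depth++
			case f == "}" && len(fields) == 1 && depth > 0:
				depth--
			case f == "{" || f == "}": // fail closed: a stray } could end the site block
				problems = append(problems, fmt.Sprintf("line %d: misplaced or unmatched brace", n+1))
			}
		}
	}
	if depth != 0 {
		problems = append(problems, "unclosed block at end of snippet")
	}
	return problems
}

func main() {
	allowed := map[string]bool{"rewrite": true, "basicauth": true}
	// Constructed sample: the second line is the command-execution risk raised in the thread.
	fmt.Println(CheckSnippet("rewrite /old /new\nstartup /bin/touch /tmp/x\n", allowed))
}
```

Because `import` is not in the allowed set it is rejected like any other directive, so a fragment cannot pull in further files that were never checked.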