What should be the correct folder permission for /etc/caddy

1. Output of caddy version:

v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

2. How I run Caddy:

Use systemctl enable caddy, systemctl start caddy

a. System environment:

NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)" systemd

b. Command:

/usr/bin/caddy

c. Service/unit/compose file:

# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

{
        order reverse_proxy before route
        admin off
        log {
                output file /var/log/caddy/access.log
                level ERROR
        }
}

:443, mywebsite.com {        
        tls {
                ciphers TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256 TLS_CHACHA20_POLY1305_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
                curves x25519 secp521r1 secp384r1 secp256r1
                alpn http/1.1 h2
        }

        @tws {
                header Connection *Upgrade*
                header Upgrade websocket
                path /apathname        }
        reverse_proxy @tws 127.0.0.1:2022
        @host {
                host mywebsite.com        }
        route @host {
                header {
                        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" 
                }
                file_server {
                        root /var/www/html                 }
        }
}

3. The problem I’m having:

It’s said /etc/caddy is read-only although:
/etc/caddy# ll
total 16
drwxrwxr-x 3 caddy caddy 4096 Oct 8 09:14 ./
drwxr-xr-x 86 root root 4096 Oct 8 02:17 ../
drwxrwxr-x 3 caddy caddy 4096 Feb 22 2022 .config/
-rw-rw-r-- 1 caddy caddy 1119 Oct 8 09:14 Caddyfile

4. Error messages and/or full log output:

{"level":"error","ts":1665220447.3730838,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}
{"level":"error","ts":1665220447.4814124,"msg":"unable to autosave config","file":"/etc/caddy/.config/caddy/autosave.json","error":"open /etc/caddy/.config/caddy/autosave.json: read-only file system"}
{"level":"error","ts":1665220447.481637,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}
{"level":"error","ts":1665222732.764062,"msg":"unable to autosave config","file":"/etc/caddy/.config/caddy/autosave.json","error":"open /etc/caddy/.config/caddy/autosave.json: read-only file system"}
{"level":"error","ts":1665222732.7723339,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}
{"level":"error","ts":1665222732.7731318,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}
{"level":"error","ts":1665222942.4845963,"msg":"unable to autosave config","file":"/etc/caddy/.config/caddy/autosave.json","error":"open /etc/caddy/.config/caddy/autosave.json: read-only file system"}
{"level":"error","ts":1665222942.492277,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}
{"level":"error","ts":1665222942.4925766,"logger":"tls","msg":"job failed","error":"mywebsite.com: obtaining certificate: failed storage check: mkdir /etc/caddy/.local: read-only file system - storage is probably misconfigured"}

5. What I already tried:

Tried to give w permission to caddy:caddy for /etc/caddy

6. Links to relevant resources:

Don’t try to run Caddy directly. It should be running as a systemd service. See the docs:

There’s no reason for Caddy to write to /etc/caddy unless you tried running it directly, so that’s why I’m assuming that’s what you tried to do.

Remove all this stuff from your config. It’s not useful. Caddy’s defaults are modern and secure.

Careful with the syntax. The } must go on its own line. Same thing in various places.

Don’t turn off admin unless you have a particular reason to do it (I highly doubt you do). The admin endpoint is what allows you to perform graceful config reloads.

You don’t need to reorder directives like this, you can change your site’s config to make it work the way you expect:

header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

@ws `header({'Connection': '*Upgrade*', 'Upgrade': 'websocket'})`
reverse_proxy @ws 127.0.0.1:2022

root * /var/www/html
file_server

The log global option doesn’t configure access logs, it configures Caddy’s runtime logs; the filename you used doesn’t really make sense.

Also, be careful about overriding the level of the default logger like this, because it’s important to see Caddy’s runtime logs to check up on it and make sure it’s running as expected. INFO and WARNING level runtime logs are important to keep around.

Hi, this is not a normal Caddyfile for a real website, but a reverse proxy server to bypass ISP censorship with other proxy tools like v2ray, which blend web traffic into TLS traffic so it can’t be censored. I have no understanding of the content, but I doubt it’s problematic for its purpose, as they are used by lots of people.

I don’t run caddy using /bin/caddy. I do run it using a systemd service. I did not understand the forum posting template asking what’s the command to run caddy.

My only problem is caddy says /etc/caddy is read-only when the dir permission shows otherwise, and I can also do “sudo -u caddy touch /etc/caddy/testingfile” without problem.

It’s not the first time I’ve encountered it. Before, I just moved the whole caddy dir out of /etc and it stopped complaining. I wonder why the default caddy dir /etc/caddy is in fact not working.

Ironically, running the command directly
/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
there is no problem.
But using
systemctl enable/start caddy, it’s a no-go.

OK. It’s because of this, from systemd:

ProtectSystem= Takes a boolean argument or the special values "full" or "strict". If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to "full", the /etc directory is mounted read-only, too. If set to "strict" the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=).

This default setup is stupid. In normal cases Caddy doesn’t need write permission in its storage folder?? I don’t think so. Then why is it set up like this by default?

There should be no reason for Caddy to modify the contents of /etc :thinking:

The default setup does not set /etc as its storage folder.

What is the output in the logs when you start the caddy service? Since it has --environ you will see Caddy print its environment to the logs. That should tell you why Caddy is trying to write to /etc instead of read from it.

It sets up /etc/caddy as its storage folder, which is under /etc, and that’s mounted read-only.

What is the output in your logs though? If you run caddy environ you will see environment var output. That same kind of output will be visible in your journalctl -u caddy -f output after you start the Caddy service. Paste that output here.

Your data should be somewhere else, such as the caddy or www-data user’s $HOME, or another place outside of the designated location for system configuration.

If you choose to store the data in /etc/caddy, you can always set ReadWritePaths=/etc/caddy. The default setup is good for the 99.99% of use cases, including installing using the package manager, e.g. apt.
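To make the ProtectSystem= and ReadWritePaths= reasoning in this thread checkable, here is an added example (not code from the thread or from the Caddy project) that reads those two settings from a unit file and reports whether a given path would be writable by the service. It assumes a single unit file with no drop-in overrides and ignores the other sandboxing options.

```shell
#!/bin/sh
# Added example, not code from the thread or the Caddy project: predict whether
# a path is writable by a service from the ProtectSystem= and ReadWritePaths=
# lines in its unit file, following the systemd.exec(5) rules quoted above.
# Drop-in overrides and other sandboxing options (ProtectHome= etc.) are ignored.

# is_under PATH PREFIX: succeeds if PATH equals PREFIX or lies beneath it
is_under() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
        *)           return 1 ;;
    esac
}

# unit_path_writable UNITFILE PATH: prints "rw" or "ro" for PATH
unit_path_writable() {
    unit="$1"; target="$2"
    # the last ProtectSystem= assignment wins, as it does in systemd
    mode=$(sed -n 's/^ProtectSystem=[[:space:]]*//p' "$unit" | tail -n 1)
    # ReadWritePaths= may be repeated; entries are whitespace separated and
    # may carry a leading "-" (ignore if missing), which is not part of the path
    for p in $(sed -n 's/^ReadWritePaths=//p' "$unit" | tr '\n' ' '); do
        if is_under "$target" "${p#-}"; then echo rw; return 0; fi
    done
    case "$mode" in
        1|yes|y|true|t|on) rodirs="/usr /boot" ;;
        full)              rodirs="/usr /boot /etc" ;;
        strict)
            # whole hierarchy read-only except the API filesystems
            for p in /dev /proc /sys; do
                if is_under "$target" "$p"; then echo rw; return 0; fi
            done
            echo ro; return 0 ;;
        *) echo rw; return 0 ;;   # off or unset: nothing is remounted read-only
    esac
    for p in $rodirs; do
        if is_under "$target" "$p"; then echo ro; return 0; fi
    done
    echo rw
}

# Constructed unit excerpt modelled on the caddy.service posted in the thread
UNIT=$(mktemp)
printf '[Service]\nProtectSystem=full\n' > "$UNIT"
printf '%s: %s\n' /etc/caddy/.local "$(unit_path_writable "$UNIT" /etc/caddy/.local)"  # ro
printf '%s: %s\n' /var/lib/caddy    "$(unit_path_writable "$UNIT" /var/lib/caddy)"     # rw
printf 'ReadWritePaths=/etc/caddy\n' >> "$UNIT"   # the exception suggested above
printf '%s: %s\n' /etc/caddy/.local "$(unit_path_writable "$UNIT" /etc/caddy/.local)"  # rw
rm -f "$UNIT"
```

The first verdict is exactly the "mkdir /etc/caddy/.local: read-only file system" failure from the logs; the last shows why ReadWritePaths=/etc/caddy clears it.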

caddy.HomeDir=/home/tom
caddy.AppDataDir=/home/tom/.local/share/caddy
caddy.AppConfigDir=/home/tom/.config/caddy
caddy.ConfigAutosavePath=/home/tom/.config/caddy/autosave.json
caddy.Version=v2.6.1 h1:EDqo59TyYWhXQnfde93Mmv4FJfYe00dO60zMiEt+pzo=

but Caddy decides to use /etc/caddy as the storage folder. I didn’t choose the location, so I guess it defaults to going there because of Ubuntu’s caddy installation setup.
In fact, my question is how do I choose to use another dir as the storage location.

Hmm, to clarify, I meant what is the output of the environment using the command I showed you: journalctl -u caddy -f – it looks like you just ran caddy environ and pasted (some of) the output here, but that won’t be helpful because running Caddy like that has a totally different environment. That’s why I’m asking you to restart the Caddy service and show what is in the logs using that journalctl command.

It shouldn’t be, which is why I’m asking for more details to help figure this out.

Once we get to the bottom of that, we’ll be happy to help you with a solution, but we need to understand the problem first.

I’ve found a way to make it work, and don’t feel like posting too much info. In my place, the big brother does not only watch you, he sends an invitation to have tea with you.

What?

Ok, well, we can’t help you if you won’t cooperate. I am not even sure why you bothered posting in the first place.
