1. Caddy version (caddy version):
caddy version: v2.4.6
2. How I run Caddy:
a. System environment:
Arch Linux
Linux meaningpoetry.com 5.15.12-arch1-1 #1 SMP PREEMPT Wed, 29 Dec 2021 12:04:56 +0000 x86_64 GNU/Linux
I believe it is systemd
b. Command:
sudo systemctl start caddy.service
c. Service/unit/compose file:
[Unit]
Description=Caddy web server
Documentation=https://caddyserver.com/docs/
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
StartLimitIntervalSec=14400
StartLimitBurst=10
[Service]
User=caddy
Group=caddy
Environment=XDG_DATA_HOME=/var/lib
Environment=XDG_CONFIG_HOME=/etc
ExecStartPre=/usr/bin/caddy validate --config /etc/caddy/Caddyfile
ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile
ExecStopPost=/usr/bin/rm -f /run/caddy/admin.socket
# Do not allow the process to be restarted in a tight loop. If the
# process fails to start, something critical needs to be fixed.
Restart=on-abnormal
# Use graceful shutdown with a reasonable timeout
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
# Hardening options
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
DevicePolicy=closed
LockPersonality=true
MemoryAccounting=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
# The Caddyfile is an easy way to configure your Caddy web server.
#
# https://caddyserver.com/docs/caddyfile
#
# The configuration below serves a welcome page over HTTP on port 80.
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace the line below with your
# domain name.
#
# https://caddyserver.com/docs/caddyfile/concepts#addresses
{
# Restrict the admin interface to a local unix file socket whose directory
# is restricted to caddy:caddy. By default the TCP socket allows arbitrary
# modification for any process and user that has access to the local
# interface. If admin over TCP is turned on one should make sure
# implications are well understood.
admin "unix//run/caddy/admin.socket"
}
http:// {
# Set this path to your site's directory.
root * /usr/share/caddy
# Enable the static file server.
file_server
# Another common task is to set up a reverse proxy:
#reverse_proxy localhost:3000 {
# header_down Strict-Transport-Security max-age=31536000
#}
# Or serve a PHP site through php-fpm:
# php_fastcgi localhost:9000
# Refer to the directive documentation for more options.
# https://caddyserver.com/docs/caddyfile/directives
}
# Import additional caddy config files in /etc/caddy/conf.d/
import /etc/caddy/conf.d/*
meaningpoetry.com {
handle_path /hoc/* {
root * /var/www/html/hoc
php_fastcgi unix//run/php-fpm/www.sock
file_server
}
reverse_proxy localhost:3000 {
header_down Strict-Transport-Security max-age=31536000
}
}
a.meaningpoetry.com {
reverse_proxy localhost:1337 {
header_down Strict-Transport-Security max-age=31536000
}
}
m.meaningpoetry.com {
reverse_proxy localhost:7700 {
header_down Strict-Transport-Security max-age=31536000
}
}
roundcube.meaningpoetry.com {
root * /usr/share/webapps/roundcubemail/
encode gzip
file_server
php_fastcgi unix//run/roundcubemail/roundcubemail.sock {
split .php
index index.php
}
}
mad.meaningpoetry.com {
root * /usr/share/webapps/postfixadmin/public/
encode gzip
file_server
php_fastcgi unix//run/postfixadmin/postfixadmin.sock {
split .php
index index.php
}
}
awakening.observer:443 {
root * /home/thero/ao/wordpress
encode gzip
php_fastcgi unix//run/php-fpm/www.sock
file_server
}
3. The problem I’m having:
I serve numerous services fine on https://meaningpoetry.com, including a strapi admin at a.meaningpoetry.com. I am trying to configure https://awakening.observer to run a WordPress install; however, I am running into a 403 error, and Brave indicates it’s CORS related, with a redirection from https://awakening.observer to 45.56.114.165:443 erroring from strict-origin-when-cross-origin.
4. Error messages and/or full log output:
* Trying 45.56.114.165:80...
* Connected to awakening.observer (45.56.114.165) port 80 (#0)
> GET / HTTP/1.1
> Host: awakening.observer
> User-Agent: curl/7.80.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 308 Permanent Redirect
< Connection: close
< Location: https://awakening.observer/
< Server: Caddy
< Date: Tue, 04 Jan 2022 21:16:40 GMT
< Content-Length: 0
<
* Closing connection 0
5. What I already tried:
I’ve tried to pinpoint what was happening, which is how I stumbled upon the network tab in my browser and thus found a 403 occurring. All secure files are being rejected.
I’ve tried tweaking the Caddyfile after the first few errors I ran into due to outdated citations on the setup of WordPress. I think Caddy is fine. I will be enabling debugging, but I’m not sure where the log files would go.
I did run sudo pacman -Syu today, but everything with my previous setup for meaningpoetry.com seems a-o.k.; no pages yield a 403?
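One check worth running against the post above, added here as an example rather than anything from the original post: the unit file sets ProtectHome=true, which makes /home, /root and /run/user inaccessible inside the service's mount namespace, while the awakening.observer site is rooted at /home/thero/ao/wordpress. Every other site in the Caddyfile lives under /usr/share or /var/www, which the sandbox leaves readable. The script below is a static check that flags any Caddyfile `root` path a given unit's ProtectHome= setting would hide; the unit and Caddyfile it parses are constructed copies of the relevant lines from the post, written to a temporary directory so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not from the original post: flag Caddyfile `root` paths that
# the systemd sandbox hides from the caddy process. ProtectHome=true (and
# ProtectHome=tmpfs) mount /home, /root and /run/user as inaccessible/empty in
# the service's mount namespace, so a site rooted there cannot be read and the
# file server reports a permission error rather than serving files.
# ProtectHome=read-only still allows reads, so it is not flagged.

# usage: hidden_roots UNIT_FILE CADDYFILE  -> prints each hidden root path
hidden_roots() {
    unit="$1"
    caddyfile="$2"
    # Only the true/tmpfs variants make the directories inaccessible.
    if ! grep -Eq '^ProtectHome=(true|tmpfs)[[:space:]]*$' "$unit"; then
        return 0
    fi
    # `root * /path` and `root /path` both carry the path in the last field;
    # strip trailing comments first so they do not become the last field.
    sed 's/#.*//' "$caddyfile" \
        | awk '$1 == "root" { print $NF }' \
        | while IFS= read -r path; do
            case "$path" in
                /home|/home/*|/root|/root/*|/run/user|/run/user/*)
                    printf '%s\n' "$path"
                    ;;
            esac
        done
}

# Constructed sample inputs, copied from the relevant lines of the post
# (not the full files), so the check can be exercised offline.
tmp=$(mktemp -d)
cat > "$tmp/caddy.service" <<'EOF'
[Service]
User=caddy
Group=caddy
ProtectHome=true
ProtectSystem=strict
ReadWritePaths=/var/lib/caddy /var/log/caddy /run/caddy
EOF
cat > "$tmp/Caddyfile" <<'EOF'
roundcube.meaningpoetry.com {
    root * /usr/share/webapps/roundcubemail/
    file_server
}
awakening.observer:443 {
    root * /home/thero/ao/wordpress   # under /home, hidden by ProtectHome=true
    file_server
}
EOF

# Prints /home/thero/ao/wordpress for the sample above; remove "$tmp" when done.
hidden_roots "$tmp/caddy.service" "$tmp/Caddyfile"
```

If the check prints a path, either move that site tree out of /home (for example under /srv or /var/www, readable by the caddy user) or relax the unit to ProtectHome=read-only, which keeps the sandbox but lets the service read the directory. Separately, with this unit Caddy logs to stderr and therefore to the journal, so `journalctl -u caddy.service` is where its own error output lands.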