search

caddyserver / caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS
https://caddyserver.com
Apache License 2.0
55.72k stars 3.92k forks source link

admin: Issues running with a unix socket #3269

Closed francislavoie closed 4 years ago

francislavoie commented 4 years ago

When using a unix socket for the admin API, there are a couple issues.

Caddyfile:

{
  admin unix/caddy.sock
}

:8889
$ ./caddy2_rc3_linux_amd64 run
2020/04/16 16:48:25.059 INFO    using provided configuration    {"config_file": "Caddyfile-admin-sockets", "config_adapter": ""}
2020/04/16 16:48:25.060 INFO    admin   admin endpoint started  {"address": "unix/caddy.sock", "enforce_origin": false, "origins": [""]}
2020/04/16 12:48:25 [INFO][cache:0xc0004828c0] Started certificate maintenance routine
2020/04/16 12:48:25 [ERROR] Listing contents of certificates/local: open /home/francis/.local/share/caddy/certificates/local/abc.local: permi
ssion denied
2020/04/16 16:48:25.060 INFO    tls     cleaned up storage units
2020/04/16 16:48:25.061 INFO    autosaved config        {"file": "/home/francis/.config/caddy/autosave.json"}
2020/04/16 16:48:25.061 INFO    serving initial configuration
^C2020/04/16 16:48:26.223       INFO    shutting down   {"signal": "SIGINT"}
2020/04/16 12:48:26 [INFO][cache:0xc0004828c0] Stopped certificate maintenance routine
2020/04/16 16:48:26.223 INFO    shutdown done   {"signal": "SIGINT"}

$ ./caddy2_rc3_linux_amd64 run
2020/04/16 16:48:27.346 INFO    using provided configuration    {"config_file": "Caddyfile-admin-sockets", "config_adapter": ""}
run: loading initial config: loading new config: starting caddy administration endpoint: listen unix caddy.sock: bind: address already in use

First time running Caddy works fine, the unix socket file is created. The second time, Caddy fails to start because the unix socket file already exists. Caddy should delete the unix socket file on shutdown to avoid this issue.

As a secondary issue, the file permissions of the unix socket file are too permissive by default. The default permissions I'm seeing are 755 Caddy should set them to 660 I believe for better security.

mholt commented 4 years ago

Fair enough; note that a forceful shutdown may prevent the deletion of the socket file.

mholt commented 4 years ago

Looks like we have to chmod the file after creating it: https://github.com/golang/go/issues/11822

I feel like doing this without user consent might break some things though.

francislavoie commented 4 years ago

Maybe we add an admin_socket_permissions <octal> global option if you're concerned?

mholt commented 4 years ago

I guess we can discuss that in another issue if it arises.