Lines 6-27
To enable caddy:
|
6 |
|
6 |
|
7 |
- Edit %%ETCDIR%%/Caddyfile |
7 |
- Edit %%ETCDIR%%/Caddyfile |
8 |
See https://caddyserver.com/docs/ |
8 |
See https://caddyserver.com/docs/ |
9 |
- Add caddy_enable="YES" to /etc/rc.conf |
9 |
- Run 'service enable caddy' |
|
|
10 |
|
11 |
Note while Caddy currently defaults to running as root:wheel, it is strongly |
12 |
recommended to run the server as an unprivileged user, such as www:www -- |
13 |
|
14 |
- Use security/portacl-rc to enable privileged port binding: |
15 |
|
16 |
# pkg install security/portacl-rc |
17 |
# sysrc portacl_users+=www |
18 |
# sysrc portacl_user_www_tcp="http https" |
19 |
# sysrc portacl_user_www_udp="https" |
20 |
# service portacl enable |
21 |
# service portacl start |
22 |
|
23 |
- Configure caddy to run as www:www |
24 |
|
25 |
# sysrc caddy_user=www caddy_group=www |
26 |
|
27 |
- Note if Caddy has been started as root previously, files in |
28 |
/var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership |
29 |
changing manually. |
10 |
|
30 |
|
11 |
%%PREFIX%%/etc/rc.d/caddy has the following defaults: |
31 |
%%PREFIX%%/etc/rc.d/caddy has the following defaults: |
12 |
|
32 |
|
13 |
- Server log: /var/log/caddy/caddy.log |
33 |
- Server log: /var/log/caddy/caddy.log |
14 |
(runtime messages, NOT an access.log) |
34 |
(runtime messages, NOT an access.log) |
15 |
- Automatic SSL certificate storage: /var/db/caddy/data/caddy/ |
35 |
- Automatic SSL certificate storage: /var/db/caddy/data/caddy/ |
16 |
- Runs as root:wheel (you can run as another user, like www, |
36 |
- Administration endpoint: //unix/var/run/caddy/caddy.sock |
17 |
but caddy will be unable to bind to low-numbered ports, |
37 |
- Runs as root:wheel (this will change to www:www in the future) |
18 |
including 80 and 443) |
|
|
19 |
|
38 |
|
20 |
INSTALL |
39 |
INSTALL |
21 |
} |
40 |
} |
22 |
{ |
41 |
{ |
23 |
type: upgrade |
42 |
type: upgrade |
24 |
maximum_version: 2.3.0 |
43 |
maximum_version: "2.3.0" |
25 |
message: <<UPGRADE |
44 |
message: <<UPGRADE |
26 |
The default locations for caddy runtime files have changed! |
45 |
The default locations for caddy runtime files have changed! |
27 |
|
46 |
|
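Review bot: the new enable step reads "Run 'service enable caddy'", but the service(8) syntax used elsewhere in this same hunk is `service <name> enable` (compare `service portacl enable` a few lines below), so the caddy line should be `# service caddy enable`. Since the old text's `caddy_enable="YES"` in /etc/rc.conf is equivalent and works on releases without the enable subcommand, consider keeping it as an alternative in the same bullet. While here, double-check the administration endpoint address written as `//unix/var/run/caddy/caddy.sock` against the Caddy network-address documentation linked from the upgrade message, because the form shown does not match the `unix/` prefix style Caddy uses for socket addresses, and a wrong address in pkg-message will send users to a non-existent admin socket.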
Lines 36-41
The default locations for caddy runtime files have changed!
|
36 |
|
55 |
|
37 |
You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy |
56 |
You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy |
38 |
|
57 |
|
|
|
58 |
UPGRADE |
59 |
} |
60 |
{ |
61 |
type: upgrade |
62 |
maximum_version: "2.7.4_2" |
63 |
message: <<UPGRADE |
64 |
The default Caddy administration endpoint location has been changed from |
65 |
localhost:2019 to a protected Unix domain socket located in |
66 |
/var/run/caddy/caddy.sock |
67 |
|
68 |
This can be overridden with the `caddy_admin` rc variable, or by specifiying |
69 |
an alternative in the Caddyfile `admin` section, documented here: |
70 |
|
71 |
https://caddyserver.com/docs/caddyfile/options#admin |
72 |
|
73 |
The previous default, particularly paired with the server running as root, |
74 |
may have serious security implications for shared machines with untrusted |
75 |
users. |
76 |
|
77 |
UPGRADE |
78 |
} |
79 |
{ |
80 |
type: upgrade |
81 |
message: <<UPGRADE |
82 |
It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as |
83 |
www:www, rather than the current default of root:wheel. |
84 |
|
85 |
If you have relied upon earlier defaults: |
86 |
|
87 |
- Use security/portacl-rc to enable privileged port binding: |
88 |
|
89 |
# pkg install security/portacl-rc |
90 |
# sysrc portacl_users+=www |
91 |
# sysrc portacl_user_www_tcp="http https" |
92 |
# sysrc portacl_user_www_udp="https" |
93 |
# service portacl enable |
94 |
# service portacl start |
95 |
|
96 |
- Stop the server, and update ownership on Caddy runtime files: |
97 |
|
98 |
# service caddy stop |
99 |
# chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy |
100 |
|
101 |
Other changes may be necessary depending on your exact Caddy |
102 |
configuration. |
103 |
|
104 |
- Change the default runtime user, and restart the server: |
105 |
|
106 |
# sysrc caddy_user=www caddy_group=www |
107 |
# service caddy start |
108 |
|
39 |
UPGRADE |
109 |
UPGRADE |
40 |
} |
110 |
} |
41 |
] |
111 |
] |
42 |
- |
|
|
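Review bot: the ownership step in the last upgrade message, `# chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy`, uses a lowercase `-r`; chown(8) takes `-R` for recursive operation, so this command fails as written and users following the instructions will end up with a root-owned certificate store and socket directory that the unprivileged server cannot write. Change it to `# chown -R www:www /var/db/caddy /var/log/caddy /var/run/caddy`. Two smaller points in the same hunk: "specifiying" in the admin-endpoint message should be "specifying", and the final upgrade block has no `maximum_version`, so it will be shown on every future upgrade; if that is intended until the default user changes to www:www, a short comment saying so would help the next person who touches this file.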