Attachment #244812 for bug #273181

Lines 1-7 Link Here

(-)b/www/caddy/Makefile (-1 / +4 lines)
1	PORTNAME= caddy	1	PORTNAME= caddy
2	DISTVERSIONPREFIX= v	2	DISTVERSIONPREFIX= v
3	DISTVERSION= 2.7.4	3	DISTVERSION= 2.7.4
4	PORTREVISION= 1	4	PORTREVISION= 2
5	CATEGORIES= www	5	CATEGORIES= www
6	DIST_SUBDIR= caddy	6	DIST_SUBDIR= caddy
7		7
Lines 31-36 GO_MODULE= github.com/caddyserver/caddy/v2 Link Here
31	# If modules must be specified manually:	31	# If modules must be specified manually:
32	#.include "${.CURDIR}/modules.mk"	32	#.include "${.CURDIR}/modules.mk"
33		33
		34	USERS= www
		35	GROUPS= www
		36
34	post-install:	37	post-install:
35	${MKDIR} ${STAGEDIR}${ETCDIR}	38	${MKDIR} ${STAGEDIR}${ETCDIR}
36	${INSTALL_DATA} ${WRKDIR}/Caddyfile.sample ${STAGEDIR}${ETCDIR}	39	${INSTALL_DATA} ${WRKDIR}/Caddyfile.sample ${STAGEDIR}${ETCDIR}




# REQUIRE: LOGIN DAEMON NETWORKING
# KEYWORD: shutdown

# To enable caddy:
# 
# - Edit %%ETCDIR%%/Caddyfile
#   See https://caddyserver.com/docs/
# - Run 'service enable caddy'
# 
# Note while Caddy currently defaults to running as root:wheel, it is strongly
# recommended to run the server as an unprivileged user, such as www:www --
# 
# - Use security/portacl-rc to enable privileged port binding:
# 
#   # pkg install security/portacl-rc
#   # sysrc portacl_users+=www
#   # sysrc portacl_user_www_tcp="http https"
#   # sysrc portacl_user_www_udp="https"
#   # service portacl enable
#   # service portacl start
# 
# - Configure caddy to run as www:www
# 
#   # sysrc caddy_user=www caddy_group=www
# 
# - Note if Caddy has been started as root previously, files in
#   /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
#   changing manually.

# Optional settings:
# caddy_command (string):     Full path to the caddy binary
# caddy_config (string):      Full path to caddy config file
#                             (%%ETCDIR%%/Caddyfile)
# caddy_adapter (string):     Config adapter type (caddyfile)
# caddy_admin (string):       Default administration endpoint
#                             (unix//var/run/caddy/caddy.sock)
# caddy_directory (string):   Root for caddy storage (ACME certs, etc.)
#                             (/var/db/caddy)
# caddy_extra_flags (string): Extra flags passed to caddy start

load_rc_config $name

# Defaults
: ${caddy_enable:="NO"}
: ${caddy_adapter:="caddyfile"}
: ${caddy_config:="%%ETCDIR%%/Caddyfile"}
: ${caddy_admin:="unix//var/run/${name}/${name}.sock"}
: ${caddy_command:="%%PREFIX%%/bin/${name}"}
: ${caddy_directory:="/var/db/caddy"}
: ${caddy_extra_flags:=""}
: ${caddy_logdir:="/var/log/${name}"}
: ${caddy_logfile:="${caddy_logdir}/${name}.log"}

: ${XDG_DATA_HOME:="${caddy_directory}/data"}
export XDG_CONFIG_HOME XDG_DATA_HOME

# Default admin interface
export CADDY_ADMIN="${caddy_admin}"

command="${caddy_command}"
pidfile="/var/run/${name}/${name}.pid"



    echo -n "Stopping caddy... "

    result="$(caddy_execute stop ${caddy_flags} 2>&1)"
    if [ ${?} -eq 0 ]; then
        echo "done"
        exit 0





- Edit %%ETCDIR%%/Caddyfile
  See https://caddyserver.com/docs/
- Run 'service enable caddy'

Note while Caddy currently defaults to running as root:wheel, it is strongly
recommended to run the server as an unprivileged user, such as www:www --

- Use security/portacl-rc to enable privileged port binding:

  # pkg install security/portacl-rc
  # sysrc portacl_users+=www
  # sysrc portacl_user_www_tcp="http https"
  # sysrc portacl_user_www_udp="https"
  # service portacl enable
  # service portacl start

- Configure caddy to run as www:www

  # sysrc caddy_user=www caddy_group=www

- Note if Caddy has been started as root previously, files in
  /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
  changing manually.

%%PREFIX%%/etc/rc.d/caddy has the following defaults:

- Server log: /var/log/caddy/caddy.log
  (runtime messages, NOT an access.log)
- Automatic SSL certificate storage: /var/db/caddy/data/caddy/
- Administration endpoint: //unix/var/run/caddy/caddy.sock
- Runs as root:wheel (this will change to www:www in the future)
  including 80 and 443)

INSTALL
}
{
  type: upgrade
  maximum_version: "2.3.0"
  message: <<UPGRADE
The default locations for caddy runtime files have changed!



You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy

UPGRADE
}
{
  type: upgrade
  maximum_version: "2.7.4_2"
  message: <<UPGRADE
The default Caddy administration endpoint location has been changed from
localhost:2019 to a protected Unix domain socket located in
/var/run/caddy/caddy.sock

This can be overridden with the `caddy_admin` rc variable, or by specifiying
an alternative in the Caddyfile `admin` section, documented here:

  https://caddyserver.com/docs/caddyfile/options#admin

The previous default, particularly paired with the server running as root,
may have serious security implications for shared machines with untrusted
users.

UPGRADE
}
{
  type: upgrade
  message: <<UPGRADE
It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
www:www, rather than the current default of root:wheel.

If you have relied upon earlier defaults:

- Use security/portacl-rc to enable privileged port binding:

  # pkg install security/portacl-rc
  # sysrc portacl_users+=www
  # sysrc portacl_user_www_tcp="http https"
  # sysrc portacl_user_www_udp="https"
  # service portacl enable
  # service portacl start

- Stop the server, and update ownership on Caddy runtime files:

  # service caddy stop
  # chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy

Other changes may be necessary depending on your exact Caddy
configuration.

- Change the default runtime user, and restart the server:

  # sysrc caddy_user=www caddy_group=www
  # service caddy start

UPGRADE
}
]
- 

Return to bug 273181

Lines 4-17 Link Here

(-)b/www/caddy/files/caddy.in (-6 / +35 lines)
4	# REQUIRE: LOGIN DAEMON NETWORKING	4	# REQUIRE: LOGIN DAEMON NETWORKING
5	# KEYWORD: shutdown	5	# KEYWORD: shutdown
6		6
7	# To enable caddy, add 'caddy_enable="YES"' to /etc/rc.conf or	7	# To enable caddy:
8	# /etc/rc.conf.local	8	#
		9	# - Edit %%ETCDIR%%/Caddyfile
		10	# See https://caddyserver.com/docs/
		11	# - Run 'service enable caddy'
		12	#
		13	# Note while Caddy currently defaults to running as root:wheel, it is strongly
		14	# recommended to run the server as an unprivileged user, such as www:www --
		15	#
		16	# - Use security/portacl-rc to enable privileged port binding:
		17	#
		18	# # pkg install security/portacl-rc
		19	# # sysrc portacl_users+=www
		20	# # sysrc portacl_user_www_tcp="http https"
		21	# # sysrc portacl_user_www_udp="https"
		22	# # service portacl enable
		23	# # service portacl start
		24	#
		25	# - Configure caddy to run as www:www
		26	#
		27	# # sysrc caddy_user=www caddy_group=www
		28	#
		29	# - Note if Caddy has been started as root previously, files in
		30	# /var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
		31	# changing manually.
9		32
10	# Optional settings:	33	# Optional settings:
11	# caddy_command (string): Full path to the caddy binary	34	# caddy_command (string): Full path to the caddy binary
12	# caddy_config (string): Full path to caddy config file	35	# caddy_config (string): Full path to caddy config file
13	# (%%ETCDIR%%/Caddyfile)	36	# (%%ETCDIR%%/Caddyfile)
14	# caddy_adapter (string): Config adapter type (caddyfile)	37	# caddy_adapter (string): Config adapter type (caddyfile)
		38	# caddy_admin (string): Default administration endpoint
		39	# (unix//var/run/caddy/caddy.sock)
15	# caddy_directory (string): Root for caddy storage (ACME certs, etc.)	40	# caddy_directory (string): Root for caddy storage (ACME certs, etc.)
16	# (/var/db/caddy)	41	# (/var/db/caddy)
17	# caddy_extra_flags (string): Extra flags passed to caddy start	42	# caddy_extra_flags (string): Extra flags passed to caddy start
Lines 37-47 desc="Powerful, enterprise-ready, open source web server with automatic HTTPS wr Link Here
37	load_rc_config $name	62	load_rc_config $name
38		63
39	# Defaults	64	# Defaults
40	: ${caddy_enable:=NO}	65	: ${caddy_enable:="NO"}
41	: ${caddy_adapter:=caddyfile}	66	: ${caddy_adapter:="caddyfile"}
42	: ${caddy_config:="%%ETCDIR%%/Caddyfile"}	67	: ${caddy_config:="%%ETCDIR%%/Caddyfile"}
		68	: ${caddy_admin:="unix//var/run/${name}/${name}.sock"}
43	: ${caddy_command:="%%PREFIX%%/bin/${name}"}	69	: ${caddy_command:="%%PREFIX%%/bin/${name}"}
44	: ${caddy_directory:=/var/db/caddy}	70	: ${caddy_directory:="/var/db/caddy"}
45	: ${caddy_extra_flags:=""}	71	: ${caddy_extra_flags:=""}
46	: ${caddy_logdir:="/var/log/${name}"}	72	: ${caddy_logdir:="/var/log/${name}"}
47	: ${caddy_logfile:="${caddy_logdir}/${name}.log"}	73	: ${caddy_logfile:="${caddy_logdir}/${name}.log"}
Lines 53-58 load_rc_config $name Link Here
53	: ${XDG_DATA_HOME:="${caddy_directory}/data"}	79	: ${XDG_DATA_HOME:="${caddy_directory}/data"}
54	export XDG_CONFIG_HOME XDG_DATA_HOME	80	export XDG_CONFIG_HOME XDG_DATA_HOME
55		81
		82	# Default admin interface
		83	export CADDY_ADMIN="${caddy_admin}"
		84
56	command="${caddy_command}"	85	command="${caddy_command}"
57	pidfile="/var/run/${name}/${name}.pid"	86	pidfile="/var/run/${name}/${name}.pid"
58		87
Lines 115-121 caddy_prestop() Link Here
115		144
116	echo -n "Stopping caddy... "	145	echo -n "Stopping caddy... "
117		146
118	result="$(caddy_execute stop 2>&1)"	147	result="$(caddy_execute stop ${caddy_flags} 2>&1)"
119	if [ ${?} -eq 0 ]; then	148	if [ ${?} -eq 0 ]; then
120	echo "done"	149	echo "done"
121	exit 0	150	exit 0

Lines 6-27 To enable caddy: Link Here

(-)b/www/caddy/files/pkg-message.in (-6 / +75 lines)
6		6
7	- Edit %%ETCDIR%%/Caddyfile	7	- Edit %%ETCDIR%%/Caddyfile
8	See https://caddyserver.com/docs/	8	See https://caddyserver.com/docs/
9	- Add caddy_enable="YES" to /etc/rc.conf	9	- Run 'service enable caddy'
		10
		11	Note while Caddy currently defaults to running as root:wheel, it is strongly
		12	recommended to run the server as an unprivileged user, such as www:www --
		13
		14	- Use security/portacl-rc to enable privileged port binding:
		15
		16	# pkg install security/portacl-rc
		17	# sysrc portacl_users+=www
		18	# sysrc portacl_user_www_tcp="http https"
		19	# sysrc portacl_user_www_udp="https"
		20	# service portacl enable
		21	# service portacl start
		22
		23	- Configure caddy to run as www:www
		24
		25	# sysrc caddy_user=www caddy_group=www
		26
		27	- Note if Caddy has been started as root previously, files in
		28	/var/log/caddy, /var/db/caddy, and /var/run/caddy may require their ownership
		29	changing manually.
10		30
11	%%PREFIX%%/etc/rc.d/caddy has the following defaults:	31	%%PREFIX%%/etc/rc.d/caddy has the following defaults:
12		32
13	- Server log: /var/log/caddy/caddy.log	33	- Server log: /var/log/caddy/caddy.log
14	(runtime messages, NOT an access.log)	34	(runtime messages, NOT an access.log)
15	- Automatic SSL certificate storage: /var/db/caddy/data/caddy/	35	- Automatic SSL certificate storage: /var/db/caddy/data/caddy/
16	- Runs as root:wheel (you can run as another user, like www,	36	- Administration endpoint: //unix/var/run/caddy/caddy.sock
17	but caddy will be unable to bind to low-numbered ports,	37	- Runs as root:wheel (this will change to www:www in the future)
18	including 80 and 443)
19		38
20	INSTALL	39	INSTALL
21	}	40	}
22	{	41	{
23	type: upgrade	42	type: upgrade
24	maximum_version: 2.3.0	43	maximum_version: "2.3.0"
25	message: <<UPGRADE	44	message: <<UPGRADE
26	The default locations for caddy runtime files have changed!	45	The default locations for caddy runtime files have changed!
27		46
Lines 36-41 The default locations for caddy runtime files have changed! Link Here
36		55
37	You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy	56	You can change these defaults. See %%PREFIX%%/etc/rc.d/caddy
38		57
		58	UPGRADE
		59	}
		60	{
		61	type: upgrade
		62	maximum_version: "2.7.4_2"
		63	message: <<UPGRADE
		64	The default Caddy administration endpoint location has been changed from
		65	localhost:2019 to a protected Unix domain socket located in
		66	/var/run/caddy/caddy.sock
		67
		68	This can be overridden with the `caddy_admin` rc variable, or by specifiying
		69	an alternative in the Caddyfile `admin` section, documented here:
		70
		71	https://caddyserver.com/docs/caddyfile/options#admin
		72
		73	The previous default, particularly paired with the server running as root,
		74	may have serious security implications for shared machines with untrusted
		75	users.
		76
		77	UPGRADE
		78	}
		79	{
		80	type: upgrade
		81	message: <<UPGRADE
		82	It is STRONGLY RECOMMENDED to run Caddy as an unprivileged user, such as
		83	www:www, rather than the current default of root:wheel.
		84
		85	If you have relied upon earlier defaults:
		86
		87	- Use security/portacl-rc to enable privileged port binding:
		88
		89	# pkg install security/portacl-rc
		90	# sysrc portacl_users+=www
		91	# sysrc portacl_user_www_tcp="http https"
		92	# sysrc portacl_user_www_udp="https"
		93	# service portacl enable
		94	# service portacl start
		95
		96	- Stop the server, and update ownership on Caddy runtime files:
		97
		98	# service caddy stop
		99	# chown -r www:www /var/db/caddy /var/log/caddy /var/run/caddy
		100
		101	Other changes may be necessary depending on your exact Caddy
		102	configuration.
		103
		104	- Change the default runtime user, and restart the server:
		105
		106	# sysrc caddy_user=www caddy_group=www
		107	# service caddy start
		108
39	UPGRADE	109	UPGRADE
40	}	110	}
41	]	111	]
42	-