www/caddy: Secure the default admin API endpoint

Description

Caddy's default of localhost:2019, particularly combined with the port
defaulting to root:wheel, can be a significant security risk.

Mitigate this by setting the default to /var/run/caddy/caddy.sock, which
will be protected by filesystem permissions. Prior behaviour can be
restored with 'sysrc caddy_admin=localhost:2019'

Additionally, help users prepare for a change to running Caddy as
www:www by default using the new security/portacl-rc port in an update
message, and by extending the comments in the rc script.

(cherry picked from commit 0c01423b48aa7b63e795601c64af03322a594cae)
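
A check an administrator could run against the setting this commit changes, as an added example that is not part of the commit or the port. The function names are hypothetical, and the example assumes the socket is written in Caddy's `unix//path` network-address form and that only the socket and its immediate directory need inspecting.

```shell
#!/bin/sh
# Added example (not from the port): audit a Caddy admin endpoint value.

# classify_admin ADDR -> prints unix | tcp-loopback | tcp-exposed
classify_admin() {
    case "$1" in
        unix/*)                         echo unix ;;
        localhost:*|127.*:*|\[::1\]:*)  echo tcp-loopback ;;
        *)                              echo tcp-exposed ;;   # e.g. ":2019"
    esac
}

# others_perms PATH -> prints the "other" permission triplet, e.g. "r-x"
others_perms() {
    ls -ld "$1" | cut -c8-10
}

# audit_admin ADDR -> 0 = restricted by file permissions, 1 = risk, 2 = not checkable
audit_admin() {
    kind=$(classify_admin "$1")
    if [ "$kind" != unix ]; then
        # A TCP listener has no filesystem ACL: every local process can connect.
        echo "RISK: $1 is a TCP listener ($kind)"
        return 1
    fi
    sock=${1#unix/}                 # "unix//var/run/x.sock" -> "/var/run/x.sock"
    sockdir=$(dirname "$sock")
    [ -e "$sock" ] || { echo "SKIP: $sock does not exist"; return 2; }
    sperm=$(others_perms "$sock")
    dperm=$(others_perms "$sockdir")
    # Connecting needs write access to the socket and search access to its directory.
    case "$sperm" in ?w?) sock_open=1 ;; *) sock_open=0 ;; esac
    case "$dperm" in ??[xt]) dir_open=1 ;; *) dir_open=0 ;; esac
    if [ "$sock_open" -eq 1 ] && [ "$dir_open" -eq 1 ]; then
        echo "RISK: $sock is reachable by 'other' (socket $sperm, dir $dperm)"
        return 1
    fi
    echo "OK: $sock is limited to its owner and group (socket $sperm, dir $dperm)"
    return 0
}

# Typical use on a FreeBSD host (sysrc -n prints only the value):
#   audit_admin "$(sysrc -n caddy_admin)"
```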

Details

Provenance
tom_hur.st Authored on Oct 12 2023, 2:32 AM
adamw Committed on Oct 14 2023, 2:20 AM
Parents
R11:ec2084ee9a16: www/caddy: Add reloadssl rc(8) command