Caddy: how to use admin port on unix socket?

Created on 16 Dec 2020  ·  2 Comments  ·  Source: caddyserver/caddy

Documentation suggests to use unix domain sockets, can someone point me the direction how to do this?

If you are running untrusted code on your server [...] configuring the endpoint to bind to a permissioned unix socket instead.

config file:

{
    admin unix//tmp/caddy-admin.sock
}

invoking caddy:

root@master:~# caddy run -adapter caddyfile -config caddy.conf 
2020/12/16 16:51:17.774 INFO    using provided configuration    {"config_file": "caddy.conf", "config_adapter": "caddyfile"}
2020/12/16 16:51:17.777 INFO    admin   admin endpoint started  {"address": "unix//tmp/caddy-admin.sock", "enforce_origin": false, "origins": [""]}
2020/12/16 16:51:17.777 INFO    tls.cache.maintenance   started background certificate maintenance  {"cache": "0xc000456380"}
2020/12/16 16:51:17.777 INFO    http    server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2020/12/16 16:51:17.777 INFO    http    enabling automatic HTTP->HTTPS redirects    {"server_name": "srv0"}
2020/12/16 16:51:18.123 INFO    tls cleaned up storage units
2020/12/16 16:51:18.123 INFO    http    enabling automatic TLS certificate management   {"domains": ["h5cluster.ca"]}
2020/12/16 16:51:18.132 INFO    autosaved config    {"file": "/root/.config/caddy/autosave.json"}
2020/12/16 16:51:18.132 INFO    serving initial configuration

so far so good, I have the socket, but it doesn't seem to work when issuing a query:

curl -X GET --unix-socket /tmp/caddy-admin.sock http:/localhost/config

console log printout suggests that something is not right?

2020/12/16 17:00:25.808 INFO    admin.api   received request    {"method": "GET", "host": "localhost", "uri": "/config", "remote_addr": "@", "headers": {"Accept":["*/*"],"User-Agent":["curl/7.58.0"]}}
2020/12/16 17:00:25.808 ERROR   admin.api   request error   {"error": "host not allowed: localhost", "status_code": 403

what am I doing wrong?

All 2 comments

OK, I got the picture -- one has to set the allowed origin to localhost (or some string that is passed in the header?), the working configuration:

{
        admin unix//tmp/caddy-admin.sock {
                origins localhost
        }
}

Well, Unix sockets aren't publicly reachable, so setting a Host header in your request is a bit unusual. You _can_ but as you discovered, you have to allow it through. The simpler practice with unix sockets is to not set a Host header at all.

In the future, please direct questions to our forum. :) https://caddy.community

Thanks for following up with your solution, for others!
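The exchange above, as an added example that is not part of the issue or of Caddy's code: a small Python client that dials the admin socket directly and decides for itself what `Host` header goes on the wire, run against a constructed stand-in server that reproduces the `host not allowed` 403 from the log when the header is not in the `origins localhost` allow-list. The allow-list check in the stand-in is an assumption that mirrors the logged behaviour, not Caddy's implementation; `/config/` and the response body are likewise constructed. The helper also checks that the socket file is owner-only, which is what "permissioned unix socket" in the quoted documentation is about.

```python
import http.client
import json
import os
import socket
import tempfile
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Mirrors `origins localhost` from the working Caddyfile in the issue.
ALLOWED_ORIGINS = {"localhost"}


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials an AF_UNIX path; `host` only sets the Host header."""

    def __init__(self, sock_path, host="localhost"):
        super().__init__(host)
        self.sock_path = sock_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)


class UnixHTTPServer(HTTPServer):
    """Constructed stand-in for an admin endpoint bound to a unix socket (not Caddy)."""

    address_family = socket.AF_UNIX
    allow_reuse_address = False

    def server_bind(self):
        # HTTPServer.server_bind assumes (host, port); a path has no port.
        self.socket.bind(self.server_address)
        self.server_name = "admin-stub"
        self.server_port = 0


class AdminStubHandler(BaseHTTPRequestHandler):
    """Answers GET like the log shows: 403 unless Host is an allowed origin (assumed logic)."""

    def log_message(self, *args):
        pass  # client_address is '' on a unix socket; default logger would index it

    def do_GET(self):
        host = self.headers.get("Host", "")
        if host in ALLOWED_ORIGINS:
            status, body = 200, {"apps": {}}  # constructed config body
        else:
            status, body = 403, {"error": f"host not allowed: {host}"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


def socket_is_private(sock_path):
    """True when the socket file carries no group/other permission bits."""
    return os.stat(sock_path).st_mode & 0o077 == 0


def admin_get(sock_path, path="/config/", host="localhost"):
    """GET `path` over the unix socket, sending `Host: <host>`; returns (status, json)."""
    conn = UnixHTTPConnection(sock_path, host=host)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, json.loads(resp.read())
    finally:
        conn.close()


def demo():
    """Start the stub on a temp socket, query it with two Host values, report results."""
    tmpdir = tempfile.mkdtemp()
    sock_path = os.path.join(tmpdir, "caddy-admin.sock")
    server = UnixHTTPServer(sock_path, AdminStubHandler)
    os.chmod(sock_path, 0o600)  # owner-only: the "permissioned" socket the docs mean
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return {
            "private": socket_is_private(sock_path),
            "localhost": admin_get(sock_path, host="localhost")[0],
            "other": admin_get(sock_path, host="evil.example")[0],
        }
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(sock_path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    print(demo())  # expected: {'private': True, 'localhost': 200, 'other': 403}
```

The point of splitting the dial target from the `Host` value is the one the maintainer makes: on a unix socket the hostname carries no routing information, so whatever your client puts in `Host` is purely a string the admin endpoint matches against its allow-list. If you script against the real socket, keep the file mode tight (0600 or a dedicated group) and expect a 403 for any `Host` you have not listed under `origins`.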
