Securing communication between webserver and app
│ unix-sockets tmpfiles.d webserver │ sysadmin
Webapps usually listen on a random tcp port and a web server forwards the requests to it. Webserver handles tls, static asset serving and sometimes authentication, bruteforce check etc., However any local user in the system can directly connect to the app’s listen port bypassing the web server and thus loose the protections offered by the webserver.
Unix sockets
Unix sockets are special files in filesystem that processes can use to communicate instead of tcp ports. Since they are files, filesytem ownership and permissions can be used to restrict which system-users can listen or connect to them
Caddy ↔ Gitea
I use Caddy web server which reverse-proxies to Gitea server. For caddy to connect to gitea and also disallow anyother user to connect, we want a socket like below
srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock
Unfortunately neither user caddy nor user gitea, can create such socket.
Regular users can only create files owned by themselves. Only root can
create/change ownership of files and folders.
tmpfiles.d to rescue
tmpfiles.d provides a way to do it. Since it is run as root, it can create files and directories as any user.
❯ cat /etc/tmpfiles.d/caddy-run-unix.conf
d /run/gitea-caddy 0750 gitea caddy -
Above config creates below directory every time on startup.
❯ sudo ls -ld /run/gitea-caddy/
drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/
With those permissions and ownership, only user gitea can create the socket
in /run/gitea-caddy and only user caddy can cd into that directory.
❯ sudo ls -l /run/gitea-caddy/web.sock
srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock
The socket file permission can be more liberal as no other user can read into
the /run/gitea-caddy directory
Bonus!
If your app does not connect to any external services, it can even be run in a private network.