• 1 Post
  • 191 Comments
Joined 2 years ago
cake
Cake day: June 30th, 2023

help-circle
  • It is expected, the users inside the container are “real” users. They just get offset inside the container and some mapping is applied:

    Root inside the container is mapped outside to the user running the container, everything that has the owner “root” inside the container can be read from outside the container as your user.

    Everything that is saved as non-root inside the container gets mapped to the first subuid in /etc/subuids for your user + the uid inside the container.

    You can change this mapping such that, for example, user 1000 inside the container gets mapped to your user outside the container.

    An example:

    You have a postgres database inside a container with a volume for the database files. The postgres process inside the container doesn’t run as root but instead runs as uid 100 as such it also saves its files with that user.
    If you look at the volume outside the container you will get a permission denied error because it is owned by user 100100 (subuids starts at 100000 and usid inside container is 100).

    To fix: Either run your inner processes as root, this can often be done using environment variables and has almost no security impact or add --userns keep-id:uid=100,gid=100 to the cmdline to make uid 100 inside the container map to your user instead of root (this creates a new image automatically and takes a while on the first run)










  • There are multiple reasons but the most important one is: You didn’t enable it.

    Caddy fully supports https to the reverse proxy targets, though you’d have to get those targets trusted certificates otherwise caddy wouldn’t connect.

    The default protocol for backends is http, most of the time this isn’t a problem because:

    • The web server runs on the local machine
    • The web server runs in containers/vms on the local machine
      • or is running in a VM and has a direct virtual connection with the caddy vm
    • The connection to the Backend is encrypted with a VPN
    • Caddy and the web server are directly connected or connected through an otherwise isolated network

    Because https requires certificates that are somewhat difficult to set up for internal servers (and were even harder to get before) the default mostly is just to encrypt on another layer of the stack. Afaik at least.