Skip to content

docs: mention file placeholder for secrets#543

Open
givemethatsewon wants to merge 1 commit into
caddyserver:masterfrom
givemethatsewon:codex/document-file-secret-placeholder
Open

docs: mention file placeholder for secrets#543
givemethatsewon wants to merge 1 commit into
caddyserver:masterfrom
givemethatsewon:codex/document-file-secret-placeholder

Conversation

@givemethatsewon

Copy link
Copy Markdown

Summary

  • Add a security note to the Caddyfile environment variables section explaining that process environment secrets can be exposed through runtime and diagnostic surfaces
  • Show {file.*} as an alternative when a secret is supplied as a file and the config field supports placeholders
  • Expand the global placeholder table to make {file.*} easier to discover for file-supplied secrets

Fixes #507.

Security note

This does not claim that file-based secrets are inaccessible to Caddy. The Caddy process still needs permission to read the file. The docs only clarify that {file.*} avoids placing the secret value in the process-wide environment.

Verification

  • git diff --check
  • docker run --rm --name caddy-website-507 -p 8443:443 -v "$PWD:/wd" caddy:2 sh -c 'cd /wd && caddy run'
  • curl -ks 'https://localhost:8443/docs/caddyfile/concepts#environment-variables' | rg 'process environment|file\.\*|process-wide environment|cloudflare_api_token'
  • curl -ks 'https://localhost:8443/docs/conventions#placeholders' | rg 'file\.\*|secret is supplied as a file'

------------|-------------
`{env.*}` | Environment variable; example: `{env.HOME}`
`{file.*}` | Contents from a file; example: `{file./path/to/secret.txt}`
`{file.*}` | Contents from a file, useful when a secret is supplied as a file; example: `{file./path/to/secret.txt}`

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this change is necessary, it's redundant - the example has secret.txt, pretty self explanatory.

I want to be careful on the length of the description mainly for visual reasons, line wrapping etc.

}
```

Environment variables are convenient, but sensitive values in a process environment can be exposed by process inspection, child process inheritance, logs, crash dumps, or platform diagnostics.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This line feels weird, because it's like "well everything you just read? forget about it because this and this and that." It's strange to have something criticize the use of env vars, in the env vars section of the docs (I don't disagree with the content though, it's true).

I don't have a specific answer to this, but it needs some rethinking of where exactly this fits into the docs.


This does not make the secret inaccessible to Caddy; the Caddy process still needs permission to read the file. It avoids placing the secret value in the process-wide environment.

If you're running Caddy as a systemd service, see [these instructions](/docs/running#overrides) for setting service overrides to define your environment variables.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section is still talking about env vars, so it's weird that the {file.*} stuff is cutting right in the middle of it. Needs reorganizing.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ENV concepts section should raise awareness of file placeholder for secrets

2 participants