docs: mention file placeholder for secrets#543
Conversation
| ------------|------------- | ||
| `{env.*}` | Environment variable; example: `{env.HOME}` | ||
| `{file.*}` | Contents from a file; example: `{file./path/to/secret.txt}` | ||
| `{file.*}` | Contents from a file, useful when a secret is supplied as a file; example: `{file./path/to/secret.txt}` |
There was a problem hiding this comment.
I don't think this change is necessary, it's redundant - the example has secret.txt, pretty self explanatory.
I want to be careful on the length of the description mainly for visual reasons, line wrapping etc.
| } | ||
| ``` | ||
|
|
||
| Environment variables are convenient, but sensitive values in a process environment can be exposed by process inspection, child process inheritance, logs, crash dumps, or platform diagnostics. |
There was a problem hiding this comment.
This line feels weird, because it's like "well everything you just read? forget about it because this and this and that." It's strange to have something criticize the use of env vars, in the env vars section of the docs (I don't disagree with the content though, it's true).
I don't have a specific answer to this, but it needs some rethinking of where exactly this fits into the docs.
|
|
||
| This does not make the secret inaccessible to Caddy; the Caddy process still needs permission to read the file. It avoids placing the secret value in the process-wide environment. | ||
|
|
||
| If you're running Caddy as a systemd service, see [these instructions](/docs/running#overrides) for setting service overrides to define your environment variables. |
There was a problem hiding this comment.
This section is still talking about env vars, so it's weird that the {file.*} stuff is cutting right in the middle of it. Needs reorganizing.
Summary
{file.*}as an alternative when a secret is supplied as a file and the config field supports placeholders{file.*}easier to discover for file-supplied secretsFixes #507.
Security note
This does not claim that file-based secrets are inaccessible to Caddy. The Caddy process still needs permission to read the file. The docs only clarify that
{file.*}avoids placing the secret value in the process-wide environment.Verification
git diff --checkdocker run --rm --name caddy-website-507 -p 8443:443 -v "$PWD:/wd" caddy:2 sh -c 'cd /wd && caddy run'curl -ks 'https://localhost:8443/docs/caddyfile/concepts#environment-variables' | rg 'process environment|file\.\*|process-wide environment|cloudflare_api_token'curl -ks 'https://localhost:8443/docs/conventions#placeholders' | rg 'file\.\*|secret is supplied as a file'