Skip to content

Commit 999d8e9

Browse files
qfiberclaude
andcommitted
fix(newsite): broaden post-validate chown to cover global Coraza logs
The previous fix only pre-created per-site logs, but `caddy validate` (run as root) also touches globals like /var/log/caddy/coraza-audit.log when it provisions the WAF module. If that file doesn't yet exist (no prior request served), validate creates it as root:root and the subsequent reload-as-caddy fails with "permission denied". Replace the per-site enumeration with a recursive chown of CADDY_LOG_DIR after validate — matches the pattern 10-caddy.sh already uses post-install and covers any future log file Coraza or other modules may introduce. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent b56696e commit 999d8e9

1 file changed

Lines changed: 6 additions & 10 deletions

File tree

newsite.sh

Lines changed: 6 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -464,17 +464,13 @@ success "Caddy config → ${CADDY_FILE}"
464464
# =============================================================================
465465
# Reload Caddy (validate first)
466466
# =============================================================================
467-
# Pre-create per-site log files owned by caddy. `caddy validate` runs as root
468-
# and would otherwise create them as root:root 0600, which the caddy daemon
469-
# (User=caddy) cannot open on the subsequent reload.
470-
declare -a SITE_LOGS=("${CADDY_LOG_DIR}/${DOMAIN}.log")
471-
[[ -n "${CADDY_API_FILE}" ]] && SITE_LOGS+=("${CADDY_LOG_DIR}/api.${DOMAIN}.log")
472-
for logf in "${SITE_LOGS[@]}"; do
473-
[[ -f "${logf}" ]] || install -m 0640 -o caddy -g caddy /dev/null "${logf}"
474-
chown caddy:caddy "${logf}"
475-
done
476-
477467
if /usr/local/bin/caddy validate --config /etc/caddy/Caddyfile --adapter caddyfile >/dev/null 2>&1; then
468+
# `caddy validate` runs as root and provisions every module, which can
469+
# create (or re-open) per-site logs AND globals like coraza-audit.log as
470+
# root:root 0600. The caddy daemon (User=caddy) then cannot open them on
471+
# reload, returning "permission denied". Re-chown the whole log dir before
472+
# reload — same pattern 10-caddy.sh uses post-install.
473+
chown -R caddy:caddy "${CADDY_LOG_DIR}"
478474
systemctl reload caddy && success "Caddy reloaded." || warn "Caddy reload failed."
479475
else
480476
warn "Caddy validation failed — review the snippet."

0 commit comments

Comments
 (0)