A security policy led me to a pleasant first encounter with the Caddy web server.

https://caddyserver.com/

The challenge

For project Foo, an export had to go from server A to server B.

And for security reasons we do not allow password logins.

So secure copy does not work.

stappers@nodeA:~
$ scp projectFoo.export nodeB.lan42:
The authenticity of host 'nodeB.lan42 (192.0.2.25)' can't be established.
ECDSA key fingerprint is SHA256:I5qi1mCBPWJwYX1QSvzSMD+koVStuamiTgosJNKoJec.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'nodeB.lan42,192.0.2.25' (ECDSA) to the list of known hosts.
Welcome to nodeB!
stappers@nodeB.lan42: Permission denied (publickey).
lost connection
stappers@nodeA:~
$

On the way to a solution

Then via the web server that was already present.
I had expected nginx, but found Caddy there instead.
After some consideration I went ahead with it.

stappers@nodeA:~
$ sudo ss -ltp | grep nginx
stappers@nodeA:~
$ sudo ss -ltp | less
...
# a process named "caddy" is listening on the web server port
...
stappers@nodeA:~
$

No manual page available, but there is a help text:

stappers@nodeA:~
$ caddy --help
[ERROR] first argument must be a subcommand; see 'caddy help'
stappers@nodeA:~
$ caddy help
Caddy is an extensible server platform.

usage:
caddy <command> [<args...>]

commands:
adapt Adapts a configuration to Caddy's native JSON
build-info Prints information about this build
environ Prints the environment
file-server Spins up a production-ready file server
fmt Formats a Caddyfile
hash-password Hashes a password and writes base64
help Shows help for a Caddy subcommand
list-modules Lists the installed Caddy modules
reload Changes the config of the running Caddy instance
reverse-proxy A quick and production-ready reverse proxy
run Starts the Caddy process and blocks indefinitely
start Starts the Caddy process in the background and then returns
stop Gracefully stops a started Caddy process
trust Installs a CA certificate into local trust stores
untrust Untrusts a locally-trusted CA certificate
validate Tests whether a configuration file is valid
version Prints the version

Use 'caddy help <command>' for more information about a command.

Full documentation is available at:
https://caddyserver.com/docs/command-line
stappers@nodeA:~
$

And file-server looks promising.

stappers@nodeA:~
$ caddy help file-server
A simple but production-ready file server. Useful for quick deployments,
demos, and development.

The listener's socket address can be customized with the --listen flag.

If a domain name is specified with --domain, the default listener address
will be changed to the HTTPS port and the server will use HTTPS. If using
a public domain, ensure A/AAAA records are properly configured before
using this option.

If --browse is enabled, requests for folders without an index file will
respond with a file listing.

usage:
caddy file-server [--domain <example.com>] [--root <path>] [--listen <addr>] [--browse] [--access-log]

flags:
-access-log
Enable the access log
-browse
Enable directory browsing
-domain string
Domain name at which to serve the files
-listen string
The address to which to bind the listener
-root string
The path to the root of the site
-templates
Enable template rendering

Full documentation is available at:
https://caddyserver.com/docs/command-line
stappers@nodeA:~
$

Started the web server to serve the current directory.

stappers@nodeA:~
$ caddy file-server --listen 192.0.2.24:1857 --root $PWD --browse
2020/10/14 17:01:17.196 WARN admin admin endpoint disabled
2020/10/14 17:01:17.196 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc00037eee0"}
2020/10/14 17:01:17.197 INFO tls cleaned up storage units
2020/10/14 17:01:17.197 INFO autosaved config {"file": "/home/stappers/.config/caddy/autosave.json"}
2020/10/14 19:01:17 Caddy 2 serving static files on 192.0.2.24:1857

On the other server, fetched the export.
And computed a checksum.

stappers@nodeB:~
$ wget http://nodeA.lan42:1857/projectFoo.export
--2020-10-14 19:01:21-- http://nodeA.lan42:1857/projectFoo.export
Resolving nodeA.lan42 (nodeA.lan42)... 192.0.2.24
Connecting to nodeA.lan42 (nodeA.lan42)|192.0.2.24|:1857... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2608012773 (2.4G) [application/gzip]
Saving to: ‘projectFoo.export’

projectFoo.export 100%[================================>] 2.43G 112MB/s in 22s

2020-10-14 19:01:44 (112 MB/s) - ‘projectFoo.export’ saved [2608012773/2608012773]

stappers@nodeB:~
$ md5sum projectFoo.export
ae49f17f951206f51dc36f6f42b3d0ef projectFoo.export
stappers@nodeB:~
$

Back to server A. Stopped caddy with Control-C.
And also computed the checksum of the original.

^C2020/10/14 17:02:45.074 INFO shutting down {"signal": "SIGINT"}
2020/10/14 17:02:45.574 INFO tls.cache.maintenance stopped background certificate maintenance {"cache": "0xc00037eee0"}
2020/10/14 17:02:45.574 INFO shutdown done {"signal": "SIGINT"}
stappers@nodeA:~
$ md5sum projectFoo.export
ae49f17f951206f51dc36f6f42b3d0ef projectFoo.export
stappers@nodeA:~
$

Yes, that is the same checksum; project Foo could continue on server B.
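The same transfer as a small script, added here as an example and not code from the original post or from the Caddy project. It assumes caddy, wget and sha256sum are installed on the respective hosts; the host name nodeA.lan42, the listen address and the file name are placeholders taken from the session above. Two deliberate differences from the session: it publishes a throw-away staging directory containing only the export (rather than $PWD with --browse), and it compares SHA-256 digests instead of MD5, since MD5 collisions are cheap to produce and a transfer check is only worth something with a collision-resistant hash.

```shell
#!/bin/sh
# Added example, not code from the original post or the Caddy project.
# Assumptions: caddy + sha256sum on the sender, wget + sha256sum on the receiver;
# nodeA.lan42 / 192.0.2.24:1857 / projectFoo.export are placeholders from the post.
set -eu

# Sender side: publish exactly one file from a throw-away staging directory,
# so nothing else in the current directory becomes reachable, and without --browse.
serve_export() {            # $1 = file to publish, $2 = listen address ip:port
  STAGE=$(mktemp -d)
  cp "$1" "$STAGE/"
  caddy file-server --listen "$2" --root "$STAGE" &
  CADDY_PID=$!
  sleep 1                   # give the listener a moment to come up
}

# Sender side: stop caddy with SIGINT (what Control-C sends) and drop the staging copy.
stop_export() {
  kill -INT "$CADDY_PID"
  wait "$CADDY_PID" || true
  rm -rf "$STAGE"
}

# Hex digest of a file (SHA-256 rather than the post's md5sum, see lead-in).
checksum_of() {             # $1 = path
  sha256sum "$1" | cut -d ' ' -f 1
}

# Returns 0 when the file's digest equals the expected one, 1 otherwise.
verify_checksum() {         # $1 = path, $2 = expected hex digest
  [ "$(checksum_of "$1")" = "$2" ]
}

# Receiver side: fetch the file and refuse to keep it unless the digest matches
# the value read off the sender.
fetch_and_verify() {        # $1 = host:port, $2 = file name, $3 = expected digest
  wget -q "http://$1/$2" -O "$2"
  if verify_checksum "$2" "$3"; then
    echo "$2: checksum OK"
  else
    echo "$2: checksum MISMATCH, removing" >&2
    rm -f "$2"
    return 1
  fi
}

# Usage, sender:   serve_export projectFoo.export 192.0.2.24:1857; checksum_of projectFoo.export
# Usage, receiver: fetch_and_verify nodeA.lan42:1857 projectFoo.export <digest printed on sender>
# Usage, sender:   stop_export
```

The listener is plain HTTP without any authentication: whoever can reach the address can download the file, and the digest only tells the receiver that it got the same bytes the sender published, not who fetched them. Binding to the LAN address only, serving just the one file, and stopping caddy as soon as the copy is verified (as the post does with Control-C) keep that window as small as possible.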

Without caddy, the document_root of the web server would first have had to be looked up,
and the export placed in that document_root before the wget could happen.

Additional advantages:

  • projectFoo.export was never in document_root, so it does not need to be cleaned up there either.
  • projectFoo.export was not shown to the world by a regular web server.

Author: Geert Stappers (DevOps Engineer, Hendrikx ITC)