Caddy + fcgiwrap for shell scripts

Caddy + fcgiwrap to run shell scripts remotely with HTTPS Basic auth (Debian)

It is less hassle to add reverse_proxy » transport fastcgi to an existing Caddyfile; this example does extra work for a self-signed certificate.

Tested in a VM (2022-Dec)
- Guest OS: Debian Testing (11 - Bookworm) netinst
- Host OS: Windows Hyper-V Generation 2
  - Networking: Default Switch (NAT + DHCP)
  - Insallation Options: Install […] from a bootable CD/DVD-ROM
    - Media » Image file (.iso)
  - Settings » Security » Secure Boot » Template » Microsoft UEFI Certificate Authority
- Three passwords (choose something legit): root - ~~debian1~~, regular user - ~~debian2~~, and Caddy basicauth - ~~debian3~~
- Graphical installer
  - Continue
  - root Password: ~~debian1~~ (2x)
  - Username: debian, Password: ~~debian2~~
  - Continue
  - Write the changes to disk? » Yes
  - Continue
  - Software selection
    - uncheck: "Debian desktop environment"
    - uncheck: "... GNOME"
    - check: "SSH server"
  - Continue
- Host shell (PowerShell, CMD, etc.)
  - List Hyper-V Default Switch IPs
    arp -a | findstr 00-15
    - An attempt to avoid logging in to the console to run ip addr
  - SSH to IP with highest final single-digit MAC octet (most recently created VM)
    ssh debian@172.xx.xxx.xx
  - continue connecting […]? » yes
- Guest shell (SSH bash session per above): Install & configure sudo
  - First run su to login as root
    su
    - When prompted, enter the root password: ~~debian1~~
  - Then run these commands as root:
    - Warning: the second line enables use of sudo without entering a password
    apt install -y --no-install-recommends sudo echo "debian ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers.d/debian exit
- TODO: key-only SSH login

Install Caddy & fcgiwrap
- Caddy v2.6.2; fcgiwrap v1.1.0-14
sudo apt install -y --no-install-recommends gpg fcgiwrap libnss3-tools wget https://dl.cloudsmith.io/public/caddy/stable/gpg.key -O- | sudo gpg --dearmor --output /usr/share/keyrings/caddy-stable-archive-keyring.gpg sudo wget https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt -O /etc/apt/sources.list.d/caddy-stable.list sudo apt update && sudo apt install -y --no-install-recommends caddy

Configure Caddy with self-signed SSL & HTTP Basic auth for a sample script
- Extra work: tls internal requires host name ?
- When prompted, enter and confirm the Caddy basicauth password: ~~debian3~~
export hash=`caddy hash-password` echo "$USER:443 { tls internal basicauth { $USER $hash } reverse_proxy /df unix//run/fcgiwrap.socket { transport fastcgi { env SCRIPT_FILENAME /var/www/cgi-bin/df.sh } } }" > ~/Caddyfile.new sudo mv /etc/caddy/Caddyfile /etc/caddy/Caddyfile.original sudo mv ~/Caddyfile.new /etc/caddy/Caddyfile

Extra work: initialize Caddy self-signed SSL (run once with elevated permissions)
- otherwise: failed to install root certificate ?
sudo systemctl stop caddy sudo caddy run --config /etc/caddy/Caddyfile
- Press Ctrl+C to stop Caddy after initialization finishes (no OCSP stapling warning), then (re)start it as a service
sudo systemctl start caddy

Example FCGI shell script: df -H
- The script first outputs the Content-Type header to ensure a valid HTTP response
- fcgiwrap runs the script as user www-data per /lib/systemd/system/fcgiwrap.service
echo '#!/bin/bash echo -e "Content-Type: text/plain\n" df -H' > ~/df.sh chmod +x ~/df.sh sudo mkdir -p /var/www/cgi-bin sudo mv ~/df.sh /var/www/cgi-bin/df.sh sudo chown www-data:www-data /var/www /var/www/cgi-bin /var/www/cgi-bin/df.sh

Tested in Host OS
- Create hosts file local DNS entry for VM IP address
  - Run Notepad as Administrator
  - Open %SystemRoot%\System32\drivers\etc\hosts
  - Append VM IP address followed by the host name (debian)
    172.xx.xxx.xx debian
- Open https://debian/df
  - Expect a self-signed certificate error
    - In Chromium browsers: Advanced » Continue to debian (unsafe)
  - Enter username: debian and the Caddy basicauth password: ~~debian3~~ when prompted.