{"id":18088993,"url":"https://github.com/eriksjolund/podman-caddy-socket-activation","last_synced_at":"2026-01-18T23:02:17.283Z","repository":{"id":257951915,"uuid":"869332549","full_name":"eriksjolund/podman-caddy-socket-activation","owner":"eriksjolund","description":"Demo of how to run socket-activated caddy with Podman. Source IP address is preserved.","archived":false,"fork":false,"pushed_at":"2025-09-07T09:11:32.000Z","size":77,"stargazers_count":84,"open_issues_count":7,"forks_count":2,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-09-07T10:11:31.777Z","etag":null,"topics":["caddy","container","demo","podman","socket-activation","systemd-service"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/eriksjolund.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-10-08T05:56:23.000Z","updated_at":"2025-09-07T08:31:15.000Z","dependencies_parsed_at":"2024-10-27T21:07:29.489Z","dependency_job_id":"e7348bb5-0971-4b15-b871-c5419d3fbbda","html_url":"https://github.com/eriksjolund/podman-caddy-socket-activation","commit_stats":null,"previous_names":["eriksjolund/podman-caddy-socket-activation"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/eriksjolund/podman-caddy-socket-activation","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-caddy-socket-activation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-caddy-socket-activation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-caddy-socket-activation/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-caddy-socket-activation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/eriksjolund","download_url":"https://codeload.github.com/eriksjolund/podman-caddy-socket-activation/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/eriksjolund%2Fpodman-caddy-socket-activation/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28553055,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-18T20:59:07.572Z","status":"ssl_error","status_checked_at":"2026-01-18T20:59:02.799Z","response_time":98,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["caddy","container","demo","podman","socket-activation","systemd-service"],"created_at":"2024-10-31T17:42:32.952Z","updated_at":"2026-01-18T23:02:17.277Z","avatar_url":"https://github.com/eriksjolund.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"# podman-caddy-socket-activation\n\nThis demo shows how to run a socket-activated caddy container with Podman.\nSee also\n\n* [Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)\n* The section _HTTP reverse proxy_ in [podman-networking-docs](https://github.com/eriksjolund/podman-networking-docs?tab=readme-ov-file#http-reverse-proxy)\n* [podman-nginx-socket-activation](https://github.com/eriksjolund/podman-nginx-socket-activation)\n\nOverview of the examples\n\n| Example | Type of service | Ports | Using quadlet | DNS entry required (ACME) | HTTP/3 | rootful/rootless podman | Comment |\n| --      | --              |   -- | --      | --   | --  |  -- | -- |\n| [Example 1](examples/example1) | systemd user service | 8080/TCP | :heavy_check_mark: |  |  | rootless podman | hello world web server |\n| [Example 2](examples/example2) | systemd user service | 8080/TCP | :heavy_check_mark: |  |  | rootless podman | http reverse proxy with TCP backends |\n| [Example 3](examples/example3) | systemd user service | 80/TCP, 443/TCP, 443/UDP | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | rootless podman | hello world web server |\n| [Example 4](examples/example4) | systemd user service | 80/TCP, 443/TCP, 443/UDP | :heavy_check_mark: |  :heavy_check_mark: | :heavy_check_mark: | rootless podman | http reverse proxy with TCP backends |\n\n## Using Caddy with socket activation\n\nWhile Caddy can create sockets by itself, there are security and performance advantages of using\na service manager, such as systemd, for creating the sockets.\nCaddy does not need to create listening sockets as long as Caddy inherits those sockets\nfrom its parent process. This technique, commonly named _socket activation_, is\nsupported for example when Caddy is running as a systemd service. Optionally Podman can start\nCaddy in the systemd service in case you want to run Caddy inside a container.\n\nUsing _socket activation_ allows you to run Caddy with fewer privileges\nbecause Caddy would not need the privilege to create a socket.\nFor example if Podman is running Caddy as a static web server, then it is possible\nto enable the Podman option `--network=none` which improves security.\nHowever, obtaining a publicly-trusted TLS certificate with the ACME protocol\nis not possible when using `--network=none` because\nCaddy then needs to connect to the internet.\n\nUsing _socket activation_ improves network performance when Caddy is run by rootless Podman in a systemd service.\nWhen using rootless Podman, network traffic is normally passed through Slirp4netns or Pasta.\nThis comes with a performance penalty. Fortunately, communication over the socket-activated\nsocket does not pass through Slirp4netns or Pasta so it has the same performance characteristics\nas the normal network on the host.\n\nThe source IP address in TCP connections is preserved when using socket activation.\nThis can otherwise be a problem when using rootless Podman with Pasta.\nSource IP addresses are not preserved in TCP connections from ports that were published the\nconventional way, that is with `--publish`, if the container is running in a custom network\nby rootless Podman with Pasta.\n\nFor more details about advantages of using socket activation with Podman, see\nhttps://github.com/eriksjolund/podman-nginx-socket-activation?tab=readme-ov-file#advantages-of-using-rootless-podman-with-socket-activation\n\n### Support for socket activation in Caddy\n\nSocket activation support was added to Caddy in\n\n* https://github.com/caddyserver/caddy/pull/6573\n\nCaddy does not make use of file descriptor names that can be retrieved with [sd_listen_fds_with_names()](https://www.freedesktop.org/software/systemd/man/latest/sd_listen_fds.html).\nInstead file descriptor numbers are specified.\nDo not use multiple socket units. Use one socket unit so that the file descriptor numbers can be mapped to the listening sockets that are configured with `ListenStream=` and `ListenDatagram=`.\n\n| order of the sockets in the socket unit | Caddyfile syntax |\n| -- | -- |\n| 1st | `bind fd/3` or `bind fdgram/3` |\n| 2nd | `bind fd/4` or `bind fdgram/4` |\n| 3rd | `bind fd/5` or `bind fdgram/5` |\n| ... |  ... |\n| nth | follow the same pattern as above and specify a number n + 2 |\n\n(`fd` should be used for `ListenStream=` and `fdgram` should be used for `ListenDatagram=`)\n\nQuote from man page [systemd.socket(5)](https://www.freedesktop.org/software/systemd/man/latest/systemd.socket.html):\n_\"Sockets configured in one unit are passed in the order of configuration, but no ordering between socket units is specified\"_\n\n\u003e [!NOTE]\n\u003e Reloading the caddy configuration works when [`admin`](https://caddyserver.com/docs/caddyfile/options#admin)\nis set to a unix socket path or a TCP listening port, but not when set to a file descriptor (see issue https://github.com/caddyserver/caddy/issues/6631).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-caddy-socket-activation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Feriksjolund%2Fpodman-caddy-socket-activation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Feriksjolund%2Fpodman-caddy-socket-activation/lists"}