Unrestricted access to Caddy API interface
Description
Caddy is an open-source web server, reverse proxy, and load balancer written in Go that provides a RESTful JSON API for dynamic configuration management. This vulnerability exists when the Caddy API endpoint is accessible without authentication, allowing unauthorized users to interact with the administrative interface. By default, the API listens on localhost, but misconfigurations can expose it to external networks without proper access controls.
Remediation
Restrict access to the Caddy API interface by implementing one or more of the following controls:
1. Bind to localhost only: Ensure the API endpoint is only accessible from the local machine by configuring it to listen on 127.0.0.1 in your Caddyfile or JSON configuration.
2. Use network-level restrictions: Configure firewall rules to block external access to the API port (default: 2019) and only allow connections from trusted IP addresses or management networks.
3. Implement authentication: Use a reverse proxy with authentication in front of the Caddy API, or configure the admin endpoint with access controls:
{
	admin 127.0.0.1:2019
}
4. Disable the API if not needed: If dynamic configuration is not required, disable the admin API entirely:
{
	admin off
}
5. Regularly audit your Caddy configuration to ensure the API endpoint is not inadvertently exposed to untrusted networks.
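The audit in step 5 can be automated against Caddy's JSON configuration. The following Go program is an added example written for this page, not code from the Caddy project: it reads a Caddy JSON config, looks at the `admin` object's `disabled`, `listen` and `enforce_origin` fields (which exist in Caddy's JSON config schema), applies Caddy's documented default listener of localhost:2019 when `listen` is omitted, and reports whether the admin API is bound to anything other than a loopback address or a unix socket. The sample configurations in `main` are constructed for the demonstration; the loopback test treats the literal hostname `localhost` as loopback, which is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// Fields of Caddy's JSON "admin" object that matter for exposure; other
// fields are ignored by this audit.
type adminConfig struct {
	Disabled      bool   `json:"disabled"`
	Listen        string `json:"listen"`
	EnforceOrigin bool   `json:"enforce_origin"`
}

type caddyConfig struct {
	Admin *adminConfig `json:"admin"`
}

// Caddy's default admin listener when "listen" is omitted.
const defaultAdminListen = "localhost:2019"

// AuditResult summarises how reachable the admin API is.
type AuditResult struct {
	Listen   string   // effective listen address after defaults are applied
	Disabled bool     // admin API switched off entirely
	Exposed  bool     // reachable from a non-loopback interface
	Findings []string // human-readable notes for the reviewer
}

// AuditAdminConfig parses a Caddy JSON config and reports whether the admin
// endpoint is bound to something other than loopback.
func AuditAdminConfig(raw []byte) (AuditResult, error) {
	var cfg caddyConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return AuditResult{}, fmt.Errorf("parse config: %w", err)
	}
	admin := cfg.Admin
	if admin == nil {
		admin = &adminConfig{} // no admin block: Caddy's defaults apply
	}
	res := AuditResult{Listen: admin.Listen, Disabled: admin.Disabled}
	if admin.Disabled {
		res.Findings = append(res.Findings, "admin API disabled (admin.disabled=true)")
		return res, nil
	}
	if res.Listen == "" {
		res.Listen = defaultAdminListen
	}

	// Caddy network addresses may carry a "network/" prefix, e.g.
	// "tcp/0.0.0.0:2019" or "unix//run/caddy-admin.sock".
	network, addr := "tcp", res.Listen
	if i := strings.Index(res.Listen, "/"); i >= 0 {
		network, addr = res.Listen[:i], res.Listen[i+1:]
	}
	if strings.HasPrefix(network, "unix") {
		// A unix socket is guarded by filesystem permissions, not network reach.
		res.Findings = append(res.Findings, "admin API on unix socket "+addr+"; review socket file permissions")
		return res, nil
	}

	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return res, fmt.Errorf("unparseable listen address %q: %w", res.Listen, err)
	}
	ip := net.ParseIP(host)
	switch {
	case host == "" || (ip != nil && ip.IsUnspecified()):
		res.Exposed = true
		res.Findings = append(res.Findings, "admin API listens on all interfaces, port "+port)
	case host == "localhost" || (ip != nil && ip.IsLoopback()):
		// Assumption: "localhost" resolves to a loopback address on this host.
		res.Findings = append(res.Findings, "admin API bound to loopback only ("+res.Listen+")")
	default:
		res.Exposed = true
		res.Findings = append(res.Findings, "admin API bound to non-loopback address "+addr)
	}
	if res.Exposed && !admin.EnforceOrigin {
		res.Findings = append(res.Findings, "enforce_origin is false: Origin headers are not checked on an exposed listener")
	}
	return res, nil
}

func main() {
	// Constructed sample configs for the demonstration, not from any real deployment.
	samples := []struct{ name, raw string }{
		{"exposed", `{"admin":{"listen":"0.0.0.0:2019"}}`},
		{"loopback", `{"admin":{"listen":"127.0.0.1:2019"}}`},
		{"default", `{}`},
		{"disabled", `{"admin":{"disabled":true}}`},
	}
	for _, s := range samples {
		res, err := AuditAdminConfig([]byte(s.raw))
		if err != nil {
			fmt.Printf("%-8s error: %v\n", s.name, err)
			continue
		}
		fmt.Printf("%-8s exposed=%-5v %s\n", s.name, res.Exposed, strings.Join(res.Findings, "; "))
	}
}
```

Run it against the output of `caddy adapt` on a Caddyfile, or against the JSON a running instance reports, and treat any `Exposed=true` result as a finding to correct with steps 1, 2 or 4 above.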