I want to run caddy as an unprivileged user. Since that user won't be able to bind ports 80 and 443, I figured I could port forward them with npf.
I added these port forwarding rules.
map $ext_if dynamic 127.0.0.1 port 8080 <- $ext_ip port 80
map $ext_if dynamic ::1 port 8080 <- $ext_ip port 80
map $ext_if dynamic 127.0.0.1 port 8443 <- $ext_ip port 443
map $ext_if dynamic ::1 port 8443 <- $ext_ip port 443
Then I allow the traffic with this rule, and everything works as I wanted.
pass stateful proto tcp to $ext_ip port { http, https }
Is this a reasonable way to secure caddy? Is it secure? Also, if caddy gets hacked, has my whole localhost network been exposed?
I noticed that some examples for nginx and caddy have reverse proxies pointing to localhost:9000 for fastcgi, so I figured it must be secure enough to just run caddy on localhost:8080 and 8443.
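For context, here is a complete npf.conf built around rules like the ones above. It is an added example, not the poster's actual configuration: the interface name wm0, the inet4()/inet6() address lookups, the per-family split of the redirects, and the group layout (modelled on the npf.conf(5) sample) are all assumptions.

```conf
# External interface and its addresses (wm0 is an assumed placeholder).
$ext_if = "wm0"
$ext_ip4 = inet4(wm0)
$ext_ip6 = inet6(wm0)

# Redirect 80/443 to the unprivileged loopback ports caddy listens on,
# keeping each address family on its own loopback address.
map $ext_if dynamic 127.0.0.1 port 8080 <- $ext_ip4 port 80
map $ext_if dynamic 127.0.0.1 port 8443 <- $ext_ip4 port 443
map $ext_if dynamic ::1 port 8080 <- $ext_ip6 port 80
map $ext_if dynamic ::1 port 8443 <- $ext_ip6 port 443

group "external" on $ext_if {
    # Connections the host itself opens (DNS, caddy's own outbound traffic).
    pass stateful out final all

    # Only the web ports are accepted from outside. The filter matches the
    # pre-translation destination, so this lists 80/443, not 8080/8443.
    pass stateful in final proto tcp to $ext_if port { http, https }
}

group default {
    # Loopback stays open so redirected packets reach caddy and caddy can
    # reach any backend bound to 127.0.0.1.
    pass final on lo0 all

    # Anything not passed above is dropped, including attempts to reach
    # 8080/8443 directly on the external address.
    block all
}
```

The explicit `block all` matters because NPF passes packets that match no rule, so without it the high ports would be filtered only by whatever caddy itself binds to.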