From 244a7ac537ad4b7f08723534539b9ddb441ed91e Mon Sep 17 00:00:00 2001 From: bt90 Date: Thu, 28 Dec 2023 15:26:27 +0000 Subject: [PATCH 1/2] Switch to TasksMax --- init/caddy-api.service | 2 +- init/caddy.service | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/init/caddy-api.service b/init/caddy-api.service index 89dc043..6c8a0f1 100644 --- a/init/caddy-api.service +++ b/init/caddy-api.service @@ -20,7 +20,7 @@ Group=caddy ExecStart=/usr/bin/caddy run --environ --resume TimeoutStopSec=5s LimitNOFILE=1048576 -LimitNPROC=512 +TasksMax=512 PrivateTmp=true ProtectSystem=full AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE diff --git a/init/caddy.service b/init/caddy.service index 541d65e..30ca048 100644 --- a/init/caddy.service +++ b/init/caddy.service @@ -27,7 +27,7 @@ ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force TimeoutStopSec=5s LimitNOFILE=1048576 -LimitNPROC=512 +TasksMax=512 PrivateTmp=true ProtectSystem=full AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE From 1ab49e1a45bc14702dcfba189ccda4ed81364edc Mon Sep 17 00:00:00 2001 From: bt90 Date: Thu, 28 Dec 2023 15:28:59 +0000 Subject: [PATCH 2/2] Update readme --- init/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init/README.md b/init/README.md index d26328b..dbeec70 100644 --- a/init/README.md +++ b/init/README.md 
@@ -62,7 +62,7 @@ To keep our unit files tidy, we haven't littered them with comments. So here we - **`After=network.target network-online.target`** and **`Requires=network-online.target`** ensures that the network interfaces are online before Caddy starts. This is necessary because Caddy uses the network to obtain certificates and serve your site over TLS. Specifically, `network-online.target` is needed for the many users who bind listeners to specific network interfaces. - **`TimeoutStopSec=5s`** will forcibly kill the caddy process if it cannot gracefully shut down within this time limit. We figure, if you're stopping the server anyway (as opposed to reloading -- two very distinct operations!) then stopping gracefully is less important than stopping at all. - **`LimitNOFILE=1048576`** raises the file descriptor limit for the caddy process (`ulimit -n`). This is very important for busy sites, or for servers which need to keep connections open longer. This is the [maximum allowed value](https://stackoverflow.com/a/1213069/1048862) for some popular Linux distros. -- **`LimitNPROC=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea. +- **`TasksMax=512`** raises the number of threads caddy is allowed to have (`ulimit -u`). Obviously, setting this too low for a highly concurrent server is a bad idea. - **`PrivateTmp=true`** keeps /tmp and /var/tmp private, which are discarded after caddy stops. - **`ProtectSystem=full`** allows writing to /var, which is crucial so that it can store certificates and other data for your site. - **`AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE`** allows caddy to modify socket options and bind to low ports (< 1024) without running as root.
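Review bot: The caddy-api.service hunk swaps `LimitNPROC=512` for `TasksMax=512` but neither the hunk nor the commit message ("Switch to TasksMax") says why. These are different mechanisms: `LimitNPROC` sets RLIMIT_NPROC, which the kernel enforces per real UID across every process owned by the `caddy` user, while `TasksMax` sets the pids controller limit (`pids.max`) on the unit's own cgroup and counts every thread and process in it. Please state that rationale in the commit message, and note that `TasksMax=` needs a systemd new enough to support the pids controller, so the minimum supported systemd version in the init docs may need checking.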
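Review bot: In the caddy.service hunk the same `TasksMax=512` now applies to the whole unit cgroup, which here includes `ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force`. The reload process's threads are counted alongside the running server's, so a server already near 512 tasks can see the reload (or its own thread creation) fail with EAGAIN instead of being cut off only at the per-user level as before. Worth confirming 512 leaves headroom for that, or documenting how to raise it via a drop-in.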
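Review bot: The README hunk only renames the key; the explanation is now wrong. The line still says `TasksMax=512` "raises the number of threads caddy is allowed to have (`ulimit -u`)", but `TasksMax` is not an RLIMIT and has nothing to do with `ulimit -u`; it caps the number of tasks (threads and processes) in the service's cgroup, and depending on the distro's `DefaultTasksMax` a value of 512 may lower the limit rather than raise it. Suggest rewording along the lines of: "**`TasksMax=512`** caps the number of tasks (threads and processes) in the caddy service's cgroup. Obviously, setting this too low for a highly concurrent server is a bad idea."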