diff --git a/content/posts/unix-socket-perms.md b/content/posts/unix-socket-perms.md new file mode 100644 index 0000000..c906582 --- /dev/null +++ b/content/posts/unix-socket-perms.md 
@@ -0,0 +1,74 @@ +--- +title: "Securing communication between webserver and app" +date: 2024-04-19T17:31:06-04:00 +tags: + - unix-sockets + - tmpfiles.d + - webserver +categories: + - sysadmin +--- + +Webapps usually listen on a random tcp port and a web server forwards the +requests to it. Webserver handles tls, static asset serving and sometimes +authentication, bruteforce check etc., However any local user in the system can +directly connect to the app's listen port bypassing the web server and thus +loose the protections offered by the webserver. + +### Unix sockets + +Unix sockets are special files in filesystem that processes can use to +communicate instead of tcp ports. Since they are files, filesytem ownership and +permissions can be used to restrict which system-users can listen or connect to +them + +### Caddy ↔ Gitea + +I use [Caddy][1] web server which reverse-proxies to [Gitea][2] server. For +caddy to connect to gitea and also disallow anyother user to connect, we want a +socket like below + +```bash +srw-rw---- 1 gitea caddy 0 Apr 17 21:24 /run/gitea.sock +``` + +Unfortunately neither `user caddy` nor `user gitea`, can create such socket. +Regular users can only create files owned by themselves. Only root can +create/change ownership of files and folders. + +### `tmpfiles.d` to rescue + +[tmpfiles.d][3] provides a way to do it. Since it is run as root, it can create +files and directories as any user. + +```bash +❯ cat /etc/tmpfiles.d/caddy-run-unix.conf +d /run/gitea-caddy 0750 gitea caddy - +``` +Above config creates below directory every time on startup. + +```bash +❯ sudo ls -ld /run/gitea-caddy/ +drwxr-x--- 2 gitea caddy 60 Apr 17 21:24 /run/gitea-caddy/ +``` + +With those permissions and ownership, only `user gitea` can create the socket +in `/run/gitea-caddy` and only `user caddy` can `cd` into that directory. 
+ +```bash +❯ sudo ls -l /run/gitea-caddy/web.sock +srw-rw-rw- 1 gitea gitea 0 Apr 17 21:24 /run/gitea-caddy/web.sock +``` + +The socket file permission can be more liberal as no other user can read into +the `/run/gitea-caddy` directory + +### Bonus! + +If your app does not connect to any external services, it can even be run in a +[private network][4]. + + [1]: https://caddyserver.com + [2]: https://gitea.com + [3]: https://man.archlinux.org/man/tmpfiles.d.5 + [4]: https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#PrivateNetwork= diff --git a/public b/public index a67beef..315118b 160000 --- a/public +++ b/public @@ -1 +1 @@ -Subproject commit a67beefc68787fd8fc899fec11346326474dc80e +Subproject commit 315118b85c7de204251c9038192ab1f4917ffc96
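Review bot: The sentence "only `user caddy` can `cd` into that directory" in the post body overstates the restriction: with `drwxr-x--- 2 gitea caddy` the owner `gitea` (rwx) and every member of group `caddy` (r-x) can traverse it; the accurate claim, which is the one the design relies on, is that no other user can reach the socket at all because traversal is denied at the directory. Suggest rewording to "only `user gitea` can create the socket in `/run/gitea-caddy`, and only `gitea` and members of group `caddy` can enter it". Two related gaps worth closing in the same hunk: (1) the post never shows how Gitea is told to bind `/run/gitea-caddy/web.sock` or how Caddy is told to reverse-proxy to it, so a reader cannot reproduce the setup from the `tmpfiles.d` line alone; a short config excerpt for each side would make the post self-contained. (2) The "Unix sockets" section states that filesystem permissions restrict who can connect; that is true on Linux (connect needs write permission on the socket, which is why the world-`rw` bits on `web.sock` matter once the directory is locked down), but it is a Linux-specific guarantee rather than a portable one, and a one-line caveat would help readers on other systems. Minor spelling in the prose: "loose the protections" should be "lose", "filesytem" should be "filesystem", and "anyother" should be "any other".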
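Review bot: The `public` hunk bumps the submodule pointer from `a67beefc68787fd8fc899fec11346326474dc80e` to `315118b85c7de204251c9038192ab1f4917ffc96` alongside the new post, but nothing in this diff shows what changed in the rendered site, so the two cannot be reviewed independently. Confirm that `315118b85c7de204251c9038192ab1f4917ffc96` has actually been pushed to the submodule's remote before merging, otherwise a fresh `git submodule update` on this commit will fail to resolve it; if `public` is build output, consider keeping the pointer bump in its own commit so the content change stays reviewable on its own.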