---
Alias: ["caddy"]
Tag: ["Computer", "Server", "Reverse-Proxy"]
Date: 2021-09-19
DocType: "Personal"
Hierarchy: "NonRoot"
TimeStamp:
location: [51.514678599999996, -0.18378583926867909]
CollapseMetaTable: true
---
Parent:: [[Selfhosting]], [[Server Tools]]
---
^Top
 
```button
name Save
type command
action Save current file
id Save
```
^button-caddySave
 
# Configuring caddy
 
```ad-abstract
title: Summary
collapse: open
This note runs through [caddy ](https://caddyserver.com ), a free tool webserver allowing for reverse-proxy and automatic SSL certifications.
```
 
```toc
style: number
```
 
---
 
### Installation
[[#^Top|TOP]]
 
#### Program installation
1. **Pull the software signature key & image**
```ad-command
~~~bash
echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list
~~~
```
3. **Install caddy**
```ad-command
~~~bash
sudo apt update
sudo apt install caddy
~~~
```
Installing caddy will create a default user 'caddy'.
4. **Test install**
Go to the homepage to see the caddy default page.
 
#### Installing php
PHP needs to be enabled for caddy to work.
```ad-command
~~~bash
sudo add-apt-repository ppa:ondrej/php
sudo apt install php-cli php-fpm php-mysql
~~~
```
Check if php is installed correctly:
```ad-command
~~~bash
php --version
~~~
```
 
---
 
### Configuration of caddy
[[#^Top|TOP]]
 
Caddy will fetch a **SSL certificate** for all sub-domains and addresses present in the config file automatically, once the declaration is made properly.
 
#### Basic files & directories
[[#^Top|TOP]]
1. Create a default website folder
```ad-command
~~~bash
sudo mkdir -p /var/www/html
~~~
```
2. Create a default log folder
```ad-command
~~~bash
sudo mkdir /var/log/caddy
sudo chown -R caddy:caddy /var/log/caddy
~~~
```
 
---
 
#### Caddy configuration file
[[#^Top|TOP]]
Caddy's configuration file is inder:
```ad-path
/etc/caddy/Caddyfile
```
Default configuration is:
```ad-code
~~~javascript
(localhost) {
root * /var/www/html
encode gzip zstd
php_fastcgi unix//run/php/php7.4-fpm.sock
tls (service email) {
protocols tls1.2 tls1.3
}
}
~~~
```
 
---
 
#### PHP configuration file
[[#^Top|TOP]]
To update php, edit the following file:
```ad-path
/etc/php/7.4/fpm/pool.d/www.conf
```
Change all 'www-data' user reference with 'caddy' including:
```ad-code
~~~yaml
listen.owner = caddy
listen.group = caddy
~~~
```
Once this is done, restart php:
```ad-command
~~~bash
sudo systemctl restart php7.4-fpm
~~~
```
 
---
 
#### Configuring CORS
[[#^Top|TOP]]
 
##### Preliminary CORS code snippet
```ad-code
~~~javascript
(cors) {
@origin {args.0} header Origin {args.0}
header @origin {args.0} Access-Control-Allow-Origin "{args.0}"
}
~~~
```
 
##### CORS for a sub-domain
```ad-code
~~~javascript
import cors (http://subdomain.tld)
header Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT"
header Access-Control-Allow-Headers "*"
~~~
```
 
---
 
#### Configuration of a sub-domain suffix
[[#^Top|TOP]]
Configuration requires to add the following in the sub-domain definition of the [[Configuring Caddy#Caddy configuration file|Caddyfile]]:
```ad-code
~~~javascript
handle_path /(suffix)* {
root * /(path to suffix)
file_server
}
~~~
```
 
---
 
#### Configuring with the docker network
[[#^Top|TOP]]
Configuration of a service attached to the docker network is easy:
```ad-code
~~~javascript
(hostname) {
encode zstd gzip
reverse_proxy xxx.yyy.zzz.aaa:port
}
~~~
```
 
---
 
#### Configuring login with a cookie
[[#^Top|TOP]]
```ad-info
title: Tutorial
[Link ](https://josheli.com/knob/2021/02/24/single-sign-on-in-caddy-server-using-only-the-caddyfile-and-basic-authentication/ )
```
 
##### Preliminary login code snippets
1. **Creat hashed passwords**
```ad-command
~~~bash
caddy hash-password
~~~
```
2. **Define the array of users and hashed password**
In the [[Configuring Caddy#Caddy configuration file|Caddyfile]]:
```ad-code
~~~javascript
(basic-auth) {
basicauth / {
user hashed-password
}
}
~~~
```
3. **Define the snippet to test whether the cookie is installed**
In the [[Configuring Caddy#Caddy configuration file|Caddyfile]]:
```ad-code
~~~javascript
(proxy-auth) {
% if cookie not = some-token-nonsense
@no -auth {
not header_regexp mycookie Cookie myid=(regex-to-match-id)
}
% store current time, page and redirect to auth
route @no -auth {
header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure"
redir https://auth.example.com
}
}
~~~
```
 
##### Intermediary authentication page
[[#^Top|TOP]]
After setting up a new subdomain/page and appropriate DNS records, define it as follows in the [[Configuring Caddy#Caddy configuration file|Caddyfile]]:
```ad-code
~~~javascript
auth.example.com {
route / {
% require authentication
import basic-auth
% upon successful auth, set a client token
header Set-Cookie "myid=some-long-hopefully-random-string; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"
% delete the referer cookie
header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"
% redirect back to the original site
redir {http.request.cookie.myreferer}
}
% fallback
respond "Hi."
}
~~~
```
 
##### Adding authentication to a subdomain
Simply add the following at the top of all declarations for sub-domain definitions:
```ad-code
~~~javascript
import proxy-auth
~~~
```
 
---
 
#### Configuring logging for Caddy
1. In the [[Configuring Caddy#Caddy configuration file|Caddyfile]], add a logging module:
```ad-code
title: logging script
~~~javascript
(log) {
log {
output file /var/log/caddy/caddy.log {
roll_local_time
# Other parameters can be found on the Caddy website
}
format json # (or console)
level INFO # (or ERROR)
}
}
~~~
```
 
2. In the global configuration section, add the `import log` directive
```ad-code
~~~javascript
{
import log
}
~~~
```
2. In each subdomain definition, add the following line
`import log`
 
---
 
### Utilities
[[#^Top|TOP]]
 
#### SSL Certification location
Look for a folder with the following sequence:
```ad-path
/.local/share/caddy
```
 
#### Reading the log file
Caddy does offer a `common_log` field in their JS log that can be called for consumption by other software:
```ad-command
~~~bash
sudo cat /var/log/caddy/caddy.log | jq -r ' .. | .common_log? | select(. !=null)'
~~~
```
 
#### Sending logs to user
In order to consume the logs, it is sent through a cron job to a [[Configuring Telegram bots|Telegram bot]].
The script is below:
```ad-code
~~~bash
~~~
```
 
---
 
### Basic commands
[[#^Top|TOP]]
A full repository of commands can be found [here ](https://caddyserver.com/docs/ )
 
#### Start/Stop/Restart
```ad-command
~~~bash
sudo systemctl start/stop/restart caddy
~~~
```
 
#### Reload config
Once config amended just run:
```ad-command
~~~bash
sudo systemctl reload caddy
~~~
```
[[#^Top|TOP]]