---
Alias: ["caddy"]
Tag: ["Computer", "Server", "Reverse-Proxy"]
Date: 2021-09-19
DocType: "Personal"
Hierarchy: "NonRoot"
TimeStamp:
location: [51.514678599999996, -0.18378583926867909]
CollapseMetaTable: Yes
---
Parent:: [[Selfhosting]], [[Server Tools]]
---

```button
name Save
type command
action Save current file
id Save
```
^button-caddySave

# Configuring caddy

```ad-abstract
title: Summary
collapse: open
This note runs through [caddy](https://caddyserver.com), a free web server that provides reverse proxying and automatic SSL certificate provisioning.
```

```toc
style: number
```

---

### Installation

#### Program installation

1. **Pull the software signature key & image**

`echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list`

Note that `[trusted=yes]` tells apt to skip signature verification for this repository.

2. **Install caddy**

`sudo apt update`

`sudo apt install caddy`

Installing caddy creates a default user, 'caddy'.

3. **Test the install**

Open the server's address in a browser; the caddy default page should appear.

#### Installing php

PHP needs to be installed for the caddy configuration in this note (which uses `php_fastcgi`) to work.

`sudo add-apt-repository ppa:ondrej/php`

`sudo apt install php-cli php-fpm php-mysql`

Check that php is installed correctly:

`php --version`

---

### Configuration of caddy

Once a site is declared properly, Caddy automatically fetches an **SSL certificate** for every sub-domain and address present in the config file.

#### Basic files & directories

1. Create a default website folder

`sudo mkdir -p /var/www/html`

2. Create a default log folder

`sudo mkdir /var/log/caddy`

`sudo chown -R caddy:caddy /var/log/caddy`

---

#### Caddy configuration file

Caddy's configuration file is under:

`/etc/caddy/Caddyfile`

The default configuration is (values in parentheses are placeholders to replace):

```caddyfile
(localhost) {
	root * /var/www/html
	encode gzip zstd
	php_fastcgi unix//run/php/php7.4-fpm.sock
	tls (service email) {
		protocols tls1.2 tls1.3
	}
}
```

---

#### PHP configuration file

To update php's configuration, edit the following file:

`sudo nano /etc/php/7.4/fpm/pool.d/www.conf`

Replace every 'www-data' user reference with 'caddy', including:

```
listen.owner = caddy
listen.group = caddy
```

Once this is done, restart php:

`sudo systemctl restart php7.4-fpm`

---

#### Configuring CORS

##### Preliminary CORS code snippet

```caddyfile
(cors) {
	@origin{args.0} header Origin {args.0}
	header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
}
```

The snippet only sets `Access-Control-Allow-Origin` when the request's `Origin` header equals the origin passed as the argument, so it never reflects arbitrary origins.

##### CORS for a sub-domain

```caddyfile
import cors (http://subdomain.tld)
header Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT"
header Access-Control-Allow-Headers "*"
```

---

#### Configuration of a sub-domain suffix

Configuration requires adding the following to the sub-domain definition:

```caddyfile
handle_path /(suffix)* {
	root * /(path to suffix)
	file_server
}
```

---

#### Configuration with the docker network

Configuring a service attached to the docker network is straightforward:

```caddyfile
(hostname) {
	encode zstd gzip
	reverse_proxy xxx.yyy.zzz.aaa:port
}
```

---

#### Configuring login with a cookie

```ad-info
title: Tutorial
[Link](https://josheli.com/knob/2021/02/24/single-sign-on-in-caddy-server-using-only-the-caddyfile-and-basic-authentication/)
```

##### Preliminary login code snippets

1. **Create hashed passwords**

`caddy hash-password`

2. **Define the array of users and hashed passwords**

```caddyfile
(basic-auth) {
	basicauth / {
		user hashed-password
	}
}
```

3. **Define the snippet that tests whether the cookie is set**

```caddyfile
(proxy-auth) {
	# if cookie not = some-token-nonsense
	@no-auth {
		not header_regexp mycookie Cookie myid=(regex-to-match-id)
	}

	# store current time, page and redirect to auth
	route @no-auth {
		header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure"
		redir https://auth.example.com
	}
}
```

##### Intermediary authentication page

After setting up a new subdomain/page and the appropriate DNS records, define it as follows:

```caddyfile
auth.example.com {
	route / {
		# require authentication
		import basic-auth

		# upon successful auth, set a client token
		header Set-Cookie "myid=some-long-hopefully-random-string; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"

		# delete the referer cookie
		header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"

		# redirect back to the original site
		redir {http.request.cookie.myreferer}
	}

	# fallback
	respond "Hi."
}
```

Any request whose `myid` cookie matches the regex in `proxy-auth` is let through, so the token value set here is effectively a shared secret and must be long and unpredictable.

##### Adding authentication to a subdomain

Simply add the following at the top of each sub-domain definition:

```caddyfile
import proxy-auth
```
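As an added example that is not part of the original note, a single Caddyfile assembling the pieces from this section: the global email option, the cors, basic-auth and proxy-auth snippets, the auth page, and a docker-hosted service with a static docs suffix. example.com, 172.18.0.5:8080, /srv/docs and the PLACEHOLDER values are assumptions to replace. Because Caddy evaluates directives in its fixed directive order (handle_path before route) rather than in textual order, the service site wraps its handlers in an explicit route block so the cookie check runs before file_server.

```caddyfile
# Added example, not from the original note; hostnames, IP, paths and tokens are placeholders.
{
	email admin@example.com
}
# Snippets must be defined before the site blocks that import them.
(cors) {
	@origin{args.0} header Origin {args.0}
	header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
}
(basic-auth) {
	basicauth / {
		# paste the output of `caddy hash-password` in place of the placeholder
		alice PLACEHOLDER_BCRYPT_HASH
	}
}
(proxy-auth) {
	# the regex must match the literal token the auth page sets, up to the next ';' or end
	@no-auth {
		not header_regexp mycookie Cookie myid=PLACEHOLDER_TOKEN(;|$)
	}
	route @no-auth {
		header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure"
		redir https://auth.example.com
	}
}
auth.example.com {
	route / {
		import basic-auth
		# the token is a shared secret: replace PLACEHOLDER_TOKEN with a long random value in both places
		header Set-Cookie "myid=PLACEHOLDER_TOKEN; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"
		header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"
		redir {http.request.cookie.myreferer}
	}
	respond "Hi."
}
# Caddy sorts directives (handle_path before route), so without the explicit
# route block below the /docs files would be served before proxy-auth ran.
app.example.com {
	encode zstd gzip
	import cors https://app.example.com
	route {
		import proxy-auth
		handle_path /docs* {
			root * /srv/docs
			file_server
		}
		reverse_proxy 172.18.0.5:8080
	}
}
```

Run `caddy validate --config /etc/caddy/Caddyfile` after editing to catch syntax errors before reloading.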

---

### Utilities

#### SSL Certification location

Certificates are stored in a folder whose path ends with:

`/.local/share/caddy`

For the packaged systemd service, whose caddy user has its home in `/var/lib/caddy`, this resolves to `/var/lib/caddy/.local/share/caddy`.

---

### Basic commands

A full repository of commands can be found [here](https://caddyserver.com/docs/).

#### Start/Stop/Restart

`sudo systemctl start/stop/restart caddy`

#### Reload config

Once the config has been amended, apply it with:

`sudo systemctl reload caddy`