---

Alias: ["caddy"]
Tag: ["Computer", "Server", "Reverse-Proxy"]
Date: 2021-09-19
DocType: "Personal"
Hierarchy: "NonRoot"
TimeStamp:
location: [51.514678599999996, -0.18378583926867909]
CollapseMetaTable: Yes

---

Parent:: [[Selfhosting]], [[Server Tools]]

---

&emsp;

```button
name Save
type command
action Save current file
id Save
```
^button-caddySave

&emsp;

# Configuring caddy

&emsp;

```ad-abstract
title: Summary
collapse: open
This note runs through [caddy](https://caddyserver.com), a free tool webserver allowing for reverse-proxy and automatic SSL certifications.
```

&emsp;

```toc
style: number
```

&emsp;

---

&emsp;

### Installation

&emsp;

#### Program installation

1. **Pull the software signature key & image**

`echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list`

3. **Install caddy**

`sudo apt update`
`sudo apt install caddy`

Installing caddy will create a default user 'caddy'.

4. **Test install**

Go to the homepage to see the caddy default page.

&emsp;

#### Installing php

PHP needs to be enabled for caddy to work.

`sudo add-apt-repository ppa:ondrej/php`
`sudo apt install php-cli php-fpm php-mysql`

Check if php is installed correctly:

`php --version`

&emsp;

---

&emsp;

### Configuration of caddy

&emsp;

Caddy will fetch a **SSL certificate** for all sub-domains and addresses present in the config file automatically, once the declaration is made properly.

&emsp;

#### Basic files & directories

1. Create a default website folder

`sudo mkdir -p /var/www/html`

2. Create a default log folder

`sudo mkdir /var/log/caddy`
`sudo chown -R caddy:caddy /var/log/caddy`

&emsp;

---

&emsp;

#### Caddy configuration file

Caddy's configuration file is inder:

`/etc/caddy/Caddyfile`

Default configuration is:

>(localhost) {
>root * /var/www/html
>encode gzip zstd
>php_fastcgi unix//run/php/php7.4-fpm.sock
>tls (service email) {
>protocols tls1.2 tls1.3
>}
>}

&emsp;

---

&emsp;

#### PHP configuration file

To update php, edit the following file:

`sudo nano /etc/php/7.4/fpm/pool.d/www.conf`

Change all 'www-data' user reference with 'caddy' including:

```
listen.owner = caddy
listen.group = caddy
```

Once this is done, restart php:

`sudo systemctl restart php7.4-fpm`

&emsp;

---

&emsp;

#### Configuring CORS

&emsp;

##### Preliminary CORS code snippet

>(cors) {
>        @origin{args.0} header Origin {args.0}
>        header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
>}

&emsp;

##### CORS for a sub-domain

> import cors (http://subdomain.tld)
> header Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT"
> header Access-Control-Allow-Headers "*"

&emsp;

---

&emsp;

#### Configuration of a sub-domain suffix

Configuration requires to add the following in the sub-domain definition:

> handle_path /(suffix)\* {
> root * /(path to suffix)
> file_server
> }

&emsp;

---

&emsp;

#### Configuration with the docker network

Configuration of a service attached to the docker network is easy:

> (hostname) {
> encode zstd gzip
> reverse_proxy xxx.yyy.zzz.aaa:port
> }

&emsp;

---

&emsp;

#### Configuring login with a cookie

```ad-info
title: Tutorial
[Link](https://josheli.com/knob/2021/02/24/single-sign-on-in-caddy-server-using-only-the-caddyfile-and-basic-authentication/)
```

&emsp;

##### Preliminary login code snippets

1. **Creat hashed passwords**

`caddy hash-password`

2. **Define the array of users and hashed password**

>(basic-auth) {
>  basicauth / {
>    user hashed-password
>  }
>}
 
3. **Define the snippet to test whether the cookie is installed**

>(proxy-auth) {
>% if cookie not = some-token-nonsense
>  @no-auth {
>    not header_regexp mycookie Cookie myid=(regex-to-match-id)
>  }
>
> % store current time, page and redirect to auth
  route @no-auth {
>    header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure"
>    redir https://auth.example.com
>  }
>}

&emsp;

##### Intermediary authentication page

After setting up a new subdomain/page and appropriate DNS records, define it as follows:

>auth.example.com {
  route / {
> % require authentication
>    import basic-auth
>
> % upon successful auth, set a client token
>    header Set-Cookie "myid=some-long-hopefully-random-string; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"
>     
> % delete the referer cookie
>header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"
>     
> % redirect back to the original site
>    redir {http.request.cookie.myreferer}
  }
>
> % fallback
  respond "Hi."
}

&emsp;

##### Adding authentication to a subdomain

Simply add the following at the top of all declarations for sub-domain definitions:

> import proxy-auth

&emsp;

---

&emsp;

### Utilities

&emsp;

#### SSL Certification location

Look for a folder with the following sequence:

`/.local/share/caddy`

&emsp;

---

&emsp;

### Basic commands

A full repository of commands can be found [here](https://caddyserver.com/docs/)

&emsp;

#### Start/Stop/Restart

`sudo systemctl start/stop/restart caddy`

&emsp;

#### Reload config

Once config amended just run:

`sudo systemctl reload caddy`

&emsp;
&emsp;