Alias: caddy
Tag: Computer, Server, Reverse-Proxy
Date: 2021-09-19
DocType: Personal
Hierarchy: NonRoot
TimeStamp:
location: 51.514678599999996, -0.18378583926867909
CollapseMetaTable: Yes

Parent:: Selfhosting, Server Tools


Configuring caddy

Summary

This note runs through [caddy](https://caddyserver.com), a free web server that provides reverse proxying and automatic SSL certificates.


Installation

Program installation

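  1. Add the caddy package repository

echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list

The [trusted=yes] option marks this source as trusted, so apt does not verify package signatures for it and no signing key is imported by this step.

  2. Install caddy

sudo apt update
sudo apt install caddy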

Installing caddy will create a default user 'caddy'.

  3. Test install

Go to the homepage to see the caddy default page.

Installing php

PHP (php-fpm) needs to be installed for caddy to serve PHP pages.

sudo add-apt-repository ppa:ondrej/php
sudo apt install php-cli php-fpm php-mysql

Check if php is installed correctly:

php --version


Configuration of caddy

Caddy automatically fetches an SSL certificate for every sub-domain and address declared in the config file, provided the declaration is made properly.

Basic files & directories

  1. Create a default website folder

sudo mkdir -p /var/www/html

  2. Create a default log folder

sudo mkdir /var/log/caddy
sudo chown -R caddy:caddy /var/log/caddy


Caddy configuration file

Caddy's configuration file is located at:

/etc/caddy/Caddyfile

Default configuration is (parenthesised values are placeholders):

(localhost) {
    root * /var/www/html
    encode gzip zstd
    php_fastcgi unix//run/php/php7.4-fpm.sock
    tls (service email) {
        protocols tls1.2 tls1.3
    }
}


PHP configuration file

To update php, edit the following file:

sudo nano /etc/php/7.4/fpm/pool.d/www.conf

Replace all references to the 'www-data' user with 'caddy', including:

listen.owner = caddy
listen.group = caddy

Once this is done, restart php:

sudo systemctl restart php7.4-fpm


Configuring CORS

Preliminary CORS code snippet

(cors) {
    @origin{args.0} header Origin {args.0}
    header @origin{args.0} Access-Control-Allow-Origin "{args.0}"
}

CORS for a sub-domain

import cors (http://subdomain.tld)
header Access-Control-Allow-Methods "POST, GET, OPTIONS, PUT"
header Access-Control-Allow-Headers "*"


Configuration of a sub-domain suffix

Add the following to the sub-domain definition:

handle_path /(suffix)* {
    root * /(path to suffix)
    file_server
}


Configuration with the docker network

Configuration of a service attached to the docker network is easy:

(hostname) {
    encode zstd gzip
    reverse_proxy xxx.yyy.zzz.aaa:port
}


Tutorial: [Link](https://josheli.com/knob/2021/02/24/single-sign-on-in-caddy-server-using-only-the-caddyfile-and-basic-authentication/)

Preliminary login code snippets
  1. Create hashed passwords

caddy hash-password

  2. Define the array of users and hashed passwords

(basic-auth) {
    basicauth / {
        user hashed-password
    }
}

  3. Define the snippet to test whether the cookie is installed

(proxy-auth) {
    # if cookie not = some-token-nonsense
    @no-auth {
        not header_regexp mycookie Cookie myid=(regex-to-match-id)
    }

    # store current time, page and redirect to auth
    route @no-auth {
        header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure"
        redir https://auth.example.com
    }
}

Intermediary authentication page

After setting up a new subdomain/page and appropriate DNS records, define it as follows:

auth.example.com {
    route / {
        # require authentication
        import basic-auth

        # upon successful auth, set a client token
        header Set-Cookie "myid=some-long-hopefully-random-string; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"

        # delete the referer cookie
        header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"

        # redirect back to the original site
        redir {http.request.cookie.myreferer}
    }

    # fallback
    respond "Hi."
}

Adding authentication to a subdomain

Simply add the following at the top of all declarations for sub-domain definitions:

import proxy-auth
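
The following is an added example, not code from this note or the linked tutorial. It is written in Go because Caddy's header_regexp matcher uses Go's regexp engine. It generates a random value for the myid cookie and builds an anchored pattern for the (regex-to-match-id) slot, then compares it with an unanchored pattern on constructed Cookie headers. The function names and sample headers are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
)

// NewToken returns n random bytes, hex-encoded, for use as the myid cookie value.
func NewToken(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// LoosePattern is the bare "myid=<token>" form: it matches anywhere in the header.
func LoosePattern(token string) *regexp.Regexp {
	return regexp.MustCompile("myid=" + regexp.QuoteMeta(token))
}

// StrictPattern matches only a complete cookie pair whose name is exactly myid.
func StrictPattern(token string) *regexp.Regexp {
	return regexp.MustCompile(`(^|;\s*)myid=` + regexp.QuoteMeta(token) + `(\s*;|$)`)
}

func main() {
	token, err := NewToken(32)
	if err != nil {
		panic(err)
	}
	loose, strict := LoosePattern(token), StrictPattern(token)
	fmt.Println("Set-Cookie value:      myid=" + token)
	fmt.Println("header_regexp pattern:", strict.String())
	// Constructed Cookie headers: two legitimate, two that must not pass the gate.
	headers := []string{
		"myid=" + token,
		"theme=dark; myid=" + token,
		"myid=" + token + "0",
		"notmyid=" + token,
	}
	fmt.Println("loose  strict  Cookie header")
	for _, h := range headers {
		fmt.Printf("%-6v %-7v %s\n", loose.MatchString(h), strict.MatchString(h), h)
	}
}
```

The token is the same for every user and is stored in the Caddyfile, so it has to be kept secret and replaced whenever access needs to be revoked.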


Utilities

SSL Certification location

Look for a folder with the following sequence:

/.local/share/caddy


Basic commands

A full repository of commands can be found here

Start/Stop/Restart

sudo systemctl start/stop/restart caddy

Reload config

Once the config has been amended, just run:

sudo systemctl reload caddy