4.4 KiB
Alias | Tag | Date | DocType | Hierarchy | TimeStamp | location | CollapseMetaTable | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
2021-09-19 | Personal | NonRoot |
|
Yes |
Parent:: Selfhosting, Tools Server
name Save
type command
action Save current file
id Save
^button-caddySave
Configuring caddy
title: Summary
collapse: open
This note runs through [caddy](https://caddyserver.com), a free tool webserver allowing for reverse-proxy and automatic SSL certifications.
style: number
Installation
Program installation
- Pull the software signature key & image
echo "deb [trusted=yes] https://apt.fury.io/caddy/ /" | sudo tee -a /etc/apt/sources.list.d/caddy-fury.list
- Install caddy
sudo apt update
sudo apt install caddy
Installing caddy will create a default user 'caddy'.
- Test install
Go to the homepage to see the caddy default page.
Installing php
PHP needs to be enabled for caddy to work.
sudo add-apt-repository ppa:ondrej/php
sudo apt install php-cli php-fpm php-mysql
Check if php is installed correctly:
php --version
Configuration of caddy
Caddy will fetch a SSL certificate for all sub-domains and addresses present in the config file automatically, once the declaration is made properly.
Basic files & directories
- Create a default website folder
sudo mkdir -p /var/www/html
- Create a default log folder
sudo mkdir /var/log/caddy
sudo chown -R caddy:caddy /var/log/caddy
Caddy configuration file
Caddy's configuration file is inder:
/etc/caddy/Caddyfile
Default configuration is:
(localhost) { root * /var/www/html encode gzip zstd php_fastcgi unix//run/php/php7.4-fpm.sock tls (service email) { protocols tls1.2 tls1.3 } }
PHP configuration file
To update php, edit the following file:
sudo nano /etc/php/7.4/fpm/pool.d/www.conf
Change all 'www-data' user reference with 'caddy' including:
listen.owner = caddy
listen.group = caddy
Once this is done, restart php:
sudo systemctl restart php7.4-fpm
Configuration with the docker network
Configuration of a service attached to the docker network is easy:
(hostname) { encode zstd gzip reverse_proxy xxx.yyy.zzz.aaa:port }
Configuring login with a cookie
title: Tutorial
[Link](https://josheli.com/knob/2021/02/24/single-sign-on-in-caddy-server-using-only-the-caddyfile-and-basic-authentication/)
Preliminary login code snippets
- Creat hashed passwords
caddy hash-password
- Define the array of users and hashed password
(basic-auth) { basicauth / { user hashed-password } }
- Define the snippet to test whether the cookie is installed
(proxy-auth) { % if cookie not = some-token-nonsense @no-auth { not header_regexp mycookie Cookie myid=(regex-to-match-id) }
% store current time, page and redirect to auth route @no-auth { header Set-Cookie "myreferer={scheme}://{host}{uri}; Domain=example.com; Path=/; Max-Age=30; HttpOnly; SameSite=Strict; Secure" redir https://auth.example.com } }
Intermediary authentication page
After setting up a new subdomain/page and appropriate DNS records, define it as follows:
auth.example.com { route / { % require authentication import basic-auth
% upon successful auth, set a client token header Set-Cookie "myid=some-long-hopefully-random-string; Domain=example.com; Path=/; Max-Age=3600; HttpOnly; SameSite=Strict; Secure"
% delete the referer cookie header +Set-Cookie "myreferer=null; Domain=example.com; Path=/; Expires=Thu, 25 Sep 1971 12:00:00 GMT; HttpOnly; SameSite=Strict; Secure"
% redirect back to the original site redir {http.request.cookie.myreferer} }
% fallback respond "Hi." }
Adding authentication to a subdomain
Simply add the following at the top of all declarations for sub-domain definitions:
import proxy-auth
Basic commands
A full repository of commands can be found here
Start/Stop/Restart
sudo systemctl start/stop/restart caddy
Reload config
Once config amended just run:
sudo systemctl reload caddy