1. Caddy version (caddy version
):
V2.4.6
2. How I run Caddy:
Docker
a. System environment:
skiffOS with docker
c. Service/unit/compose file:
version: '3.7'
services:
nginx:
depends_on:
- radicale
- homeassistant
image: nginx:latest
container_name: nginx_reverse_proxy
volumes:
- /etc/localtime:/etc/localtime:ro
- /mnt/persist/mydocker/nginx.conf:/etc/nginx/nginx.conf
- /mnt/persist/mydocker/nginx/error.log:/etc/nginx/error.log
- /mnt/persist/mydocker/nginx/access.log:/etc/nginx/access.log
- /mnt/persist/mydocker/letsencrypt/:/etc/letsencrypt/
- /mnt/persist/mydocker/nginx/dhparams.pem:/etc/nginx/dhparams.pem
- snikket_data:/snikket:ro
restart: unless-stopped
network_mode: host
radicale:
image: tomsquest/docker-radicale
container_name: radicale
ports:
- 127.0.0.1:5232:5232
init: true
read_only: true
security_opt:
- no-new-privileges:true
cap_drop:
- ALL
cap_add:
- SETUID
- SETGID
- CHOWN
- KILL
healthcheck:
test: curl -f http://127.0.0.1:5232 || exit 1
interval: 30s
retries: 3
restart: unless-stopped
volumes:
- /etc/localtime:/etc/localtime:ro
- /mnt/persist/mydocker/radicale/data:/data
- /mnt/persist/mydocker/radicale/config:/config:ro
- /mnt/persist/mydocker/radicale/users:/etc/radicale/users
- /mnt/persist/mydocker/radicale/log:/var/log/radicale/log
homeassistant:
container_name: home-assistant
image: homeassistant/home-assistant:stable
volumes:
- /etc/localtime:/etc/localtime:ro
- /mnt/persist/mydocker/homeassistant:/config
environment:
- TZ=Europe/London
restart: unless-stopped
network_mode: host
esphome:
image: esphome/esphome
volumes:
- /mnt/persist/mydocker/esphome/config:/config:rw
- /etc/localtime:/etc/localtime:ro
network_mode: host
restart: unless-stopped
snikket_proxy:
container_name: snikket-proxy
image: snikket/snikket-web-proxy:dev
env_file: snikket.conf
network_mode: host
volumes:
- snikket_data:/snikket
- acme_challenges:/var/www/html/.well-known/acme-challenge
restart: "unless-stopped"
snikket_certs:
container_name: snikket-certs
image: snikket/snikket-cert-manager:dev
env_file: snikket.conf
volumes:
- snikket_data:/snikket
- acme_challenges:/var/www/.well-known/acme-challenge
restart: "unless-stopped"
snikket_portal:
container_name: snikket-portal
image: snikket/snikket-web-portal:dev
network_mode: host
env_file: snikket.conf
restart: "unless-stopped"
snikket_server:
container_name: snikket
image: snikket/snikket-server:dev
network_mode: host
volumes:
- snikket_data:/snikket
env_file: snikket.conf
restart: "unless-stopped"
volumes:
acme_challenges:
snikket_data:
Nginx config
user www-data;
worker_rlimit_core 500M;
worker_processes 1;
events {
worker_connections 1024;
}
http {
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
error_log /etc/nginx/error.log warn;
access_log /etc/nginx/access.log;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_protocols TLSv1.2 TLSv1.3;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_stapling on;
ssl_stapling_verify on;
ssl_certificate /etc/letsencrypt/live/myradicaleserver.duckdns.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myradicaleserver.duckdns.org/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/myradicaleserver.duckdns.org/chain.pem;
ssl_session_cache shared:SSL:10m;
proxy_buffering off;
server {
listen 80;
server_name myradicaleserver.duckdns.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name myradicaleserver.duckdns.org;
location /radicale/ {
proxy_pass http://localhost:5232/;
proxy_set_header X-Script-Name /radicale;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Authorization;
}
}
server {
listen 80;
server_name myhomeassistantserver.duckdns.org;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name myhomeassistantserver.duckdns.org;
location / {
proxy_pass http://localhost:8123;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /api/websocket {
proxy_pass http://localhost:8123/api/websocket;
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
# Accept HTTP connections
listen 80;
listen [::]:80;
server_name mysnikketserver.duckdns.org;
server_name groups.mysnikketserver.duckdns.org;
server_name share.mysnikketserver.duckdns.org;
client_max_body_size 20M;
location / {
proxy_pass http://localhost:5080/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
# Accept HTTPS connections
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /snikket/letsencrypt/live/mysnikketserver.duckdns.org/fullchain.pem;
ssl_certificate_key /snikket/letsencrypt/live/mysnikketserver.duckdns.org/privkey.pem;
client_max_body_size 20M;
server_name mysnikketserver.duckdns.org;
server_name groups.mysnikketserver.duckdns.org;
server_name share.mysnikketserver.duckdns.org;
location / {
proxy_pass https://localhost:5443/;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# REMOVE THIS IF YOU CHANGE `localhost` TO ANYTHING ELSE ABOVE
proxy_ssl_verify off;
proxy_set_header X-Forwarded-Proto https;
proxy_ssl_server_name on;
}
}
}
Hi
I could really use some advice currently I have a setup that uses nginx as a reverse proxy running in docker with several service ( home assistant , radicale, etc ) available remotely . I use a cron job to renew certs currently but I will be moving to a different operating system which is based on buildroot , SkiffOS .
so all service including cert renewal needs to run in containers , I did ask on the certbot forum about running certbot in a container and still using cron to renew the certs , but this seems a bit messy , why not take this time to switch to Caddy . link to certbot forum post
my questions are, I see that caddy does things like oscp stapling http to https redirects by default , but what else does it do by default , basically what can I remove from the above nginx config file thats not required in a caddyfile config . For example I know after a bit of research that I dont need the dhparam.pen or any of the cyphers (although I know there is an option for it )
I know a caddyfile is relatively simple to put together so something like home assistant can be as simple as
example.com {
reverse_proxy localhost:8123
}
so I’m quite excited to get stuck in a create the caddyfile but do I need most of the global options from the nginx config for a secure caddy reverse proxy ?
my second question is I’ve seen mention of a duckdns plugin, is this something that ,I would need/benefit from as I use duckdns for my dns resolver , although I do have a static IP.
finally I have a xmpp server (snikket) running also in docker , It gets its own certs and I believe automatically proxys to https I know its possible to use external certs with caddy but I dont fully understand how.
thanks in advance for any advice / direction you have for me.
so far this is my first very basic attempt at understanding the caddyfile
{
log [access] {
output /var/log/access.log
}
}
myradicaleserver.duckdns.org{
handle_path /radicale* {
reverse_proxy localhost:5232 {
header_up X-Script-Name /radicale
}
}
}
myhomeassistantserver.duckdns.org {
reverse_proxy localhost:8123
}
http://mysnikketserver.duckdns.org, http://groups.mysnikketserver.duckdns.org, http://share.mysnikketserver.duckdns.org {
reverse_proxy localhost:5080 localhost:5443
request_body {
max_size 20MB
}
}