Basic Caddy Upgrade Docker with cloudflare

1. My Caddy version (caddy version):

v2 :latest (there's no caddy:2.0.0 amd64 image, btw)

2. How I run Caddy:

docker-compose.yml:

  caddy:
    container_name: caddy
    image: caddy:latest
    restart: always
    environment:
      - ACME_AGREE=true
      - CLOUDFLARE_EMAIL=cloudflare email
      - CLOUDFLARE_API_KEY=cloudflare key
    networks:
      - caddy-proxy
    ports:
      - 443:443
      - 80:80
      - 8480:8480
      - 8443:8443
    secrets:
      - cloudflare_api
      - cloudflare_email
    dns:
      - 192.168.10.1
    volumes:
      - ./caddy/certs:/root/.caddy
      - ./caddy/srv:/srv
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile

a. System environment:

Ubuntu 19.04 LTS

b. Command:

n/a?

c. Service/unit/compose file:

paste full file contents here

d. My complete Caddyfile or JSON config:

(tls) {
    tls letsencrypt@domain.com {
        dns cloudflare
        wildcard
    }
}

# USG
https://unifi.internal.domain.com {
    import tls
    log / stdout "Unifi          : {common}"
    errors stdout
    # not working
    reverse_proxy / https://192.168.10.45:8444/ {
        insecure_skip_verify
        transparent
        websocket
    }
}

3. The problem I’m having:

Figuring out how to start.
Apart from changing proxy to reverse_proxy in the Caddyfile and pulling the new image, I'm kinda stuck.

I used to use the abiosoft Caddy image for v1, which may have had the Cloudflare plugin added? So first step, how do I add that? Do I need to build each time?

Then, as I'll be using a new machine with a branch of my Caddyfile, how can I test that the certs are being pulled down (moving to the ACME test API endpoint; the docs said I could do it, but didn't show me how)?

We’re working on it! Something seemed to have gone wrong when we triggered the docker builds.

I think you're looking for the builder image; you'll need to install the caddy-dns/cloudflare plugin (GitHub - caddy-dns/cloudflare: Caddy module: dns.providers.cloudflare). See the docs on Docker Hub, specifically the "Adding custom Caddy modules" section.

So does that mean I have to create my own Dockerfile and use that? Which extends the base official Docker image?

Unless I can do it somehow in a compose file.

Yep! It might look like this:

FROM caddy:2.0.0-builder AS builder

RUN caddy-builder \
    github.com/caddy-dns/cloudflare

FROM caddy:2.0.0

COPY --from=builder /usr/bin/caddy /usr/bin/caddy

Managed to get over that. So adding a Dockerfile as per your example, then the following in the compose:

caddy:
    container_name: caddy
    build:
      dockerfile: ${PWD}/caddy/Dockerfile
      context: ${PWD}/caddy

I need to verify if the ${PWD} does anything; I cheated and put the full path. But this built the image and used it with the Cloudflare plugin.

So next step is understanding how to use it.

Current Caddyfile has a tls section which told it my email address and how to pull from Cloudflare.
But now it seems to want a special challenge field. But it doesn't quite tell me where it should go:

{
	"challenges": {
		"dns": {
			"provider": "cloudflare",
			"api_token": "secret"
		}
	}
}

Source: Caddy2 cloudflare plugin - #3 by Dejan_Milosevic but all the links are bad.

You can just do this:

      dockerfile: ./caddy/Dockerfile
      context: ./caddy

Relative paths from the docker-compose.yml

In the Caddyfile it would look like this:

    tls {
        dns cloudflare <api_token>
    }

And just FYI the JSON docs on the website – for that field in particular – are outdated until about an hour from now. They were one of the last things to change.

Edit: They’re current now.

Cool, that got me further… and I thought I'd tried the caddy/Dockerfile; I think it needed the ./caddy removed.

The Cloudflare thing worked. But now I see I'm up against: v2: wildcard hostnames with automatic TLS · Issue #2867 · caddyserver/caddy · GitHub, as I have a wildcard cert.

So reading down that issue I see the poster has:

*.theblazehen.com {
  tls {
    ask http://httpstat.us/200
  }
  reverse_proxy / {host}.home:80
}

Where I have:

(tls) {
    tls letsencrypt@domain.com {
        dns cloudflare {$CLOUDFLARE_API_KEY}
        wildcard
    }
}

But then on

https://unifi.domain.com {
    import tls
    log / stdout "Unifi          : {common}"
    errors stdout
    reverse_proxy / https://192.168.10.41:8444/ {
        insecure_skip_verify
        transparent
        websocket
    }
}

I import the tls entry. Or would I now go:

*.domain.com {
    tls {
        tls letsencrypt@domain.com {
            dns cloudflare {$CLOUDFLARE_API_KEY}
            wildcard
        }
    }
    https://unifi.domain.com {
        reverse_proxy / https://192.168.10.41:8444/ {
            insecure_skip_verify
            transparent
            websocket
        }
    }
}

And put them all under the *.domain.com entry?

Please excuse the JSON; I'm hoping I've structured it right. I wrote it in the post rather than in a real file to try.

tls {
    dns cloudflare {$CLOUDFLARE_API_KEY}
}

Reference:

I’m still updating the website docs, been a little busy today. The DNS providers were the last thing to squeeze in so they’re not really documented yet.

Any further information on how the *.domain.com and the subdomain should look?

What do you mean?

This whole post: Basic Caddy Upgrade Docker with cloudflare - #9 by psyciknz

Which uses a wildcard domain name and then a subdomain

I still don’t understand your question.

To get a wildcard cert, just use a wildcard in your site address, like: *.example.com and then enable the DNS challenge for that site.

So my question is how should the json look for that.
All the posts I've seen and/or docs don't really present a single JSON to apply those two directives. In that post I presented a possible JSON down the bottom (which I've subsequently found does not work).

So my question is, what does the entire section look like.

This Caddyfile will get you a wildcard cert:

*.example.com

tls {
    dns cloudflare {env.CLOUDFLARE_API_TOKEN}
}

Assuming you use Cloudflare and your API token is in that env variable.

How do I reference that wildcard (tls) for a subdomain?

In Caddy v1, I'd create an entry:

unifi.domain.com {
    import tls
}

ie import the tls entry, which is named in your wildcard example.

Is that still current?
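For reference, a Caddy v2 Caddyfile that obtains one wildcard certificate through the Cloudflare DNS challenge and routes a single subdomain to the UniFi controller, added here as an illustration; it is not taken from the thread or from the Caddy project. It assumes example.com as the domain and the CLOUDFLARE_API_TOKEN variable from the reply above; the upstream address is the one posted in the thread, and the staging acme_ca line addresses the earlier question about testing against the ACME test endpoint.

```caddyfile
{
    # Account email for ACME registration (assumption: replace with yours).
    email letsencrypt@example.com

    # Issue from the Let's Encrypt staging CA while checking that the DNS
    # challenge works. Staging certs are not browser-trusted, and the
    # production endpoint has stricter rate limits, so test here first.
    # Remove this line once the DNS challenge is confirmed working.
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
}

# A single site block for the wildcard: this is what gets the *.example.com
# certificate. The token is read from the environment so it never sits in
# the Caddyfile. Use a Cloudflare API token scoped to DNS edit on this zone
# only, not the account-wide global API key exported in the compose file.
*.example.com {
    tls {
        dns cloudflare {env.CLOUDFLARE_API_TOKEN}
    }

    # Subdomains are selected with host matchers inside the wildcard block
    # rather than with separate site blocks, so they all share the one cert.
    @unifi host unifi.example.com
    handle @unifi {
        reverse_proxy https://192.168.10.41:8444 {
            transport http {
                # The UniFi controller presents a self-signed certificate.
                # Skipping verification leaves this hop open to interception;
                # install a trusted cert on the controller and drop this line
                # where you can.
                tls_insecure_skip_verify
            }
        }
    }

    # Any other name under the wildcard that is not explicitly routed gets
    # a 404 instead of silently being proxied to the first upstream.
    handle {
        respond "Not found" 404
    }
}
```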
