Caddy and staticfiles (Django)

1. My Caddy version (caddy -version):

v2.0.0-beta.13
docker image - caddy/caddy:alpine
django version - 2.0+

2. How I run Caddy:

Docker as service in docker swarm

Stack file:

  caddy:
    image: caddy/caddy:alpine
    hostname: "{{.Service.Name}}-{{.Task.Slot}}"
    depends_on:
      - django
    ports:
      - "0.0.0.0:2015:2015"
      - "0.0.0.0:8088:8088"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /opt/project/compose/caddy/:/etc/caddy/
      - /opt/project:/srv
    deploy:
      replicas: 1
      mode: replicated
      placement:
        constraints:
          - node.labels.server == backend
      restart_policy:
        condition: on-failure
    cap_add:
      - CAP_NET_BIND_SERVICE
    networks:
      - blabla

For the first version of Caddy I used the following Caddyfile:

example.com {
    header / {
      -Server
      -X-Host
    }

    proxy / django:5000 {
            except project/static
            transparent
    }
    gzip
    log stdout
    errors stderr
    tls /srv/compose/caddy/security-cert/client_ssl.pem /srv/compose/caddy/security-cert/root.unencrypted.pem {
    protocols tls1.2
    }
}

localhost:8088 {
    header / {
      -Server
      -X-Host
    }

    proxy / django:5000 {
            except project/static
            transparent
    }
    gzip
    log stdout
    errors stderr
    tls off
}

Now I started using the second version of Caddy (Caddy server) and made a different Caddyfile for it:

{
    http_port 8088
    https_port 2015
}

example.com:2015 {
    reverse_proxy django:5000
    tls /srv/compose/caddy/security-cert/client_ssl.pem /srv/compose/caddy/security-cert/root.unencrypted.pem {
        protocols tls1.2 tls1.3
    }
    encode zstd gzip
}

localhost:8088 {
    root * /srv/project/
    reverse_proxy django:5000 {
        header_down -Server
        header_down -Host
    }
    file_server
}

Questions:

  1. What is the alternative in Caddy 2 to the “except” parameter? (I use it for static files, because I get status 404 from all my static files.)
  2. How do I set only tls1.2? (If I try to do it on Caddy 2 I get the message “building standard TLS config: protocol min (746c73312e32) cannot be greater than protocol max ()”.)
  3. Are these two Caddyfiles the same? (I may have read the documentation for Caddy 2 quite well.)

Solving your first question is quite easy. You need to use a matcher to tell Caddy not to use the reverse_proxy on requests to certain paths.

This would probably look like this (may or may not work as-is, try different path combinations until you get something that works for you):

@notStatic {
    not {
        path /project/static*
    }
}
reverse_proxy @notStatic django:5000

For your second question, I don’t think you need to do this at all. The default is already to have minimum as tls1.2 and maximum as tls1.3, see tls (Caddyfile directive) — Caddy Documentation. You might be running into a bug here though, that error message does seem strange.

@Mohammed90 do you think you could take a quick look into that one? I’m sure you’d figure it out quicker than I would.

One thing I noticed about your v2 config is that you set header_down -Host, but in your v1 config you set header / -X-Host. Seems like you’re removing a different header in v2. Also, I’m not sure you need to specify those global config options for the ports, I think it’s enough to have specified the ports in the site labels. Otherwise, yes, those configs look more or less equivalent to my eyes.


That’s a bug. The check isn’t accounting for max protocol config being optional, so it ends up comparing the value “tls1.2” against an empty string.

If max is not specified, Caddy will use “tls1.3” by default. For your case, you have to set both min and max to “tls1.2”. So your directive will be:

    tls /srv/compose/caddy/security-cert/client_ssl.pem /srv/compose/caddy/security-cert/root.unencrypted.pem {
        protocols tls1.2 tls1.2
    }
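Putting the two answers together, here is an added example Caddyfile (not from the original posters) that serves the static path from disk, proxies everything else to Django, and pins TLS to 1.2 only. It assumes the poster's volume layout, where /opt/project is mounted at /srv so a request for /project/static/app.css maps to /srv/project/static/app.css; the X-Host header name is taken from the v1 config.

```caddyfile
{
    # Same ports as the stack file above
    http_port 8088
    https_port 2015
}

example.com:2015 {
    tls /srv/compose/caddy/security-cert/client_ssl.pem /srv/compose/caddy/security-cert/root.unencrypted.pem {
        # max defaults to tls1.3 when omitted, so both ends must be given to pin 1.2
        protocols tls1.2 tls1.2
    }

    # Static assets are served straight from disk and never proxied.
    # Assumption: /opt/project is mounted at /srv, so the root is /srv and
    # /project/static/app.css resolves to /srv/project/static/app.css.
    @static {
        path /project/static/*
    }
    root @static /srv
    file_server @static

    # Everything else goes to Django; the matcher is the one from the first reply.
    @notStatic {
        not {
            path /project/static/*
        }
    }
    reverse_proxy @notStatic django:5000 {
        header_down -Server
        header_down -X-Host
    }

    encode zstd gzip
}
```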
