1. Caddy version (caddy version):
# /opt/caddy/bin/caddy version
v2.4.5 h1:P1mRs6V2cMcagSPn+NWpD+OEYUYLIf6ecOa48cFGeUg=
2. How I run Caddy:
a. System environment:
# cat /etc/system-release
CentOS Linux release 8.4.2105
# systemctl status caddy
● caddy.service - Caddy
Loaded: loaded (/etc/systemd/system/caddy.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2021-09-05 21:52:44 EDT; 12h ago
Docs: https://caddyserver.com/docs/
Main PID: 245220 (caddy)
Tasks: 10 (limit: 49327)
Memory: 31.1M
CGroup: /system.slice/caddy.service
└─245220 /opt/caddy/bin/caddy run --environ --config /opt/caddy/etc/Caddyfile
b. Command:
systemctl start caddy
c. Service/unit/compose file:
# This file is managed by Puppet
# caddy.service
#
# For using Caddy with a config file.
#
# Make sure the ExecStart and ExecReload commands are correct
# for your installation.
#
# See https://caddyserver.com/docs/install for instructions.
#
# WARNING: This service does not use the --resume flag, so if you
# use the API to make changes, they will be overwritten by the
# Caddyfile next time the service is restarted. If you intend to
# use Caddy's API to configure it, add the --resume flag to the
# `caddy run` command or use the caddy-api.service file instead.
[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/opt/caddy/bin/caddy run --environ --config /opt/caddy/etc/Caddyfile
ExecReload=/opt/caddy/bin/caddy reload --config /opt/caddy/etc/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
# cat /opt/caddy/etc/Caddyfile
{
	auto_https disable_redirects
}

syscfg-2.tld:9200 {
	bind 10.192.212.45
	log {
		output file /opt/caddy/logs/access.log {
			roll_size 100mb
			roll_keep 5
			roll_keep_for 720h
		}
		format console
	}
	# Mutual TLS
	tls /opt/caddy/tls/syscfg-2.tld-crt.pem /opt/caddy/tls/syscfg-2.tld-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /opt/caddy/tls/ca.pem
		}
	}
	# only allow client certs with matching CN for designated vmagents
	@client_cert {
		expression \
			{tls_client_subject} == 'CN=vmagent-1.tld' || \
			{tls_client_subject} == 'CN=vmagent-2.tld'
	}
	reverse_proxy @client_cert localhost:9100
}

syscfg-2.tld:9201 {
	bind 10.192.212.45
	log {
		output file /opt/caddy/logs/access.log {
			roll_size 100mb
			roll_keep 5
			roll_keep_for 720h
		}
		format console
	}
	# Mutual TLS
	tls /opt/caddy/tls/syscfg-2.tld-crt.pem /opt/caddy/tls/syscfg-2.tld-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /opt/caddy/tls/ca.pem
		}
	}
	# only allow client certs with matching CN for designated vmagents
	@client_cert {
		expression \
			{tls_client_subject} == 'CN=vmagent-1.tld' || \
			{tls_client_subject} == 'CN=vmagent-2.tld'
	}
	reverse_proxy @client_cert localhost:9101
}
3. The problem I'm having:
I'm using Caddy as a TLS reverse proxy on two separate ports (9200 and 9201) to different HTTP frontends. I would like to avoid having to repeat a lot of the mutual TLS configuration. Any way to consolidate the config? The only difference in the two configs is the reverse_proxy lines.
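As an added example (not from the original post and not an official project answer), this is one way to consolidate the two listeners with the Caddyfile snippet and import mechanism, assuming `{args.0}` expands to the first import argument as it does in Caddy v2.4; the trailing `respond 403` is my addition, not part of the poster's config, and keeps the CN allowlist in one place so both ports cannot drift apart.

```caddyfile
{
	auto_https disable_redirects
}

# Shared mTLS listener settings; the upstream address is the first import argument.
(mtls_proxy) {
	bind 10.192.212.45
	log {
		output file /opt/caddy/logs/access.log {
			roll_size 100mb
			roll_keep 5
			roll_keep_for 720h
		}
		format console
	}
	tls /opt/caddy/tls/syscfg-2.tld-crt.pem /opt/caddy/tls/syscfg-2.tld-key.pem {
		client_auth {
			mode require_and_verify
			trusted_ca_cert_file /opt/caddy/tls/ca.pem
		}
	}
	# only allow client certs with matching CN for designated vmagents
	@client_cert {
		expression \
			{tls_client_subject} == 'CN=vmagent-1.tld' || \
			{tls_client_subject} == 'CN=vmagent-2.tld'
	}
	# {args.0} is replaced with the upstream given on the import line
	reverse_proxy @client_cert {args.0}
	# Added hardening (assumption, not in the original config): a request that
	# passed the CA check but has a non-allowlisted CN gets an explicit 403
	# rather than Caddy's default empty 200, so denials stand out in access.log.
	respond 403
}

syscfg-2.tld:9200 {
	import mtls_proxy localhost:9100
}

syscfg-2.tld:9201 {
	import mtls_proxy localhost:9101
}
```

Run `caddy validate --config /opt/caddy/etc/Caddyfile` after the change to confirm both site blocks still compile with the client_auth settings before reloading.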