How to remotely configure Caddy 2

ImedAdel · May 9, 2020, 11:13pm

1. Caddy version (`caddy version`):

2.0.0

2. How I run Caddy:

a. System environment:

AWS EC2 T2 Micro, Amazon Linux 2, Docker 19.03

b. Command:

docker build -t caddy .

docker run --name caddyserver -v $PWD/Caddyfile:/etc/caddy/Caddyfile -v $PWD/caddy.json:/etc/caddy/caddy.json -p 80:80 -p 443:443 -p 2020:2020 --rm caddy

c. Service/unit/compose file:

FROM caddy:2-alpine

RUN apk --no-cache add curl

EXPOSE 80 443 2020

d. My complete Caddyfile or JSON config:

{
	debug
	acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
	admin localhost:2020
}

centige.site {
	redir https://centige.com permanent
}

test.centige.site {
	reverse_proxy https://xxxx.s3.amazonaws.com

	rewrite * https://xxxx.s3.amazonaws.com/{uri}
}

3. The problem I’m having:

I would like to remotely configure my Caddy server using something like api.centige.site.

I tried adding the following block, but it didn’t solve my problem:

api.centige.site {
  reverse_proxy localhost:2020
}

Then I tried setting the admin endpoint to api.centige.site:2020, but running Caddy failed.

The port 2020 is already exposed in my AWS EC2 security group.

I am not sure if what I’m doing is possible. If it is, I’d really appreciate it if I can get any sort of help : )

4. Error messages and/or full log output:

Connecting to api.centige.site:2020 or EC2_IP:2020 in Insomnia resulted in Error: Couldn't connect to server.

Using curl returns connection refused.

5. What I already tried:

oops, I already described this in 3)

6. Links to relevant resources:

A similar implementation to what I’m trying to do is GitHub Pages. They used to run on Nginx and reload the config every 30 min (Rearchitecting GitHub Pages | The GitHub Blog). I’d like to do the same thing, except, instead of reloading the config using a cron job, I can update it remotely.

PS. thank you for the awesome work

francislavoie · May 9, 2020, 11:31pm

Setting the admin endpoint to localhost:2020 will only allow connections from within the container. Instead, you could set it to :2020 which should allow connections from any IP.

FYI, there’s a Caddy v2 git plugin that might do what you need if you’re trying to implement a site that automatically updates:

ImedAdel · May 10, 2020, 12:16am

Thank you @francislavoie, I saw you comment on a similar issue and using :2020 actually worked!

Just one more thing, how do I assign only api.centige.site to that endpoint? So that you can’t use say test.centige.site:2020/config/

francislavoie · May 10, 2020, 4:20am

Currently there’s no way to do that from the Caddyfile. Instead you’ll need to use the JSON config to lock it down further:

You can set enforce_origin to true, and provide a list of allowed origins.

You can convert your Caddyfile config to JSON using caddy adapt --config /path/to/Caddyfile.

matt · May 10, 2020, 5:18am

Actually, if you can bind to test.centige.site:2020 then it will enforce the Host header to match test.centige.site: admin.go - caddyserver/caddy - Sourcegraph

In other words, it should “just work” assuming you can bind to that interface. (Depends on your system and local DNS resolution.)

ImedAdel · May 10, 2020, 2:53pm

Thank you @francislavoie! The JSON config is totally okay for me, so this solved

@matt How does binding work in this case? I tried this config, but it is clearly wrong (since it doesn’t work)

:2020 {
	bind api.centige.site:2020
}

I got:

run: loading initial config: loading new config: http app module: start: tcp: listening on [api.centige.site:2020]:2020: listen tcp: lookup api.centige.site:2020: no such host

Thank you!

matt · May 10, 2020, 3:01pm

The listen address for the admin endpoint is the socket the admin endpoint binds to.

ImedAdel · May 10, 2020, 3:05pm

Oh, so you meant changing the global config part like so?

{
  admin api.centige.site:2020
}

matt · May 10, 2020, 3:18pm

Yep! That will bind to that interface only and restrict the Host header to that value.

ImedAdel · May 10, 2020, 3:24pm

When running Caddy using the docker command

docker build -t caddy .

docker run --network host --name caddyserver -v $PWD/Caddyfile:/etc/caddy/Caddyfile  -p 80:80 -p 443:443 -p 2020:2020 --rm caddy

I get:

run: loading initial config: loading new config: starting caddy administration endpoint: listen tcp EC2_PUBLIC_IP4:2020: bind: cannot assign requested address

I’m not sure if this part is related to Caddy. If it’s not, please feel free to skip it

system · June 9, 2020, 3:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.