Just wanting a review to check if my setup is correct

Hi there, just started using Caddy and I’m just looking for some reassurance that what I’ve done is correct. I have my app up and running in the way I want, but it was so easy to set up that I’ve got a feeling I may have missed something and opened a security hole or something. I’m not a network guy or anything and things don’t usually work first time for me like this :sweat_smile:.

Quite simply I’ve got some internal tools I want to use HTTPS and domain name with while keeping them behind my internal network.

Full log output:

May 07 09:46:04 research-base systemd[1]: Reloading caddy.service - Caddy...
May 07 09:46:04 research-base caddy[2129]: {"level":"info","ts":1746607564.7904232,"msg":"using config from file","file":"/etc/caddy/Caddyfile"}
May 07 09:46:04 research-base caddy[2129]: {"level":"info","ts":1746607564.7932217,"msg":"adapted config to JSON","adapter":"caddyfile"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.7961316,"logger":"admin.api","msg":"received request","method":"POST","host":"localhost:2019","uri":"/load","remote_ip":"127.0.0.1","remote_port":"51904","headers":{"Accept-Encoding":["gzip"],"Cache-Control":["must-revalidate"],"Content-Length":["592"],"Content-Type":["application/json"],"Origin":["http://localhost:2019"],"User-Agent":["Go-http-client/1.1"]}}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8000894,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8005664,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.800603,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8011649,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8011935,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
May 07 09:46:04 research-base caddy[696]: {"level":"warn","ts":1746607564.8012795,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}
May 07 09:46:04 research-base caddy[696]: {"level":"warn","ts":1746607564.8012908,"logger":"http","msg":"HTTP/3 skipped because it requires TLS","network":"tcp","addr":":80"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.801297,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.801327,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["da-ph-ne.com"]}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.801416,"logger":"http","msg":"servers shutting down with eternal grace period"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8019295,"msg":"autosaved config (load with --resume flag)","file":"/var/lib/caddy/.config/caddy/autosave.json"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8026543,"logger":"admin.api","msg":"load complete"}
May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8042977,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
May 07 09:46:04 research-base systemd[1]: Reloaded caddy.service - Caddy.

How I installed and ran Caddy:

I’m running caddy using the pre-built package with the integrated Cloudflare module. It’s enabled as a service file.

I then added this to my Cloudflare DNS settings. It’s the local IP of the virtual machine the app runs on.

a. System environment:

PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

c. Service/unit/compose file:

[Unit]
Description=Caddy
Documentation=https://caddyserver.com/docs/
After=network.target network-online.target
Requires=network-online.target

[Service]
Type=notify
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile --force
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

d. My complete Caddy config:

da-ph-ne.com {
        tls {
                # Cloudflare DNS-01 challenge: certificate issuance does not need
                # ports 80/443 to be reachable from the internet.
                dns cloudflare [REDACTED]
                resolvers 1.1.1.1
        }

        # Set this path to your site's directory.
        root * /www/Blazor_Data_Platform

        # Enable the static file server.
        # Note: reverse_proxy is ordered before file_server in Caddy's directive
        # order and has no matcher, so every request is proxied to the app and
        # this directive is never reached.
        file_server

        # Another common task is to set up a reverse proxy:
        reverse_proxy 127.0.0.1:5000
}
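To answer the "did I open a hole?" question from the log rather than by guesswork, here is an added example (not the poster's code and not part of Caddy): a small Python check that parses the journald-prefixed JSON lines from the startup log above and pulls out the security-relevant facts, in particular that the admin API is bound to localhost only, which domains get automatic TLS, and which ports are listening. The sample lines are copied from the log in the post.

```python
import json
import re

# Journald prefix before the JSON body, e.g. "May 07 09:46:04 research-base caddy[696]: "
PREFIX = re.compile(r"^.*?caddy\[\d+\]:\s*")

# Sample lines copied from the reload log in the post above.
SAMPLE_LOG = [
    'May 07 09:46:04 research-base systemd[1]: Reloading caddy.service - Caddy...',
    'May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8000894,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}',
    'May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.800603,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}',
    'May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.8011649,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}',
    'May 07 09:46:04 research-base caddy[696]: {"level":"warn","ts":1746607564.8012795,"logger":"http","msg":"HTTP/2 skipped because it requires TLS","network":"tcp","addr":":80"}',
    'May 07 09:46:04 research-base caddy[696]: {"level":"info","ts":1746607564.801327,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["da-ph-ne.com"]}',
]

def parse_caddy_log(lines):
    """Yield the decoded JSON event of every caddy[...] line; skip systemd and non-JSON lines."""
    for line in lines:
        if "caddy[" not in line:
            continue
        body = PREFIX.sub("", line, count=1)
        try:
            yield json.loads(body)
        except json.JSONDecodeError:
            continue

def review_startup(lines):
    """Summarise the security-relevant facts from a Caddy startup/reload log."""
    summary = {"admin_address": None, "admin_enforce_origin": None,
               "tls_domains": [], "https_redirects": False, "listen_addrs": set()}
    for ev in parse_caddy_log(lines):
        logger, msg = ev.get("logger", ""), ev.get("msg", "")
        if logger == "admin" and msg == "admin endpoint started":
            summary["admin_address"] = ev.get("address")
            summary["admin_enforce_origin"] = ev.get("enforce_origin")
        elif msg == "enabling automatic TLS certificate management":
            summary["tls_domains"].extend(ev.get("domains", []))
        elif msg == "enabling automatic HTTP->HTTPS redirects":
            summary["https_redirects"] = True
        elif "addr" in ev:  # listener events and the "skipped because it requires TLS" warnings
            summary["listen_addrs"].add(ev["addr"])
    return summary

def admin_is_local_only(summary):
    """True when the admin API (which can reload the whole config) listens on loopback only."""
    host = (summary["admin_address"] or "").rsplit(":", 1)[0]
    return host in ("localhost", "127.0.0.1", "[::1]")

if __name__ == "__main__":
    result = review_startup(SAMPLE_LOG)
    print(result, "admin local-only:", admin_is_local_only(result))
```

Run it against `journalctl -u caddy --no-pager` output to check a real reload; an admin address other than loopback is the one thing here that would actually be worth worrying about.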

Yes, your config is proper. It’s that easy :grin: