Problems building custom caddy docker image or running pre-made image

1. The problem I’m having:

I’m running a test server with Flask and want to test it with users. In order to do that properly, I need authentication. And in order for that, I need a server that’s pretty easy to maintain. And that’s how I stumbled onto Caddy.

This is to be run on my Synology NAS (DSM 7).

First, I’ve tried several ways to build my image, but it always ends with this:

The command used is: sudo docker build -f Dockerfile -t test-caddy-security .

Ok, so I tried a premade image (both thekevjames/caddy-security and androw/caddy-security) with the following command: sudo docker run -d --name test-server -p 8443:8443 -v /volume1/docker_config/Caddy/test-server:/srv -v caddy_data:/data -v /volume1/docker_config/Caddy/config/Caddyfile:/etc/caddy/Caddyfile -v /volume1/public/certificate/2025-2030:/etc/caddy/certs -v /volume1/docker_config/Caddy/config:/etc/caddy/config thekevjames/caddy-security:latest

2. Error messages and/or full log output:

2025/05/30 06:26:32 [INFO] Setting capabilities (requires admin privileges): [setcap cap_net_bind_service=+ep /app/caddy] 
Failed to set capabilities on file '/app/caddy': Not supported 
Error: failed to setcap on the binary: exit status 1 
failed to setcap on the binary: exit status 1 
The command '/bin/sh -c xcaddy build --with github.com/greenpau/caddy-security --output /app/caddy' returned a non-zero code: 1

3. Caddy version:

sudo docker-compose exec caddy caddy version
Password:
service "caddy" is not running

4. How I installed and ran Caddy:

I didn’t get that far.

a. System environment:

Synology DSM 7

b. Command:

I didn’t get that far.

d. My complete Caddy config:

:8443 {
    security {
        basic_auth {
            users file:/etc/caddy/config/passwdfile_security
        }
    }
    respond "Autentisering OK"
}

5. Links to relevant resources:

This question on Reddit is probably more informative: https://www.reddit.com/r/docker/comments/1kyxnjl/problems_building_custom_caddy_docker_image_or/

Where’s this Dockerfile?

What’s the output of this command?

Why did the mods remove it?!

Hi.

Not sure, but it could be they didn’t like the repost? I tried several places - Syno told me to check Docker, who told me to check Caddy, so I tried a crosspost.

I’ve done quite a bit since yesterday, and I even tried using Gemini for help. No luck still.

This is my last Caddyfile:

# Global options block
{
    admin localhost:2019
    log {
        level DEBUG
    }
    default_sni 192.168.1.15
    security {
        local identity store local_users {
            realm "Lokalt Område"
            path /etc/caddy/config/auth/users.json
        }
        authentication portal my_application_portal {
            crypto key sign-verify "{env.MY_CADDY_JWT_KEY}"
            crypto default token lifetime 3600
            enable identity store local_users
            ui {
                theme basic
            }
        }
        authorization policy require_authenticated_user {
            crypto key verify "{env.MY_CADDY_JWT_KEY}"
            allow roles authenticated authp/user
        }
    }
}

192.168.1.15:8443 {
    tls internal

    route /login* { # Your explicit entry point for starting login
        authenticate with my_application_portal
        respond "Login-prosessen er initiert/fullført for /login."
    }

    route {
        authorize with require_authenticated_user
        respond "Velkommen, {http.request.header.Get X-Authenticated-User-Name}! Du er logget inn."
    }
}

tiwas.synology.me:8443 {
    tls /etc/caddy/certs/tiwas.synology.me.crt /etc/caddy/certs/tiwas.synology.me_key.txt 
    respond "This is the server accessed via tiwas.synology.me:8443 with your custom cert!"
}

http://192.168.1.15:8080 {
    # Same logic as for the HTTPS site:
    # Let caddy-security handle its paths first.

    route /login* {
        authenticate with my_application_portal
        respond "Login-prosessen er initiert/fullført for /login (HTTP)."
    }

    route {
        authorize with require_authenticated_user
        respond "Velkommen, {http.request.header.Get X-Authenticated-User-Name}! Du er på HTTP-serveren."
    }
}

For my last attempt I used Synology’s Docker Manager to download androw/docker-security:latest and set it up similar to this Dockerfile:

# Start from a base image with Go and Caddy
FROM caddy:builder AS builder

# Install Git and OpenSSH client
RUN apk add --no-cache git openssh-client

# Create SSH directory and set permissions
RUN mkdir -p /root/.ssh && chmod 700 /root/.ssh

# Add GitHub's host key
RUN ssh-keyscan github.com >> /root/.ssh/known_hosts

# Add SSH key as a build argument
ARG SSH_PRIVATE_KEY
RUN echo "$SSH_PRIVATE_KEY" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa

# Tell Git to use SSH for GitHub
RUN git config --global url."git@github.com:".insteadOf "https://github.com/"

# Build Caddy with caddy-security and specific output name
RUN xcaddy build --with github.com/greenpau/caddy-security --output /app/caddy

# Delete the SSH key
RUN rm -rf /root/.ssh

# Final image
FROM caddy:latest
COPY --from=builder /app/caddy /usr/bin/caddy

I got as far as seeing a mangled login page like this

There were several errors in the developer console indicating I didn’t have rights to open the files (which is why I wanted to log in 😉)

If you have any leads I’d be really happy to get this thing up and running.
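
A builder stage that avoids two problems visible in this thread, as an added example that is not part of the original posts or of the Caddy project's own files: it skips the `setcap` step that fails in the build log, and it does not pass an SSH private key as a build argument, because a key written by a `RUN` step stays in that builder layer and its build history even after a later `rm`. It assumes the plugin module is public and fetched over HTTPS, and that Caddy only binds the unprivileged ports used above (8443, 8080).

```dockerfile
# Added example (not the poster's file): builder stage without SSH key handling.
FROM caddy:builder AS builder

# xcaddy runs setcap on the output binary only when XCADDY_SETCAP=1; the build
# log in this thread shows that step enabled and failing with "Not supported".
# Setting it to 0 skips the step on storage that cannot hold file capabilities.
ENV XCADDY_SETCAP=0

# Assumption: the module is public, so the Go toolchain fetches it over HTTPS
# and no private key, known_hosts entry or git URL rewrite is needed.
RUN xcaddy build \
    --with github.com/greenpau/caddy-security \
    --output /app/caddy

# Final image: only the compiled binary crosses the stage boundary.
FROM caddy:latest
COPY --from=builder /app/caddy /usr/bin/caddy

# Without the file capability the binary cannot bind ports below 1024 as a
# non-root user; the site addresses in this thread use 8443 and 8080.
```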

I need both Caddy logs and what the browser complains about 🙂