1. Caddy version (caddy version):
2.4.5
2. How I run Caddy:
Installed via official Ansible role
a. System environment:
Ubuntu 20.04 LTS.
b. Command:
"/usr/local/bin/caddy" run --environ --config "/home/fuzzy/caddy/Caddyfile"
c. Service/unit/compose file:
;
; Ansible managed
;
; source: https://github.com/mholt/caddy/blob/master/dist/init/linux-systemd/caddy.service
; version: 6be0386
; changes: Set variables via Ansible
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network-online.target
[Service]
Restart=on-failure
StartLimitInterval=86400
StartLimitBurst=5
; User and group the process will run as.
User=www-data
Group=www-data
; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy
ExecStart="/usr/local/bin/caddy" run --environ --config "/home/fuzzy/caddy/Caddyfile"
ExecReload="/usr/local/bin/caddy" reload --config "/home/fuzzy/caddy/Caddyfile"
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev
PrivateDevices=true
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=false
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; ... except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy /var/log/caddy
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
d. My complete Caddyfile or JSON config:
Links provided below if needed
3. The problem I’m having:
I run Caddy in two places, on my VPS which is public facing and then on a local server that has a wireguard connection to the VPS. What I’d like to do is be able to set up my Adguard/DNS on my home network to point to the local server so I avoid putting traffic through the VPS (and also eliminate as much latency as possible). Currently I have a setup that’s working but it terminates TLS on the VPS and forwards the traffic to the local Caddy server over http. I’d like to also have HTTPS when I’m on my home network.
What I’d ideally like to do is have only one reverse_proxy entry per domain, i.e. just something like this:
photos.example.com {
	tls PATH_TO_CERTS
	reverse_proxy http://192.168.1.20:8000
	import headers
}
That could handle both the connection from the VPS and internally (and give me HTTPS in both spots). I figured out a solution using request matching with something like this:
https://photos.example.com {
	@local remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8
	reverse_proxy @local http://192.168.1.20:8000
	tls PATH_TO_CERTS
	import headers
}
http://photos.example.com {
	reverse_proxy http://192.168.1.20:8000
	import headers
}
But that’s kludgy on a large scale. Is there a way to streamline this to a single block per subdomain? Or alternatively, is it possible to do HTTPS on both the VPS and the local server so it wouldn’t matter? I tried something like this on the VPS/local server to do HTTPS/HTTPS but all I got was a blank page:
VPS:
*.example.com {
	tls PATH_TO_CERTS
	@photos host photos.example.com
	handle @photos {
		reverse_proxy https://10.10.10.10:443
		import personal_headers
		import no_robots
	}
}
Local server:
photos.example.com {
	tls PATH_TO_CERTS
	reverse_proxy http://192.168.1.20:8000
	import headers
}
If you really want to see my full Caddyfiles of my existing setup (that’s HTTPS->HTTP), here’s the VPS one and the local server one
4. Error messages and/or full log output:
No errors that I can see
5. What I already tried:
See above
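Added example (not the poster's configuration): one way to keep HTTPS on both hops so the local server needs only the single site block per subdomain shown above, with the VPS sending the real hostname as SNI to the local Caddy and verifying its certificate rather than skipping verification. It assumes the local Caddy's certificate is valid for photos.example.com, that 10.10.10.10 is the local server's WireGuard address, and that the headers, personal_headers and no_robots snippets are defined elsewhere in the Caddyfile.

```caddyfile
# Added example, not the original post's config. Assumes the local Caddy
# serves a certificate valid for photos.example.com and that the imported
# snippets (headers, personal_headers, no_robots) exist elsewhere.

# --- VPS (public facing) ---
*.example.com {
	tls PATH_TO_CERTS
	@photos host photos.example.com
	handle @photos {
		import personal_headers
		import no_robots
		# Dial the local server over the WireGuard tunnel with TLS. Because the
		# upstream is an IP address, set the SNI explicitly so the local Caddy
		# picks the photos.example.com certificate and the VPS can verify it
		# against that name (no tls_insecure_skip_verify needed).
		reverse_proxy https://10.10.10.10:443 {
			transport http {
				tls_server_name photos.example.com
			}
		}
	}
}

# --- Local server (reached directly by LAN clients via Adguard/DNS, and by
# the VPS over the tunnel; both arrive as HTTPS, so one block is enough) ---
photos.example.com {
	tls PATH_TO_CERTS
	import headers
	reverse_proxy http://192.168.1.20:8000
}
```

The VPS and local server blocks live in separate Caddyfiles on their respective hosts; they are shown together here only for comparison.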