Reverse Proxy Standards - What else can I do?

Hello there,
after trying a couple of RPs, my way led me to Caddy.

At the moment I’m running v2.8.4 on a Raspi 4 to send all TLD requests to a lil Proxmox server and a Synology server. As you can see, my TLD goes through Cloudflare. And I want all subs to get SSL.

A basicauth is also running and works.

Here my question(s):
What else can I do to make it “better”, faster and safer? What do I have to add to get load balancing and other stuff that makes my config better? Hope you understand what I want.

Yes, I could read many many Wikis and stuff, but it’s overloaded and I didn’t understand everything correctly. English, as you guess, isn’t my native language. And I’m old. Just need some “add this to your config and you’re good”-stuff.

:443 {
    tls internal {
        on_demand
    }
    root * /usr/share/caddy
    file_server
}
(cloudflare) {
    tls {
        dns cloudflare thisismycloudflareapi
    }
}
home.example.com {
    basicauth {
        user $2a$thatworktoo
    }
    encode gzip
    reverse_proxy 192.168.0.0:port
    tls {
        protocols tls1.3
    }
}
sub.example.com {
    encode gzip
    reverse_proxy 192.168.0.0:port
    tls {
        protocols tls1.3
    }
}
Of course these aren’t all subs, but they’re all looking the same as the example above.

Thank you in advance for not roasting and helping.
Dan

Are you sure you need this? This is insecure and unsafe if your server is publicly accessible, because then any attacker could point unlimited domains to your server and cause your server to fill up with garbage certs and keys until you run out of storage space. This serves no purpose, so remove it. You should not use on_demand unless you understand the implications, and read all the warnings on the tin (the docs).

Remove this. There’s no reason to override the TLS protocols Caddy uses. Let Caddy choose modern secure defaults for you.

Next time, please fill out the help topic template as per the forum rules.

I’m not sure of course. I will remove it.

And I will remove the protocols.

Everything else? Load balancing, or?

You only have one upstream, so load balancing isn’t a thing. That would matter if you had more than one copy of the upstreams.

Seems like this is for a home server? Don’t worry about it.


Yes, it’s a home server. Thank you very much.


Other than things Francis already mentioned, your config honestly looks good!

With Caddy, simpler is almost always better. The less config you have, the faster the server will be. Caddy cares a lot about having modern, secure, fast defaults out of the box, so you only need to configure exceptions to the best practice, if you really need them.

Caddy is fastest and safest with just a single reverse_proxy in a site block.

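Putting the advice from the replies together (drop the `:443` on-demand block, drop the per-site `protocols` override, keep one `reverse_proxy` per site), the Caddyfile below is an added example, not Dan’s config or anything from the Caddy project. It assumes the `caddy-dns/cloudflare` plugin is built in (the original already uses `dns cloudflare`), reads the API token from an environment variable instead of pasting it into the file, and uses placeholder upstream addresses and a placeholder bcrypt hash.

```caddyfile
# Reusable snippet: ACME DNS challenge through Cloudflare, so certificates are
# issued even though the origin is behind Cloudflare. The token is read from
# the CF_API_TOKEN environment variable rather than written into the config.
(cloudflare) {
	tls {
		dns cloudflare {env.CF_API_TOKEN}
	}
}

# Reusable snippet for the settings every proxied site shares.
# No `protocols` override: Caddy's TLS defaults are already modern.
(proxied) {
	import cloudflare
	encode gzip
}

# No catch-all `:443` block with `tls internal { on_demand }`: without it a
# request for a hostname that is not listed here gets no certificate at all,
# so strangers cannot make Caddy mint certs for arbitrary names.

home.example.com {
	import proxied
	# `basic_auth` is the v2.8 spelling of the old `basicauth` directive.
	# Replace the placeholder with a hash from `caddy hash-password`.
	basic_auth {
		user $2a$PLACEHOLDER_BCRYPT_HASH
	}
	# Constructed placeholder: the Proxmox box on the LAN.
	reverse_proxy 192.168.0.10:8006
}

sub.example.com {
	import proxied
	# Constructed placeholder: the Synology box on the LAN.
	reverse_proxy 192.168.0.20:5000
}
```

Run `caddy validate --config Caddyfile` after editing; it parses the file and reports brace or directive errors before anything is reloaded.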

Nice to hear. It’s really confusing how easy that setup is.