SSL Configuration in Caddy

SSL Configuration in Caddy

Caddy is inbuild with SSL configuration when we use the tls directive with the Caddyfile configuration.

Default SSL Configuration

Caddy has solid SSL handling built right into its core. Use the tls directive in your Caddyfile to let Caddy do the work. Caddy automatically issues SSL certificates and securely configures the SSL setup.

You don’t need to worry about certificate paths as you need to in Nginx. Caddy handles everything for you.

Here’s a sample Caddyfile with SSL setup for the vibhuvi.com domain:

vibhuvi.com {  
  tls hello@vibhuvi.com

  reverse_proxy localhost:2022
}

:2022 {
    respond "Welcome to Caddy SSL Conf"
}

That’s it! The one line containing the tls directive tells Caddy to serve the domain via SSL and use the given email address for the ACME account that manages the site’s certificates.

ACME: Automatic Certificate Management Environment Certificate authority, cert-manager will generate a private key which is used to identify you with the ACME server.

Caddy also redirects any HTTP traffic to HTTPS when using the tls directive. You can also customize TLS versions, ciphers, curves, the used key type, and so on. Test your SSL setup on ssllabs.

SSL Labs Test Report

Custom SSL Configuration

Add your private key and certificate chain in Caddy as below

tls cert key

cert: is the certificate file. If the certificate is signed by a CA, this certificate file should be a bundle: a concatenation of the server’s certificate followed by the CA’s certificate.

cat server.crt bundle.pem > fullchain.pem

key is the server’s private key file which matches the certificate file.

Configuring Caddy specifically to listen on HTTP and HTTPS default ports by specifying the scheme for each site.

# HTTP->HTTPS redirects
http://xyz.example, http://api.xyz.example {
  redir https://{host}{uri}
}

https://xyz.example {
    # Custom SSL Conf
    tls /ssl/certs/fullchain.pem /ssl/certs/key.pem
}

https://api.xyz.example {
    # Custom SSL Conf
    tls /ssl/certs/fullchain.pem /ssl/certs/key.pem
}

Ref