Unsure if I have correctly translated my NGINX config into Caddy


(r) #1

I am in the process of purifying my server and am working on the switch from NGINX to Caddy, but I am skeptical of how simple it was to make the Caddyfile. Also, I have some questions that I could not find answers to. For example, in NGINX there is a ssl_dhparam /path/to/.pem option, but I could not find the equivalent of that while reading the Caddy docs; is this handled automatically? My next question would be for the TLS DNS options: setting environment variables and the email field. I plan on using the linode option, so in the Caddyfile I would write the following, but something tells me this is wrong:

tls {
	dns linode apikey
	email email@gggg.com
}

My next question would be about the “upstream” in http.proxy, because I am not sure on using it correctly either. Here is how I have it in NGINX:

upstream servername {
	server 127.0.0.1:8000;
}
...
location / {
		proxy_pass http://servername/;
		...

And in the Caddyfile:

https://servername.org {

	proxy / 127.0.0.1:8000 {
		upstream servername
		websocket
		transparent
	}
}

And here is my first draft of the proposed Caddyfile:

https://servername.org {

	proxy / 127.0.0.1:8000 {
		upstream servername
		websocket
		transparent
	}

	header / {
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin"
		X-Content-Type-Options "nosniff"
		X-Permitted-Cross-Domain-Policies "none"
		Strict-Transport-Security "max-age=300; includeSubDomains"
		X-Robots-Tag "none"
		Access-Control-Allow-Methods "GET, POST, PUT"
		Content-Security-Policy "upgrade-insecure-requests"
		Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
		-Server
	}

	tls {
		dns linode apikey
		email email@email.com
		protocols tls1.2 tls1.3
	}

	limits {
		header 100KB
		body 100MB
	}

	timeouts {
		read 36000s
		body 600s
	}

	status 404 {
		/
	}

	root /home/a/t/server/www/.well-known/

}

Versus the esoteric Frankenstein’s Monster of cobbled together NGINX configs:
nginx.conf
servername.org.conf
ssltweaks.conf
securityheaders.conf


(Matthew Fay) #2

Hi @park, welcome to the Caddy community.

ssl_dhparam sets the parameters for Diffie-Hellman ephemeral ciphers. Caddy has modern, sane and secure defaults for its cipher suite built in; you don’t need to configure the ciphers or their parameters, although you can specify with the ciphers subdirective for tls.

https://caddyserver.com/docs/tls

Something is telling you right. The dns subdirective can’t be loaded up this way. You just want dns linode, and you’ll want to set the environmental variables based on the provider chart here:

https://caddyserver.com/docs/automatic-https#dns-challenge

In your case, you’ll only need to set one: LINODE_API_KEY.

If you’ve only got one target, don’t worry about the upstream subdirective. It’s used to add additional upstream targets, such as for load balancing on the proxy. You’ve already specified the upstream in your example: 127.0.0.1:8000. Remove the upstream subdirective line entirely and you’ll be good to go.

At the moment, on the latest Caddy version 0.11.4, we don’t have TLS1.3 yet. It’s been updated in the source repository though, so if you’re building that, you’re good (and it’ll be in the next release). Also note that TLS1.2 is the default minimum; this line doesn’t need to be here unless you specifically want to call it out.

This will cause every single request to your site to return a 404. Did you want to return a 404 for the web root only? Incidentally, you could replace it with a one-liner status 404 / instead of opening a braced block.

Everything else looks good, although I haven’t looked through all the nginx configs to confirm you’ve got all the configuration covered.


(r) #3

Hello, and thank you. Yep, I’m building from source and have corrected several errors, such as adding LINODE_API_KEY=ssss to /etc/profile (and removing the email line from tls). I changed “body” to “write” in timeouts. As for status, it was my intention to replicate the block below from NGINX.

location / {
    try_files $uri $uri/ =404;
}

My final hurdle currently is with the DNS challenge when trying to run Caddy:

acme: error presenting token: json: cannot unmarshal object into Go value of type []*dns.Domain

But I suspect it is because I have configured something wrong.
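Putting the replies above together, here is the draft Caddyfile with those changes applied: no upstream subdirective for a single backend, no API key or email in the tls block, no protocols line, the nginx "always;" flag stripped from the header values, and the status block dropped. This is an added example, not posted by anyone in the thread; it assumes Caddy 0.11's Caddyfile syntax and that LINODE_API_KEY is exported in the environment Caddy runs in.

```caddyfile
# Caddy 0.11-style Caddyfile assembled from the thread's suggestions (added example).
https://servername.org {
	# Single backend, so the target is given here and no "upstream" line is needed.
	proxy / 127.0.0.1:8000 {
		websocket
		transparent
	}

	# Header values only; nginx's trailing "always;" flag is not part of a value.
	header / {
		X-Frame-Options "SAMEORIGIN"
		X-XSS-Protection "1; mode=block"
		Referrer-Policy "strict-origin"
		X-Content-Type-Options "nosniff"
		X-Permitted-Cross-Domain-Policies "none"
		Strict-Transport-Security "max-age=300; includeSubDomains"
		X-Robots-Tag "none"
		Access-Control-Allow-Methods "GET, POST, PUT"
		Content-Security-Policy "upgrade-insecure-requests"
		Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'self'; camera 'none'; encrypted-media 'none'; fullscreen 'self'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture *; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'"
		-Server
	}

	# DNS challenge: the linode provider reads LINODE_API_KEY from the
	# environment (assumption: it is exported before Caddy starts), so no
	# key or email belongs in the Caddyfile. TLS 1.2 is already the minimum.
	tls {
		dns linode
	}

	limits {
		header 100KB
		body 100MB
	}

	# "body" is not a timeouts subdirective; "write" is the closest counterpart.
	timeouts {
		read 36000s
		write 600s
	}

	# No "status 404 /": that would answer 404 for every request. Caddy's file
	# server already returns 404 for paths with no matching file, which is what
	# "try_files $uri $uri/ =404" did in nginx (and proxy / handles everything here anyway).
	root /home/a/t/server/www/.well-known/
}
```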


(Matthew Fay) #4

Strange. Can you try with 0.11.4 and see if it does the same thing? Seems like an issue with the DNS provider plugin.