1. Caddy version (caddy version):
caddy:2
2. How I run Caddy:
docker
a. System environment:
Docker on Ubuntu 20.04
d. My complete Caddyfile or JSON config:
```caddyfile
(strip-www) {
	@www.{args.0} host www.{args.0}
	redir @www.{args.0} https://{args.0}{uri}
}
(add-www) {
	@{args.0} host {args.0}
	redir @{args.0} https://www.{args.0}{uri}
}
www.example.com:443 {
	import strip-www example.com
	tls let_admin@example.com {
		# on_demand
		protocols tls1.2 tls1.3
		ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	}
	# HSTS (63072000 seconds)
	# No path matcher here: in Caddy v2 a bare "/" path matcher matches only the root path exactly,
	# so "header / ..." would have set HSTS on "/" alone instead of on every response.
	header Strict-Transport-Security "max-age=63072000"
}
example.com:443 {
	reverse_proxy http://internal_app:65
	@websockets {
		header_regexp Connection Upgrade
		header Upgrade websocket
	}
	reverse_proxy @websockets http://internal_app:65
	tls let_admin@example.com {
		# on_demand
		protocols tls1.2 tls1.3
		ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	}
	# HSTS (63072000 seconds)
	# No path matcher here either (same reason as above).
	header Strict-Transport-Security "max-age=63072000"
}
```
3. The problem I’m having:
I have a server running internally at 65 and serve it over example.com:443 to the public internet.
What I would like to do is:
- If a user arrives at www.example.com:443 (out of habit or browser shortcut), redirect them to example.com:443
- If a user arrives at (www.)example.com:80, redirect them to example.com:443 (is that called an HTTPS upgrade?)
- Have HSTS enabled on example.com:443
Here’s what I have. I think I have done a poor job because it’s not DRY - what are some things I can do better?
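One way to express the same three goals without repeating the TLS and HSTS settings per site, as an added example and not the poster's configuration: the shared settings move into one snippet that both site blocks import, the www block redirects unconditionally (the site address already limits it to that host, so no named matcher is needed), and a single reverse_proxy covers both plain HTTP and WebSocket traffic. The snippet name hardened and the permanent redirect code are my choices; the upstream address, ACME email and cipher list are taken from the post.

```caddyfile
# Added example, not the original poster's config.
# Everything both sites share lives here; each site block imports it once.
(hardened) {
	tls let_admin@example.com {
		protocols tls1.2 tls1.3
		# The cipher list only governs TLS 1.2; TLS 1.3 suites are fixed by Go and cannot be customised in Caddy.
		ciphers TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
	}
	# HSTS for two years (63072000 seconds), on every response: no "/" path matcher,
	# because Caddy v2 path matchers are exact unless they end in "*".
	header Strict-Transport-Security "max-age=63072000"
}

# Goal 1: www -> apex. This block is only ever reached for Host: www.example.com,
# so the redirect can be unconditional. "permanent" sends a 301; drop it to get a 302 while testing,
# since browsers cache 301s aggressively.
www.example.com {
	import hardened
	redir https://example.com{uri} permanent
}

# Goal 3: HSTS on the apex, via the snippet. The proxy upgrades WebSocket connections by itself,
# so the separate @websockets matcher and second reverse_proxy are not needed.
example.com {
	import hardened
	reverse_proxy http://internal_app:65
}

# Goal 2 (HTTP -> HTTPS) needs no explicit block: because both site addresses are bare domain names
# (port 443 is the default), Caddy's automatic HTTPS serves a redirect from port 80 to HTTPS for each host.
```

Two things worth checking once this is running. First, the automatic port-80 redirect keeps the original host, so http://www.example.com/ takes two hops (to https://www.example.com/, then to https://example.com/); that is normal, but it means the www site must also obtain a certificate, which it does here. Second, the HSTS header is sent by the www site as well, which is fine as long as www is always served over HTTPS; only add includeSubDomains once every subdomain under example.com is HTTPS-only, because the browser will refuse plain HTTP to all of them for the full max-age.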