
Caddy

Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS

Caddy 2 is a powerful, enterprise-ready, open source web server with automatic HTTPS written in Go.

Connecting to Let's Encrypt is simple, and setting up a reverse proxy is easy.

Install

Stable releases:

sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https curl
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
sudo apt update
sudo apt install caddy

That said, rather than the method above, just use the Docker image:

docker pull caddy

Caddyfile

File location: check /etc/caddy/Caddyfile.

Schemes

  • h2c:// - HTTP/2 cleartext (unencrypted)

Final Caddyfile settings that worked with Let's Encrypt

# The Caddyfile is an easy way to configure your Caddy web server.
#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.
#
# To use your own domain name (with automatic HTTPS), first make
# sure your domain's A/AAAA DNS records are properly pointed to
# this machine's public IP, then replace ":80" below with your
# domain name.

#:80 {
#       # Set this path to your site's directory.
#       root * /usr/share/caddy
#
#       # Enable the static file server.
#       file_server
#
#       # Another common task is to set up a reverse proxy:
#       # reverse_proxy localhost:8080
#
#       # Or serve a PHP site through php-fpm:
#       # php_fastcgi localhost:9000
#}

# Refer to the Caddy docs for more information:
# https://caddyserver.com/docs/caddyfile

{
    email yourid@gmail.com
}

api.domain.run {
    tls {
        alpn "h2" "http/1.1"
    }
    reverse_proxy * 192.168.100.100:8080
}

demo.domain.run {
    tls {
        alpn "h2" "http/1.1"
    }
    reverse_proxy * 192.168.100.101:8080
}

test0.domain.run {
    tls {
        alpn "h2" "http/1.1"
    }
    reverse_proxy * 192.168.100.102:8080
}

test1.domain.run {
    tls {
        alpn "h2" "http/1.1"
    }
    reverse_proxy * 192.168.100.103:8080
}

How to reverse proxy gRPC

Supported out of the box since Caddy v2.

grpc.example.com {
    reverse_proxy h2c://localhost:9090
}

Directives

forward_auth

reverse_proxy

Docker example

version: '3'
services:
  caddy:
    image: caddy
    ports: 
      - "80:80"
      - "443:443"
    networks:
      - caddy-net
    volumes:
      - ./caddy/data/:/data/
      - ./caddy/config/:/config/
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile

  frontend:
    container_name: frontend
    image: ghcr.io/<username>/<image-name>:latest
    networks:
      - caddy-net

networks:
  caddy-net:

Caddyfile:

{
    email <your@email.tld>
}

<domain.tld> {
    reverse_proxy http://frontend:8000
}

How to apply Basicauth

Generate the password hash:

# Enter the desired password at the prompt, then copy the printed hash value.
caddy hash-password

Apply it in the Caddyfile:

sub.your.domain.com {
    tls {
        ...
    }

    # Add ID/PW authentication (basic authentication)
    basicauth * {
        your_username $paste_the_hashed_password_here$
    }

    reverse_proxy * 192.168.88.100:5000
}
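
A check for the Basicauth step above, as an added example that is not part of the original page or of Caddy itself: it walks a Caddyfile and reports credential lines whose value is not a bcrypt hash (a placeholder or plaintext password left in the file) or whose cost is low. The function name, the `min_cost` threshold and the sample sites are assumptions, and the hash strings are constructed filler.

```python
import re

# bcrypt modular-crypt string: $2a$/$2b$/$2y$, two-digit cost, 53 chars of salt+digest
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
AUTH_DIRECTIVES = {"basicauth", "basic_auth"}  # older and newer directive spelling

def audit_basicauth(caddyfile, min_cost=10):
    """Return (site, user, problem) tuples; min_cost is an assumed local policy."""
    findings = []
    depth, site, auth_depth = 0, None, None
    for raw in caddyfile.splitlines():
        line = re.sub(r"(^|\s)#.*", "", raw).strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if line == "}":
            depth -= 1
            if auth_depth is not None and depth < auth_depth:
                auth_depth = None  # left the credentials block
            continue
        opens = tokens[-1] == "{"
        if depth == 0 and opens:
            site = " ".join(tokens[:-1]) or "(global options)"
        elif opens and tokens[0] in AUTH_DIRECTIVES:
            auth_depth = depth + 1  # credential lines live one level down
        elif depth == auth_depth and len(tokens) >= 2:
            m = BCRYPT.match(tokens[1])
            if m is None:
                findings.append((site, tokens[0], "value is not a bcrypt hash"))
            elif int(m.group(1)) < min_cost:
                findings.append((site, tokens[0], f"bcrypt cost {int(m.group(1))} below {min_cost}"))
        if opens:
            depth += 1
    return findings

# Constructed sample: the hash strings are format-valid filler, not real password hashes.
SAMPLE = """
ok.example.com {
    basicauth * {
        alice %s
    }
}
bad.example.com {
    basic_auth /admin/* {
        bob $paste_hashed_password_here$   # placeholder left in
        carol %s
    }
}
""" % ("$2a$14$" + "A" * 53, "$2a$04$" + "B" * 53)
```

Calling `audit_basicauth(SAMPLE)` flags `bob` (placeholder) and `carol` (cost 4) on bad.example.com and nothing on ok.example.com.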

Troubleshooting

could not fully update ACME renewal info

could not fully update ACME renewal info: either no ACME issuer configured for certificate, or all failed (make sure the ACME CA that issued the certificate is configured)

In other words, the certificate either has no ACME issuer configured or every update attempt failed, so check that the ACME CA that issued the certificate is configured.

If you have not added an issuer to the Caddyfile, add one:

888.test.mydomain.com {
    tls {
        issuer acme {
            email your-email@example.com
            # This is the default, but specify it explicitly
            dir https://acme-v02.api.letsencrypt.org/directory
        }
    }
    reverse_proxy localhost:8080
}

See also

  • Traefik
  • localias - custom local domain aliases for local development servers
