Caddy: Difference between revisions
imported>Malteneuss (Add debugging section) |
(→Reverse proxy: Add example on forward real client ip) |
||
| (19 intermediate revisions by 7 users not shown) | |||
| Line 1: | Line 1: | ||
[https://caddyserver.com/ Caddy] is | [https://caddyserver.com/ Caddy] is an efficient, HTTP/2 capable web server that can serve static and dynamic web pages. | ||
It can also be a reverse proxy to serve multiple web services under one server. Its main features are its simple config setup and automatic HTTPS: It will automatically request and renew a LetsEncrypt certificate so that users of your service get a Browser-trusted and secure connection. | |||
== | == Get started == | ||
To try out Caddy add the following minimal example to your [[NixOS modules | NixOS module]]: | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
services.caddy = { | { | ||
# ... | |||
services.caddy = { | |||
http://localhost | enable = true; | ||
virtualHosts."localhost".extraConfig = '' | |||
respond "Hello, world!" | |||
''; | |||
}; | |||
} | |||
</syntaxhighlight> | |||
This snippet will let Caddy respond on <code>http://localhost</code> and <code>https://localhost</code> with a dummy text "Hello world!". When no port is mentioned on virtualhost like just <code>localhost</code> instead of <code>localhost:8080</code>, Caddy listens on <code>80</code> and <code>443</code> by default and redirects requests from port 80 (unsecured) to 443 (secured). | |||
==== Check http connection ==== | |||
You can use <code>curl</code> to test the http connections: | |||
<syntaxhighlight lang="bash"> | |||
$ curl localhost -i -L -k | |||
HTTP/1.1 308 Permanent Redirect | |||
Location: https://localhost/ | |||
.. | |||
HTTP/2 200 | |||
alt-svc: h3=":443"; ma=2592000 | |||
content-type: text/plain; charset=utf-8 | |||
... | |||
Hello, world! | |||
</syntaxhighlight> | |||
Here you can see that Caddy automatically redirects from an unsecure http://localhost to a secure https://localhost call. | |||
For local addresses like "localhost" Caddy always generates and uses a self-signed certificate, which curl correctly doesn't trust; use the <code>-k</code> flag to ignore that. | |||
==== Check http(s) connection ==== | |||
When virtualhost and "real" host aren't the same it gets complicated with HTTPS, so the following curl command works: | |||
<syntaxhighlight lang="bash"> | |||
$ curl --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k | |||
Hello, world! | |||
</syntaxhighlight> | |||
Curl will set <code>Host</code> header and TLS <code>SNI</code> in the request to <code><virtualhost></code> as desired by Caddy, but will make the actual request against the <code><realhost></code>, e.g. a load-balancer or ingress-controller. | |||
Alternatively with http and automatic redirects to https you can extend that call: | |||
<syntaxhighlight lang="bash"> | |||
$ curl --connect-to <virtualhost>:80:<realhost>:80 --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k -L | |||
Hello, world! | |||
</syntaxhighlight> | </syntaxhighlight> | ||
== | * [https://curl.se/docs/manpage.html#--connect-to curl connect-to documentation] | ||
* [https://www.claudiokuenzler.com/blog/693/curious-case-of-curl-ssl-tls-sni-http-host-header Curl on HTTPS, SNI, Host] | |||
* [https://github.com/caddyserver/caddy/issues/2656#issuecomment-1627342466 curl to Caddy over HTTPS] | |||
== Typical configurations == | |||
=== SSL === | === SSL === | ||
| Line 42: | Line 82: | ||
} | } | ||
''; | ''; | ||
}; | }; | ||
networking.firewall.allowedTCPPorts = [ 80 443]; | |||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 54: | Line 95: | ||
virtualHosts."example.org".extraConfig = '' | virtualHosts."example.org".extraConfig = '' | ||
reverse_proxy http://10.25.40.6 | reverse_proxy http://10.25.40.6 | ||
''; | |||
virtualHosts."another.example.org".extraConfig = '' | |||
reverse_proxy unix//run/gunicorn.sock | |||
''; | |||
}; | |||
</syntaxhighlight>In case you would like to forward the real client IP of the request to the backend, add following headers<syntaxhighlight lang="nix"> | |||
services.caddy = { | |||
virtualHosts."example.org".extraConfig = '' | |||
reverse_proxy http://10.25.40.6 { | |||
header_down X-Real-IP {http.request.remote} | |||
header_down X-Forwarded-For {http.request.remote} | |||
} | |||
''; | ''; | ||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight>Fur further reverse proxy configuration, see [https://caddyserver.com/docs/quick-starts/reverse-proxy upstream documentation]. | ||
=== Redirect === | === Redirect === | ||
| Line 69: | Line 120: | ||
virtualHosts."example.org" = { | virtualHosts."example.org" = { | ||
extraConfig = '' | extraConfig = '' | ||
redir https://www.example.org | redir https://www.example.org{uri} | ||
''; | ''; | ||
serverAliases = [ "old.example.org" ]; | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
| Line 96: | Line 147: | ||
== Debugging == | == Debugging == | ||
=== Check used ports === | |||
To check if Caddy is running and listening as configured you can run <code>netstat</code>: | |||
<syntaxhighlight lang="bash"> | <syntaxhighlight lang="bash"> | ||
$ netstat -tulpn | $ netstat -tulpn | ||
Active Internet connections (only servers) | Active Internet connections (only servers) | ||
Proto Recv-Q Send-Q | Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | ||
tcp 0 | tcp 0 0 127.0.0.1:2019 0.0.0.0:* LISTEN 1202/caddy | ||
tcp6 0 | tcp6 0 0 :::80 :::* LISTEN 1202/caddy | ||
tcp6 0 | tcp6 0 0 :::443 :::* LISTEN 1202/caddy | ||
udp6 | udp6 0 0 :::443 :::* 1202/caddy | ||
</syntaxhighlight> | </syntaxhighlight> | ||
The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore). | The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore). | ||
The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that | The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that our virtualhost config was used. | ||
=== Virtualhost and real host not identical === | |||
When you connect to Caddy must ensure that the "Host" header matches the virtualhost entry of Caddy. For example, when testing locally a config like | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
| Line 125: | Line 175: | ||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
you must send the request against "localhost" and manually override the host header to "example.org": | |||
<syntaxhighlight lang="bash"> | |||
$ curl localhost -i -H "Host: example.org" | |||
HTTP/1.1 308 Permanent Redirect | |||
Connection: close | |||
Location: https://example.org/ | |||
Server: Caddy | |||
... | |||
</syntaxhighlight> | |||
Above you also see the redirect from http://localhost to https://example.org; Caddy always redirects from the unsecure to the secure port of your virtualhost. | |||
If the response is empty, try setting a port number like 80 and/or try a local TLS security certificate instead of global LetsEncrypt: | If the response is empty, try setting a port number like 80 and/or try a local TLS security certificate instead of global LetsEncrypt: | ||
| Line 150: | Line 213: | ||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category: | [[Category:Server]] | ||
[[Category:Networking]] | |||
Latest revision as of 16:28, 19 May 2024
Caddy is an efficient, HTTP/2 capable web server that can serve static and dynamic web pages. It can also be a reverse proxy to serve multiple web services under one server. Its main features are its simple config setup and automatic HTTPS: It will automatically request and renew a LetsEncrypt certificate so that users of your service get a Browser-trusted and secure connection.
Get started
To try out Caddy add the following minimal example to your NixOS module:
{
# ...
services.caddy = {
enable = true;
virtualHosts."localhost".extraConfig = ''
respond "Hello, world!"
'';
};
}
This snippet will let Caddy respond on http://localhost and https://localhost with a dummy text "Hello world!". When no port is mentioned on virtualhost like just localhost instead of localhost:8080, Caddy listens on 80 and 443 by default and redirects requests from port 80 (unsecured) to 443 (secured).
Check http connection
You can use curl to test the http connections:
$ curl localhost -i -L -k
HTTP/1.1 308 Permanent Redirect
Location: https://localhost/
..
HTTP/2 200
alt-svc: h3=":443"; ma=2592000
content-type: text/plain; charset=utf-8
...
Hello, world!
Here you can see that Caddy automatically redirects from an unsecure http://localhost to a secure https://localhost call.
For local addresses like "localhost" Caddy always generates and uses a self-signed certificate, which curl correctly doesn't trust; use the -k flag to ignore that.
Check http(s) connection
When virtualhost and "real" host aren't the same it gets complicated with HTTPS, so the following curl command works:
$ curl --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k
Hello, world!
Curl will set Host header and TLS SNI in the request to <virtualhost> as desired by Caddy, but will make the actual request against the <realhost>, e.g. a load-balancer or ingress-controller.
Alternatively with http and automatic redirects to https you can extend that call:
$ curl --connect-to <virtualhost>:80:<realhost>:80 --connect-to <virtualhost>:443:<realhost>:443 https://<virtualhost> -k -L
Hello, world!
Typical configurations
SSL
Caddy will automatically try to acquire SSL certificates for the specified domain, in this example example.org. This requires you to configure the DNS records of your domain correctly, which should point to the address of your Caddy server. The firewall ports 80 and 443 needs to be opened.
services.caddy = {
enable = true;
virtualHosts."example.org".extraConfig = ''
encode gzip
file_server
root * ${
pkgs.runCommand "testdir" {} ''
mkdir "$out"
echo hello world > "$out/example.html"
''
}
'';
};
networking.firewall.allowedTCPPorts = [ 80 443];
Reverse proxy
The following snippet creates a reverse proxy for the domain example.org, redirecting all requests to http://10.25.40.6
services.caddy = {
enable = true;
virtualHosts."example.org".extraConfig = ''
reverse_proxy http://10.25.40.6
'';
virtualHosts."another.example.org".extraConfig = ''
reverse_proxy unix//run/gunicorn.sock
'';
};
In case you would like to forward the real client IP of the request to the backend, add following headers
services.caddy = {
virtualHosts."example.org".extraConfig = ''
reverse_proxy http://10.25.40.6 {
header_down X-Real-IP {http.request.remote}
header_down X-Forwarded-For {http.request.remote}
}
'';
};
Fur further reverse proxy configuration, see upstream documentation.
Redirect
Redirecting example.org and old.example.org to www.example.org
services.caddy = {
enable = true;
virtualHosts."example.org" = {
extraConfig = ''
redir https://www.example.org{uri}
'';
serverAliases = [ "old.example.org" ];
};
PHP FastCGI
Serving a PHP application in /var/www on http://localhost .
services.caddy = {
enable = true;
virtualHosts."http://localhost" = {
extraConfig = ''
root * /var/www
file_server
php_fastcgi unix/var/run/phpfpm/localhost.sock
'';
};
};
You'll need a PHP-FPM socket listening on Unix socket path /var/run/phpfpm/localhost.sock.
Debugging
Check used ports
To check if Caddy is running and listening as configured you can run netstat:
$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2019 0.0.0.0:* LISTEN 1202/caddy
tcp6 0 0 :::80 :::* LISTEN 1202/caddy
tcp6 0 0 :::443 :::* LISTEN 1202/caddy
udp6 0 0 :::443 :::* 1202/caddy
The tcp (ipv4) socket port 2019 is Caddy's management endpoint, for when you want manage its config via web REST calls instead of Nix (ignore). The tcp6 (an ipv6 socket that also listens on ipv4) socket on port 80 (HTTP) and 443 (HTTPS) indicate that our virtualhost config was used.
Virtualhost and real host not identical
When you connect to Caddy must ensure that the "Host" header matches the virtualhost entry of Caddy. For example, when testing locally a config like
services.caddy = {
enable = true;
virtualHosts."example.org".extraConfig = ''
respond "Hello, world!"
'';
};
you must send the request against "localhost" and manually override the host header to "example.org":
$ curl localhost -i -H "Host: example.org"
HTTP/1.1 308 Permanent Redirect
Connection: close
Location: https://example.org/
Server: Caddy
...
Above you also see the redirect from http://localhost to https://example.org; Caddy always redirects from the unsecure to the secure port of your virtualhost.
If the response is empty, try setting a port number like 80 and/or try a local TLS security certificate instead of global LetsEncrypt:
services.caddy = {
enable = true;
virtualHosts."example.org:80".extraConfig = ''
respond "Hello, world!"
tls internal
'';
};
With "tls internal" Caddy will generate a local certificate, which is good when testing locally and/or you don't have internet access (e.g. inside a nixos-container).