Caddy: Difference between revisions
mNo edit summary |
|||
(8 intermediate revisions by 4 users not shown) | |||
Line 2: | Line 2: | ||
It can also be a reverse proxy to serve multiple web services under one server. Its main features are its simple config setup and automatic HTTPS: It will automatically request and renew a LetsEncrypt certificate so that users of your service get a Browser-trusted and secure connection. | It can also be a reverse proxy to serve multiple web services under one server. Its main features are its simple config setup and automatic HTTPS: It will automatically request and renew a LetsEncrypt certificate so that users of your service get a Browser-trusted and secure connection. | ||
== | == Setup == | ||
To try out Caddy add the following minimal example to your [[NixOS modules | NixOS module]]: | To try out Caddy add the following minimal example to your [[NixOS modules | NixOS module]]: | ||
Line 100: | Line 100: | ||
''; | ''; | ||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight>In case you would like to forward the real client IP of the request to the backend, add following headers<syntaxhighlight lang="nix"> | ||
services.caddy = { | |||
virtualHosts."example.org".extraConfig = '' | |||
reverse_proxy http://10.25.40.6 { | |||
header_down X-Real-IP {http.request.remote} | |||
header_down X-Forwarded-For {http.request.remote} | |||
} | |||
''; | |||
}; | |||
</syntaxhighlight>Fur further reverse proxy configuration, see [https://caddyserver.com/docs/quick-starts/reverse-proxy upstream documentation]. | |||
=== Redirect === | === Redirect === | ||
Permanent redirect of <code>example.org</code> and <code>old.example.org</code> to <code>www.example.org</code> | |||
<syntaxhighlight lang="nix"> | <syntaxhighlight lang="nix"> | ||
Line 113: | Line 120: | ||
virtualHosts."example.org" = { | virtualHosts."example.org" = { | ||
extraConfig = '' | extraConfig = '' | ||
redir https://www.example.org{uri} | redir https://www.example.org{uri} permanent | ||
''; | ''; | ||
serverAliases = [ "old.example.org" ]; | |||
}; | }; | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Line 137: | Line 144: | ||
You'll need a [[Phpfpm|PHP-FPM]] socket listening on Unix socket path <code>/var/run/phpfpm/localhost.sock</code>. | You'll need a [[Phpfpm|PHP-FPM]] socket listening on Unix socket path <code>/var/run/phpfpm/localhost.sock</code>. | ||
=== Passing environment variable secrets/configuring acme_dns === | |||
To prevent any secrets from being put in the nix store (any NixOS setting that writes a config in the Nix store will expose any secret in it), you can use the following setting<syntaxhighlight lang="nixos"> | |||
services.caddy = { | |||
enable = true; | |||
globalConfig = '' | |||
acme_dns PROVIDER { | |||
api_key {$APIKEY} | |||
api_secret_key {$APISECRETKEY} | |||
} | |||
''; | |||
}; | |||
systemd.services.caddy.serviceConfig.EnvironmentFile = ["/path/to/envfile"]; | |||
</syntaxhighlight>And then at '''/path/to/envfile''':<syntaxhighlight> | |||
APIKEY=YOURKEY | |||
APISECRETKEY=OTHERKEY | |||
</syntaxhighlight> | |||
=== Adding plug-ins === | |||
There are many Issues/PR's about allowing Caddy to be built with plug-ins. Until then, you can use this workaround:<syntaxhighlight lang="nixos"> | |||
services.caddy = { | |||
enable = true; | |||
package = (pkgs.callPackage "${builtins.fetchurl https://raw.githubusercontent.com/jpds/nixpkgs/a33b02fa9d664f31dadc8a874eb1a5dbaa9f4ecf/pkgs/servers/caddy/default.nix}" { | |||
externalPlugins = [ | |||
{ name = "caddy-dns/porkbun"; repo = "github.com/caddy-dns/porkbun"; version = "4267f6797bf6543d7b20cdc8578a31764face4cf"; } | |||
# Set version to target repository commit hash | |||
]; | |||
vendorHash = ""; # Add this as explained in https://github.com/NixOS/nixpkgs/pull/259275#issuecomment-1763478985 | |||
}); | |||
globalConfig = '' | |||
... | |||
''; | |||
} | |||
</syntaxhighlight> | |||
== Debugging == | == Debugging == | ||
Line 206: | Line 247: | ||
[[Category:Applications]] | [[Category:Applications]] | ||
[[Category: | [[Category:Server]] | ||
[[Category: | [[Category:Networking]] |