Die aktuellste Version dieses Dokuments ist ein Entwurf.DiffDiese Version wurde durch eine neuere bestätigte Version ersetzt.DiffDiese Version (2024/01/12 20:41) ist ein Entwurf.
Überprüfungen: 0/1
Die zuvor bestätigte Version (2024/01/08 19:39) ist verfügbar.Diff

Dies ist eine alte Version des Dokuments!


Docker: Caddy

Caddy is a powerful full featured webserver, which is also easy to use and setup.

In this guide i will show how to use Caddy as SSL- Proxy for your services to deliver them to the internet via name- based virtual hosting.

You need a (Linux/rootless)- Dockerized System, as descirbed here: https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker|

You will also need a domainname like my.domain.tld and hostnames, that are resolvable for each service, so that service.my.domain.tld can be resolved from out of - and in the internet to point to your Server. If you do not have them already, this is how to get them.

There are many free Domainproviders out there. I chose dynv6 ( https://dynv6.com ), but this should work with any of them.

bla (not ready) blah - setup IPV4 , setup IPV6, bla link to https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:network-dyndns|

After that, create an A-Name record (or AAAA- Name for ipv6) per service without specifying the ip, som that the dynamic ip of the domain will be taken. Only paste the servicename, dynv6 will automagically append your domain (service → service.my.domain.tld)

In our example this would be nice:

portainerportainer.my.domain.tld

log in to your docker- user using ssh e.g.: ssh localhost -l docker

Then go to where your yaml- folders are and create a new folder for your caddy service.

For me, this would be mkdir /srv/docker-compose/caddy
Change to that directory and create the following docker-compose.yml file in it, putting in the following:

version: "3.8"

services:
  caddy:
    image: caddy:alpine
    restart: always
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_certs:/certs
      - caddy_config:/config
      - caddy_data:/data
      - caddy_sites:/srv
#Test html
#      - $PWD/index.html:/usr/share/caddy/index.html:ro
    cap_add:
      - NET_ADMIN
    healthcheck:
      test: "wget --no-verbose --tries=1 --spider https://obel1x.dynv6.net || exit 1"
      interval: "60s"
      timeout: "3s"
      start_period: "5s"
      retries: 3
# initially i wanted to make networkmode host to acces ports on locahost directly
# it turned out not to work in rootless- mode for security reasons
# so don't use host- mode. to access local services take the hostname directly, maybe define it static and add it to /etc/hosts
# e.g. pcserver:9000 - mind, that the port must be pubilshed by the other containers to the host
# NOT localhost:9000 - this is prevented by docker in rootless- mode !
#    network_mode: "host"
# set /etc/sysctl.conf to allow Port 80 and 443 with
# net.ipv4.ip_unprivileged_port_start = 80
# net.ipv4.ip_unprivileged_port_start = 443
# can also be set without booting: sysctl key = value
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"

volumes:
  caddy_data:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_config:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_certs:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_sites:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"

Also, check that your Firewall has those Ports open on your hosts and that Port Forwarding in your Router is enabled for ipv4 and for ipv6 that the host+ports are not blocked.

if you omit the Caddyfile, the server will already work, but we can directly Skip those tests and create the file Caddyfile in that folder too with the following content:

https://portainer.my.domain.tld:443 {
        header Strict-Transport-Security max-age=31536000;
        reverse_proxy mylocalhostname:9000
}

replace mylocalhostname with your actual hostname (can be found out by calling hostname in your terminal).

Don't use localhost - see above. If you do not have a clue which hostname you have, better specify some fixed one which you can freely chose and edit /etc/hosts to have that name point to your local ip.

Thats all - use docker-compose up -d to start your container. In the Container- Logs you will see Caddy automagically create SSL- Certificates from lets encrypt if everything was setup the right way. Caddy will take care of renewal without the need to configure anything.

You now have a powerful proxy, that can transparently deliver your Dockers to the world with SSL- encryption enabled.

Diese Website verwendet Cookies. Durch die Nutzung der Website stimmen Sie dem Speichern von Cookies auf Ihrem Computer zu. Außerdem bestätigen Sie, dass Sie unsere Datenschutzbestimmungen gelesen und verstanden haben. Wenn Sie nicht einverstanden sind, verlassen Sie die Website.Weitere Information
  • content/serverbasics/docker-caddy.1705092100.txt.gz
  • Zuletzt geändert: 2024/01/12 20:41
  • von Daniel