

This is an old version of the document!
Docker: Caddy
Caddy is a powerful, full-featured web server that is also easy to use and set up.
In this guide I will show how to use Caddy as an SSL proxy for your services, to deliver them to the internet via name-based virtual hosting.
Prerequisites
You need a (Linux/rootless) Dockerized system, as described here: https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:docker
DNS Records
You will also need a domain name like my.domain.tld and a resolvable hostname for each service, so that service.my.domain.tld can be resolved both from outside and from inside the internet to point to your server. If you do not have them already, this is how to get them.
Register some Domain
There are many free domain providers out there. I chose dynv6 ( https://dynv6.com ), but this should work with any of them.
(Not ready yet: set up IPv4, set up IPv6; link to https://obel1x.de/dokuwiki/doku.php?id=content:serverbasics:network-dyndns)
Define services
After that, create an A record (or an AAAA record for IPv6) per service without specifying the IP, so that the dynamic IP of the domain will be taken.
Create Caddy Yaml
Log in to your docker user using ssh, e.g.: ssh localhost -l docker
Then go to where your YAML folders are and create a new folder for your Caddy service.
For me, this would be: mkdir /srv/docker-compose/caddy
Change to that directory and create a docker-compose.yml file in it with the following content:
version: "3.8"
services:
  caddy:
    image: caddy:alpine
    restart: always
    volumes:
      - $PWD/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_certs:/certs
      - caddy_config:/config
      - caddy_data:/data
      - caddy_sites:/srv
      # Test html
      # - $PWD/index.html:/usr/share/caddy/index.html:ro
    cap_add:
      - NET_ADMIN
    # Initially I wanted to use network mode host to access ports on localhost directly.
    # It turned out not to work in rootless mode for security reasons,
    # so don't use host mode. To access local services take the hostname directly,
    # maybe define it statically and add it to /etc/hosts,
    # e.g. pcserver:9000 - mind that the port must be published by the other containers to the host,
    # NOT localhost:9000 - this is prevented by Docker in rootless mode!
    # network_mode: "host"
    # Set /etc/sysctl.conf to allow ports 80 and 443 with
    # net.ipv4.ip_unprivileged_port_start = 80
    # (the value is the lowest port an unprivileged process may bind, so 80 also
    # covers 443; a second line with 443 would override it and block port 80)
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
volumes:
  caddy_data:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_config:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_certs:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
  caddy_sites:
    driver: local
    driver_opts:
      device: ""
      type: ""
      o: "umask=0007"
Caddy Configuration
If you omit the Caddyfile, the server will already work, but we can skip those tests and directly create the file Caddyfile in that folder too, with the following content:
https://portainer.obel1x.dynv6.net:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy pcserver2023:9000
}
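As more services get their own site block, a small check helps keep each one consistent with the setup above: HSTS set per site, and no upstream pointing at localhost (which the compose-file comments warn does not reach other services in rootless mode). The following is an added example, not part of the original guide; the second site in the sample (wiki.example.test) and the function names are hypothetical, and the parser only understands the plain block layout used on this page.

```python
import re

# Constructed sample: block 1 is the page's Caddyfile; block 2 is a hypothetical,
# deliberately misconfigured site that the checker should flag.
SAMPLE = """\
https://portainer.obel1x.dynv6.net:443 {
    header Strict-Transport-Security max-age=31536000;
    reverse_proxy pcserver2023:9000
}
https://wiki.example.test:443 {
    reverse_proxy localhost:8080
}
"""

# Upstreams that resolve to the Caddy container itself, not to the Docker host.
LOOPBACK = re.compile(r"^(?:https?://)?(?:localhost|127(?:\.\d+){3}|\[::1\])(?::\d+)?$")

def parse_sites(text):
    """Map each site address to its top-level directives (lists of tokens)."""
    sites, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0 and line.endswith("{"):
            current, depth = line[:-1].strip(), 1
            sites[current] = []
        elif line == "}":
            depth = max(depth - 1, 0)
        elif depth >= 1:
            tokens = [t for t in line.split() if t != "{"]
            if depth == 1 and tokens:
                sites[current].append(tokens)
            if line.endswith("{"):
                depth += 1  # nested block, e.g. reverse_proxy options
    return sites

def lint(text):
    """Return (site, finding) tuples for missing HSTS and loopback upstreams."""
    findings = []
    for site, directives in parse_sites(text).items():
        if not site:
            continue  # a global options block has no address
        if not any(d[0] == "header" and d[1:2] and d[1].lower() == "strict-transport-security" for d in directives):
            findings.append((site, "no Strict-Transport-Security header"))
        for d in directives:
            if d[0] == "reverse_proxy":
                findings += [(site, f"loopback upstream {u}") for u in d[1:] if LOOPBACK.match(u)]
    return findings
```

Calling lint() on the text of your own Caddyfile returns an empty list when every site sets HSTS and proxies to a hostname.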