https://hub.docker.com/_/caddy
https://caddyserver.com/download
https://www.toolnb.com/tools/rewriteTools.html - 伪静态转换
https://caddyserver.com/docs/caddyfile/patterns
https://caddyserver.com/docs/command-line
https://github.com/caddyserver/caddy/releases
https://github.com/caddy-dns/dnspod
https://github.com/caddy-dns/alidns
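# Production instance of the official caddy image on the host's 80/443. The host
# Caddyfile, ACME storage dir, /config and the site/file trees are bind-mounted;
# /etc/localtime is mounted read-only so container logs carry host time.
docker run -d -p 80:80 -p 443:443 --name caddy --restart=always \
  -v /data/site/docker/env/nginx/caddy/etc/Caddyfile:/etc/caddy/Caddyfile \
  -v /data/site/docker/env/nginx/caddy/ssl:/etc/ssl/caddy \
  -v /data/site/docker/env/nginx/caddy/config:/config \
  -v /data/site:/data/site \
  -v /data/file:/data/file \
  -v /etc/localtime:/etc/localtime:ro \
  caddy
# Interactive shell inside the running container.
docker exec -it caddy sh
# Test instance: host port 87 -> container port 80, no TLS port published,
# config dir taken from /data/docker/nginx/caddy instead.
docker run -d -p 87:80 --name caddytest --restart=always \
  -v /data/docker/nginx/caddy/config:/config \
  -v /data/site:/data/site \
  -v /data/file:/data/file \
  -v /etc/localtime:/etc/localtime:ro \
  caddy
docker exec -it caddytest sh
# Presumably run in the container shell opened above: self-upgrade the binary and
# add the DNSPod module used for the wildcard DNS-01 challenge further down.
caddy upgrade
caddy add-package github.com/caddy-dns/dnspod
# Hand the caddy tree to admin. 'user:group' is the POSIX form; the 'user.group'
# spelling is a GNU-only leftover that becomes ambiguous when a user name contains a dot.
chown -R admin:admin /data/docker/nginx/caddy
# NOTE(review): 777 makes the Caddyfile, the issued private keys and /config
# world-writable, so any local user can alter what Caddy serves or read the keys;
# presumably the chown above already gives the needed access — confirm and tighten.
chmod -R 777 /data/docker/nginx/caddy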
---简单挑了几个常用插件,执行一键安装脚本(getcaddy.com 是 Caddy v1 的安装脚本;curl | bash 会不经核对直接执行远端内容,建议先把脚本下载下来看过再运行)
curl https://getcaddy.com | bash -s personal hook.service,http.cache,http.cgi,http.expires,http.git,http.filter,http.forwardproxy,http.realip,tls.dns.cloudflare,http.geoip,http.grpc
---查询caddy位置
which caddy
/usr/local/bin/caddy
---不要以root用户身份运行Caddy二进制文件。
-为了使Caddy能够以非root用户身份绑定到特权端口(例如80、443),您需要运行以下setcap命令:
setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy
-创建专用的系统用户和用户组caddy,创建的用户caddy只能用于管理Caddy服务,而不能用于登录.
useradd -r -d /var/www -M -s /sbin/nologin caddy
---配置Caddyfile
vim /etc/caddy/Caddyfile
wenboz.com {
redir https://www.wenboz.com
}
www.wenboz.com {
root * /var/www/wenboz.com
gzip
log /var/log/caddy/wenboz.com.log
tls im.wbzhang@gmail.com
}
so.wenboz.com {
root * /var/www/so.wenboz.com
gzip
log /var/log/caddy/so.wenboz.com.log
tls im.wbzhang@gmail.com
}
-Caddy 默认会将 HTTP 访问转为 HTTPS
---配置服务
vim /etc/systemd/system/caddy.service
[Unit]
Description=Caddy HTTP/2 web server
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=caddy
Group=caddy

; Letsencrypt-issued certificates will be written to this directory.
Environment=CADDYPATH=/etc/ssl/caddy

; Always set "-root" to something safe in case it gets forgotten in the Caddyfile.
ExecStart=/usr/local/bin/caddy -log stdout -agree=true -conf=/etc/caddy/Caddyfile -root=/var/tmp -quic
ExecReload=/bin/kill -USR1 $MAINPID

; Use graceful shutdown with a reasonable timeout
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Unmodified caddy is not expected to use more than that.
LimitNPROC=512

; Use private /tmp and /var/tmp, which are discarded after caddy stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/caddy, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/ssl/caddy

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by caddy. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
;CapabilityBoundingSet=CAP_NET_BIND_SERVICE
;AmbientCapabilities=CAP_NET_BIND_SERVICE
;NoNewPrivileges=true

[Install]
WantedBy=multi-user.target
-官方 unit 文件以 caddy:caddy 用户运行 Caddy,所以下面这些目录都要让该用户能访问;如果取消注释 AmbientCapabilities=CAP_NET_BIND_SERVICE 这一行,也可以不依赖前面的 setcap 来绑定 80/443
-配置文件
mkdir /etc/caddy
touch /etc/caddy/Caddyfile
chown -R caddy:caddy /etc/caddy
- SSL 文件
mkdir /etc/ssl/caddy
chown -R caddy:caddy /etc/ssl/caddy
chmod 0770 /etc/ssl/caddy
-Caddy 日志
mkdir /var/log/caddy/
chown -R caddy:caddy /var/log/caddy/
-网站根目录
mkdir /var/www
chown caddy:caddy /var/www
---使用 systemd 管理 Caddy
-重载配置
systemctl daemon-reload
-启动
systemctl start caddy.service
-重启
systemctl restart caddy.service
-查看
systemctl status caddy.service
-开机启动
systemctl enable caddy.service
---caddy help
-版本
caddy version
-升级caddy
caddy upgrade
-列出caddy当前已经安装的模块
caddy list-modules --packages
---使用journalctl查看详细信息
journalctl -u caddy
-还可以指定时间,例如5分钟
journalctl -u caddy --since "5 min ago"
---Caddy 开启 QUIC 很简单。只需要启动时加上 '-quic'
-使用 QUIC 协议网站可以大大提升访问速度
--dns.cloudflare插件
-在service块内加入两行
Environment=CLOUDFLARE_EMAIL=example@mail.com
Environment=CLOUDFLARE_API_KEY=123456789
-conf
example.com {
gzip
proxy / http://localhost:8080 {
transparent
}
tls {
dns cloudflare
}
}
---cache插件
example.com {
gzip
cache
proxy / http://localhost:8080 {
transparent
}
tls {
dns cloudflare
}
}
---git插件
example.com {
root /srv/www/example
gzip
git https://tt-rss.org/git/tt-rss.git
# PHP-FPM Configuration for Caddy
fastcgi / /run/php/php7.2-fpm.sock php {
ext .php
split .php
index index.php
}
}
-指定git地址,root目录会自动同步到最新代码
---静态文件服务
www.flysnow.org {
root * /var/www/mysite
file_server
}
--泛域名证书申请和使用
-阿里云
caddy add-package github.com/caddy-dns/alidns
-腾讯云
caddy add-package github.com/caddy-dns/dnspod
-阿里云
-key_id 和 key_secret 来自阿里云控制台创建的 AccessKey(这对密钥等同于账号凭据,不要写进会被保存或分享的配置,可用 {env.ALIDNS_ACCESS_KEY_SECRET} 这类占位符从环境变量读取);region 就是账户所属区域,可不填,默认为 cn-hangzhou
*.my.com {
tls {
dns alidns {
access_key_id key_id
access_key_secret key_secret
# region_id region
}
}
}
-腾讯云
-dnspod 需要的是 api token,由 ID,Token 组合而成,用英文逗号分隔;DNSPod 文档里有说明如何创建 Token。如 id 为 3245,token 为 sf3fwr234,则完整的 api_token 为 3245,sf3fwr234。这个 token 是凭据,不要直接写进会被保存或分享的 Caddyfile,可写成 {env.DNSPOD_API_TOKEN} 从环境变量读取
*.my.com {
tls {
dns dnspod api_token
}
}
---泛域名证书的使用
-默认目录配置, 当前用户为my, 域名为my.com
*.my.com {
tls {
dns cloudflare cloudflare_apikey
}
}
www.my.com {
proxy localhost:5000
tls /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.my.com/wildcard_.my.com.crt /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.my.com/wildcard_.my.com.key
}
api.my.com {
reverse_proxy localhost:5000
tls /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.my.com/wildcard_.my.com.crt /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.my.com/wildcard_.my.com.key
}
-demo
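# Global options: keep ACME state (certificates and private keys) under /etc/ssl/caddy
# instead of Caddy's default data directory.
{
	storage file_system {
		root /etc/ssl/caddy
	}
}
*.kufind.com {
	tls {
		# DNS-01 challenge for the wildcard. The argument is the "<ID>,<Token>" pair
		# described in the dnspod note above; it is a credential, so it is read from
		# the environment rather than written into the file (DNSPOD_API_TOKEN is a
		# name chosen here — export it wherever Caddy runs, and rotate any token that
		# was previously pasted into this file).
		dns dnspod {env.DNSPOD_API_TOKEN}
	}
	# NOTE(review): three tls directives on one site (DNS challenge, ACME e-mail,
	# static cert files) — presumably only one is meant to be in effect; confirm
	# which one the Caddyfile adapter honours.
	tls 522588122@qq.com
	tls /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.kufind.com/wildcard_.kufind.com.crt /etc/ssl/caddy/certificates/acme.zerossl.com-v2-dv90/wildcard_.kufind.com/wildcard_.kufind.com.key
	# NOTE(review): 'browse' turns on directory listings for everything under root —
	# confirm that exposure is intended for this site.
	file_server browse
	encode zstd gzip
	root * /data/site/kufind.www
	handle_errors {
		# NOTE(review): rewrite takes a request URI, which file_server resolves under
		# root, so this is looked up as {root}/data/site/shell/404.html — verify the
		# file is really at that location.
		rewrite * /data/site/shell/404.html
		templates
		file_server
	}
	log {
		output file /data/file/logs/nginx/kufind.log {
			roll_size 1mb
			roll_keep 5
			roll_keep_for 720h
		}
	}
	# Any request path that is not an existing file goes to the PHP front controller.
	@key0 {
		not file
		path_regexp key0 '(.*)'
	}
	rewrite @key0 /index.php
	php_fastcgi 127.0.0.1:9000
}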
kufind.com {
redir https://www.kufind.com{uri} 301
}
-修改数据目录为/etc/ssl/caddy后的配置
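# Global options: keep ACME state (certificates and private keys) under /etc/ssl/caddy
# instead of Caddy's default data directory.
{
	storage file_system {
		root /etc/ssl/caddy
	}
}
# Wildcard issuance via the DNS-01 challenge, kept disabled here. The dnspod
# "<ID>,<Token>" value is a credential: reference it from the environment
# (DNSPOD_API_TOKEN is a name chosen here) instead of pasting it into the file,
# and rotate any token that was previously written here.
#*.kufind.com {
#	tls {
#		dns dnspod {env.DNSPOD_API_TOKEN}
#	}
#}
kufind.com {
	# Bare domain -> www, keeping the request URI; no status given, so Caddy's
	# default redirect code (302) applies.
	redir https://www.kufind.com{uri}
}
www.kufind.com {
	encode zstd gzip
	# ACME account e-mail used when obtaining this host's certificate.
	tls 522588122@qq.com
	root * /data/site/kufind.www
	# NOTE(review): no file_server or php_fastcgi in this site block, so requests
	# presumably get an empty response — the handlers from the wildcard config
	# above may have been meant to come along.
	log {
		output file /data/file/logs/nginx/kufind.www.log {
			roll_size 1mb
			roll_keep 5
			roll_keep_for 720h
		}
	}
}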
m.kufind.com {
encode zstd gzip
tls 522588122@qq.com
root * /data/site/kufind.www
log {
output file /data/file/logs/nginx/kufind.m.log {
roll_size 1mb
roll_keep 5
roll_keep_for 720h
}
}
}
单个域名路径:
/data/docker/nginx/caddy/ssl/certificates/acme-v02.api.letsencrypt.org-directory
泛域名路径:
/data/docker/nginx/caddy/ssl/certificates/acme.zerossl.com-v2-dv90/wildcard_.kufind.com
---负载均衡
Caddy支持负载均衡配置,并支持三种负载均衡算法:random(随机)、least_conn(最少连接)以及round_robin(轮询调度)。
负载均衡同样是通过proxy middleware实现的。
localhost:2015 {
log ./2015.log
proxy / localhost:9001 localhost:9003 {
policy round_robin
}
proxy /bar localhost:9002 localhost:9004 {
policy least_conn
}
}
---自定义错误页面
errors {
404 404.html
500 /var/www/html/500.html
}
---跳转功能(目录重写功能也类似)
redir http://example.com{url} 301
而且不像 nginx 做 www 重定向那么麻烦:把原域名(不限协议)写成站点名,大括号里加上这一行 redir 就可以
---php
php_fastcgi localhost:9000 {
index index.php
}
---IP屏蔽
ipfilter / {
rule block
ip 212.10.15.0-255 202.10.15.0-10 59.43.247.103
blockpage /var/www/html/403.html
}
---cors跨域
cors / {
origin https://alleysakura.com
origin http://alleysakura.pw https://alleysakura.pw
methods POST,PUT
allow_credentials false
max_age 3600
allowed_headers X-Custom-Header,X-Foobar
exposed_headers X-Something-Special,SomethingElse
}
header /api {
Access-Control-Allow-Origin *
Access-Control-Allow-Methods "GET, POST, OPTIONS" -Server
}
---rewrite
rewrite {
to {path} {path}/ /index.php?{query}
}
---访问口令认证(用户 emiria,密码 abc123;这是 Caddy v1 写法,v2 的 basicauth 只接受 caddy hash-password 生成的哈希,不再写明文密码)
basicauth / emiria abc123
---自主ssl证书
tls /path/ssl/example.com.crt /path/ssl/example.com.key
---git拉取功能(3600秒为间隔时间)
git https://github.com/user/project.git /var/www/html/git/ {
interval 3600
}
---log日志
log {
output file /var/log/access.log
}
log {
output file access.log
format single_field common_log
}
---目录访问
---使caddy同时支持zstd gzip压缩
encode zstd gzip
---root
root * /var/www
---proxy
reverse_proxy localhost:9005
-反向代理需加:
header_up Host {http.reverse_proxy.upstream.hostport}
---使用 Caddy 的自签名功能(tls self_signed 是 v1 写法,v2 对应 tls internal)
tls self_signed
---caddy-geo-ip
https://github.com/shift72/caddy-geo-ip
{
http_port 8080
https_port 8443
order geo_ip first
}
localhost:8080 {
geo_ip {
db_path GeoLite2-Country.mmdb
trust_header X-Real-IP
}
respond / 200 {
body "Hello from {geoip.country_code}"
}
}
---caddy-git
https://github.com/greenpau/caddy-git
{
git {
repo authp.github.io {
base_dir /tmp
url https://github.com/authp/authp.github.io.git
branch gh-pages
post pull exec {
name Pager
command /usr/bin/echo
args "pulled authp.github.io repo"
}
}
}
}
authp.myfiosgateway.com {
route /version* {
respond * "1.0.0" 200
}
route /update/authp.github.io {
git update repo authp.github.io
}
route {
file_server {
root /tmp/authp.github.io
}
}
}
---demo
:80 {
respond * 404 #首页变404
file_server
#php_fastcgi unix//run/php/php7.4-fpm.sock #去掉#变可用
}
site.net, www.site.net {
root * /home/site
encode zstd gzip
tls yourmail@gmail.com
file_server
log {
output file /var/log/site/access.log {
roll_size 1mb
roll_keep 5
roll_keep_for 720h
}
}
reverse_proxy https://whereyouwantto.com {
header_up Host {http.reverse_proxy.upstream.hostport}
}
php_fastcgi unix//run/php/php7.4-fpm.sock
}
---https://github.com/ueffel/caddy-brotli
caddy add-package github.com/ueffel/caddy-brotli
encode gzip br
---https://github.com/shift72/caddy-geo-ip
caddy add-package github.com/shift72/caddy-geo-ip
{
http_port 8080
https_port 8443
order geo_ip first
}
localhost:8080 {
geo_ip {
db_path GeoLite2-Country.mmdb
trust_header X-Real-IP
}
respond / 200 {
body "Hello from {geoip.country_code}"
}
}