cisen/blog

caddyserver/caddy: an NGINX that automatically requests and renews TLS certificates

Opened this issue · 3 comments

cisen commented

https://github.com/caddyserver/caddy

Simple configuration: Caddy's configuration is very simple; the listening port, domain name, root directory and other basic settings are configured in a plain text file. Caddy also supports automatic HTTPS: just specify the certificate location in the config file and it obtains and enables HTTPS automatically.

Automated management: Caddy supports automation, including automatic HTTPS, automatic TLS certificate renewal and automatic forwarding. These features reduce the administrator's workload and improve the security and reliability of web applications.

High performance and security: Caddy is written in Go and offers high performance and security. Caddy supports HTTP/3, which delivers faster web service under poor network conditions.

Plugin support: Caddy supports many plugins that add functionality such as HTTP proxying, reverse proxying, WebSocket and CGI.

Open source and free: Caddy is open-source web server software that anyone can use and modify for free.

cisen commented

HTTPS proxy

If you already have an SSL certificate and key, put the certificate (xxx.crt) and key (xxx.key) files in the /root folder (any other folder works too; just adjust the code below), then do this:

Copy all of the following code at once and paste it into your SSH session to run it:

 echo "https://www.xx.com {
 gzip
 tls /root/xxx.crt /root/xxx.key
 proxy / https://www.bibiqiqi.com
 }" > /usr/local/caddy/Caddyfile
If you do not have an SSL certificate and key, do this instead:

Change xxxx@xxx.xx below to your email address. Note that before requesting an SSL certificate you must set up the DNS records for the domain in advance (after changing them, it is best to wait a while for global propagation), and test that the domain resolves before restarting Caddy. Make sure the DNS records for www.xxx.com and xxx.com are the same, otherwise Caddy's certificate request and configuration will fail!

Copy all of the following code at once and paste it into your SSH session to run it:

 echo "https://www.xx.com {
 gzip
 tls xxxx@xxx.xx
 proxy / https://www.bibiqiqi.com
 }" > /usr/local/caddy/Caddyfile

Write the following into the Caddyfile; the format is fairly simple:

example.com:80
gzip
log /var/log/caddy/access.log
root /var/www
tls tls@outlook.com

The first line must be the site address.

Line 2, gzip, is a directive that enables gzip compression, which reduces the bandwidth used when serving pages.

Line 3, the log directive, enables logging for the site; the argument after log is the location of the log file.

Line 4, root, sets the site's document root.

Line 5, the tls directive, tells Caddy to enable HTTPS for the site and obtain a certificate automatically; the email argument is the applicant's email address given to the CA. By default Caddy uses Let's Encrypt to obtain and renew certificates. tls can also take a certificate by path: tls /etc/ssl/cert.pem /etc/ssl/key.pem

How do you configure multiple sites?

example.com:80 {
  gzip
  log /var/log/caddy/access.log
  root /var/www
  tls /etc/ssl/cert.pem /etc/ssl/key.pem
}
example2.com:3000 {
  gzip
  log /var/log/caddy/example2/access.log
  root /var/www/example2
  tls /etc/ssl/example2/cert.pem /etc/ssl/example2/key.pem
}

Password-protecting pages

What, worried that the mirror you set up might be exposed and abused? No problem, just set a username and password by adding this line to the example above:

basicauth / user passwd

user is the username and passwd is that user's password. Once set, visitors must enter the username and password to access the pages!

After changing the configuration file, remember to restart Caddy!

Example configuration:
 echo "https://www.xx.com {
 gzip
 basicauth / user passwd
 tls xx@xx.com
 proxy / https://www.bibiqiqi.com
 }" > /usr/local/caddy/Caddyfile
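An added example, not from this issue, that rewrites the v1 snippets above (gzip, tls, basicauth, proxy) in Caddy v2 syntax; www.example.com, example.com, the certificate paths and the bcrypt hash are placeholders.

```caddyfile
# Added example (not from this issue): the v1 snippets above, rewritten for Caddy v2.
# www.example.com, example.com, the cert/key paths and the bcrypt hash are placeholders.
{
	email xxxx@xxx.xx            # ACME account contact; replaces the v1 "tls <email>" line
}

# Both names must already resolve to this host, or ACME validation fails.
# Redirecting the apex keeps a single canonical site to protect.
example.com {
	redir https://www.example.com{uri} permanent
}

www.example.com {
	encode gzip                  # v2 form of the v1 "gzip" directive
	log {
		output file /var/log/caddy/access.log
	}

	# With no "tls" line Caddy obtains and renews a Let's Encrypt certificate itself.
	# To use your own certificate instead, uncomment the next line (v1 "tls <crt> <key>"):
	# tls /root/xxx.crt /root/xxx.key

	# v1 "basicauth / user passwd" kept the password in clear text in the Caddyfile.
	# v2 only accepts a bcrypt hash; create it with:  caddy hash-password --plaintext 'passwd'
	basicauth {
		user $2a$14$REPLACE_WITH_OUTPUT_OF_caddy_hash-password
	}

	# v2 form of v1 "proxy / https://www.bibiqiqi.com". Caddy v2 already adds
	# X-Forwarded-For and X-Forwarded-Proto; only the Host header needs to match
	# the upstream when proxying to a different public site.
	reverse_proxy https://www.bibiqiqi.com {
		header_up Host {upstream_hostport}
	}
}
```

Run `caddy validate --config Caddyfile` before `caddy reload` so a typo in the hash or paths does not take the site down.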
cisen commented

All options

https://caddyserver.com/docs/caddyfile/options

{
	# General Options
	debug
	http_port    <port>
	https_port   <port>
	default_bind <hosts...>
	order <dir1> first|last|[before|after <dir2>]
	storage <module_name> {
		<options...>
	}
	storage_clean_interval <duration>
	renew_interval <duration>
	ocsp_interval  <duration>
	admin   off|<addr> {
		origins <origins...>
		enforce_origin
	}
	persist_config off
	log [name] {
		output  <writer_module> ...
		format  <encoder_module> ...
		level   <level>
		include <namespaces...>
		exclude <namespaces...>
	}
	grace_period   <duration>
	shutdown_delay <duration>

	# TLS Options
	auto_https off|disable_redirects|ignore_loaded_certs|disable_certs
	email <yours>
	default_sni <name>
	local_certs
	skip_install_trust
	acme_ca <directory_url>
	acme_ca_root <pem_file>
	acme_eab <key_id> <mac_key>
	acme_dns <provider> ...
	on_demand_tls {
		ask      <endpoint>
		interval <duration>
		burst    <n>
	}
	key_type ed25519|p256|p384|rsa2048|rsa4096
	cert_issuer <name> ...
	ocsp_stapling off
	preferred_chains [smallest] {
		root_common_name <common_names...>
		any_common_name  <common_names...>
	}

	# Server Options
	servers [<listener_address>] {
		name <name>
		listener_wrappers {
			<listener_wrappers...>
		}
		timeouts {
			read_body   <duration>
			read_header <duration>
			write       <duration>
			idle        <duration>
		}
		trusted_proxies <module> ...
		metrics
		max_header_size <size>
		log_credentials
		protocols [h1|h2|h2c|h3]
		strict_sni_host [on|insecure_off]
	}

	# PKI Options
	pki {
		ca [<id>] {
			name                  <name>
			root_cn               <name>
			intermediate_cn       <name>
			intermediate_lifetime <duration>
			root {
				format <format>
				cert   <path>
				key    <path>
			}
			intermediate {
				format <format>
				cert   <path>
				key    <path>
			}
		}
	}

	# Event options
	events {
		on <event> <handler...>
	}
}
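An added example, not part of the issue or the Caddy docs, that fills the security-relevant global options from the list above with defensive values; the email, log path and the ask endpoint are placeholders.

```caddyfile
{
	email xxxx@xxx.xx          # ACME account contact used for issuance and renewal notices
	key_type p256              # ECDSA P-256 certificate keys (smaller handshakes than RSA)
	admin localhost:2019       # keep the config API off the network ("admin off" disables it)

	# on_demand_tls only matters for sites that enable "tls { on_demand }". Without "ask",
	# anyone who points a hostname at this server can make it request a certificate.
	on_demand_tls {
		ask http://127.0.0.1:9123/allowed
		interval 2m
		burst 5
	}

	servers {
		protocols h1 h2 h3
		strict_sni_host on                       # Host header must match the TLS SNI
		trusted_proxies static private_ranges   # honour X-Forwarded-* only from RFC 1918 sources
		timeouts {
			read_header 10s                      # bounds slow-header (slowloris-style) connections
			read_body   30s
			write       30s
			idle        2m
		}
		max_header_size 16KB
		# log_credentials is left out on purpose: Authorization and Cookie headers stay
		# redacted in access logs.
	}

	log {
		output file /var/log/caddy/caddy.log
		level INFO
	}
}
```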
cisen commented

Examples

Search GitHub for Caddyfile, reverse_proxy

https://git.vcholerae.com {
    gzip
    minify
    log git.access.log {
        rotate
    }
    errors {
        log git.errors.log
        404 /opt/gitlab/embedded/service/gitlab-rails/public/404.html
        422 /opt/gitlab/embedded/service/gitlab-rails/public/422.html
        500 /opt/gitlab/embedded/service/gitlab-rails/public/500.html
        502 /opt/gitlab/embedded/service/gitlab-rails/public/502.html
    }
    header /shared/ Cache-Control "max-age=7200, public"
    proxy / http://127.0.0.1:8181 {
        fail_timeout 300s
        proxy_header Host {host}
        proxy_header X-Real-IP {remote}
        proxy_header X-Forwarded-Proto {scheme}
        proxy_header X-Forwarded-Ssl on
        proxy_header Cache-Control "max-age=7200, public"
    }
}


vibriocholera.com {
    root /home/blast/public/www/www/
    gzip
    errors ./errors_ani.log
    log ./log_ani.log
}

t6ss.vibriocholera.com {
    errors ./errors_ani.log
    log ./log_ani.log
    proxy /websocket/ http://127.0.0.1:4545 {
        websocket
    }
    proxy / http://127.0.0.1:4545 {
        proxy_header Host {host}
        proxy_header X-Real-IP {remote}
        proxy_header X-Forwarded-Proto {scheme}
    }
}

blast.vibriocholera.com {
    gzip
    errors ./errors_blast.log
    log ./log_blast.log
    proxy / 127.0.0.1:4567/ {
        without /blast
        proxy_header Host {host}
    }
}
{
    admin :2019
}

## Alias for EFI server 
minio.carlboettiger.info {
  tls cboettig@gmail.com
  reverse_proxy nvme:9000 {
    header_up X-Forwarded-Proto {scheme}
    header_up X-Forwarded-Host {host}
    header_up Host {host}
    health_path /minio/health/ready
  }
}

data.carlboettiger.info {
    tls cboettig@gmail.com
    reverse_proxy nvme:9001 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
        header_up Host {host}
        health_path /minio/health/ready
    }
}


millie.carlboettiger.info {
  
  tls cboettig@gmail.com
  reverse_proxy millie:8787 

}




status.cirrus.carlboettiger.info {

  tls cboettig@gmail.com
  reverse_proxy monitor:19999 

}


cirrus.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy rstudio:8787 {
    header_up Host {host}
  }

}

spatial.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy spatial:8787 {
    header_up Host {host}
  }

}

rstudio.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy rstudio3:8787 {
    header_up Host {host}
  }

}


marcus.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy marcus:8787 {
    header_up Host {host}
  }

}


rstudio.cirrus.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy rstudio2:8787 {
    header_up Host {host}
  }
}

vscode.cirrus.carlboettiger.info {
  
  tls cboettig@gmail.com

  reverse_proxy vscode:8080 {
    header_up Host {host}
  }

}

tensorboard.cirrus.carlboettiger.info {
  tls cboettig@gmail.com
  reverse_proxy rstudio:2223 {
    header_up Host {host}
  }
}


jupyter.cirrus.carlboettiger.info {
  tls cboettig@gmail.com
  reverse_proxy rstudio2:8000 {
    header_up Host {host}
  }
}

data.cirrus.carlboettiger.info {
    tls cboettig@gmail.com
    reverse_proxy minio:9001 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
        header_up Host {host}
        health_path /minio/health/ready
    }
}

minio.cirrus.carlboettiger.info {

    tls cboettig@gmail.com
    reverse_proxy minio:9000 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
        header_up Host {host}
        health_path /minio/health/ready
    }
}

prometheus.cirrus.carlboettiger.info {
  tls cboettig@gmail.com
  reverse_proxy prometheus:9090
}


hash-archive.carlboettiger.info {
  tls cboettig@gmail.com
  reverse_proxy hash-archive:8000
}

fishbase.ropensci.org {
  tls cboettig@gmail.com
  reverse_proxy minio:9000 {
        header_up X-Forwarded-Proto {scheme}
        header_up X-Forwarded-Host {host}
        header_up Host {host}
        health_path /minio/health/ready
    }

}

{{ MFE_HOST }}{$default_site_port} {
    respond / 204
    request_body {
        max_size 2MB
    }
    reverse_proxy /api/mfe_config/v1* lms:8000 {
        # We need to specify the host header, otherwise it will be rejected with 400
        # from the lms.
        header_up Host {{ LMS_HOST }}
    }
    import proxy "mfe:8002"
}

https://your.website {
  reverse_proxy * navidrome:4533 {
    header_up Host {http.reverse_proxy.upstream.hostport}
    header_up X-Forwarded-For {http.request.remote}
    header_up X-Real-IP {http.request.remote.host}   # the client address; the original {http.reverse_proxy.upstream.port} was the upstream's port
  }
}